Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.155.origin
- Android.Triada.178
- Android.Triada.178
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.155.origin
- Android.Triada.178
- Android.Triada.178
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 1####.####.34:19000
- 1####.####.57:10001
- a####.####.com
- huangda####.com
- i####.####.com
- l####.####.com
Запросы HTTP GET:
- 1####.####.57:10001/v1/order/get?phone=####&imei=####&sdk_version=####&c...
- a####.####.com/ando/i/mon?k=####&d=####
- huangda####.com/resource!resource?resTypes=####&appid=####&channel=####&...
- i####.####.com/ando-res/m/s3KOUSTUNwqwJOgW89Tsl-Qlaroq07gDVNfYRzW-w*Av*E...
Запросы HTTP POST:
- 1####.####.34:19000/v2/chis
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/EOZTzhVG.jar
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/index
- <Package Folder>/code-6642433/3BmC_Pq_UvhUJp4d
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/PkLzhwkCYwp1BX-PKjRcdK-36XqpnKjg_5TtnJMMi1aQ=-journal
- <Package Folder>/databases/PkLzhwkCYwp1BX-PKjRcdK-36XqpnKjg_LObDx1IHM6MEqYG9UZeATQ==
- <Package Folder>/databases/PkLzhwkCYwp1BX-PKjRcdK-36XqpnKjg_LObDx1IHM6MEqYG9UZeATQ==-journal
- <Package Folder>/databases/PkLzhwkCYwp1BX-PKjRcdK-36XqpnKjg_Sv-ObacjanrB5cLYLfCS3URqmK0=
- <Package Folder>/databases/PkLzhwkCYwp1BX-PKjRcdK-36XqpnKjg_Sv-ObacjanrB5cLYLfCS3URqmK0=-journal
- <Package Folder>/databases/PkLzhwkCYwp1BX-PKjRcdK-36XqpnKjg_UV-knEIri49UU-5r
- <Package Folder>/databases/PkLzhwkCYwp1BX-PKjRcdK-36XqpnKjg_UV-knEIri49UU-5r-journal
- <Package Folder>/databases/PkLzhwkCYwp1BX-PKjRcdK-36XqpnKjg_d5f7wTpEY31XC86kEDzMzA==
- <Package Folder>/databases/PkLzhwkCYwp1BX-PKjRcdK-36XqpnKjg_d5f7wTpEY31XC86kEDzMzA==-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/-QFuCUUYQs5MJyp2BwVLsj7GAXs-aLTp.new
- <Package Folder>/files/####/0Nc2CIiIejNxcSuhrB_NsehjFag=
- <Package Folder>/files/####/1bfd46ac-f31e-4bb7-b3b0-1afc1e01f904.pic.temp
- <Package Folder>/files/####/1d2c0c62-a36e-44cf-83aa-5a6a315e8a86.pic.temp
- <Package Folder>/files/####/525f5ab5-1b43-441c-bdcf-2902d19dbe07.pic.temp
- <Package Folder>/files/####/5866af43-e28b-48c2-aace-d8a4ec22a038.pic.temp
- <Package Folder>/files/####/93WltWV9bI16SJB4kJfo_g==
- <Package Folder>/files/####/93WltWV9bI16SJB4kJfo_g==.new
- <Package Folder>/files/####/Ag3PQFI2IWuGA4CkQcwC_nzesz06GZrr.new
- <Package Folder>/files/####/BQnrQ6ZpPrNl4ljAqPO1Ep9ykqk=.new
- <Package Folder>/files/####/HvnLXhs_J4Bl10uCh_NEow==
- <Package Folder>/files/####/IJKooEvS6cPkMq54.new
- <Package Folder>/files/####/SIkceSBos9Q8RVt0g5LGYekIed447t_esSg9Zw==.new
- <Package Folder>/files/####/TaEHZ87FfYYUXv2tvm2xgOQjyC_9RJCXR4CVrg==.new
- <Package Folder>/files/####/Zvn8uFWdlk2cXXPVbDgiZwv2MnI=.new
- <Package Folder>/files/####/bWNpVE8AmJoLjKTy
- <Package Folder>/files/####/bb5fdc27-d49f-4ec3-894e-6f4c25bbc836.pic.temp
- <Package Folder>/files/####/d068bde1-f794-4557-9aba-ac4dc6df3116.pic
- <Package Folder>/files/####/d17262ae-0192-4b6d-8508-d7c3f9d7e15d.pic.temp
- <Package Folder>/files/####/dVQeRYOMy886pTlfhmhm0bAII3femAjIvsa7KR6lONA=.new
- <Package Folder>/files/####/data.dat.tmp (deleted)
- <Package Folder>/files/####/e2cc3534-89b3-452e-81e4-8980868ecbe3.pic
- <Package Folder>/files/####/jcoA3vTEEl5nNpDswqlVZu2V0EO4wWvx-m_5OUmq6S8=.new
- <Package Folder>/files/####/lfmKUswPrfVNNHNJMja3CtWPLrJKtPXn.new
- <Package Folder>/files/####/libus.so
- <Package Folder>/files/####/mIBvDYvrhkWUnW1OoT8WG01zss8C8uo1qzqcpHUwNMA=.new
- <Package Folder>/files/####/nqi3qjroKvuE1PQM9Euy-w==
- <Package Folder>/files/####/nqi3qjroKvuE1PQM9Euy-w==.new
- <Package Folder>/files/####/oDr15NyDhvA6QtnZx93aILn7cOZYv9C2KFi-yw==.new
- <Package Folder>/files/####/prWWVPD-peqva_lMAo0vyBWuaGe_hI1U.new
- <Package Folder>/files/####/qyZOc_wQZ48pYblr.zip
- <Package Folder>/files/####/rFKlOi6i96hkLUABW3AnsI0OvDgw1zA5KYvsYZOO5eQ=.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sbcnua_f.zip
- <Package Folder>/files/####/uc7E3t7ON2MdkNyoEEfZwdm2HMo=
- <Package Folder>/files/####/vAmRgXBUKBzcVoMYAySjza-mS6YpsNXs.new
- <Package Folder>/files/####/vmXKYqPKo6f6LmDfcsck_w==
- <Package Folder>/files/####/vmXKYqPKo6f6LmDfcsck_w==.new
- <Package Folder>/files/####/w9ptdcQK22FAwI8G9QURTEeQxTg=.new
- <Package Folder>/files/####/x4TAxMFFzyGRB6GIch7V1g3GXE8=.new
- <Package Folder>/files/####/x_DhmJDkR8XVSp8bgWJsJX-8CBdfBoEQ.new
- <Package Folder>/files/####/zRLX-Wdn4BKMFLsS67CJrbq07WaPgPDr
- <Package Folder>/files/####/zRLX-Wdn4BKMFLsS67CJrbq07WaPgPDr.new
- <Package Folder>/files/####/zRLX-Wdn4BKMFLsS67CJrbq07WaPgPDr.old (deleted)
- <Package Folder>/files/####/zrOwaeWwcbaNEjVh1eF0s3wrHgnOOgEa.new
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/twj.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/zzconfig.xml
- <SD-Card>/.armsd/####/2b0f6a60-43a4-4bab-a5f0-0f962797c3cd.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/f76566ad-c9f7-4870-92fe-ba4a69a745e4.res
- <SD-Card>/.armsd/####/ffd0989e-c1fa-4570-87a0-fc453cb55080.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/qshp_3002_2206.zip
- <SD-Card>/Download/channel_conf
- <SD-Card>/Download/channel_conf1
Другие:
Запускает следующие shell-скрипты:
- /data/data/eeufa.kshr.gtcbd.ece/code-6642433/3BmC_Pq_UvhUJp4d -p eeufa.kshr.gtcbd.ece -c com.hoxq.lpve.uwisuq.a.a.c.b -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- sh <Package Folder>/code-6642433/3BmC_Pq_UvhUJp4d -p <Package> -c com.hoxq.lpve.uwisuq.a.a.c.b -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
