Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.155.origin
- Android.Triada.178
- Android.Triada.178
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.155.origin
- Android.Triada.178
- Android.Triada.178
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 1####.####.34:19000
- 1####.####.57:10001
- a####.####.com
- huangda####.com
- i####.####.com
- l####.####.com
Запросы HTTP GET:
- 1####.####.57:10001/v1/order/get?phone=####&imei=####&sdk_version=####&c...
- a####.####.com/ando/i/mon?k=####&d=####
- huangda####.com/resource!resource?resTypes=####&appid=####&channel=####&...
- i####.####.com/ando-res/ads/27/1/a35bc83b-9bc9-40ec-ba09-35ad6fe13d58/5e...
Запросы HTTP POST:
- 1####.####.34:19000/v2/chis
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/EOZTzhVG.dex (deleted)
- <Package Folder>/EOZTzhVG.jar
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/index
- <Package Folder>/code-1220903/I0RJFNiaR1srbhLv
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/RQhijtz7RUnonTyVgEysQrZyavejVi6a_2EWrHIv_yXfmAiIvYlbrgA==
- <Package Folder>/databases/RQhijtz7RUnonTyVgEysQrZyavejVi6a_2EWrHIv_yXfmAiIvYlbrgA==-journal
- <Package Folder>/databases/RQhijtz7RUnonTyVgEysQrZyavejVi6a_RNeE4KFzGjK0NU3sdiB6Og==
- <Package Folder>/databases/RQhijtz7RUnonTyVgEysQrZyavejVi6a_RNeE4KFzGjK0NU3sdiB6Og==-journal
- <Package Folder>/databases/RQhijtz7RUnonTyVgEysQrZyavejVi6a_TQZov9bhlWc=-journal
- <Package Folder>/databases/RQhijtz7RUnonTyVgEysQrZyavejVi6a_nOVh7LkOdGXmcQZt
- <Package Folder>/databases/RQhijtz7RUnonTyVgEysQrZyavejVi6a_nOVh7LkOdGXmcQZt-journal
- <Package Folder>/databases/RQhijtz7RUnonTyVgEysQrZyavejVi6a_tWo-KXuCLzoMWRrdwl6ipwU-R7E=
- <Package Folder>/databases/RQhijtz7RUnonTyVgEysQrZyavejVi6a_tWo-KXuCLzoMWRrdwl6ipwU-R7E=-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/-iZ8uMXCTfG8dVs00j1v2W4QUnJVPAS4.new
- <Package Folder>/files/####/006b7734-ca2d-4ecc-b7eb-d129c78ce6c8.pic.temp
- <Package Folder>/files/####/0adijGmGV3slivv5KNAmAtKAByI=.new
- <Package Folder>/files/####/0cVDhkUchFL08N33lih7f_qB1dbFeLVvcXYssg==.new
- <Package Folder>/files/####/0yv5W0WQxvI9J6LZ_jCr2dJgpiQ=.new
- <Package Folder>/files/####/1290f601-34a0-4925-8f7f-5710e77aacab.pic.temp
- <Package Folder>/files/####/22392845-6df9-4dca-b6f1-543d066467dc.pic.temp
- <Package Folder>/files/####/8fbf6aed-4d06-4db2-aece-454c7f958529.pic.temp
- <Package Folder>/files/####/9TPDvXsvoIzDbZ9E19IGhQ==.new
- <Package Folder>/files/####/B7321vLtmHwsJaS9O-R3HT9420o=.new
- <Package Folder>/files/####/BhuR3F4inVMroiU4_O77SJEGBHCCmIeO.new
- <Package Folder>/files/####/FvPxoMliEYDpKThLylLlWKW2cu8cllFLjpg8ECBXXHw=.new
- <Package Folder>/files/####/GAFqWhf2_ybIZx3Lk6o1KGd-oJ7E5qor
- <Package Folder>/files/####/GAFqWhf2_ybIZx3Lk6o1KGd-oJ7E5qor.new
- <Package Folder>/files/####/GAFqWhf2_ybIZx3Lk6o1KGd-oJ7E5qor.old (deleted)
- <Package Folder>/files/####/GBc3SoAmcq6vgZPW3bGaG7W3-0S7PuOV.new
- <Package Folder>/files/####/HHjtpsIw6Zh7rkXv.new
- <Package Folder>/files/####/OJmLnyK9x_YpgiC7Me8b-UrsgEzw5M0S.new
- <Package Folder>/files/####/OtFvWzrNmAdJBFIo4PrkgwaMQvs=.new
- <Package Folder>/files/####/UYwnXy9afKIjT270GxAblz_5C0scnkal.new
- <Package Folder>/files/####/VGc1fwZgibligj-79dzHO_EiSwUSQwirfmr1RA==.new
- <Package Folder>/files/####/VXDveXrZvpQ4nC8m-6_qKL4uBIYnDP_c1aHeFVMu-cI=.new
- <Package Folder>/files/####/VgqaIzdyCGiiAEwJ5x2deMYk7PGfxKbg5XwnwB1QRt8=.new
- <Package Folder>/files/####/ae0a4d11-04d9-4b91-bf5a-358b3fd2b2c9.pic
- <Package Folder>/files/####/b19a8dc8-31f9-44d6-973e-2b678437f99f.pic
- <Package Folder>/files/####/brqlzHZiddf7XutHoLCJkjlwk2KIO4pG.new
- <Package Folder>/files/####/c1e9f546-e965-4a9f-bc06-cd7ce297a584.pic.temp
- <Package Folder>/files/####/d49bca16-5507-4b7f-b977-220023a44d42.pic.temp
- <Package Folder>/files/####/data.dat.tmp
- <Package Folder>/files/####/f_Z5rnzQABLEw893KS8lSw==
- <Package Folder>/files/####/gBhPuHKEvQuaUtBMjXpb8k0XmM7L48m_URFA-3ANRhI=.new
- <Package Folder>/files/####/hGwIEqDUJ_7huosR.zip
- <Package Folder>/files/####/jetn4kdTgV8R2zDpwEyqoJcGX3w=
- <Package Folder>/files/####/lNcxB6t9irLJtKkY2u-M4QkgBFLJvBH_bLCKcg==.new
- <Package Folder>/files/####/libus.so
- <Package Folder>/files/####/oL262xM6vyVOL3vXHfH4RA==
- <Package Folder>/files/####/oL262xM6vyVOL3vXHfH4RA==.new
- <Package Folder>/files/####/q0Ui4vFjkWQVNmKXdqaJNA==.new
- <Package Folder>/files/####/rUPD6ZMovYnU_aGtY75docarpBTX7LQV.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sDk0j76sEAb8e8xIbFFSN5HWJAc=
- <Package Folder>/files/####/sFC01YHV5bZM40Qa
- <Package Folder>/files/####/sbcnua_f.zip
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/twj.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/zzconfig.xml
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/78f9fc6c-ba90-4a8d-b2a4-e4e7cb7f7334.res
- <SD-Card>/.armsd/####/82246a69-605a-454a-ba8f-19e14a1c01fa.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/bc463a53-07b0-4564-9ed4-acb7f4e8b9f4.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/qshp_3002_2206.zip
- <SD-Card>/Download/channel_conf
- <SD-Card>/Download/channel_conf1
Другие:
Запускает следующие shell-скрипты:
- /data/data/dslm.vvd.gnnznfg.awel/code-1220903/I0RJFNiaR1srbhLv -p dslm.vvd.gnnznfg.awel -c com.hoxq.lpve.uwisuq.a.a.c.b -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- sh <Package Folder>/code-1220903/I0RJFNiaR1srbhLv -p <Package> -c com.hoxq.lpve.uwisuq.a.a.c.b -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
