Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.155.origin
- Android.Triada.178
- Android.Triada.178
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.155.origin
- Android.Triada.178
- Android.Triada.178
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 1####.####.34:19000
- 1####.####.57:10001
- a####.####.com
- huangda####.com
- i####.####.com
- l####.####.com
Запросы HTTP GET:
- 1####.####.57:10001/v1/order/get?phone=####&imei=####&sdk_version=####&c...
- a####.####.com/ando/i/mon?k=####&d=####
- huangda####.com/active!activeLog.action?provider=####&clickId=####&manu=...
- i####.####.com/ando-res/ads/0/9/837ec120-ccf8-4ad0-b6fd-1303ff645eca/773...
Запросы HTTP POST:
- 1####.####.34:19000/v2/chis
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/EOZTzhVG.jar
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/index
- <Package Folder>/code-2813121/R9Ow658XxXus2bi-
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/EjLraiKXnCyvi0elQhkIfjN0q29P3oaI_4XVY3KJiIyWWKAaUOgPEwg==
- <Package Folder>/databases/EjLraiKXnCyvi0elQhkIfjN0q29P3oaI_4XVY3KJiIyWWKAaUOgPEwg==-journal
- <Package Folder>/databases/EjLraiKXnCyvi0elQhkIfjN0q29P3oaI_Gx8fzwC7tSGhwrUA3vDMsA==
- <Package Folder>/databases/EjLraiKXnCyvi0elQhkIfjN0q29P3oaI_Gx8fzwC7tSGhwrUA3vDMsA==-journal
- <Package Folder>/databases/EjLraiKXnCyvi0elQhkIfjN0q29P3oaI_K0NRS7Yh3tY=-journal
- <Package Folder>/databases/EjLraiKXnCyvi0elQhkIfjN0q29P3oaI_LeJRiVu2tFkPBNFZbD4DzPTjLQU=
- <Package Folder>/databases/EjLraiKXnCyvi0elQhkIfjN0q29P3oaI_LeJRiVu2tFkPBNFZbD4DzPTjLQU=-journal
- <Package Folder>/databases/EjLraiKXnCyvi0elQhkIfjN0q29P3oaI_pUcbhdDXd6uZOmh_
- <Package Folder>/databases/EjLraiKXnCyvi0elQhkIfjN0q29P3oaI_pUcbhdDXd6uZOmh_-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/0MfMUQAZJCxlk8JH.new
- <Package Folder>/files/####/30f5bb61-ef38-4fd6-94b6-90c5e9fcb02c.pic.temp
- <Package Folder>/files/####/3b38c575-d2f6-44d5-b17b-0eff91693e0a.pic.temp
- <Package Folder>/files/####/46df8658-6f43-4e9c-8268-cbb30a77f905.pic
- <Package Folder>/files/####/5e75246f-6665-4e9e-b47f-c4240a3c53fd.pic.temp
- <Package Folder>/files/####/738b2a03-6317-499e-9f07-37025139e6c1.pic
- <Package Folder>/files/####/92e71464-9e3f-44ee-8590-f6dc10d48fc7.pic.temp
- <Package Folder>/files/####/A0wsoN_zb7WNG1FuJvAok57qL_yZtq2_3i_58JL2T7Q=.new
- <Package Folder>/files/####/E8JE8biebphBUEvm2kyJEduieNo=.new
- <Package Folder>/files/####/JZBEh4KA8z1WO-JrNeCqlnFvFQ8=
- <Package Folder>/files/####/JxP3VY9pPnv8cugBGt-ob5EJR8u21ShAmF7bYtLBIm8=.new
- <Package Folder>/files/####/KDZAGudUSfth85fD
- <Package Folder>/files/####/KISRiLN_MlgyfKLf-l_LARaN5Kc1Eqfe.new
- <Package Folder>/files/####/LfMcEoWyd3x5VpgsfeHgvQ==
- <Package Folder>/files/####/NRewcL3S4JKaHwbHWdAgx_HsQb383pITNXb1Bq3AZC4=.new
- <Package Folder>/files/####/PtKQktHB8CzZvzKZ-sTf82vOtRn1gUzM9VAIUV7gzwI=.new
- <Package Folder>/files/####/QVnnWRiLISATQLemIJg8tcHkWR1AG1W2.new
- <Package Folder>/files/####/ToMF2qeTop6qvwI09TU39ERQ7p-FHyHB6xI-iA==.new
- <Package Folder>/files/####/VjlScY0lFe53UebiIaNjtg==
- <Package Folder>/files/####/VjlScY0lFe53UebiIaNjtg==.new
- <Package Folder>/files/####/WaBy_1dsJcSHXdfVVwos7aaM89A=.new
- <Package Folder>/files/####/XWm05g0LlpEY3uQ4B_m6GCxjvsacuU8B.new
- <Package Folder>/files/####/Y4ksvWBRMeqERQagVd0YxA==
- <Package Folder>/files/####/Y4ksvWBRMeqERQagVd0YxA==.new
- <Package Folder>/files/####/Z_uKVNQcqBr9PESSxCYHN8D0WgNOk0GNzn24Hw==.new
- <Package Folder>/files/####/b1435686-8653-40da-8544-7c015aa7fe29.pic.temp
- <Package Folder>/files/####/data.dat.tmp
- <Package Folder>/files/####/dfa2c11a-17a4-4f6f-888b-64043fca220a.pic.temp
- <Package Folder>/files/####/e6wob6zAjNHJZ81YdLnFunHwV0EVv4UBUnLXVA==.new
- <Package Folder>/files/####/hAuAb5ZZ5ZBIoThsnnjH_MXHOvnAO6em.new
- <Package Folder>/files/####/iCDMUts5WyVmR0dzqnFpSA==
- <Package Folder>/files/####/iCDMUts5WyVmR0dzqnFpSA==.new
- <Package Folder>/files/####/k98ar6hETlVY19KUsnH5q3ozkkc=.new
- <Package Folder>/files/####/l4Su3kGW25TFGFCh.zip
- <Package Folder>/files/####/libus.so
- <Package Folder>/files/####/lqdnEORfp2jk9zhIGTE5KuUmI_XXEIes.new
- <Package Folder>/files/####/nH7jpu-Wg63nyUajUCVINVknN-A=
- <Package Folder>/files/####/oIFTfwOnPAGBr9eOY1TilBXQJ9QMF4dk
- <Package Folder>/files/####/oIFTfwOnPAGBr9eOY1TilBXQJ9QMF4dk.new
- <Package Folder>/files/####/ps-qb2cNhi3QGIt1dL5nCsj2ZiJ9jXau.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sbcnua_f.zip
- <Package Folder>/files/####/trakHIGSStvbsh6q9msXHXOY3dQLzIBn.new
- <Package Folder>/files/####/wFziLgXVxxXzYl1lyS9YKvclB84=.new
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/twj.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/zzconfig.xml
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/6783a05d-4c1d-423c-a66a-f3146c2720cd.res
- <SD-Card>/.armsd/####/77ec2d17-783a-41e4-87e7-482e74a6cf13.res
- <SD-Card>/.armsd/####/8cf4db6b-6203-4b09-a859-d815931ec6bc.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/qshp_3002_2206.zip
- <SD-Card>/Download/channel_conf
- <SD-Card>/Download/channel_conf1
Другие:
Запускает следующие shell-скрипты:
- /data/data/tkewwkgk.suwgovdz.gvbwxv.bylgfk/code-2813121/R9Ow658XxXus2bi- -p tkewwkgk.suwgovdz.gvbwxv.bylgfk -c com.hoxq.lpve.uwisuq.a.a.c.b -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- sh <Package Folder>/code-2813121/R9Ow658XxXus2bi- -p <Package> -c com.hoxq.lpve.uwisuq.a.a.c.b -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
