Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.MulDrop.132.origin
- Android.SmsSend.1907.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.MulDrop.132.origin
- Android.SmsSend.1907.origin
Сетевая активность:
Подключается к:
- a####.####.com
- a####.####.net
- adplexm####.####.com
- adr####.com
- afftrac####.com
- apxadtr####.net
- besta####.com
- bonga####.com
- bs5####.com
- cdn####.####.com
- cleando####.com
- cp####.####.com
- d####.####.com
- dh4gnu4####.####.net
- g####.####.com
- go####.com
- go####.nl
- google-####.com
- imob####.com
- ip####.io
- lik####.com
- m####.####.com
- mobile5####.com
- mobilem####.me
- n####.####.com
- onc####.com
- onclic####.com
- p####.####.com
- pha####.info
- pi####.com
- pop####.net
- pr####.com
- pu####.com
- qu####.####.eu
- r####.####.net
- re####.####.com
- roset####.com
- se####.####.com
- set####.####.com
- sexyt####.mobi
- sofas####.com
- syndica####.####.com
- t####.####.com
- t####.####.online
- tra####.####.com
- trac####.####.com
- u####.####.com
- w####.####.com
- x####.####.com
Запросы HTTP GET:
- a####.####.com/adx-dir-d/link?aid=####&nid=####&imp=####&w=####&h=####&s...
- a####.####.com/ajax/libs/jquery/1.11.2/jquery.min.js
- a####.####.com/track?pid=####&eid=####&jsb=####&ckb=####&dm=####&dlh=###...
- a####.####.net/red?id=####&alias=####
- adplexm####.####.com/imp?p=####&ct=####&ap=####&psid=####&clickid=####
- adr####.com/?placement=####&redi####
- afftrac####.com/mnz/v1?placement=####&source=####
- apxadtr####.net/iclk/redirect.php?apxcode=####&id=####&dv1=####&nw_sub_a...
- besta####.com/?r=####&zoneid=####&pbk2=####&uuid=####&ad_scheme=####&rou...
- bonga####.com/track?c=####&subid=####
- bs5####.com/?s=####&z=####&g=####&svar=####&ssk=####&h=####
- cdn####.####.com/cdn-adn/html/common/2016/02/22/22/03/com.qihoo.security...
- cleando####.com/
- cp####.####.com/click?aid=####&linkid=####&s1=####&s2=####
- d####.####.com/?r=####&zoneid=####&pbk2=####&var=####&uuid=####&ad_schem...
- d####.####.com/click?k=####&p=####&q=####¬ice=####
- dh4gnu4####.####.net/static/UK/voucherClubTesco/js/bootstrap.min.js
- g####.####.com/afu.php?zoneid=####
- go####.com/
- go####.nl/xjs/_/js/k=xjs.qs.nl.qoSSuyABZzM.O/m=aa,abd,async,dvl,foot,ipv...
- google-####.com/analytics.js
- imob####.com/29A667/FtsE7A/AthB/BtVQv_8/VJAE7aDL-3C0ShBnZ15irKh924qG4R8F...
- ip####.io/json
- lik####.com/?b=####&ba=####&disableService=####&dm=####&ep=####&g=####&i...
- mobile5####.com/?ba=####&ep=####&g=####&l=####&s=####&z=####&tr=####&sva...
- mobilem####.me/r/b0f9f08e-6eba-11e7-b8bd-1141970ea1bd/0/
- n####.####.com/openapi/ad/v3?app_id=####&unit_id=####&category=####&req_...
- onc####.com/afu.php?zoneid=####
- onclic####.com/script/preurl.php?r=####&sub1=####
- p####.####.com/r/986/p/Re.61126
- p####.####.com/red/?code=####&a=####&pubid=####
- pha####.info/redirect?tid=####&ref=####&subid=####&q=####
- pi####.com/?id=####&to=####&ta=####
- pop####.net/world/go/61946/355583
- pr####.com/p/nf2r/direct/t:whiskey-avo-ufbsQVDd_bbbe3c10-6892-11e7-bc03-...
- pu####.com/www/delivery/directads.php?zoneid=####&sub_zoneid=####&sub_oc...
- qu####.####.eu/?cid=####&click_id=####
- r####.####.net/ck?id=####
- re####.####.com/_NTHr5U0RMqtaheC7vxhhPmNd7ZgqdRLk/53/?payload=####
- roset####.com/48f20/3tAQ/ytNc/zt5NhL0/nJsR1OEZalGIrts8C9eVlQgtq8lijbdP5S...
- se####.####.com/click?i=####
- se####.####.com/sites/?cat=####&camp=####&categoryid=####&conv=####
- set####.####.com/setting?unit_ids=####&app_id=####&sign=####&platform=##...
- sexyt####.mobi/?sl=####&data1=####&data2=####&data3=####
- sofas####.com/news/download-sofascore-app/
- syndica####.####.com/splash.php?idzone=####&type=####&sub=####
- t####.####.com/aff_c?offer_id=####&aff_id=####&aff_sub=####
- t####.####.com/click?cid=####&s1=####&s2=####
- t####.####.com/favicon.ico
- t####.####.com/hit.php?c=####&subid=####
- t####.####.online/?utm_term=####&clickverify=####&utm_content=####
- tra####.####.com/?p=####&media_type=####&click_id=####&pi=####
- trac####.####.com/click?mb_pl=####&mb_nt=####&mb_campid=####&mb_package=...
- u####.####.com/zcvisitor/99209034-6eba-11e7-b831-0af3d060fd90?campaignid...
- u####.####.com/zcvisitor/9b86bad7-6eba-11e7-8644-06635b06f2f6?campaignid...
- u####.####.com/zcvisitor/a3ff4f13-6eba-11e7-ad1d-0a57c5b9dc74?campaignid...
- u####.####.com/zcvisitor/a66c5765-6eba-11e7-aba0-12562a8bfc98?campaignid...
- u####.####.com/zcvisitor/a9fd4665-6eba-11e7-9832-12670bf6c51e?campaignid...
- w####.####.com/lp/7scf-zp-2.html
- x####.####.com/click?adv=####&i=####
- x####.####.com/click?i=####
Запросы HTTP POST:
- a####.####.com/app_logs
- a####.####.com/oversea_adjust_and_download_write_redis/notify/download/app
- a####.####.com/subscribe/api/1110
- m####.####.com/smartview/api/920
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/index
- <Package Folder>/databases/mem_boost.db
- <Package Folder>/databases/mem_boost.db-journal
- <Package Folder>/databases/mobvista.msdk.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/.imprint
- <Package Folder>/files/hello.apk
- <Package Folder>/files/source.apk
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/mobvista.xml
- <Package Folder>/shared_prefs/share_date.xml
- <Package Folder>/shared_prefs/share_date.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.mobvista700/####/-898324802.temp
- <SD-Card>/.mobvista700/####/1539062256.temp
- <SD-Card>/.mobvista700/####/1880935128
- <SD-Card>/.mobvista700/####/2082986419
- <SD-Card>/Android/####/.nomedia
Другие:
Запускает следующие shell-скрипты:
- <dexopt>
