Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 12114: HZSY#<IMSI>
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.247.origin
- Android.Triada.248.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 6####.####.140
- bus####.####.com
- cser####.####.cn
- huangda####.com
- i####.####.com
- i####.####.net
- i####.####.net:10001
- l####.####.com
- p####.####.com
- s####.####.com
Запросы HTTP GET:
- 6####.####.140/ando/i/mon?k=####&d=####
- huangda####.com/active!activeLog.action?provider=####&clickId=####&manu=...
- i####.####.com/ando-res/ads/13/23/bc4dd2ed-0d19-49bd-ad99-f8d032103d54/8...
- i####.####.net/v1/sdk/init?net_name=####&imei=####&package_name=####&sdk...
- i####.####.net:10001/v1/update/check?user_id=####&app_id=####&channel_id...
- p####.####.com/cityjson?ie=####
Запросы HTTP POST:
- bus####.####.com/business-analysis-cmp/zhuabao/needCatch.do
- cser####.####.cn/channel/paymentHandle.action?v=####&requestId=####
- l####.####.com/sdk.php
- s####.####.com/pay-data-collect/collectAppStartUserData.json
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/crash-1496215267019.log
- <Package Folder>/cache/####/crash-1496215288088.log
- <Package Folder>/cache/####/crash-1496215299280.log
- <Package Folder>/cache/####/crash-1496215304760.log
- <Package Folder>/code-7773612/EMcNU8J9PR6HRdlP
- <Package Folder>/code-9606966/EMcNU8J9PR6HRdlP
- <Package Folder>/databases/JBHVwnacJIL_BEE75voKXNlLHsl3PyRa_Fv1ckHrd1Df6wlyg
- <Package Folder>/databases/JBHVwnacJIL_BEE75voKXNlLHsl3PyRa_Fv1ckHrd1Df6wlyg-journal
- <Package Folder>/databases/JBHVwnacJIL_BEE75voKXNlLHsl3PyRa_Uc0xvfm0lmr6V_cE9GeUtQ==
- <Package Folder>/databases/JBHVwnacJIL_BEE75voKXNlLHsl3PyRa_Uc0xvfm0lmr6V_cE9GeUtQ==-journal
- <Package Folder>/databases/JBHVwnacJIL_BEE75voKXNlLHsl3PyRa_s534jb9paNI=
- <Package Folder>/databases/JBHVwnacJIL_BEE75voKXNlLHsl3PyRa_s534jb9paNI=-journal
- <Package Folder>/databases/JBHVwnacJIL_BEE75voKXNlLHsl3PyRa_tccF9kCYkXto83IJQirp4g==
- <Package Folder>/databases/JBHVwnacJIL_BEE75voKXNlLHsl3PyRa_tccF9kCYkXto83IJQirp4g==-journal
- <Package Folder>/databases/JBHVwnacJIL_BEE75voKXNlLHsl3PyRa_z5z9bC_tZwpDO-Im8ZMct7zli7E=
- <Package Folder>/databases/JBHVwnacJIL_BEE75voKXNlLHsl3PyRa_z5z9bC_tZwpDO-Im8ZMct7zli7E=-journal
- <Package Folder>/databases/recordInfo-journal
- <Package Folder>/databases/sy_pay_record-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/-trs5lM4s4IAWIZ1VrToLg==.new
- <Package Folder>/files/####/1496215266917_2099
- <Package Folder>/files/####/1496215266939_2099
- <Package Folder>/files/####/1496215266978_2099
- <Package Folder>/files/####/1496215267121_2099
- <Package Folder>/files/####/1496215288114_2240
- <Package Folder>/files/####/1496215288221_2240
- <Package Folder>/files/####/1496215288316_2240
- <Package Folder>/files/####/1496215304639_2473
- <Package Folder>/files/####/1496215304684_2473
- <Package Folder>/files/####/1496215304792_2473
- <Package Folder>/files/####/419059b8-ab68-4c88-91fe-7d86f2048a83.pic.temp
- <Package Folder>/files/####/52b1f4e9-49f0-410a-8704-d51d4e0492de.pic.temp
- <Package Folder>/files/####/6JtJVPUN-qu_b7IWaAguUesRTq2k8EXj
- <Package Folder>/files/####/6JtJVPUN-qu_b7IWaAguUesRTq2k8EXj.new
- <Package Folder>/files/####/6JtJVPUN-qu_b7IWaAguUesRTq2k8EXj.old (deleted)
- <Package Folder>/files/####/94976291-c72c-4aa6-b615-d908c325cd81.pic.temp
- <Package Folder>/files/####/9yr8LUuxmSmFOjDi-1oXdrWe6GKkOH-G.new
- <Package Folder>/files/####/AZh9Z7jYSYBSRWPcn1dYxEPUdeAE6Agng6PLeA==.new
- <Package Folder>/files/####/C0kyr0QvgoyP8lClPa7jYQ==
- <Package Folder>/files/####/C0kyr0QvgoyP8lClPa7jYQ==.new
- <Package Folder>/files/####/CmUguL02FRNgxrLlniG5IjOShMs=.temp
- <Package Folder>/files/####/EnCBNkj04m81h2doAAoNkw==.new
- <Package Folder>/files/####/Esl-J9z9SSCGvvP_TcMKWDWXdt4=.new
- <Package Folder>/files/####/FvxRMI6VowPPSINsy76_aACjcPStob3L.new
- <Package Folder>/files/####/H61jiOCKUmKuHFu5
- <Package Folder>/files/####/HX5HTv6Dz8BxgxyADFNtaY3QfpJ5zCg1.new
- <Package Folder>/files/####/P7tG4tSzTPaENxatr639DccIkxq5qy3DyJsuieYm0EA=.new
- <Package Folder>/files/####/PWkj1pCvS8P-HhZjaF97CHe5N9s=.temp
- <Package Folder>/files/####/QdSPsIXiPU57zODApCl8cgHXido=.new
- <Package Folder>/files/####/RIVrro3WSb6Gc-gD_w95A_d3anAH87y7.new
- <Package Folder>/files/####/Rxd1skCBZAgRwDMc3mumj_g6P5GcWPJH8tmrwA==.new
- <Package Folder>/files/####/STp6eo7y0NjgxXfpCqvqR7LLbzHsYNWb.new
- <Package Folder>/files/####/V6AYKik_PoDgDozLJSrWbQ==
- <Package Folder>/files/####/Yz1lRNbWk3gj-2A4w4lR-se1vQk=.new
- <Package Folder>/files/####/a6abd638-ca5d-4c39-9b10-4344e90afe7a.pic.temp
- <Package Folder>/files/####/ab8bdddf-0552-48fc-86cc-25ee5f8ec5e5.pic
- <Package Folder>/files/####/d5694e8c-4f27-4277-a97a-64cf287945f9.pic.temp
- <Package Folder>/files/####/de861d58-b19a-44c7-8ff3-3f7de2b8a6f2.pic.temp
- <Package Folder>/files/####/digTHEuTNiRGReOAi3EDp4jmTOOh6jxZ.new
- <Package Folder>/files/####/f3seCn9PvAkozzI_SGrq1G4KxKsQtow-kHqpHZtppmM=.new
- <Package Folder>/files/####/h3HCSgLgd5CF8E3OjpeDxLTzPj9HPCuS2Wfp1LkN31M=.new
- <Package Folder>/files/####/hbipuw_f.zip
- <Package Folder>/files/####/hqvMyl0enmiKAjhpCaloeVC_wpA=
- <Package Folder>/files/####/iot1lQDGybf-dQY1.zip
- <Package Folder>/files/####/k0FGSImhAHuRqoAX2ADIfU1QePg7qr2N7xewdgy_G6k=.new
- <Package Folder>/files/####/ps3IJ0wbiqhlURf7A4ZhzJajzan-1Xn6omVnKA==.new
- <Package Folder>/files/####/r89fNW7N0ReLWmiIdSwCrth0Kw4=.new
- <Package Folder>/files/####/rb_wEK5LCOGRhUtR0-dstQ==
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sxMf88NN7A4Qiysk.new
- <Package Folder>/files/####/wJLsIUUiUY4-bO69yVmFfMcJAOY=
- <Package Folder>/files/####/wbV2pUGHNvxvRXeFDOE_UlVreTRXrHUd.new
- <Package Folder>/files/pay.jar
- <Package Folder>/files/pay.md
- <Package Folder>/files/rdata_comyvznyxpn.new
- <Package Folder>/files/yy.dt
- <Package Folder>/shared_prefs/3db355750bea842d8ee0cece950aa5ecd|account_file.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/TD_app_pefercen_profile.xml
- <Package Folder>/shared_prefs/TD_app_pefercen_profile.xml.bak
- <Package Folder>/shared_prefs/TDpref_game.xml
- <Package Folder>/shared_prefs/TDpref_longtime.xml
- <Package Folder>/shared_prefs/TDpref_longtime3.xml
- <Package Folder>/shared_prefs/TDpref_longtime3.xml.bak
- <Package Folder>/shared_prefs/TDpref_shorttime.xml
- <Package Folder>/shared_prefs/data.xml
- <Package Folder>/shared_prefs/data.xml.bak
- <Package Folder>/shared_prefs/p_config.xml
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/pretw.xml.bak
- <Package Folder>/shared_prefs/sdk.xml
- <Package Folder>/shared_prefs/sy_pay_config.xml
- <Package Folder>/shared_prefs/sy_pay_config.xml.bak
- <Package Folder>/shared_prefs/tdid.xml
- <Package Folder>/shared_prefs/twc.xml
- <Package Folder>/shared_prefs/twc.xml.bak
- <SD-Card>/.armsd/####/32b2bf84-bccd-434e-851e-065b38ba0148.res
- <SD-Card>/.armsd/####/4ab36d93-d1fa-46c0-908a-b303ad56a8ff.res
- <SD-Card>/.armsd/####/53616e43-3527-452a-b52e-0d104b9432e3.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/bea5a196-9c15-4774-b6c4-e2e5b4843ccc.res
- <SD-Card>/.armsd/####/f54519d6-f230-4d70-81a0-6ccd3d5a165b.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.exit
- <SD-Card>/.tcookieid
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/tkddbp_3001_2275.zip
- <SD-Card>/CrashLog/WyyyCrashLog_20170531072128_2240.log
- <SD-Card>/CrashLog/WyyyCrashLog_20170531072139_2387.log
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.abe.abe/code-7773612/EMcNU8J9PR6HRdlP -p com.abe.abe -c com.yvzn.yxpn.bwcqug.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- /data/data/com.abe.abe/code-9606966/EMcNU8J9PR6HRdlP -p com.abe.abe -c com.yvzn.yxpn.bwcqug.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- <error:2>
- cat /proc/version
- cat /sys/block/mmcblk0/device/cid
- getprop
- sh <Package Folder>/code-7773612/EMcNU8J9PR6HRdlP -p <Package> -c com.yvzn.yxpn.bwcqug.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/code-9606966/EMcNU8J9PR6HRdlP -p <Package> -c com.yvzn.yxpn.bwcqug.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
