Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.247.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 1####.####.195
- 1####.####.197
- 1####.####.197:8080
- 6####.####.140
- 7j####.####.com
- 7x####.####.com
- a####.####.com
- boo####.####.cn
- c-h####.####.com
- i####.####.cn
- i####.####.com
- l####.####.com
- q####.####.com
- s####.####.com
- w####.####.com
Запросы HTTP GET:
- 1####.####.195/pubres/picture/bookshelfnotice/1500970089991-xiaocunyi.jpg
- 1####.####.197/pubres/downloadzipv1/1x1/11x0/110x0/11000028082/1-4685430...
- 1####.####.197:8080/pubres/downloadzipv1/1x1/11x0/110x0/11000072225/1-10...
- 6####.####.140/ando/i/mon?k=####&d=####
- 7j####.####.com/tdata_oGK676
- 7x####.####.com/zip/payjar_-1_20170720105809.zip
- boo####.####.cn/cppartner/1x1/11x0/110x0/11000000393/11000000393.jpg
- i####.####.cn/iplookup/iplookup.php?format=####&aaa_flag=####
- i####.####.com/ando-res/ads/3/2/eff3c843-7d88-43f5-8d7e-c94c4a29226a/e1c...
- s####.####.com/config/hz-hzv3.conf
- w####.####.com/r/p/myspacedata.jsp?vt=####&aaa_flag=####
Запросы HTTP POST:
- a####.####.com/app_logs
- a####.####.com/asg/portal.do
- c-h####.####.com/api.php?format=####&t=####
- l####.####.com/asg/portal.do
- l####.####.com/sdk.php
- q####.####.com/72c6d4bf524bed92/9f21011?d=####&v=####
- s####.####.com/api.php?format=####&t=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/code-6579385/wQWPG1MVGlM9e5CX
- <Package Folder>/databases/N4DLKQSF-Y6GYi0-z51oBoIaQKvm7_4bLPSIHA==_0Nuo6z13LlVUBnSRYZoKyw==
- <Package Folder>/databases/N4DLKQSF-Y6GYi0-z51oBoIaQKvm7_4bLPSIHA==_0Nuo6z13LlVUBnSRYZoKyw==-journal
- <Package Folder>/databases/N4DLKQSF-Y6GYi0-z51oBoIaQKvm7_4bLPSIHA==_8Tvar9ZJ4MvPAfpuoZf3OfyMyXI=
- <Package Folder>/databases/N4DLKQSF-Y6GYi0-z51oBoIaQKvm7_4bLPSIHA==_8Tvar9ZJ4MvPAfpuoZf3OfyMyXI=-journal
- <Package Folder>/databases/N4DLKQSF-Y6GYi0-z51oBoIaQKvm7_4bLPSIHA==_AQdS-_X74cA=-journal
- <Package Folder>/databases/N4DLKQSF-Y6GYi0-z51oBoIaQKvm7_4bLPSIHA==_FBkO88pgmhRME9n1
- <Package Folder>/databases/N4DLKQSF-Y6GYi0-z51oBoIaQKvm7_4bLPSIHA==_FBkO88pgmhRME9n1-journal
- <Package Folder>/databases/N4DLKQSF-Y6GYi0-z51oBoIaQKvm7_4bLPSIHA==_UEM19RW1QToe0VUP-aQzmA==
- <Package Folder>/databases/N4DLKQSF-Y6GYi0-z51oBoIaQKvm7_4bLPSIHA==_UEM19RW1QToe0VUP-aQzmA==-journal
- <Package Folder>/databases/ishugui.db-journal
- <Package Folder>/databases/msp.db
- <Package Folder>/databases/msp.db-journal
- <Package Folder>/databases/pushext.db-journal
- <Package Folder>/databases/pushg.db-journal
- <Package Folder>/databases/pushsdk.db-journal
- <Package Folder>/databases/tmpd8.db-journal
- <Package Folder>/files/####/1BX31iPeHxPu8LMvR3R2u2QJPBM=
- <Package Folder>/files/####/1f63b140-84c4-4875-b1a4-8c1f346bca8e.pic.temp
- <Package Folder>/files/####/27547537-4c0f-4e74-977d-af6e3c8c780d.pic.temp
- <Package Folder>/files/####/283dc3da-361c-4e17-bd53-42355173585a.pic
- <Package Folder>/files/####/59b0f569-6acd-42ca-ba0f-3428e2604853.pic.temp
- <Package Folder>/files/####/5a67i34z3ieX3KznZ3nSMiVpuz8=
- <Package Folder>/files/####/5sjr3_wsrq0vBr4tDtf5XJv7m5HIr_kuJX_r9yRsd9Q=.new
- <Package Folder>/files/####/6952c5e8-d6c1-4c00-a014-43d36215cffe.pic.temp
- <Package Folder>/files/####/6rSyLrv6CdjXDsrXzfcNsY3LHnyzPrNO.new
- <Package Folder>/files/####/79cb18f4-3d0e-49ac-978d-3351fab43a57.pic.temp
- <Package Folder>/files/####/89NrHCkka1cFimVP4BkTcg==
- <Package Folder>/files/####/AEcywvKvb_UdewAbM_thPoK7yTCA7GfC
- <Package Folder>/files/####/AEcywvKvb_UdewAbM_thPoK7yTCA7GfC.new
- <Package Folder>/files/####/AEcywvKvb_UdewAbM_thPoK7yTCA7GfC.old (deleted)
- <Package Folder>/files/####/BgA3ejeV_mSBg8le_kRSuw==
- <Package Folder>/files/####/CNoFtLlc59M4JJMaPLlFQ3bAOw36U4QIyE07unQOaiA=.new
- <Package Folder>/files/####/EZJ8OtuBdxkgLHSl0dQVYg==
- <Package Folder>/files/####/EiOVkoS0zZ5JsBCS.new
- <Package Folder>/files/####/EoW_uP1oIkh8m8VIGONyGg==
- <Package Folder>/files/####/EoW_uP1oIkh8m8VIGONyGg==.new
- <Package Folder>/files/####/G4vv_qjFLOVCE1364bpqroSTQla5ayVl.new
- <Package Folder>/files/####/IQsgTR8KpXz6n77iRTK6mxy__eA=.new
- <Package Folder>/files/####/MI5pLCjoxAQHXyUX.zip
- <Package Folder>/files/####/M_EwqhbPd45C5BAJ5fen-QJM6HoSKVA9.new
- <Package Folder>/files/####/PsWHbZRS0gtG5ePk5Jqy8paI5pVAC_DmRd4A04PW1fw=.new
- <Package Folder>/files/####/RESoJBSSYeuOi0UfzRFC3i-CVXOh8fdt.new
- <Package Folder>/files/####/Sxqy3MqSril2jzKh4tKUSHBYP5O8IweeTOROkQ==.new
- <Package Folder>/files/####/TiC4Ej8LGOO5ivqL5bNLfo0UAgs=.new
- <Package Folder>/files/####/WFlkcdUWWbrbk854uUPzQ7wVZGPMZbBIhsjR5Q==.new
- <Package Folder>/files/####/WJhQZ6BuEOP6oVUD
- <Package Folder>/files/####/bf73b315-6b98-47a0-8a34-c0083dff376c.pic.temp
- <Package Folder>/files/####/cc88b610-9d50-4e32-afb6-4cf80dd5e710.pic
- <Package Folder>/files/####/fQHOQhZyD8cGi-XzCXFO2ZRbO1aXg8LP.new
- <Package Folder>/files/####/firll.dat
- <Package Folder>/files/####/gal.db
- <Package Folder>/files/####/gal.db-journal
- <Package Folder>/files/####/lOmeK2dnvwUC8IaseKXqWKu8oJ0X1QEp.new
- <Package Folder>/files/####/ofl.config
- <Package Folder>/files/####/ofl_location.db
- <Package Folder>/files/####/ofl_location.db-journal
- <Package Folder>/files/####/ofl_statistics.db
- <Package Folder>/files/####/ofl_statistics.db-journal
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/smQMP0aNRERIHHQ8MyKeeGSFIX-TEZ78OwZ_0g==.new
- <Package Folder>/files/####/tbvyvw_f.zip
- <Package Folder>/files/####/u1cyO-lTAk6xJDLMwUmVuA==.new
- <Package Folder>/files/####/uNdXaHmzNcZ8mr1n9stoFtKckgo=.new
- <Package Folder>/files/####/upSRkU_4rhNfjCEJyyEGOOuCQy24OsQ5Nl0NcIbRwJY=.new
- <Package Folder>/files/####/xrIQldeJ61eD_D3OHRL21OojW0xJJ9-A.new
- <Package Folder>/files/####/zjvXSu5HhZl6q2iUMzwclxmrfdo=.new
- <Package Folder>/files/.imprint
- <Package Folder>/files/gdaemon_20161017
- <Package Folder>/files/init.pid
- <Package Folder>/files/init_c1.pid
- <Package Folder>/files/libcuid.so
- <Package Folder>/files/mobclick_agent_cached_<Package>1010508
- <Package Folder>/files/push.pid
- <Package Folder>/files/rdata_comdzonvnewzd
- <Package Folder>/files/rdata_comdzonvnewzd.new
- <Package Folder>/files/run.pid
- <Package Folder>/files/tdata_Pbw496
- <Package Folder>/files/tdata_Pbw496.jar
- <Package Folder>/files/tdata_oGK676
- <Package Folder>/files/tdata_oGK676.jar
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml (deleted)
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak (deleted)
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/Cookies<IMSI>.xml
- <Package Folder>/shared_prefs/authStatus_<Package>;remote.xml
- <Package Folder>/shared_prefs/conf_sp_name.xml
- <Package Folder>/shared_prefs/ishugui.shareInfo.xml
- <Package Folder>/shared_prefs/ishugui.shareInfo.xml.bak
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/patch_server_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/tinker_server/72c6d4bf524bed92_version.info
- <Package Folder>/tinker_server/version.lock
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/6fb75076-f10a-4390-80f7-36cc40e1b5d2.res
- <SD-Card>/.armsd/####/866399a1-d0ef-4d79-a526-fff3cb80e2b8.res
- <SD-Card>/.armsd/####/953bf682-bf11-4035-944f-47a746d2be6d.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/aa086930-6d21-488b-8076-c4a24b6d537d.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.ishugui/####/1-10082337_11000072225.zip (deleted)
- <SD-Card>/.ishugui/####/1-4685430_11000028082.zip (deleted)
- <SD-Card>/.ishugui/####/10082337.kf
- <SD-Card>/.ishugui/####/10082338.kf
- <SD-Card>/.ishugui/####/10082339.kf
- <SD-Card>/.ishugui/####/10082340.kf
- <SD-Card>/.ishugui/####/10082341.kf
- <SD-Card>/.ishugui/####/10082342.kf
- <SD-Card>/.ishugui/####/1496212852757.tmp
- <SD-Card>/.ishugui/####/1496212856604.tmp
- <SD-Card>/.ishugui/####/1496212865892.tmp
- <SD-Card>/.ishugui/####/1496212881493.tmp
- <SD-Card>/.ishugui/####/1496212884195.tmp
- <SD-Card>/.ishugui/####/1rbqv03tb0i71m9k0hcjz04u6
- <SD-Card>/.ishugui/####/1y60ruv6feiedlh6fb6wg7wzd
- <SD-Card>/.ishugui/####/2-10082338-10082339_11000072225.zip (deleted)
- <SD-Card>/.ishugui/####/224gz2brgyj3icy92mz79hlhv
- <SD-Card>/.ishugui/####/3-10082340-10082342_11000072225.zip (deleted)
- <SD-Card>/.ishugui/####/3d6xlo9fh65bdal0505q3qr8l
- <SD-Card>/.ishugui/####/3hbsdube08rwer7ectg8qen3m
- <SD-Card>/.ishugui/####/4-4685431-4685434_11000028082.zip (deleted)
- <SD-Card>/.ishugui/####/43ywg5ksj4d0f1jqc0qhn6taf
- <SD-Card>/.ishugui/####/4685430.kf
- <SD-Card>/.ishugui/####/4685431.kf
- <SD-Card>/.ishugui/####/4685432.kf
- <SD-Card>/.ishugui/####/4685433.kf
- <SD-Card>/.ishugui/####/4685434.kf
- <SD-Card>/.ishugui/####/4nw0v4u2s5fcv0xo9quryhiqj
- <SD-Card>/.ishugui/####/4xh9shomixhzzg10oso3byx7l
- <SD-Card>/.ishugui/####/4xhb8bw3gxt3k0jlmc9rf9sqd
- <SD-Card>/.ishugui/####/56r1unbzdtwt0nua8midid1oc
- <SD-Card>/.ishugui/####/5bvxbowxdspk8o5j11azs6c3c
- <SD-Card>/.ishugui/####/5tm58fdqmp4aeyhc7x1z0z9m5
- <SD-Card>/.ishugui/####/5v7uoggnjb6eljsqb9dfm7ukk
- <SD-Card>/.ishugui/####/6thcp7gskc3bfj8b3rwd7ppt1
- <SD-Card>/.ishugui/####/6ylwd4td8a9t9pz2sxj5184u
- <SD-Card>/.ishugui/####/8jznu1wremlujme9pap6d0u0
- <SD-Card>/.ishugui/####/fcgf8cazgilglyh5trmhmz3
- <SD-Card>/.ishugui/payerr.txt
- <SD-Card>/.system/####/factory.dzt
- <SD-Card>/.system/####/paydex.dzlib.temp
- <SD-Card>/.system/####/visen.conf.mark
- <SD-Card>/.system/####/visen.conf.out.temp
- <SD-Card>/backups/####/.cuid
- <SD-Card>/backups/####/.cuid2
- <SD-Card>/baidu/####/conlts.dat
- <SD-Card>/baidu/####/ls.db
- <SD-Card>/baidu/####/ls.db-journal
- <SD-Card>/baidu/####/yoh.dat
- <SD-Card>/baidu/####/yol.dat
- <SD-Card>/baidu/####/yom.dat
- <SD-Card>/libs/<Package>.db
- <SD-Card>/libs/app.db
- <SD-Card>/libs/com.getui.sdk.deviceId.db
- <SD-Card>/libs/com.igexin.sdk.deviceId.db
- <SD-Card>/system/####/tdata_Pbw496
- <SD-Card>/system/####/tdata_oGK676
- <SD-Card>/test.0
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.aikan/code-6579385/wQWPG1MVGlM9e5CX -p com.aikan -c com.dzon.vnewzd.vwbhvg.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- /data/data/com.aikan/files/gdaemon_20161017 0 com.aikan/com.igexin.sdk.PushService 23881 300 0
- <dexopt>
- chmod 700 /data/data/com.aikan/files/gdaemon_20161017
- chmod 700 <Package Folder>/files/gdaemon_20161017
- sh <Package Folder>/code-6579385/wQWPG1MVGlM9e5CX -p <Package> -c com.dzon.vnewzd.vwbhvg.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 23881 300 0
Может автоматически отправлять СМС-сообщения.
