Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.247.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 1####.####.1
- 1####.####.1:8088
- 6####.####.140
- a####.####.com
- i####.####.com
- l####.####.com
- mo####.####.com
- res####.####.com
Запросы HTTP GET:
- 6####.####.140/ando/i/mon?k=####&d=####
- i####.####.com/ando-res/ads/20/1/d0a0a034-c410-458b-8a8f-78a09ae731b8/05...
- mo####.####.com/ads/pa/8/__pasys_remote_banner.php?bdr=####&os=####&v=##...
- res####.####.com/v3/ip?key=####
Запросы HTTP POST:
- 1####.####.1/sdkserver/v2/updateSdk
- 1####.####.1:8088/sdkserver/v2/addSdk
- a####.####.com/app_logs
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- /data/system/####/wallpaper
- <Package Folder>/app_baidu_ad_sdk/__xadsdk__remote__final__builtin__.jar
- <Package Folder>/app_baidu_ad_sdk/__xadsdk__remote__final__e4cf6d82-f1a2-4bae-8df2-9187ca9615f9.jar
- <Package Folder>/app_database/####/http_mobads.baidu.com_0.localstorage-journal
- <Package Folder>/app_database/####/http_mobads.baidu.com_0.localstorage-journal (deleted)
- <Package Folder>/app_database/ApplicationCache.db-journal (deleted)
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/index
- <Package Folder>/code-7198189/dr0q7IILLMqiKfrN
- <Package Folder>/databases/WRz_ZRtsZMyPKVSDCNJpHvj4u1x-y5XRm2_1dQ==_2V3OOWT53ZlUApHp
- <Package Folder>/databases/WRz_ZRtsZMyPKVSDCNJpHvj4u1x-y5XRm2_1dQ==_2V3OOWT53ZlUApHp-journal
- <Package Folder>/databases/WRz_ZRtsZMyPKVSDCNJpHvj4u1x-y5XRm2_1dQ==_I_gFWOOZ9RckeKqv1EQKSA==
- <Package Folder>/databases/WRz_ZRtsZMyPKVSDCNJpHvj4u1x-y5XRm2_1dQ==_I_gFWOOZ9RckeKqv1EQKSA==-journal
- <Package Folder>/databases/WRz_ZRtsZMyPKVSDCNJpHvj4u1x-y5XRm2_1dQ==_KEyHEWcV7hI6ex4lFapCjQ==
- <Package Folder>/databases/WRz_ZRtsZMyPKVSDCNJpHvj4u1x-y5XRm2_1dQ==_KEyHEWcV7hI6ex4lFapCjQ==-journal
- <Package Folder>/databases/WRz_ZRtsZMyPKVSDCNJpHvj4u1x-y5XRm2_1dQ==_MoBYgDo0xR4=-journal
- <Package Folder>/databases/WRz_ZRtsZMyPKVSDCNJpHvj4u1x-y5XRm2_1dQ==_dBbFlKEtRHZwkf4WGTcec1mLY60=
- <Package Folder>/databases/WRz_ZRtsZMyPKVSDCNJpHvj4u1x-y5XRm2_1dQ==_dBbFlKEtRHZwkf4WGTcec1mLY60=-journal
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal (deleted)
- <Package Folder>/files/####/0515ef81-1a2e-4f88-abd3-a0247ce35f2b.pic.temp
- <Package Folder>/files/####/0f84f78a-c6e4-4d35-aed6-68f61fec9065.pic.temp
- <Package Folder>/files/####/29ef3f2d-5ba8-46c7-b852-e670d7fed119.pic
- <Package Folder>/files/####/3xW0tY-rvwqImvbS8qSlW9doM5Q=.new
- <Package Folder>/files/####/80154d78-5566-4858-8b86-f3996322df98.pic.temp
- <Package Folder>/files/####/8u5iGP9h0unz6Q21k8dMlbnPg5OQh5Tq.new
- <Package Folder>/files/####/Akce6Ee2OKRzwvk2jF4FseuVzlbiZo3S.new
- <Package Folder>/files/####/D1OiPzmdJbjuhsn8.zip
- <Package Folder>/files/####/ExMNx8S-4KKYlWuZZMtgJHbhtAnv6EWDX4fEAw==.new
- <Package Folder>/files/####/GWfKm6tARoWDUlnECaqAoA81H0UOzSOZ4DQExvq2AnA=.new
- <Package Folder>/files/####/GmSkmBancGWbRab4.new
- <Package Folder>/files/####/JitVFw-mjrKPlCe2JiHEsslUyTgUicHZ.new
- <Package Folder>/files/####/K-Bs5aXfjEn-T8WDc2FP-Bd82XhhK2gu.new
- <Package Folder>/files/####/N5V9__0LOS7L-DSZ7f4jTe8Cnr7EtUVgItQdMg==.new
- <Package Folder>/files/####/QEb00Y0-GJk468lO9Dpvfw==
- <Package Folder>/files/####/QvrPsDbLfes37LuHpvt9fBghDzjRZ8YbSV_du18tSp8=.new
- <Package Folder>/files/####/W8wRKwya1PpcIdUOa6aDlg==
- <Package Folder>/files/####/W8wRKwya1PpcIdUOa6aDlg==.new
- <Package Folder>/files/####/W8wRKwya1PpcIdUOa6aDlg==.old (deleted)
- <Package Folder>/files/####/YGkH5T5GsNRwmq4tkhAQx-yO-_E=.new
- <Package Folder>/files/####/_U1hgbpo6n-zkCfD9pqJKzxkxf7xLlGt.new
- <Package Folder>/files/####/a12929d0-7b30-4545-943c-6b48cee09a78.pic.temp
- <Package Folder>/files/####/a7v3EXi-l-9X3_pwGQzLN7j4eelnkaaDlfoHIg==.new
- <Package Folder>/files/####/b49e4abb-e8aa-46d8-bb26-1c7008d18454.pic.temp
- <Package Folder>/files/####/be177c40-b7af-404f-b4c9-e17deacb4b2d.pic.temp
- <Package Folder>/files/####/e89992a3-6eed-4663-a4ed-05e2db2a9866.pic
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/fv3SkcOvC8YW4VrPo03NFTEV0et_sRxgxmWdsAu6Cbo=.new
- <Package Folder>/files/####/hurbuw_f.zip
- <Package Folder>/files/####/ito5MPc1uAGdwV_o
- <Package Folder>/files/####/kH5ubzJgCqpMDpRsA-Lt0gaE--jpkvrN.new
- <Package Folder>/files/####/qFiM2Tl8HZuY_MTaOEpof9avTdjzSBm-.new
- <Package Folder>/files/####/r9pcwD3sF4CdJaIqqV9vINMMaTxTqmOo.new
- <Package Folder>/files/####/rU5qhgiJjk7Ovwx8-r60Qg==.new
- <Package Folder>/files/####/rilg5bJk6nB8iwNXewDG_PWactBJXEcp0NzYyF7IypA=.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/t9gIeXpAfyxZSuXzb4gvyWFcV5w=
- <Package Folder>/files/####/u9CMqncNZTowXcQGUCjbjbT7m98=.new
- <Package Folder>/files/####/vlpLyzry8gX7iZ7mFCm4yKsU0qs=.new
- <Package Folder>/files/####/x4IgO2Gv2yVAYhwCLwKntw==
- <Package Folder>/files/####/xzG35nqzX3QV5ShSovBnCw==.new
- <Package Folder>/files/####/zGPMgjKzGvgk5TGohal_oHnhnhg=
- <Package Folder>/files/exid.dat
- <Package Folder>/files/patch.jar
- <Package Folder>/files/rdata_comgithubclient.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/__x_adsdk_agent_header__.xml
- <Package Folder>/shared_prefs/__xadsdk_downloaded__version__.xml
- <Package Folder>/shared_prefs/com.baidu.mobads.loader.xml
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/share_data.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/wallpaper_prefs.xml
- <SD-Card>/.armsd/####/19dab34f-56a8-4b39-82a7-11d7e77764de.res
- <SD-Card>/.armsd/####/3fc8f4b5-6f9b-4292-82bf-c225f708f076.res
- <SD-Card>/.armsd/####/4b592265-f3c3-4979-ae7c-bece99a3c2c4.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/5b6b353f-5f49-4087-8fba-62d35177a42f.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.bwlb.zwdzjsyi/code-7198189/dr0q7IILLMqiKfrN -p com.bwlb.zwdzjsyi -c com.github.client.blfeug.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- sh <Package Folder>/code-7198189/dr0q7IILLMqiKfrN -p <Package> -c com.github.client.blfeug.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
