Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Mixi.16.origin
- Android.Mixi.21.origin
- Android.Triada.247.origin
- Android.Triada.248.origin
- Android.Triada.308.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony)
Сетевая активность:
Подключается к:
- 0####.####.com
- 1####.####.197
- 1####.####.204
- 1####.####.204:88
- 1####.####.21
- 6####.####.140
- a####.####.com
- g####.####.com
- i####.####.cn
- i####.####.com
- l####.####.com
- m####.####.com
- m####.####.com:81
- n####.####.com:10091
- product####.####.cn
- s####.####.com
- t####.####.com
- tou####.####.com
- tr####.####.com
- z####.####.com
Запросы HTTP GET:
- 0####.####.com/mobile/20170729/20170729093828_377d9409ae74656250ed372ca1...
- 6####.####.140/ando/i/mon?k=####&d=####
- g####.####.com/cr/sv/crn?m5=####&nm=####
- g####.####.com/cr/sv/getGoFile?name=####
- i####.####.cn/iplookup/iplookup.php?format=####
- i####.####.com/ando-res/ads/0/9/837ec120-ccf8-4ad0-b6fd-1303ff645eca/773...
- m####.####.com/mobile/20170727/20170727_49d0fac200bd0a9ee867fc493f984c88...
- product####.####.cn/dex20170629125532.jar
- s####.####.com/web/ng/201705/280/c/icon.png
- t####.####.com/dhbfebfhveheuugbfhnqu.js
- tou####.####.com/?qid=####
- z####.####.com/img/20151208/193208/closeimg_20151208193203.png
Запросы HTTP POST:
- 1####.####.197/main/content/upd.php
- 1####.####.204/game/centerbanner2.do?ver=####
- 1####.####.204:88/game/open.do
- 1####.####.21/main/form/rg.php
- a####.####.com/app_logs
- l####.####.com/sdk.php
- m####.####.com/hladserver/api/1
- m####.####.com:81/hladserver/api/1
- n####.####.com:10091/opaService/link
- tr####.####.com/update.xxdd
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.shell_ass/####/libopalink.so_32
- <Package Folder>/.shell_ass/####/libopalink.so_64
- <Package Folder>/.shell_ass/libopalink.so
- <Package Folder>/.shell_ass/opa_link.jar
- <Package Folder>/.shell_ass/stupid
- <Package Folder>/.shell_ass/stupid.zip
- <Package Folder>/app_baidu/xpodg
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/f_000021
- <Package Folder>/cache/####/f_000022
- <Package Folder>/cache/####/f_000023
- <Package Folder>/cache/####/f_000024
- <Package Folder>/cache/####/f_000025
- <Package Folder>/cache/####/f_000026
- <Package Folder>/cache/####/f_000027
- <Package Folder>/cache/####/index
- <Package Folder>/cache/539c78f43cb06f3fb6e40c313d06973a.jar
- <Package Folder>/code-9164892/sAFOqKqQPw7r4VQX
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW__0JciGAhucG7itJ4-MhUcR9Qeto=
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW__0JciGAhucG7itJ4-MhUcR9Qeto=-journal
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_gjADvICN86M=-journal
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_mAGODyoC6-muhCvvHQZfdQ==
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_mAGODyoC6-muhCvvHQZfdQ==-journal
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_pD34mu1Tl1iXxxeBmA_UpA==
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_pD34mu1Tl1iXxxeBmA_UpA==-journal
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_x-hgf5rn6iuV7ySL
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_x-hgf5rn6iuV7ySL-journal
- <Package Folder>/databases/twsdk.db-journal
- <Package Folder>/databases/vastpaydb
- <Package Folder>/databases/vastpaydb-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/-VtemiOkZjnYoHePaofurU7oZS4293_zxt2lg8U3bw0=.new
- <Package Folder>/files/####/0783ead4-100f-4e52-b8e8-4179ef3521df.pic
- <Package Folder>/files/####/0As_3p7iY99nXELsIKfIt5pWFMU=
- <Package Folder>/files/####/0RrYTpAhc-3sRKH6qaM35kVBvFM=.new
- <Package Folder>/files/####/0b66e9f3-d70d-41dd-8928-7b6b524052e5.pic.temp
- <Package Folder>/files/####/18110b32-0de7-49d6-bad5-38a42bc9f659.pic.temp
- <Package Folder>/files/####/1nxc0Qe-yGVQ3MtQ3vMNuEKAXnDmEzI7oBowog==.new
- <Package Folder>/files/####/2c01b5a1-1f2d-4133-955a-7603abebed3f.pic.temp
- <Package Folder>/files/####/3sR2d4Ss3gP3-sm6zwWSGIVKcroTi1IXypKEsA==
- <Package Folder>/files/####/3sR2d4Ss3gP3-sm6zwWSGIVKcroTi1IXypKEsA==.new
- <Package Folder>/files/####/5topline2<System Property>46
- <Package Folder>/files/####/67c483f0-32f1-4351-81da-c4846d3205c3.pic
- <Package Folder>/files/####/8dd0c292-2260-4f42-86cb-0ed874d88538.pic.temp
- <Package Folder>/files/####/8e5beaa6-a905-4542-b434-245f77826244.pic.temp
- <Package Folder>/files/####/9OfcBKqjVN_imyZOMWvahw==
- <Package Folder>/files/####/9OfcBKqjVN_imyZOMWvahw==.new
- <Package Folder>/files/####/<Package>12<System Property>2
- <Package Folder>/files/####/AwvrUn9758eYWugmiquQzA==.new
- <Package Folder>/files/####/By6Ob_lrGKVgo1wyBsxiNg==
- <Package Folder>/files/####/D9z933wPvC1dUe6FQG49XqARpCUMx06s.new
- <Package Folder>/files/####/FP6ULURJ9IAK-LxzY-FeyRG0H2UrqLPE.new
- <Package Folder>/files/####/PJ_Tznq7MbPLqBYc7g_TSWhMgvZSsRAt.new
- <Package Folder>/files/####/RAR_Ey_C59nYJQkpo7SlNelIrCc=.new
- <Package Folder>/files/####/TgdkmLB7zaJ_osx3bqGgbQHQVokL7QMK
- <Package Folder>/files/####/TgdkmLB7zaJ_osx3bqGgbQHQVokL7QMK.new
- <Package Folder>/files/####/Z4f68PXJ9MK4LSMu0N6uB04F4c0=.new
- <Package Folder>/files/####/boE4qYyFlpiYNEAIhsDBQ4y_xDM=.new
- <Package Folder>/files/####/d2akSdnoxAF_lR6-D5e86zl0s3wogsur.new
- <Package Folder>/files/####/f870b044-b159-4464-b9a0-f70d1faa671c.pic.temp
- <Package Folder>/files/####/fY7iVKAAlsSwKtNhjoZ_flDRmbNAT_ZRvKYfH7qUg8w=.new
- <Package Folder>/files/####/gJzutbJQrNqVAtSh6uApmlmhhMebd6fj
- <Package Folder>/files/####/gJzutbJQrNqVAtSh6uApmlmhhMebd6fj.new
- <Package Folder>/files/####/gJzutbJQrNqVAtSh6uApmlmhhMebd6fj.old (deleted)
- <Package Folder>/files/####/grfua_f.zip
- <Package Folder>/files/####/hydLj8eufs4I3XAhx5HOjJcLzRU=
- <Package Folder>/files/####/hzq6UOHE3CsdhmayGhdRd1RrNFrYRZzl.new
- <Package Folder>/files/####/i9f1earUnIvr07E7TEfb4g==
- <Package Folder>/files/####/kmIIaPTHo54OZSjG.zip
- <Package Folder>/files/####/ntmp20972166
- <Package Folder>/files/####/pAvi9H-w9_eAKgzKpCXB-tBnWB7dG-BsoQzxzG_i8n4=.new
- <Package Folder>/files/####/qoJIFT2_TXBO6Qx8G_dLDw==
- <Package Folder>/files/####/qoJIFT2_TXBO6Qx8G_dLDw==.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/uuU8FbOmXKuQkLLXcRoFEBfapUbjEPm1.new
- <Package Folder>/files/####/v05p8ioE2gJZGBGS
- <Package Folder>/files/####/wEz7hafl3V8aX23lW0BL_6o-vrm0_CNVO2P1xvrPD4A=.new
- <Package Folder>/files/####/y7OhqIUxOhmkC53E.new
- <Package Folder>/files/####/zhsysgdi.jar
- <Package Folder>/files/####/zjLt-x0NTsleMdcc4hdiEtliOZGKAFscB-T_9Q==
- <Package Folder>/files/.imprint
- <Package Folder>/files/1501143593663_dyV17041701Dj1so32.so
- <Package Folder>/files/<System Property>112.jar
- <Package Folder>/files/adeyimrg.so
- <Package Folder>/files/analys.conf
- <Package Folder>/files/hftJcw46N.jar
- <Package Folder>/files/lkqw.png
- <Package Folder>/files/rdata_comdkljeoik.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak (deleted)
- <Package Folder>/shared_prefs/WebViewSettings.xml
- <Package Folder>/shared_prefs/agchk.xml
- <Package Folder>/shared_prefs/cuf_config.xml
- <Package Folder>/shared_prefs/hlcsdpf.xml
- <Package Folder>/shared_prefs/hlcsdpf.xml.bak
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/userData.xml
- <Package Folder>/shared_prefs/userData.xml.bak
- <SD-Card>/.android/51e67b93ded9b0925aecdc0e997688a4.apk.tmp
- <SD-Card>/.android/68654815
- <SD-Card>/.android/68654815 (deleted)
- <SD-Card>/.android/9c1afb12baebab3669032b62e5e28738.apk.tmp
- <SD-Card>/.android/close.png
- <SD-Card>/.android/dev.txt
- <SD-Card>/.android/fatpot.png
- <SD-Card>/.android/sign.info
- <SD-Card>/.android/thinpot.png
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/7cd31acf-9767-4bcc-abe0-3fa748ea7a95.res
- <SD-Card>/.armsd/####/9a3205e5-8f9b-489b-9f4f-25d3420982e1.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/fd88456a-7b8e-4c8d-a856-5727fd2ecf77.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.mkcong
- <SD-Card>/6251d7c7539bc49d4dbccd26778ee74b.jar
- <SD-Card>/<Package>/analys.conf
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/ImgCach/30b268ffdec1efa2f9f8d1a84275bd62.cach
- <SD-Card>/ImgCach/4b42f717e833f2b4849e042a4ef1ff9c.cach
- <SD-Card>/ImgCach/64f683b3d456f7b058d1f50241bde0df.cach
- <SD-Card>/ImgCach/69988bab8ff69a136cdbfac0efd57b5e.cach
- <SD-Card>/ImgCach/7a67a91fb4ce7dcbac41522eedf8abc8.cach
- <SD-Card>/ImgCach/c4a66c8c410aa727ba479482c6fa15df.cach
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.everyday.topline/app_baidu/xpodg -p com.everyday.topline -r am start --user 0 -n com.everyday.topline/ycim.nkbl -a ycim.nkbl -i 2097
- /data/data/com.everyday.topline/app_baidu/xpodg -p com.everyday.topline -r am start --user 0 -n com.everyday.topline/ycim.nkbl -a ycim.nkbl -i 2134
- /data/data/com.everyday.topline/code-9164892/sAFOqKqQPw7r4VQX -p com.everyday.topline -c com.dklj.eoik.affauq.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- /data/data/com.everyday.topline/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h badd491786664b899f904c02bc33f639 /data/data/com.everyday.topline/.syslib-
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- cat /proc/version
- cat /sys/class/net/wlan0/address
- chmod 0771 /data/data/com.everyday.topline/.syslib-
- chmod 0771 <Package Folder>/.syslib-
- chmod 777 /data/data/com.everyday.topline/app_baidu/xpodg
- chmod 777 <Package Folder>/app_baidu/xpodg
- getenforce
- getprop
- getprop ro.board.platform
- getprop ro.product.cpu.abi
- rm -f <Package Folder>/files/hftJcw46N.dex
- rm -f <Package Folder>/files/hftJcw46N.jar
- rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- rm <Package Folder>/files/hftJcw46N.dex
- rm <Package Folder>/files/hftJcw46N.jar
- rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh <Package Folder>/app_baidu/xpodg -p <Package> -r am start --user 0 -n <Package>/ycim.nkbl -a ycim.nkbl -i 2097
- sh <Package Folder>/app_baidu/xpodg -p <Package> -r am start --user 0 -n <Package>/ycim.nkbl -a ycim.nkbl -i 2134
- sh <Package Folder>/code-9164892/sAFOqKqQPw7r4VQX -p <Package> -c com.dklj.eoik.affauq.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h badd491786664b899f904c02bc33f639 <Package Folder>/.syslib-
Загружает динамические библиотеки:
- 1501143593663_dyV17041701Dj1so32
- adeyimrg
- libopalink
Использует следующие алгоритмы для шифрования данных:
- DES
- DES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CFB-NoPadding
- DES
- DES-CBC-PKCS5Padding
Осуществляет доступ к информации о геолокации
Осуществляет доступ к информации о сети
Осуществляет доступ к информации о телефоне (номер, imei и тд.)
Осуществляет доступ к информации об установленных приложениях
Осуществляет доступ к информации о запущенных приложениях
Добавляет задания в системный планировщик
Отрисовывает собственные окна поверх других приложений
Осуществляет доступ к информации о входящих/исходящих звонках
Осуществляет доступ к информации об отправленых/принятых смс
