Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.589.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony)
Сетевая активность:
Подключается к:
- 1####.####.67
- c####.####.org
- c####.####.top
- che####.####.biz
Запросы HTTP GET:
- c####.####.org/strategy/loss_4.3
- c####.####.top/upload/201705/22/img/20170522095522738.png
- c####.####.top/upload/201707/28/app/20170728165452512.apk
- che####.####.biz/Version.txt
Запросы HTTP POST:
- 1####.####.67/log/interface.html
Изменения в файловой системе:
Создает следующие файлы:
- /data/dalvik-cache/data@app@<Package>-1.apk@classes.dex
- <Package Folder>/app_0999e8ff-d756-4060-96f3-c9054b65ce3f/Matrix
- <Package Folder>/app_0999e8ff-d756-4060-96f3-c9054b65ce3f/ddexe
- <Package Folder>/app_0999e8ff-d756-4060-96f3-c9054b65ce3f/debuggerd
- <Package Folder>/app_0999e8ff-d756-4060-96f3-c9054b65ce3f/fileWork
- <Package Folder>/app_0999e8ff-d756-4060-96f3-c9054b65ce3f/install-recovery.sh
- <Package Folder>/app_0999e8ff-d756-4060-96f3-c9054b65ce3f/pidof
- <Package Folder>/app_0999e8ff-d756-4060-96f3-c9054b65ce3f/su
- <Package Folder>/app_0999e8ff-d756-4060-96f3-c9054b65ce3f/supolicy
- <Package Folder>/app_0999e8ff-d756-4060-96f3-c9054b65ce3f/toolbox
- <Package Folder>/app_0999e8ff-d756-4060-96f3-c9054b65ce3f/wsroot.sh
- <Package Folder>/app_443d37a0-de12-4d29-93de-845931c478f6/checker
- <Package Folder>/app_443d37a0-de12-4d29-93de-845931c478f6/checker.jar
- <Package Folder>/app_443d37a0-de12-4d29-93de-845931c478f6/res
- <Package Folder>/app_6e04132f-a3cb-4604-abc8-3082a69fa2b6/checker
- <Package Folder>/app_6e04132f-a3cb-4604-abc8-3082a69fa2b6/checker.jar
- <Package Folder>/app_6e04132f-a3cb-4604-abc8-3082a69fa2b6/res
- <Package Folder>/app_700c9d65-43b1-4684-a89a-1b50c17503e9/Matrix
- <Package Folder>/app_700c9d65-43b1-4684-a89a-1b50c17503e9/ddexe
- <Package Folder>/app_700c9d65-43b1-4684-a89a-1b50c17503e9/debuggerd
- <Package Folder>/app_700c9d65-43b1-4684-a89a-1b50c17503e9/fileWork
- <Package Folder>/app_700c9d65-43b1-4684-a89a-1b50c17503e9/install-recovery.sh
- <Package Folder>/app_700c9d65-43b1-4684-a89a-1b50c17503e9/pidof
- <Package Folder>/app_700c9d65-43b1-4684-a89a-1b50c17503e9/su
- <Package Folder>/app_700c9d65-43b1-4684-a89a-1b50c17503e9/supolicy
- <Package Folder>/app_700c9d65-43b1-4684-a89a-1b50c17503e9/toolbox
- <Package Folder>/app_700c9d65-43b1-4684-a89a-1b50c17503e9/wsroot.sh
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/Matrix
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/ddexe
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/debuggerd
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/device.db
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/fileWork
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/install-recovery.sh
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/pidof
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/root3
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/su
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/supolicy
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/toolbox
- <Package Folder>/app_7896f821-da64-41af-a11b-0d15924c1490/wsroot.sh
- <Package Folder>/app_b4438523-8fa8-4512-94fa-684007ae3822/Matrix
- <Package Folder>/app_b4438523-8fa8-4512-94fa-684007ae3822/ddexe
- <Package Folder>/app_b4438523-8fa8-4512-94fa-684007ae3822/debuggerd
- <Package Folder>/app_b4438523-8fa8-4512-94fa-684007ae3822/fileWork
- <Package Folder>/app_b4438523-8fa8-4512-94fa-684007ae3822/install-recovery.sh
- <Package Folder>/app_b4438523-8fa8-4512-94fa-684007ae3822/pidof
- <Package Folder>/app_b4438523-8fa8-4512-94fa-684007ae3822/su
- <Package Folder>/app_b4438523-8fa8-4512-94fa-684007ae3822/supolicy
- <Package Folder>/app_b4438523-8fa8-4512-94fa-684007ae3822/toolbox
- <Package Folder>/app_b4438523-8fa8-4512-94fa-684007ae3822/wsroot.sh
- <Package Folder>/app_e5173044-3cce-4c09-a676-c8fb6e6a6060/Matrix
- <Package Folder>/app_e5173044-3cce-4c09-a676-c8fb6e6a6060/ddexe
- <Package Folder>/app_e5173044-3cce-4c09-a676-c8fb6e6a6060/debuggerd
- <Package Folder>/app_e5173044-3cce-4c09-a676-c8fb6e6a6060/fileWork
- <Package Folder>/app_e5173044-3cce-4c09-a676-c8fb6e6a6060/install-recovery.sh
- <Package Folder>/app_e5173044-3cce-4c09-a676-c8fb6e6a6060/pidof
- <Package Folder>/app_e5173044-3cce-4c09-a676-c8fb6e6a6060/su
- <Package Folder>/app_e5173044-3cce-4c09-a676-c8fb6e6a6060/supolicy
- <Package Folder>/app_e5173044-3cce-4c09-a676-c8fb6e6a6060/toolbox
- <Package Folder>/app_e5173044-3cce-4c09-a676-c8fb6e6a6060/wsroot.sh
- <Package Folder>/app_eacd91ce-f6ed-4996-982f-fd903e6cebb6/Matrix
- <Package Folder>/app_eacd91ce-f6ed-4996-982f-fd903e6cebb6/ddexe
- <Package Folder>/app_eacd91ce-f6ed-4996-982f-fd903e6cebb6/debuggerd
- <Package Folder>/app_eacd91ce-f6ed-4996-982f-fd903e6cebb6/fileWork
- <Package Folder>/app_eacd91ce-f6ed-4996-982f-fd903e6cebb6/install-recovery.sh
- <Package Folder>/app_eacd91ce-f6ed-4996-982f-fd903e6cebb6/pidof
- <Package Folder>/app_eacd91ce-f6ed-4996-982f-fd903e6cebb6/su
- <Package Folder>/app_eacd91ce-f6ed-4996-982f-fd903e6cebb6/supolicy
- <Package Folder>/app_eacd91ce-f6ed-4996-982f-fd903e6cebb6/toolbox
- <Package Folder>/app_eacd91ce-f6ed-4996-982f-fd903e6cebb6/wsroot.sh
- <Package Folder>/app_subox/1740c449fc10be62df60ba0f18696c9f
- <Package Folder>/app_subox/32edd79a240b5f1e461d069caab1ec3e
- <Package Folder>/app_subox/8b6f263391259b7a8e5f58ee71852ca8
- <Package Folder>/app_subox/b0141e478b25af7c40a8cca8de6c4708
- <Package Folder>/app_subox/b18a021d11a3004d25017230b681476b
- <Package Folder>/app_subox/c61913b615fb6224701377a119081f36
- <Package Folder>/app_subox_download/0b34e270-b090-4f56-a120-f04a42ee4a86
- <Package Folder>/app_subox_download/15f974b6-9b5b-4ba6-b3c7-9d0a101adb49
- <Package Folder>/app_subox_download/1699fd51-f794-4aef-a689-b8a7e5b9b68e
- <Package Folder>/app_subox_download/55f3c285-aff0-42dc-a653-3cdc03c6c9fd
- <Package Folder>/app_subox_download/7d11037f-5c93-490c-b301-88a27cdaeeb3
- <Package Folder>/app_subox_download/9a558942-a429-4e1e-9e9c-9b95398a22b2
- <Package Folder>/app_subox_download/a6448126-7f29-43a8-9f7d-bdabde1126f2
- <Package Folder>/app_subox_download/b1e9f6cf-cc5b-4141-807a-2db0b9418530
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/PackagesDB
- <Package Folder>/databases/PackagesDB-journal
- <Package Folder>/databases/t_u.db-journal
- <Package Folder>/files/SUBOXLOG_
- <Package Folder>/files/au.jar
- <Package Folder>/files/busybox
- <Package Folder>/files/go.jar
- <Package Folder>/files/mobclick_agent_cached_<Package>5220
- <Package Folder>/files/reboot
- <Package Folder>/shared_prefs/LogCollector.xml
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/config.xml.bak
- <Package Folder>/shared_prefs/kr.xml
- <Package Folder>/shared_prefs/kr.xml.bak
- <Package Folder>/shared_prefs/lz.xml
- <Package Folder>/shared_prefs/sv.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/Android/####/4134631f9d04e6d6af62c7427446679e.apk
- <SD-Card>/Android/####/V2.8.7.txt
- <SD-Card>/Android/####/b.tmp
- <SD-Card>/Android/####/b77ffeb883dc9
- <SD-Card>/LuckyPatcher/0.11.53_com.emulator.fpse.txt
- <SD-Card>/LuckyPatcher/1.7.0.0442.pl.aqurat.automapa.txt
- <SD-Card>/LuckyPatcher/160dpi.3.10.9-4.x.com.android.vending.txt
- <SD-Card>/LuckyPatcher/160dpi.com.google.android.gsf.txt
- <SD-Card>/LuckyPatcher/240dpi.3.10.9-4.x.com.android.vending.txt
- <SD-Card>/LuckyPatcher/240dpi.com.google.android.gsf.txt
- <SD-Card>/LuckyPatcher/320dpi.3.10.9-4.x.com.android.vending.txt
- <SD-Card>/LuckyPatcher/320dpi.com.google.android.gsf.txt
- <SD-Card>/LuckyPatcher/AdsBlockList.txt
- <SD-Card>/LuckyPatcher/AdsBlockList_user_edit.txt
- <SD-Card>/LuckyPatcher/biz.bokhorst.xprivacy.txt
- <SD-Card>/LuckyPatcher/code.patch.com.jb.gosms.txt
- <SD-Card>/LuckyPatcher/com.StyleTap.StyleTap.txt
- <SD-Card>/LuckyPatcher/com.adobe.flashplayer.txt
- <SD-Card>/LuckyPatcher/com.aide.ui.txt
- <SD-Card>/LuckyPatcher/com.disney.WMP.txt
- <SD-Card>/LuckyPatcher/com.disney.WMW.txt
- <SD-Card>/LuckyPatcher/com.disney.wheresmymickey_goo.txt
- <SD-Card>/LuckyPatcher/com.disney.wheresmymickey_tab_goo.txt
- <SD-Card>/LuckyPatcher/com.iudesk.android.photo.editor.txt
- <SD-Card>/LuckyPatcher/com.jrummy.liberty.toolboxpro.txt
- <SD-Card>/LuckyPatcher/com.keramidas.TitaniumBackup.txt
- <SD-Card>/LuckyPatcher/com.microsoft.office.officehub.txt
- <SD-Card>/LuckyPatcher/com.nuance.swype.dtc.txt
- <SD-Card>/LuckyPatcher/com.oasisfeng.greenify.txt
- <SD-Card>/LuckyPatcher/com.omgpop.dstpaid.txt
- <SD-Card>/LuckyPatcher/com.pyrsoftware.pokerstars.com.txt
- <SD-Card>/LuckyPatcher/com.svox.classic.langpack_%ALL%.txt
- <SD-Card>/LuckyPatcher/com.teslacoilsw.widgetlocker.txt
- <SD-Card>/LuckyPatcher/com.tournesol.rockingshortcuts.lite.txt
- <SD-Card>/LuckyPatcher/com.tsf.shell.txt
- <SD-Card>/LuckyPatcher/com.urbandroid.sleep.txt
- <SD-Card>/LuckyPatcher/com.zl.inputmethod.latin.txt
- <SD-Card>/LuckyPatcher/com.zvasvari.anmoneyp.txt
- <SD-Card>/LuckyPatcher/craigs.pro.plus.txt
- <SD-Card>/LuckyPatcher/database.patch.com.jb.gosms.txt
- <SD-Card>/LuckyPatcher/disable.selfupdate.com.android.vending.txt
- <SD-Card>/LuckyPatcher/jp.sblo.pandora.jota.plus.txt
- <SD-Card>/LuckyPatcher/menion.android.locus.pro.txt
- <SD-Card>/LuckyPatcher/mobi.<System Property>dict.android.txt
- <SD-Card>/LuckyPatcher/patch.by.sanx_com.emulator.fpse.txt
- <SD-Card>/LuckyPatcher/patch.by.sanx_com.maxmpz.audioplayer.txt
- <SD-Card>/LuckyPatcher/pl.aqurat.automapa.txt
- <SD-Card>/LuckyPatcher/tb.array.bin
- <SD-Card>/LuckyPatcher/tmp.txt
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh
- <Package Folder>/files/busybox chmod 777 <Package Folder>/files/reboot
- <Package Folder>/files/busybox chown 0.0 <Package Folder>/files/busybox
- <Package Folder>/files/busybox chown 0.0 <Package Folder>/files/reboot
- <Package Folder>/files/busybox chown 0:0 <Package Folder>/files/busybox
- <Package Folder>/files/busybox chown 0:0 <Package Folder>/files/reboot
- <error:2>
- busybox
- busybox chmod 06777 <Package Folder>/files/busybox
- busybox chmod 777 <Package Folder>/files/reboot
- busybox chown 0.0 <Package Folder>/files/busybox
- busybox chown 0.0 <Package Folder>/files/reboot
- busybox chown 0:0 <Package Folder>/files/busybox
- busybox chown 0:0 <Package Folder>/files/reboot
- chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/4134631f9d04e6d6af62c7427446679e.apk
- chmod 777 /storage/emulated/0/Android/data/com.dimonvideo.luckypatcher/files/Download/Android/azb/4134631f9d04e6d6af62c7427446679e.apk
- chmod 777 <Package Folder>/files/reboot
- chmod 777 Matrix ddexe debuggerd device.db fileWork install-recovery.sh pidof root3 su supolicy toolbox wsroot.sh
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox wsroot.sh
- chown 0.0 <Package Folder>/files/busybox
- chown 0.0 <Package Folder>/files/reboot
- chown 0:0 <Package Folder>/files/busybox
- chown 0:0 <Package Folder>/files/reboot
- dalvikvm -Xbootclasspath:/system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar -Xverify:none -Xdexopt:none -cp /data/app/<Package>-1.apk com.chelpus.root.utils.unusedodex
- logcat -d
- logcat -d -v time *:E
- ls /system/bin/failsafe/toolbox
- sh
- su
- toolbox chmod 06777 <Package Folder>/files/busybox
- toolbox chmod 777 <Package Folder>/files/reboot
- toolbox chown 0.0 <Package Folder>/files/busybox
- toolbox chown 0:0 <Package Folder>/files/busybox
- toolbox chown 0:0 <Package Folder>/files/reboot
Использует следующие алгоритмы для расшифровки данных:
- DES
Использует повышенные привилегии.
Осуществляет доступ к информации о сети
Осуществляет доступ к информации о телефоне (номер, imei и тд.)
Осуществляет доступ к информации об установленных приложениях
Осуществляет доступ к информации о запущенных приложениях
Отрисовывает собственные окна поверх других приложений
