Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- 1####.####.1
- 1####.####.190:8088
- 1####.####.1:8088
- 1####.####.88
- 1####.####.88:8999
- 6####.####.140
- b####.####.com
- i####.####.com
- l####.####.com
- res####.####.com
Запросы HTTP GET:
- 1####.####.190:8088/sdkserver/adData/adInfo/sdk/1501432303194.jar
- 1####.####.88/catServer/upload/images/073165f4-40f4-4fdb-9a4a-ca5a5c9874...
- b####.####.com/item/%E7%BD%AA%E5%9F%8E
- i####.####.com/ando-res/m/A6EGb*Py4u1FtWQ3Rk0AdTbn3l2VkFbr8rEbwi8yQXTViC...
- res####.####.com/v3/ip?key=####
Запросы HTTP POST:
- 1####.####.1/sdkserver/v2/deploymentMode
- 1####.####.1:8088/sdkserver/v2/addSdk
- 1####.####.88:8999/catServer/recommend!status.action
- 6####.####.140/ando/x/liv?app_id=####&r=####
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/006626e5fef7eab79d3eb5330478503f0b74930401892a5a0f5349a94409a089.0.tmp
- <Package Folder>/cache/####/17d7d3d2f4416719cbca75f29c420b54674f3f5b0bfc1068b6c603332d25c543.0.tmp
- <Package Folder>/cache/####/22ca5c17ceba470a8656ac3bfc481da65fd4c5a99b6c67e0d5eebe77d45b3b50.0.tmp
- <Package Folder>/cache/####/240c72cb7834d86c0ed539a3ed825d578c2df6531716f4e3fe49dec5646d5aaa.0.tmp
- <Package Folder>/cache/####/2b4ccea4317afb6885d5ca1b02a45f1685c1fd9c7f72af8cd78a34401eaff881.0.tmp
- <Package Folder>/cache/####/3cf4628c5fa0e26bd74ec6c20380cb2237c00bf1279f9f0bfb488667974284fa.0.tmp
- <Package Folder>/cache/####/428c7300a3f81f769ff515f49e79109e77ff29467747b72eb8d3ad6d68a81126.0.tmp
- <Package Folder>/cache/####/58b5b3d3a7ab65a3455d12365f3bed2a541ab9acf7445f4d38110d2b601aa691.0.tmp
- <Package Folder>/cache/####/5b934b55536bed0e70c603a73c2e7dd97c02226fdb416fa3f7bb75c6baefcace.0.tmp
- <Package Folder>/cache/####/5d2164a5e529684fffcfd37fd6f26405165e85bb19c6136b6407281d3832630c.0.tmp
- <Package Folder>/cache/####/6bd17eed6ad5d742524ded2d4626f07d93d14c2b00b4566951e65b39726128e6.0.tmp
- <Package Folder>/cache/####/6f14f16979038533d70b34ffbfd838607d1529fc94d42388439f1be9866c5cab.0.tmp
- <Package Folder>/cache/####/78a61986efe3116ccebd12b90892273f79685a4e93e049e3ee09ea99a1d4eb8a.0.tmp
- <Package Folder>/cache/####/7a11a6a0a07d039190f647a9e957f334277509d014dfe992506097d66e1cf134.0.tmp
- <Package Folder>/cache/####/7c11007d75925668c5d5d03c3b7bc484f869dfadaa6a15e575c68ba060b28e2f.0.tmp
- <Package Folder>/cache/####/7ddeed88e577d4df2a5417be327c84db990758d1528b366aa4f14b39b8181564.0.tmp
- <Package Folder>/cache/####/86430be72e5908963348c18690f64f7c77495288e9f73cb3f677ef293620b640.0.tmp
- <Package Folder>/cache/####/ae4371506ec70c40d2ad3639d5d84b83d735056e333f9c02eb91398d5a844611.0.tmp
- <Package Folder>/cache/####/b60dcaa8cb01c9b71bf920679f3971629cd7225869f457fc6bdd46b0018704d9.0.tmp
- <Package Folder>/cache/####/c4bc6800b821a00fcd914c28ad04b1b5ed81ffb99c62408072940719507b416e.0.tmp
- <Package Folder>/cache/####/c64344f22c81876ebefc7b9f0a30d1fb308bc373ebe695a36366b6148b94a877.0.tmp
- <Package Folder>/cache/####/ca5386293d4369b806716c323664ea2680a37334996169230d95b5b29e85425f.0.tmp
- <Package Folder>/cache/####/d5145471125cdc3380de472829097654864aa1e1594ed08fb0103386dea576f5.0.tmp
- <Package Folder>/cache/####/d9c72294940bc07adfa7bfc61a64db6898f68ce77ce2a35d7f3605ae86641f59.0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/db75e7413d2a3e5723d2de1dd897d49f19c754bf8b1cf398a7422fe934650b7f.0.tmp
- <Package Folder>/cache/####/e3a7ee4a7506cfc1a6daf715fd2eba3d9cc6fbce843f6772820754dc734dfa3d.0.tmp
- <Package Folder>/cache/####/e59ea54fe647d59bc74d56a81cb1a380dc87917d242175f0a04ac877a70e5458.0.tmp
- <Package Folder>/cache/####/f06dc7076d4bba2cf5f31a9d13fbcd2dafe62639d43a292885158b8b5a08cd7a.0.tmp
- <Package Folder>/cache/####/f36c2b12b49fb61370cda958023693ac64043ead5f93b4efefd94ce0b20f359d.0.tmp
- <Package Folder>/cache/####/f44297b18dfbbcfda20e5c30237289652275df8eb2bd7cb6408093aee079e13c.0.tmp
- <Package Folder>/cache/####/f6b9c75c84aba8d2500e42d2a26a7ac3b988cd5514f94052c220ffe02f0c4c71.0.tmp
- <Package Folder>/cache/####/f88507bb59ea0f09a485257058bf8b0fc6c4bc4f44e971c71d4506e02bdd0cac.0.tmp
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/code-2032378/vLds-QSx0knSI5FE
- <Package Folder>/databases/7vfG-UBawIRLwO3Va51BVONlIJH1Bpf861jFw31h-8M=_7hd9DN0a0HqBenTvEf3Hww==
- <Package Folder>/databases/7vfG-UBawIRLwO3Va51BVONlIJH1Bpf861jFw31h-8M=_7hd9DN0a0HqBenTvEf3Hww==-journal
- <Package Folder>/databases/7vfG-UBawIRLwO3Va51BVONlIJH1Bpf861jFw31h-8M=_HqgeOxmDVmK-FiHZwwmj1K278FY=
- <Package Folder>/databases/7vfG-UBawIRLwO3Va51BVONlIJH1Bpf861jFw31h-8M=_HqgeOxmDVmK-FiHZwwmj1K278FY=-journal
- <Package Folder>/databases/7vfG-UBawIRLwO3Va51BVONlIJH1Bpf861jFw31h-8M=_JOrMWNTbHUyiZz1OMVaGFg==
- <Package Folder>/databases/7vfG-UBawIRLwO3Va51BVONlIJH1Bpf861jFw31h-8M=_JOrMWNTbHUyiZz1OMVaGFg==-journal
- <Package Folder>/databases/7vfG-UBawIRLwO3Va51BVONlIJH1Bpf861jFw31h-8M=_fpa1xx89Hq8=-journal
- <Package Folder>/databases/7vfG-UBawIRLwO3Va51BVONlIJH1Bpf861jFw31h-8M=_qr9scypc9dSvm28P
- <Package Folder>/databases/7vfG-UBawIRLwO3Va51BVONlIJH1Bpf861jFw31h-8M=_qr9scypc9dSvm28P-journal
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/download.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/-HHB9AsWNa701nOGU75RTsjENbg=
- <Package Folder>/files/####/-VDkhAv34imSAp-eqU-AS5E3zUS5SNGh_WvnxQ==.new
- <Package Folder>/files/####/47xUxG2uG5WUtuEo7bthSUzqnPDl394F.new
- <Package Folder>/files/####/4bJUNqXszOfmeGWXJXXmsApXEJ_7MVti.new
- <Package Folder>/files/####/7sUZNI7gb-xcBmeYJZEVAJw0Dzs7DQl_.new
- <Package Folder>/files/####/AslPrgSRVDeaQ6cIehp7SdTiu_k=.new
- <Package Folder>/files/####/CBlGQPWLO5SPUVXMo5GfiyKb6FdBCYy3sAVZtc_GFIY=.new
- <Package Folder>/files/####/DAH-PC4W_CxwAlNl6GvacJ8rI6iHTzwukSfVPyNGRKY=.new
- <Package Folder>/files/####/IFe5Bf0ZCu15s-208td72-iPNMUAsjU_.new
- <Package Folder>/files/####/LN4ebxDGSMbUF2n2
- <Package Folder>/files/####/LN4ebxDGSMbUF2n2.temp
- <Package Folder>/files/####/Lx8ACfzjz9OGBNTu8biVpw==.new
- <Package Folder>/files/####/Okob2F2tXPg2X1yRRovKGA==
- <Package Folder>/files/####/Okob2F2tXPg2X1yRRovKGA==.new
- <Package Folder>/files/####/Okob2F2tXPg2X1yRRovKGA==.old (deleted)
- <Package Folder>/files/####/QVEpODPw30UIVkCi2-RGSLYIxJQOloX2
- <Package Folder>/files/####/QVEpODPw30UIVkCi2-RGSLYIxJQOloX2.new
- <Package Folder>/files/####/QVEpODPw30UIVkCi2-RGSLYIxJQOloX2.old (deleted)
- <Package Folder>/files/####/TEUcBakELJVIC7pV8NGVMe1ElH8=.new
- <Package Folder>/files/####/TiAPy27dAzo4vYYDMK07_ZmWGk8=
- <Package Folder>/files/####/TiAPy27dAzo4vYYDMK07_ZmWGk8=.new
- <Package Folder>/files/####/VrW9M09oGJYHj4MmTiROSs9wccY=.new
- <Package Folder>/files/####/Xe47hu0GKhQLAJ71SjLMsjhTWBFwfTddOsg76g==.new
- <Package Folder>/files/####/_qmyEhVcgiwenA4xNWF-33HNkjI=.new
- <Package Folder>/files/####/e2rwZQ_09vOwnUd_c6IUDw==
- <Package Folder>/files/####/e43pLxlqydmnyWr1tT0-3httZS9wuChzSi_IxQ==.new
- <Package Folder>/files/####/fBj1wXa20DiVbGjoeKQaGBYy-JCGUSFb.new
- <Package Folder>/files/####/fWOnA-y-1MvpnneK4PKsV1_HxvgdxUYP.new
- <Package Folder>/files/####/jL-JZ4ieL3lxFujbkmoWrQ==
- <Package Folder>/files/####/jL-JZ4ieL3lxFujbkmoWrQ==.new
- <Package Folder>/files/####/lLM44Vp2fjkGW22D.zip
- <Package Folder>/files/####/m7IaoJaG5Rdy_R8SP1_2Vg==
- <Package Folder>/files/####/mpybkBo5htRqO5YVF09r9fFXzZ9SJENu.new
- <Package Folder>/files/####/otdiuKDgudDRlsYfxGRk5_Cy5YBhbCMZqH78mN1nvco=.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sDgStNkWXa_cD7FNI-rwpPc8APLvrKUKsX1CXvJPPDc=.new
- <Package Folder>/files/####/txdcxq_f.zip
- <Package Folder>/files/####/wrExeFBzWBxtubnV.new
- <Package Folder>/files/patch.jar
- <Package Folder>/files/rdata_comandroidsupport.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/share_data.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique
- <SD-Card>/.env/.uunique.new
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.dfogne.hogenr.pdrwkg/code-2032378/vLds-QSx0knSI5FE -p com.dfogne.hogenr.pdrwkg -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/code-2032378/vLds-QSx0knSI5FE -p <Package> -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
