Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.248.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- 1####.####.1
- 1####.####.190:8088
- 1####.####.1:8088
- 1####.####.88
- 1####.####.88:8999
- 6####.####.140
- a####.####.com
- i####.####.com
- l####.####.com
- res####.####.com
Запросы HTTP GET:
- 1####.####.190:8088/sdkserver/adData/adInfo/sdk/1501432303194.jar
- 1####.####.88/catServer/upload/images/8afe068f-f2db-4fd9-8fb9-f4fecf8c08...
- 6####.####.140/ando/i/mon?k=####&d=####
- i####.####.com/ando-res/ads/black/640x270.png
- res####.####.com/v3/ip?key=####
Запросы HTTP POST:
- 1####.####.1/sdkserver/v2/advertisment
- 1####.####.1:8088/sdkserver/v2/addSdk
- 1####.####.88:8999/catServer/recommend!status.action
- a####.####.com/app_logs
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/0304f18d0d7cc8a53a23ce00422893fb2a0917f54c5f122aa75c2e435680c294.0.tmp
- <Package Folder>/cache/####/06ab3be676d748d71fe86587b3e3d64b82cc7cb7e44a2c5da5da670461588225.0.tmp
- <Package Folder>/cache/####/0ee32f40ae7248a35c60470d28501e41bc5bd11d5baf2342924983d982358257.0.tmp
- <Package Folder>/cache/####/17c304c640c92c26d62f5954b20b546b9724662c6e4e8a45ef6ce948e3a9c4ec.0.tmp
- <Package Folder>/cache/####/1ad15fcba9b9b370cf82699ecea2ff4dca591af55e71479b8442280775b6a8a8.0.tmp
- <Package Folder>/cache/####/2c6f49c676b2ff24ca5a624b4b6949cd7150aff8d19bdfed2eceb01909c4d049.0.tmp
- <Package Folder>/cache/####/3491d8812261b888dfd8da65f2509cc1a4cde94534a6de7a1b322fa3d641a419.0.tmp
- <Package Folder>/cache/####/3cf7f0d6d5abf04a9d660b2d437405ff189c4ec1675191aa9067e1e3fabec44a.0.tmp
- <Package Folder>/cache/####/4ff5f572e889bf030e16b8f70be7280d7d874ea4a9535c680f6415785dc31e4c.0.tmp
- <Package Folder>/cache/####/59a9510c601a187b89ba0c51619e7c6da7ff66f6f0e09a868e07d321144df267.0.tmp
- <Package Folder>/cache/####/5fc2dcffa01f7649564f198de49f1728875e5720b87be87f1880eba351b03c44.0.tmp
- <Package Folder>/cache/####/6c56985f2200b4c010c394eac0195e6791ac926cfbc4551d87b7f47107c36a31.0.tmp
- <Package Folder>/cache/####/6ea621b3f9e9ba17d0784d964aa7fccdd6604e43e16586d0e0ddebbb39e70174.0.tmp
- <Package Folder>/cache/####/8e8ecb7e48fb3f68e4086223fc7f5bb7abd0a6be01bdce1b8ad3f02e90e9b7d3.0.tmp
- <Package Folder>/cache/####/a793bc70475242860d0691690c438d65f5da68da6a88380861fcde2139092d1f.0.tmp
- <Package Folder>/cache/####/a81e3f3fbe04c03cc89454435b44c26c5b766797aef634217cd3d0173d9a1d29.0.tmp
- <Package Folder>/cache/####/c5eacdb764106d8bb462cc5f976553c4c4c9acfceca66d4cf9109e235c4d598f.0
- <Package Folder>/cache/####/c60c0c9152f499bcb78090d92099a40262c6e1aeb7c365caeadef52a10f07256.0.tmp
- <Package Folder>/cache/####/d100d0112aa0a5de5380cbd0c54d6d8deec437a5c500094e2b8e60e5815dc4c3.0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/df93bb2757ec908bab4aa386480c30392921135299c82aac2c2b28bb62211bef.0.tmp
- <Package Folder>/cache/####/e323be0c0eec8569b8c0f2d33dc1ca3a43a44991efe11077c344d6948e5ab93b.0.tmp
- <Package Folder>/cache/####/e3b001e872b50bc1e2f1d81e035c908d75c9113917f418563da57a70ae10753e.0.tmp
- <Package Folder>/cache/####/e951e60364fe8914ca13065a92e93d93dcbeb805b5f752a3e49c1bfa21c8ed7f.0.tmp
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/code-329157/haQP738TZc5VJanr
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/download.db-journal
- <Package Folder>/databases/sm7W9u7_BKaHzppcWQbiNuxQ8ejJFsEFhP8t11_4VAI=_EdQ7bZVnAq2ql-Y1CrxP2g==
- <Package Folder>/databases/sm7W9u7_BKaHzppcWQbiNuxQ8ejJFsEFhP8t11_4VAI=_EdQ7bZVnAq2ql-Y1CrxP2g==-journal
- <Package Folder>/databases/sm7W9u7_BKaHzppcWQbiNuxQ8ejJFsEFhP8t11_4VAI=_co6s9xHdp7zK6RiaDWpi8y-kjMM=
- <Package Folder>/databases/sm7W9u7_BKaHzppcWQbiNuxQ8ejJFsEFhP8t11_4VAI=_co6s9xHdp7zK6RiaDWpi8y-kjMM=-journal
- <Package Folder>/databases/sm7W9u7_BKaHzppcWQbiNuxQ8ejJFsEFhP8t11_4VAI=_i6W3jpbsJKM=-journal
- <Package Folder>/databases/sm7W9u7_BKaHzppcWQbiNuxQ8ejJFsEFhP8t11_4VAI=_nXAUwXgM1UHzN6XJwfbPsA==
- <Package Folder>/databases/sm7W9u7_BKaHzppcWQbiNuxQ8ejJFsEFhP8t11_4VAI=_nXAUwXgM1UHzN6XJwfbPsA==-journal
- <Package Folder>/databases/sm7W9u7_BKaHzppcWQbiNuxQ8ejJFsEFhP8t11_4VAI=_ot7h1JFU6hnlxrWn
- <Package Folder>/databases/sm7W9u7_BKaHzppcWQbiNuxQ8ejJFsEFhP8t11_4VAI=_ot7h1JFU6hnlxrWn-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/0539ecdf-d41c-4be7-b3ba-14f975da2b7a.pic.temp
- <Package Folder>/files/####/0qeEpEdkf2p3tasrD3IYB0okjgJ2sVkxsIa2Hg==.new
- <Package Folder>/files/####/0xYOzF4z4Em-o_j_hZNv2bQ7SBNZ8-jrKXUvnDJpTMc=.new
- <Package Folder>/files/####/3Pz51BLYT_vWZtOkgm7wpHj_VG5S2-FY.new
- <Package Folder>/files/####/4336603b-b34b-4968-b17f-579af22b7d75.pic
- <Package Folder>/files/####/4638963f-209e-4e8c-a96c-044ae4bc2448.pic.temp
- <Package Folder>/files/####/735df149-8fca-4e54-bda3-a2e22c6c6f8c.pic.temp
- <Package Folder>/files/####/76D_TF84LKh27DP5er6seA==
- <Package Folder>/files/####/76D_TF84LKh27DP5er6seA==.new
- <Package Folder>/files/####/7JETprz5rtNdH_xGWu7DTeO98XhEl9O5FLew4A==.new
- <Package Folder>/files/####/8e_Dcod6aopSWJarg6L0Z79F9ZmqUTLr.new
- <Package Folder>/files/####/DvFN4QfCg63Xga89GcY5DUl65X4=
- <Package Folder>/files/####/FqUrNfnk-kZhLPTY
- <Package Folder>/files/####/MF1Kf7A_0A4X47yT.new
- <Package Folder>/files/####/NTnRWkbEPYISo7g3v9emhA==.new
- <Package Folder>/files/####/PUiqwEV0rFwD5imD-zDTeq99kV2I3t8uI6NBYuB_BBQ=.new
- <Package Folder>/files/####/TNfz7mMivUzTolAifYzrILBJXxVENIvs0uGYMQ==.new
- <Package Folder>/files/####/UrHTRUuQlHQbqAStqhgssQ==
- <Package Folder>/files/####/UzEee2hWChQr7zuH3q1439_3o8skHIk2.new
- <Package Folder>/files/####/XdeSC7YykASIeLoi.zip
- <Package Folder>/files/####/a6626280-4bf8-4aa0-8f24-96c36d717270.pic.temp
- <Package Folder>/files/####/ajf-wmQ8uzdXD0chsCEGIxOzqa8=.new
- <Package Folder>/files/####/b413675b-25e3-4f56-994b-63e0c3ef76f4.pic.temp
- <Package Folder>/files/####/bb49eea2-4ed8-4582-b045-629f7eddbf54.pic.temp
- <Package Folder>/files/####/cuc3HvNasR1e1Zhj5jCr4pHyGmjTwxqVbmZWc2y6faI=.new
- <Package Folder>/files/####/d71b0afa-124d-46a9-a788-d35c8e45eef9.pic
- <Package Folder>/files/####/dY4ydLRW5FgwQESk7m-S8f5Z3raAMjd_
- <Package Folder>/files/####/dY4ydLRW5FgwQESk7m-S8f5Z3raAMjd_.new
- <Package Folder>/files/####/dY4ydLRW5FgwQESk7m-S8f5Z3raAMjd_.old (deleted)
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/f3uCcFSW_u5KgsLGWD4a37TrAMk=.new
- <Package Folder>/files/####/gzJk4ZKyn3nIr4iAApCRd5LmfRo=.new
- <Package Folder>/files/####/mQfwRo8hDaPUO0IsEfTG9iDAv6s=
- <Package Folder>/files/####/nptTTyWr6aeBEVuB0KXbdQ==
- <Package Folder>/files/####/oFmG4kk2NcnLNqJdYdCRTHofIjHv35Up.new
- <Package Folder>/files/####/rOmri-lAfMWPseB7GYh-XOJfVpjrr_D5qjusRRrNpSI=.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sMsU0oHMlktWU8wx4ChsCI_L1xhcVunQ.new
- <Package Folder>/files/####/tK_2yF15nploB7raxOBEsg==.new
- <Package Folder>/files/####/txdcxq_f.zip
- <Package Folder>/files/####/uyr3Sg8tjA1-6P000QKSOrwFyWgFKagz.new
- <Package Folder>/files/####/zWT6N14k0YdHaERzic-lZFkNlkI=.new
- <Package Folder>/files/####/zXUeUwNlYG-Blf7VHUYwzB_aS2IAg5HI.new
- <Package Folder>/files/.imprint
- <Package Folder>/files/exid.dat
- <Package Folder>/files/patch.jar
- <Package Folder>/files/rdata_comandroidsupport.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/share_data.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.armsd/####/2569b4bb-e0d0-4fe0-8cb0-1e3a8baeb90a.res
- <SD-Card>/.armsd/####/45d092e4-0775-4a0a-a06a-0ee38930b87a.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/b3c5109b-3913-4ea6-9211-a74b37375c15.res
- <SD-Card>/.armsd/####/eadf94c7-7510-4583-9f28-a5c87fd8527e.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.qid.dhofn.cihgn/code-329157/haQP738TZc5VJanr -p com.qid.dhofn.cihgn -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/code-329157/haQP738TZc5VJanr -p <Package> -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
