Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- 1####.####.1
- 1####.####.190:8088
- 1####.####.1:8088
- 1####.####.88
- 1####.####.88:8999
- 6####.####.140
- a####.####.com
- i####.####.com
- l####.####.com
- res####.####.com
Запросы HTTP GET:
- 1####.####.190:8088/sdkserver/adData/adInfo/sdk/1501432303194.jar
- 1####.####.88/catServer/upload/images/477176bd-40ea-4f08-a4ba-922673713c...
- 6####.####.140/ando/i/mon?k=####&d=####
- i####.####.com/ando-res/ads/black/640x270.png
- res####.####.com/v3/ip?key=####
Запросы HTTP POST:
- 1####.####.1/sdkserver/v2/jarStatus
- 1####.####.1:8088/sdkserver/v2/addSdk
- 1####.####.88:8999/catServer/recommend!status.action
- a####.####.com/app_logs
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/0c19d6a3ea33e11ce4a041d0e646736a336bdc36352a2c4a7ce9a48ca7d1431c.0.tmp
- <Package Folder>/cache/####/0f5a8afebcf1de8b121d089a3176b83dabc09f5a42659dfee3a13d1a1b19b23f.0.tmp
- <Package Folder>/cache/####/1245f0d430751d032006dacccf2f4dce7622c8ee46eef6c44e82b727bc92302f.0.tmp
- <Package Folder>/cache/####/5a16cf9d1401207a2e13e4351274d41c90429fc44eaa839993b16d9d2a1a7a31.0.tmp
- <Package Folder>/cache/####/676d10eaba1f62283ca9894d285225ecebe2196187f2bc589c7594afbb7988d4.0.tmp
- <Package Folder>/cache/####/6ac53d843ebd3b763ff3b060e0883b342886329cc70dcb9325025a27217f97b8.0.tmp
- <Package Folder>/cache/####/8a55c66c171809dafdbd0783d29c66227e65a6b03102ff7d07cefdb9dd412238.0.tmp
- <Package Folder>/cache/####/985fc02cb132c74b9b512aff09750e67ef6abe39e678a313c493979482d226fd.0.tmp
- <Package Folder>/cache/####/b60e58249d4e5dc20af8b3cc930079c095a5a06b736048a41a45183befc795c6.0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/e5cb9d4ebe2bf886e7b8e07a949aca8ef013ee64cdc7fb44bb3441066cb95e7a.0.tmp
- <Package Folder>/cache/####/e713d24a723c1934e03dbfa34b0576e13739704249a43ef3ab4aac533597849e.0.tmp
- <Package Folder>/cache/####/f2b7ab120c40a601d639e89883b283c93d0449a7bd99a2d0a65e134a2a91ccb8.0.tmp
- <Package Folder>/cache/####/f3aa50e9aa768a300b1f06473fbdf987d50d707d17cbee13cc718403007d5ccb.0.tmp
- <Package Folder>/cache/####/f9c1d1da71828e1ce46a649ae9c304336834d572daef86f8c64ee7e70bc29bfb.0.tmp
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/code-2671865/09NmEomrdgYtVQtx
- <Package Folder>/databases/BquKwC9SJE0xnUvCzWeUq1GD5e5S_67AwLEbZifbjwQ=_4fl54U43AFY=-journal
- <Package Folder>/databases/BquKwC9SJE0xnUvCzWeUq1GD5e5S_67AwLEbZifbjwQ=_XUOO4vexioyb7X4Z
- <Package Folder>/databases/BquKwC9SJE0xnUvCzWeUq1GD5e5S_67AwLEbZifbjwQ=_XUOO4vexioyb7X4Z-journal
- <Package Folder>/databases/BquKwC9SJE0xnUvCzWeUq1GD5e5S_67AwLEbZifbjwQ=_hGFMVIg__382Ya0EB27iuQ==
- <Package Folder>/databases/BquKwC9SJE0xnUvCzWeUq1GD5e5S_67AwLEbZifbjwQ=_hGFMVIg__382Ya0EB27iuQ==-journal
- <Package Folder>/databases/BquKwC9SJE0xnUvCzWeUq1GD5e5S_67AwLEbZifbjwQ=_hWX4eF2iFtkhlYW81O98VA==
- <Package Folder>/databases/BquKwC9SJE0xnUvCzWeUq1GD5e5S_67AwLEbZifbjwQ=_hWX4eF2iFtkhlYW81O98VA==-journal
- <Package Folder>/databases/BquKwC9SJE0xnUvCzWeUq1GD5e5S_67AwLEbZifbjwQ=_lEsQBH0yJopYhpLY1xD0JdpxYI4=
- <Package Folder>/databases/BquKwC9SJE0xnUvCzWeUq1GD5e5S_67AwLEbZifbjwQ=_lEsQBH0yJopYhpLY1xD0JdpxYI4=-journal
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/download.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/053738fd-32a7-4bb0-acb6-51744898a471.pic.temp
- <Package Folder>/files/####/1Cp_OCvsC6dTxuCZpAyoP4oT23BmOK8WvAOSCg==.new
- <Package Folder>/files/####/1kZ7ipRFCnLW3JyJ_eR7PflS4YHrESI8IcztjjTEb9I=.new
- <Package Folder>/files/####/25zXRDcAgrLZNSRRff7ueH-bOJ3AZPqQ.new
- <Package Folder>/files/####/28647d33-79da-4e12-8df3-2a471e84ba3b.pic.temp
- <Package Folder>/files/####/2d6f4ba8-1ad0-4c66-9ecc-10385abc51d9.pic.temp
- <Package Folder>/files/####/33381994-af1d-4191-a616-05ea109596cd.pic.temp
- <Package Folder>/files/####/3IHyDHuK0CT0XDLPPihjyQ==
- <Package Folder>/files/####/538622a5-ba13-4e72-a4c3-4dca680f23cc.pic.temp
- <Package Folder>/files/####/5WkEK-2g_jwJM_U0zkbzzzfp4wVbcW53.new
- <Package Folder>/files/####/5bH2RQoqWu1oF8qdcWZ54pocGvc=.new
- <Package Folder>/files/####/5d58a368-acdf-4b36-a2c8-92c0a32abd1b.pic
- <Package Folder>/files/####/6faf29fa-ff1d-4d8e-9576-8282c12b8323.pic.temp
- <Package Folder>/files/####/9cfc553b-958d-47d2-b92e-c51dbb1dc599.pic.temp
- <Package Folder>/files/####/9fbd90f7-bd11-4fca-95bc-18d3dff78e63.pic.temp
- <Package Folder>/files/####/FUuu4XcXrJfgx2lPywSBpg==.new
- <Package Folder>/files/####/FusNtPiRpk1iUjGqCBrltw==
- <Package Folder>/files/####/FusNtPiRpk1iUjGqCBrltw==.new
- <Package Folder>/files/####/Hm8Ecsm5Vk_E3xN1Ylh9fyKaW8ThiClr.new
- <Package Folder>/files/####/J_zsGhb102QsZREIHs5WjwVeScyFmcyF.new
- <Package Folder>/files/####/M3O9K2XamhSx4k4j440OGYGCxWU=.new
- <Package Folder>/files/####/W8N7c2krjlvRR_5RAWyiWX-phsW8IdNE
- <Package Folder>/files/####/W8N7c2krjlvRR_5RAWyiWX-phsW8IdNE.new
- <Package Folder>/files/####/W8N7c2krjlvRR_5RAWyiWX-phsW8IdNE.old (deleted)
- <Package Folder>/files/####/XqK3pw-y6IJmeKLOmZsNVcj6eiEZhYmYq1NE_w==.new
- <Package Folder>/files/####/ZUMKutLv0S5IlrCZZF3U_FqwGH8fbtc3guJO125NskI=.new
- <Package Folder>/files/####/_S5nlPBDaXrKltMM-ZOpEqaHe4s=
- <Package Folder>/files/####/aOvM-81PxZ2CFhZ-AsRiF7nyceF1A0gP.new
- <Package Folder>/files/####/a_SO-NGJPMJoB8sij0T82GR_JPQ=
- <Package Folder>/files/####/bIXgQ0ICjL_mNSWM3nZ7-B5615o=.new
- <Package Folder>/files/####/bd5b5aff-6a7d-4103-b760-c932c735f0c5.pic.temp
- <Package Folder>/files/####/cXz3HNmguxkZbQ-6phTjM-WV0D1Ey-28WiqJDQXJr24=.new
- <Package Folder>/files/####/cc882d38-db48-4815-834b-6fb244d46b39.pic.temp
- <Package Folder>/files/####/d049e87b-b240-4dea-a79b-d2ae9150a9ac.pic.temp
- <Package Folder>/files/####/d2f168f2-b86e-49cf-892b-26898a603ebf.pic.temp
- <Package Folder>/files/####/e210496c-49ee-49e5-8e89-5bb35e954c50.pic
- <Package Folder>/files/####/e9846529-c4e6-461a-88eb-3650eb63b65c.pic.temp
- <Package Folder>/files/####/eaWja1t-XPzZ9E7muo-ypQ==
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/f7fd66d9-a056-4afb-b739-7c26182738dd.pic.temp
- <Package Folder>/files/####/g2XNYXXfPh0ucMtp.zip
- <Package Folder>/files/####/khXwp1cjJGk_xTSiLn2cHQ==.new
- <Package Folder>/files/####/na4kHAM-o8tHEUGcnUcuw5MHUwpdvTCdi8eSQg==.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/tZ5ql1fwY9XnIKpDKeU7Bw-EK4xnQ2OK1eb83YLVpJQ=.new
- <Package Folder>/files/####/txdcxq_f.zip
- <Package Folder>/files/####/uafAPGw3xS5F_KGZFHjNc66bFuEN0hV1.new
- <Package Folder>/files/####/wEHOIeTAi4TPql7N.new
- <Package Folder>/files/####/xt1CGwmdjHz0-lKVOG9O3lGSKV4=.new
- <Package Folder>/files/####/yJkP5Y5GK-YGcAB5
- <Package Folder>/files/####/ybc5NUMQOmZ4xQARoGdXkmOfNCbWcniI.new
- <Package Folder>/files/.imprint
- <Package Folder>/files/exid.dat
- <Package Folder>/files/patch.jar
- <Package Folder>/files/rdata_comandroidsupport.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/share_data.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.armsd/####/0ca67832-3a07-4b9a-83e7-5116a87ed9e0.res
- <SD-Card>/.armsd/####/0ea55d72-1d92-45df-9a26-b797a158564a.res
- <SD-Card>/.armsd/####/43af1428-aeb7-4257-8c6b-336a94635133.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/8a5861fc-c23f-41a9-9af5-26b285e9e610.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/ca52dbc1-aa6e-4e0d-afb9-5162aa544a8f.res
- <SD-Card>/.armsd/####/db78bb81-a76f-4417-a8e3-a6b02ac5dd1f.res
- <SD-Card>/.armsd/####/dc0959f4-2772-424d-b6ef-bef899fff4b3.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.dadf.dfwef.poih.kluhlou/code-2671865/09NmEomrdgYtVQtx -p com.dadf.dfwef.poih.kluhlou -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/code-2671865/09NmEomrdgYtVQtx -p <Package> -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
