Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.248.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- 1####.####.1
- 1####.####.190:8088
- 1####.####.1:8088
- 1####.####.88
- 1####.####.88:8999
- 6####.####.140
- b####.####.com
- i####.####.com
- l####.####.com
- res####.####.com
Запросы HTTP GET:
- 1####.####.190:8088/sdkserver/adData/adInfo/sdk/1501432303194.jar
- 1####.####.88/catServer/upload/images/9e61afd2-9f05-416e-9160-e217aa2d25...
- 6####.####.140/ando/i/mon?k=####&d=####
- b####.####.com/item/%E4%BD%9B%E7%BD%97%E9%87%8C%E8%BE%BE%E5%B7%9E
- i####.####.com/ando-res/ads/black/640x270.png
- res####.####.com/v3/ip?key=####
Запросы HTTP POST:
- 1####.####.1/sdkserver/v2/deploymentMode
- 1####.####.1:8088/sdkserver/v2/addSdk
- 1####.####.88:8999/catServer/recommend!status.action
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/17d7d3d2f4416719cbca75f29c420b54674f3f5b0bfc1068b6c603332d25c543.0.tmp
- <Package Folder>/cache/####/240c72cb7834d86c0ed539a3ed825d578c2df6531716f4e3fe49dec5646d5aaa.0.tmp
- <Package Folder>/cache/####/5d2164a5e529684fffcfd37fd6f26405165e85bb19c6136b6407281d3832630c.0.tmp
- <Package Folder>/cache/####/6f14f16979038533d70b34ffbfd838607d1529fc94d42388439f1be9866c5cab.0.tmp
- <Package Folder>/cache/####/78a61986efe3116ccebd12b90892273f79685a4e93e049e3ee09ea99a1d4eb8a.0.tmp
- <Package Folder>/cache/####/7c11007d75925668c5d5d03c3b7bc484f869dfadaa6a15e575c68ba060b28e2f.0.tmp
- <Package Folder>/cache/####/9aaddd9a0dc6514861de5403f29dcf086eae5bdcbaba53d4016e5c4150a2797e.0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/e3a7ee4a7506cfc1a6daf715fd2eba3d9cc6fbce843f6772820754dc734dfa3d.0.tmp
- <Package Folder>/cache/####/f6b9c75c84aba8d2500e42d2a26a7ac3b988cd5514f94052c220ffe02f0c4c71.0.tmp
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/code-4582433/7EsGF6wjohpnzbSn
- <Package Folder>/databases/333tre_NcbPla1xmGEgYupAej51MtLL3GexFyc-vKJU=_8GqihdGf14xFaBYDLW2-jQ==
- <Package Folder>/databases/333tre_NcbPla1xmGEgYupAej51MtLL3GexFyc-vKJU=_8GqihdGf14xFaBYDLW2-jQ==-journal
- <Package Folder>/databases/333tre_NcbPla1xmGEgYupAej51MtLL3GexFyc-vKJU=_Jhg_k3cKvQ4XP0Oydvc-f4K_SwA=
- <Package Folder>/databases/333tre_NcbPla1xmGEgYupAej51MtLL3GexFyc-vKJU=_Jhg_k3cKvQ4XP0Oydvc-f4K_SwA=-journal
- <Package Folder>/databases/333tre_NcbPla1xmGEgYupAej51MtLL3GexFyc-vKJU=_M8AuMnt7Tss=-journal
- <Package Folder>/databases/333tre_NcbPla1xmGEgYupAej51MtLL3GexFyc-vKJU=_VLY3PqAZysnI0s3pbUFvAg==
- <Package Folder>/databases/333tre_NcbPla1xmGEgYupAej51MtLL3GexFyc-vKJU=_VLY3PqAZysnI0s3pbUFvAg==-journal
- <Package Folder>/databases/333tre_NcbPla1xmGEgYupAej51MtLL3GexFyc-vKJU=_lxJ2MSmwylICgHI4
- <Package Folder>/databases/333tre_NcbPla1xmGEgYupAej51MtLL3GexFyc-vKJU=_lxJ2MSmwylICgHI4-journal
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/download.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/2MFnWcC0bJs3Y0RxSexDfA==.new
- <Package Folder>/files/####/5B8oTCLhSDW8_YUN1cpOVg==.new
- <Package Folder>/files/####/863b3b46-5882-493d-9442-3cceff2d899c.pic.temp
- <Package Folder>/files/####/8QdJgH-YO6QYwDrnsg0r6Mtg5-2piXHB
- <Package Folder>/files/####/8QdJgH-YO6QYwDrnsg0r6Mtg5-2piXHB.new
- <Package Folder>/files/####/8QdJgH-YO6QYwDrnsg0r6Mtg5-2piXHB.old (deleted)
- <Package Folder>/files/####/98KIrlCz_m1PkvhF4rlm7jXDosWDylHq.new
- <Package Folder>/files/####/AuyFAYWIRReDTetbNIYyJA==
- <Package Folder>/files/####/D3hODYDZJbUUl0dUQlC8smOIlBr5fbVZlWrVsF4OEPU=.new
- <Package Folder>/files/####/DHrXPO_TRpeOoyluV6N69T8InBj4eCuV.new
- <Package Folder>/files/####/EUd5QW__dEtl2YG8fcaeEi9CAB6zbnLoPjfYFg==.new
- <Package Folder>/files/####/HI3fOXYfmRS0C_lyM50292F6raZA1OnF.new
- <Package Folder>/files/####/KtQFiI-Ip8pW1Gg-1hzVYw==
- <Package Folder>/files/####/KtQFiI-Ip8pW1Gg-1hzVYw==.new
- <Package Folder>/files/####/Md62UoPQ_id8Aen_Jj2Xr1YBmE1b9X4GcG0IJg==.new
- <Package Folder>/files/####/NOdx-4Uyq59wdFv6-Gw05_r2xKw=
- <Package Folder>/files/####/NgetxyoPaU9fM5JJwbpyNmagOQ2U0mK2-HMl6nIsdkY=.new
- <Package Folder>/files/####/SOGUBCHLCvI-48Y93o6o24kHP1MnFyhp.new
- <Package Folder>/files/####/WR7b6la330Hsfd0uxgfGmrwF3Ek=.new
- <Package Folder>/files/####/XpdkV3vKlmo3s32Zq1z8_fyyuP8=.new
- <Package Folder>/files/####/Y1cU_Jr2D4wHbLR7.zip
- <Package Folder>/files/####/bTciJwX6uL9kX00IjtpzMMmYEzGjVZ1Qk7KDvQ==.new
- <Package Folder>/files/####/bdyWlcX4tmSfh8t03A-O7qr2JdMsxUP7sm8Nwxrrl2U=.new
- <Package Folder>/files/####/dU8Pgp5-ag4DNyCzFKNmpw==
- <Package Folder>/files/####/eca2f133-104b-4b11-b10f-29de581ae80f.pic.temp
- <Package Folder>/files/####/ef_DY5NgA0ZMQtEqPz6x2TV05bU=
- <Package Folder>/files/####/g5kCg-tA6KUeR03uvXBIZ48_OX4=.new
- <Package Folder>/files/####/gNtHQvdsB5LJv_MHl7qce3tiG1aUN6MT.new
- <Package Folder>/files/####/h-jsHqdlKAJCBefzRpFfJjD4OR6b8S7T.new
- <Package Folder>/files/####/hQ2TmPpNKP5HKqFI
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/txdcxq_f.zip
- <Package Folder>/files/####/ull7vJBKk0xq7oTjLFIT-WrOwjI=.new
- <Package Folder>/files/####/wWiY4T4d1sE43Z57RgB0z_WL0Nyy4JGkt-LrVKjlkq0=.new
- <Package Folder>/files/####/xEr53kIZtVD7PqNi.new
- <Package Folder>/files/####/xRLIK73ynaxfEuZL60fx7fysMDoT4P1L.new
- <Package Folder>/files/patch.jar
- <Package Folder>/files/rdata_comandroidsupport.new
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/share_data.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.armsd/####/0ccdf022-aeb4-4da6-b8a7-3f58a1bb6c12.res
- <SD-Card>/.armsd/####/3b808d6e-ca4c-4d01-a4d0-44c7c96e39fa.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.old (deleted)
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.zuiedushi.feicheshipin.zedsfcspm/code-4582433/7EsGF6wjohpnzbSn -p com.zuiedushi.feicheshipin.zedsfcspm -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <error:2>
- sh <Package Folder>/code-4582433/7EsGF6wjohpnzbSn -p <Package> -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
