Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- 1####.####.1
- 1####.####.190:8088
- 1####.####.1:8088
- 1####.####.88
- 1####.####.88:8999
- 6####.####.140
- a####.####.com
- i####.####.com
- l####.####.com
- res####.####.com
Запросы HTTP GET:
- 1####.####.190:8088/sdkserver/adData/adInfo/sdk/1501432303194.jar
- 1####.####.88/catServer/content.action?id=####
- 6####.####.140/ando/i/mon?k=####&d=####
- i####.####.com/ando-res/ads/0/9/837ec120-ccf8-4ad0-b6fd-1303ff645eca/773...
- res####.####.com/v3/ip?key=####
Запросы HTTP POST:
- 1####.####.1/sdkserver/v2/jarStatus
- 1####.####.1:8088/sdkserver/v2/addSdk
- 1####.####.88:8999/catServer/recommend!status.action
- a####.####.com/app_logs
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/00582cc4f4e9a38eb429283f9d5c9332c8dc801bfcb89e13299af53eea8170d2.0.tmp
- <Package Folder>/cache/####/0a6527013df727a1c60c80cc05665969030acfb0cbc4b38e3bbff4e45d01d164.0.tmp
- <Package Folder>/cache/####/16c59c26be623719f3f1f4f2e571e4af34ced2afd4df2ce372129b218e364d95.0.tmp
- <Package Folder>/cache/####/19095fe735982cc8a543c2ad9c740eeb04ce18fb55910424abf391f9896f8ada.0.tmp
- <Package Folder>/cache/####/19ccb8d8747335a92c58b705d446d4e3db0a897d783d3adf0139aff6f8495dce.0.tmp
- <Package Folder>/cache/####/1c8addf5c0fc863be99d026db07164f75bf78f2ab18f6c856f537be3f4421f84.0.tmp
- <Package Folder>/cache/####/2516c0048a4a55777dc0936ccc6cebb779d96ac98c9d2b0ef43bab4f066c9c61.0.tmp
- <Package Folder>/cache/####/531f9947b36503b9c2dccccea2c0c7eb0cc679b0e99f727f7672f99023956e1b.0.tmp
- <Package Folder>/cache/####/6b344d221f5428cdb69fc7c87cb01c532f0298c42ac43fa28bc685947b695e45.0.tmp
- <Package Folder>/cache/####/9e526a2ef61dc36f4444aba0fe47f048fe9fd21001187ea2a13dcc970cb9ff2a.0.tmp
- <Package Folder>/cache/####/b7aefb70a467618c76829cee1ff2e8ba017c961e45ec8eb515dedca9e8799a00.0.tmp
- <Package Folder>/cache/####/c31c8641406461c3d6a1172e3b3bdbcb2c87559fb495439572c2081a723cf40a.0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/e336adc1b3f560a3c85718aca708daa08b45c683b7b1dc2eaaf652045596e0f0.0.tmp
- <Package Folder>/cache/####/e3a405223139f066bdd26b2021d23d558ac8fe9ed960b46e7ee3605ef989eb10.0.tmp
- <Package Folder>/cache/####/ef97a98b8cbd76a0c8d44b46f6676308f3ce4c38ea84f5ca39b542dd905df94d.0.tmp
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/code-3380500/eaZN-Jo8fmf76SG7
- <Package Folder>/databases/OfiQ0_vIjwXUT4KubullNZWgtzd4uskqGOI0dVof58k=_5aOdZ55yT6Zk_aPVSKOydA==
- <Package Folder>/databases/OfiQ0_vIjwXUT4KubullNZWgtzd4uskqGOI0dVof58k=_5aOdZ55yT6Zk_aPVSKOydA==-journal
- <Package Folder>/databases/OfiQ0_vIjwXUT4KubullNZWgtzd4uskqGOI0dVof58k=_obBDnh0iHzxDoat60Ex0vP-VtgQ=
- <Package Folder>/databases/OfiQ0_vIjwXUT4KubullNZWgtzd4uskqGOI0dVof58k=_obBDnh0iHzxDoat60Ex0vP-VtgQ=-journal
- <Package Folder>/databases/OfiQ0_vIjwXUT4KubullNZWgtzd4uskqGOI0dVof58k=_qauK2lMAu_7nPxXV
- <Package Folder>/databases/OfiQ0_vIjwXUT4KubullNZWgtzd4uskqGOI0dVof58k=_qauK2lMAu_7nPxXV-journal
- <Package Folder>/databases/OfiQ0_vIjwXUT4KubullNZWgtzd4uskqGOI0dVof58k=_u7oT7OcJsTCbql-kIXMNiw==
- <Package Folder>/databases/OfiQ0_vIjwXUT4KubullNZWgtzd4uskqGOI0dVof58k=_u7oT7OcJsTCbql-kIXMNiw==-journal
- <Package Folder>/databases/OfiQ0_vIjwXUT4KubullNZWgtzd4uskqGOI0dVof58k=_xDWv0IuIVac=-journal
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/download.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/-ZXnOs0M45IbyuhZ4-a0w-ohzlmHp064itVSQL_LZUs=.new
- <Package Folder>/files/####/0J-SY3benu8k49XQADK7mg==.new
- <Package Folder>/files/####/0Zt1HO8xJiapaMAhWTUR1w==
- <Package Folder>/files/####/0avvpGiTFfNa0ZEjVY_1EnZN2F8JkJFjOyvPt8fZeIc=.new
- <Package Folder>/files/####/30137377-a487-48d7-a5b9-f921e46a052b.pic
- <Package Folder>/files/####/4a516939-6318-4c96-b438-9e88f310140d.pic.temp
- <Package Folder>/files/####/94079821-46fb-483f-8e55-e6bbc97de253.pic
- <Package Folder>/files/####/9XAZYTpzJULtPWxRNF1EqwaJ54DuMV6p.new
- <Package Folder>/files/####/9b929ee0-beed-4363-ba28-73f4390ab437.pic.temp
- <Package Folder>/files/####/FvYMozgiIt3NCJgvIK4juHaGIi6roHnUQqKdOA==.new
- <Package Folder>/files/####/GsQUzF0MMUx9xtxgAWq-0f3fXs4=
- <Package Folder>/files/####/JoPR9lvO-2g-FuJ2HGCCqTSPeag=.new
- <Package Folder>/files/####/KT3p4nSBO_klI_VxbSBFA4vUge8uiRk5.new
- <Package Folder>/files/####/KxgXS_uTc3viMsVGNBeHUieq0o23UM4o.new
- <Package Folder>/files/####/QkbItIIc1-qQa235NbEXepR02WchqeRN.new
- <Package Folder>/files/####/SXve3GYxeZlmpWx5.zip
- <Package Folder>/files/####/Tc0lnfpxsQ8zqo8WxYB-zK1JINYqqVTY.new
- <Package Folder>/files/####/XcuFtSW8JdC0TYRUO7X8uGlaR8E=
- <Package Folder>/files/####/Xql68Z6BxihUMJ9BEZjGVPxAeVo=.new
- <Package Folder>/files/####/Z_oPcb79S7GJvF-sqdYBA5hEXsw=.new
- <Package Folder>/files/####/ab8b8d0c-d2f0-4f77-b3cc-4bb71ff00f35.pic.temp
- <Package Folder>/files/####/c92633f1-f963-43a4-8914-0d4933512bdd.pic.temp
- <Package Folder>/files/####/d3178b4a-dc97-4413-954a-8918cab63586.pic.temp
- <Package Folder>/files/####/db_r-GmICz-BCJCzRyR7VA==
- <Package Folder>/files/####/e2WJy-hd4FJFhfT9uIit1pMJ8835pEUhtUvd5Q==.new
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/f6a30031-c826-4e84-917f-3af52011b35b.pic.temp
- <Package Folder>/files/####/ihEYo-Li25NkHEhedZhQ3g==.new
- <Package Folder>/files/####/jxCTpQJYG6LeoBIkdO1O9uKk2ffodcqD.new
- <Package Folder>/files/####/mawlRkoO_I2IlhBLRHtStzzo0koDfPxfmWaQXh-gZpI=.new
- <Package Folder>/files/####/rkcYvwPtpfiKZ2QbVqB7AHEqAt9ud7YvIhxGu2FXQfg=.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/s5D1zXyvHw_Q5TS8
- <Package Folder>/files/####/sVLgHAMwHNkeO0RjhCENhwxzOlX9s_dH
- <Package Folder>/files/####/sVLgHAMwHNkeO0RjhCENhwxzOlX9s_dH.new
- <Package Folder>/files/####/sVLgHAMwHNkeO0RjhCENhwxzOlX9s_dH.old (deleted)
- <Package Folder>/files/####/txdcxq_f.zip
- <Package Folder>/files/####/ub2IcQCVquFDE_nr.new
- <Package Folder>/files/####/wroZczq92d6i5h9jHm8AYoTc91c=.new
- <Package Folder>/files/####/yG7u6H5vVcQY6KbqHDmFCAPC4DQ2Hkf2AdroUg==.new
- <Package Folder>/files/####/zN81XA7eakUhScITmyJbkYokeuy9YwDJ.new
- <Package Folder>/files/####/zZi9XJUbIYP8QTXJkdr9bA==
- <Package Folder>/files/####/zZi9XJUbIYP8QTXJkdr9bA==.new
- <Package Folder>/files/.imprint
- <Package Folder>/files/exid.dat
- <Package Folder>/files/patch.jar
- <Package Folder>/files/rdata_comandroidsupport
- <Package Folder>/files/rdata_comandroidsupport.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/share_data.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.armsd/####/36c048c2-ef85-4181-90c0-105528c976b6.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/5eddfe74-2181-4e20-ba89-dd39b8db58b0.res
- <SD-Card>/.armsd/####/71b5e1a7-a26b-4242-aa8d-0a60fc7397b8.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/b5e70e46-96bc-4f05-bada-ec4b02ad921a.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique
- <SD-Card>/.env/.uunique.new
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.yuan7.lovetalkingtomcat.bd/code-3380500/eaZN-Jo8fmf76SG7 -p com.yuan7.lovetalkingtomcat.bd -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/code-3380500/eaZN-Jo8fmf76SG7 -p <Package> -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
