Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Mixi.13.origin
- Android.Mixi.16.origin
- Android.Xiny.164.origin
- Android.Xiny.166.origin
- Android.Xiny.202.origin
- Android.Xiny.72.origin
- Android.Xiny.73.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Packed.24043
Предлагает установить сторонние приложения.
Скрывает свою иконку с экрана устройства.
Сетевая активность:
Подключается к:
- 2####.####.68:8288
- 4####.####.123
- 4####.####.126
- 4####.####.160
- 4####.####.161
- 4####.####.176
- 4####.####.188
- 4####.####.241
- 4####.####.251
- 4####.####.48
- 4####.####.75
- a####.####.com
- busi####.####.com
- co####.####.com
- d####.####.com
- g####.####.com
- g####.####.net
- koapk####.com
- koapk####.com:8081
- mmmmmm####.com
- n####.####.com
- okyes####.com
- okyes####.com:8081
- p####.####.com
- pl####.####.com
- r####.####.com
- s####.####.cn
- s####.####.com
- u####.####.com
Запросы HTTP GET:
- 4####.####.123/admin201506/uploadApkFile/rt/20161230/ym43.data
- 4####.####.126/admin201506/uploadApkFile/20170722/029100115.jpg
- 4####.####.160/admin201506/uploadApkFile/rt/20170617/N2029.data
- 4####.####.161/admin201506/uploadApkFile/rt/20170617/N2044.data
- 4####.####.176/admin201506/uploadApkFile/rt/20170617/N2048.data
- 4####.####.188/admin201506/uploadApkFile/20170719/504185804.apk
- 4####.####.241/admin201506/uploadApkFile/rt/20170113/gp41.data
- 4####.####.251/admin201506/uploadApkFile/20170719/122190031.png
- 4####.####.48/admin201506/uploadApkFile/rt/20170617/N2061.data
- 4####.####.75/admin201506/uploadApkFile/rt/20170113/p_dzsd45.data
- a####.####.com/index.php?r=####&al=####&l=####&p=####&hp=####&lc=####&sd...
- co####.####.com/adunion/slot/getDlAd?h=####&w=####&model=####&vendor=###...
- d####.####.com/M00/01/AC/CvJJDVloLSCAV4GUAAYnO4arg5g199.zip
- g####.####.com/cr/sv/getRltNew?eid=####&estatus=####&appkey=####&pid=###...
- g####.####.net/prod/upload/adunion/images/3a6/80_80_9b0d786b8da90da9.png
- n####.####.com/get?model=####&signmd5=####&op=####&vendor=####&locale=##...
- s####.####.cn/apks/icon/icon_01_1.png
- s####.####.com/rtf/6106c835e4d5906917109492ee4c4578.slze
- u####.####.com/setting/grobal_strategy?p=####&hp=####&l=####&c=####&prod...
Запросы HTTP POST:
- 2####.####.68:8288/logsp.do
- a####.####.com/detail/getPrStrategy?product=####&adid=####&appVer=####&d...
- busi####.####.com/business/request
- koapk####.com/sm/sr/sp/py
- koapk####.com:8081/sm/sr/rt/ry
- mmmmmm####.com/osp/oaen_reg.action
- okyes####.com/sdk/nsd.action?b=####&ci=####&ct=####&re=####&sd=####
- okyes####.com:8081/sdk/nsd.action?b=####
- p####.####.com/api/data?token=####&tk=####&sv=####
- pl####.####.com/ad_dex.php
- r####.####.com/orts/rpb?h=####&w=####&model=####&vendor=####&sdk=####&dp...
- s####.####.com/cgi-bin-py/ad_sdk.cgi?ty=####&enc=####&bt=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/002105f43f04c8e94e0c925bc4386a06.0.tmp
- /data/data/####/002105f43f04c8e94e0c925bc4386a06.1.tmp
- /data/data/####/02ba5b863735b0b70a903dc5bb863b7a.0.tmp
- /data/data/####/02ba5b863735b0b70a903dc5bb863b7a.1.tmp
- /data/data/####/1501850132839
- /data/data/####/1501850132839_log
- /data/data/####/1cfb8a8772b2a4c097386e6700ea23ae.0
- /data/data/####/1cfb8a8772b2a4c097386e6700ea23ae.1
- /data/data/####/1d608ec0dd21b7c38e783cb1cd8e6755.0.tmp
- /data/data/####/1d608ec0dd21b7c38e783cb1cd8e6755.1.tmp
- /data/data/####/3be26a99d06106770d1daa07c67770a7.0.tmp
- /data/data/####/3be26a99d06106770d1daa07c67770a7.1.tmp
- /data/data/####/3ecc611cf658958e5631b95006c1bb0b.0.tmp
- /data/data/####/3ecc611cf658958e5631b95006c1bb0b.1.tmp
- /data/data/####/40aa0a92bac5e80439d4f295c5909af9.0
- /data/data/####/498f45a54c71f16813804dfa8794492e.0
- /data/data/####/6ae2439c83b6d0d992cb0585691da88a.0.tmp
- /data/data/####/6ae2439c83b6d0d992cb0585691da88a.1.tmp
- /data/data/####/7a4623354c59a6ca924a3eb345d2eef9.0.tmp
- /data/data/####/7a4623354c59a6ca924a3eb345d2eef9.1
- /data/data/####/935a4974da7afbc14436e5b89daab029.0
- /data/data/####/935a4974da7afbc14436e5b89daab029.1
- /data/data/####/AdsBusiness-data.xml
- /data/data/####/AdsBusiness-data.xml.bak
- /data/data/####/AppWhiteList.xml
- /data/data/####/ChargingConfig.xml
- /data/data/####/DianxinDXB.xml
- /data/data/####/DuSwipeSharedPref.xml
- /data/data/####/DuSwipeSharedPref.xml.bak
- /data/data/####/FBAdPrefs.xml
- /data/data/####/RootRequestTimeRecord.xml
- /data/data/####/SDKIDFA.xml
- /data/data/####/SettingsConfig.xml
- /data/data/####/_duf_prefs.xml
- /data/data/####/_duf_prefs.xml.bak
- /data/data/####/_duscene_module_prefs.xml
- /data/data/####/_search_prefs.xml
- /data/data/####/_search_prefs.xml.bak
- /data/data/####/_toolbox_prefs.xml
- /data/data/####/_toolbox_prefs.xml.bak
- /data/data/####/adblib.db-journal
- /data/data/####/appPackageName.db
- /data/data/####/appPackageName.db-journal
- /data/data/####/app_actions.xml
- /data/data/####/app_lock_global_config.xml
- /data/data/####/app_lock_global_config.xml.bak
- /data/data/####/appsflyer-data.xml
- /data/data/####/appsflyer-data.xml.bak
- /data/data/####/appsflyer-data.xml.bak (deleted)
- /data/data/####/aps.xml
- /data/data/####/apsad.xml
- /data/data/####/apsad.xml.bak
- /data/data/####/apscomm.xml
- /data/data/####/apsol.xml
- /data/data/####/battery_global_configs_sp.xml
- /data/data/####/batterycurve.db-journal
- /data/data/####/cdc89d3d15d98074bae4cc426422f305.0
- /data/data/####/cdc89d3d15d98074bae4cc426422f305.1
- /data/data/####/charging_configs_sp.xml
- /data/data/####/charging_configs_sp.xml.bak
- /data/data/####/classes.zip
- /data/data/####/com.dianxinos.dxbs_preferences.xml
- /data/data/####/com.dianxinos.dxbs_shell_dlsdk_reflux_global.xml
- /data/data/####/com.dianxinos.dxbs_shell_scenerydispatcher_global.xml
- /data/data/####/com.dianxinos.dxbs_shell_scenerydispatcher_global.xml.bak
- /data/data/####/com.dianxinos.dxbs_shell_scenerydispatcher_private.xml
- /data/data/####/com.dianxinos.dxbs_shell_scenerydispatcher_private.xml.bak
- /data/data/####/com.dianxinos.dxbs_sp_file_grid.xml
- /data/data/####/com.dianxinos.dxbs_sp_file_grid.xml.bak
- /data/data/####/com.dianxinos.dxbs_sp_file_scenery_global.xml
- /data/data/####/com.dianxinos.dxbs_sp_file_scenery_global.xml.bak
- /data/data/####/com.dianxinos.dxbs_sp_file_scenery_private.xml
- /data/data/####/com.facebook.ads.FEATURE_CONFIG.xml
- /data/data/####/com.facebook.internal.preferences.APP_SETTINGS.xml
- /data/data/####/com.facebook.sdk.appEventPreferences.xml
- /data/data/####/com.facebook.sdk.attributionTracking.xml
- /data/data/####/d-journal
- /data/data/####/d.xml
- /data/data/####/df9ab5141a0edb03b35a25d508f7f0eb.0.tmp
- /data/data/####/df9ab5141a0edb03b35a25d508f7f0eb.1.tmp
- /data/data/####/dufamily_cache.db-journal
- /data/data/####/duresultcard_image.db-journal
- /data/data/####/duscene_mobula.db-journal
- /data/data/####/dx_chargings.db-journal
- /data/data/####/e9e72142f3117519189e8047e12b3e68.0
- /data/data/####/e9e72142f3117519189e8047e12b3e68.1
- /data/data/####/ec5d4bdf825e09b5a35580bd0b235d50.0
- /data/data/####/ec5d4bdf825e09b5a35580bd0b235d50.1
- /data/data/####/emergency.sp-journal
- /data/data/####/f3b8f14a15ac722f9f9a8e7db989d6ae.0.tmp
- /data/data/####/f3b8f14a15ac722f9f9a8e7db989d6ae.1.tmp
- /data/data/####/front_scene.xml
- /data/data/####/front_scene.xml.bak (deleted)
- /data/data/####/global_config.xml
- /data/data/####/global_config.xml.bak
- /data/data/####/google.db
- /data/data/####/h.xml
- /data/data/####/i-journal
- /data/data/####/i.xml
- /data/data/####/integral.db-journal
- /data/data/####/journal
- /data/data/####/journal (deleted)
- /data/data/####/journal.tmp
- /data/data/####/landing_page_data.xml
- /data/data/####/landing_page_data.xml.bak
- /data/data/####/lazy_global_config.xml
- /data/data/####/ls_sp_date.xml
- /data/data/####/ls_sp_date.xml.bak
- /data/data/####/mode_settings.xml
- /data/data/####/mode_settings.xml.bak
- /data/data/####/multidex.version.xml
- /data/data/####/notify_items.sp-journal
- /data/data/####/performace_monitor.xml
- /data/data/####/rrpolicy.xml
- /data/data/####/rrpolicy.xml.bak
- /data/data/####/rt.xml
- /data/data/####/scenery_app_info-journal
- /data/data/####/scenery_games_from_server.db-journal
- /data/data/####/scenery_games_name.db-journal
- /data/data/####/sdk_(unknown)_pref.xml
- /data/data/####/sdk_gmk_sp.xml
- /data/data/####/sdk_gmk_sp.xml.bak
- /data/data/####/sk
- /data/data/####/sk-journal
- /data/data/####/smart_settings.xml
- /data/data/####/sp_file_card_private.xml
- /data/data/####/time_strategy.xml
- /data/data/####/toolbox_ts.db-journal
- /data/data/####/utils.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromium.db-journal (deleted)
- /data/data/####/widget_config.xml
- /data/data/####/widget_config.xml.bak
- /data/data/####/z
- /data/data/####/z-journal
- <Package Folder>/app_DEX_OPT/03203352.dex
- <Package Folder>/app_DEX_OPT/04682450.dex
- <Package Folder>/app_DEX_OPT/0549053.dex
- <Package Folder>/app_DEX_OPT/06085922.dex
- <Package Folder>/app_DEX_OPT/09819608.dex
- <Package Folder>/app_DEX_OPT/09845338.dex
- <Package Folder>/app_DEX_OPT/12640779.dex
- <Package Folder>/app_DEX_OPT/17363149.dex
- <Package Folder>/app_DEX_OPT/18824363.dex
- <Package Folder>/app_DEX_OPT/32010554.dex
- <Package Folder>/app_DEX_OPT/34683587.dex
- <Package Folder>/app_DEX_OPT/43967325.dex
- <Package Folder>/app_DEX_OPT/48489951.dex
- <Package Folder>/app_DEX_OPT/52255848.dex
- <Package Folder>/app_DEX_OPT/53406729.dex
- <Package Folder>/app_DEX_OPT/55074875.dex
- <Package Folder>/app_DEX_OPT/61258459.dex
- <Package Folder>/app_DEX_OPT/64994290.dex
- <Package Folder>/app_DEX_OPT/68921616.dex
- <Package Folder>/app_DEX_OPT/74999783.dex
- <Package Folder>/app_DEX_OPT/78383755.dex
- <Package Folder>/app_DEX_OPT/84938612.dex
- <Package Folder>/app_DEX_OPT/91122196.dex
- <Package Folder>/app_DEX_OPT/93295917.dex
- <Package Folder>/app_DEX_OPT/93789511.dex
- <Package Folder>/app_DEX_OPT/98721390.dex
- <Package Folder>/com.init.env/####/debuggerd_hulu
- <Package Folder>/com.init.env/####/elfm
- <Package Folder>/com.init.env/####/elfm1501850068529.zip
- <Package Folder>/com.init.env/####/enable_gazq_radish
- <Package Folder>/com.init.env/####/forever.sh
- <Package Folder>/com.init.env/####/install-recovery.sh
- <Package Folder>/com.init.env/####/kcol_ysy
- <Package Folder>/com.init.env/####/rc_qgza_hd
- <Package Folder>/com.init.env/####/supolicy
- <Package Folder>/com.init.env/####/toolbox
- <Package Folder>/com.init.env/####/toolbox1501850068667.zip
- <Package Folder>/databases/bdownloaders.db-journal
- <Package Folder>/databases/rtr.db
- <Package Folder>/databases/rtr.db-journal
- <Package Folder>/databases/swith1014.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/03203352.apk
- <Package Folder>/files/####/04682450.apk
- <Package Folder>/files/####/0549053.apk
- <Package Folder>/files/####/06085922.apk
- <Package Folder>/files/####/09819608.apk
- <Package Folder>/files/####/09845338.apk
- <Package Folder>/files/####/12640779.apk
- <Package Folder>/files/####/17363149.apk
- <Package Folder>/files/####/18824363.apk
- <Package Folder>/files/####/32010554.apk
- <Package Folder>/files/####/34683587.apk
- <Package Folder>/files/####/43967325.apk
- <Package Folder>/files/####/48489951.apk
- <Package Folder>/files/####/52255848.apk
- <Package Folder>/files/####/53406729.apk
- <Package Folder>/files/####/55074875.apk
- <Package Folder>/files/####/61258459.apk
- <Package Folder>/files/####/64994290.apk
- <Package Folder>/files/####/68921616.apk
- <Package Folder>/files/####/74999783.apk
- <Package Folder>/files/####/78383755.apk
- <Package Folder>/files/####/84938612.apk
- <Package Folder>/files/####/91122196.apk
- <Package Folder>/files/####/93295917.apk
- <Package Folder>/files/####/93789511.apk
- <Package Folder>/files/####/98721390.apk
- <Package Folder>/files/####/N2023.data
- <Package Folder>/files/####/N2025.data
- <Package Folder>/files/####/N2026.data
- <Package Folder>/files/####/N2029.data
- <Package Folder>/files/####/N2030.data
- <Package Folder>/files/####/N2031.data
- <Package Folder>/files/####/N2040.data
- <Package Folder>/files/####/N2043.data
- <Package Folder>/files/####/N2044.data
- <Package Folder>/files/####/N2045.data
- <Package Folder>/files/####/N2046.data
- <Package Folder>/files/####/N2048.data
- <Package Folder>/files/####/N2050.data
- <Package Folder>/files/####/N2051.data
- <Package Folder>/files/####/N2058.data
- <Package Folder>/files/####/N2061.data
- <Package Folder>/files/####/dz_p866.data
- <Package Folder>/files/####/dz_p868.data
- <Package Folder>/files/####/env201707261650.data
- <Package Folder>/files/####/gp41.data
- <Package Folder>/files/####/p_dzpg48.data
- <Package Folder>/files/####/p_dzsd45.data
- <Package Folder>/files/####/p_dzwk44.data
- <Package Folder>/files/####/rs23.data
- <Package Folder>/files/####/rs40.data
- <Package Folder>/files/####/ym43.data
- <Package Folder>/files/201708052050.apk
- <Package Folder>/files/c201708052050.apk
- <Package Folder>/p.dz866/####/ODY2ZXhl
- <Package Folder>/p.dz866/####/ODY2ZXhl1501850090045.zip
- <Package Folder>/p.dz866/####/error
- <Package Folder>/p.dz868/####/ODY4X2V4
- <Package Folder>/p.dz868/####/ODY4X2V41501850108558.zip
- <Package Folder>/p.dz868/####/error
- <Package Folder>/p.dzpg48/####/ZDExMDN6
- <Package Folder>/p.dzpg48/####/ZDExMDN61501850072301.zip
- <Package Folder>/p.dzpg48/####/ZGV4ZXoy
- <Package Folder>/p.dzpg48/####/ZGV4ZXoy1501850071336.zip
- <Package Folder>/p.dzpg48/####/error
- <Package Folder>/p.dzsd45/####/ZVhWdGFXVXpNZz09
- <Package Folder>/p.dzsd45/####/ZVhWdGFXVXpNZz091501850132094.zip
- <Package Folder>/p.dzsd45/####/error
- <Package Folder>/p.dzwk44/####/ZDJsdWEyeGxNekk9
- <Package Folder>/p.dzwk44/####/ZDJsdWEyeGxNekk91501850122037.zip
- <Package Folder>/p.dzwk44/####/error
- <Package Folder>/p.gp41/####/.md
- <Package Folder>/p.gp41/####/1501850145740.jar
- <Package Folder>/p.gp41/####/2A63DF2C983CE370A9205B913A7F4B45
- <Package Folder>/p.gp41/####/408.jar
- <Package Folder>/p.gp41/####/421.jar
- <Package Folder>/p.gp41/####/610.jar
- <Package Folder>/p.gp41/####/617.jar
- <Package Folder>/p.gp41/####/834C8EAFCA3DB238A4EF547DDC644C6B
- <Package Folder>/p.gp41/####/B11C222F5B18FADD2FFA4C70E35F4AC8
- <Package Folder>/p.gp41/####/E8EE0B0E8C98EFCC1566F520B5CF12B0
- <Package Folder>/p.gp41/####/forever.sh
- <Package Folder>/p.gp41/####/gpdu
- <Package Folder>/p.gp41/####/p.gp41_preferences.xml
- <Package Folder>/p.gp41/####/test
- <Package Folder>/p.rl23/####/forever.sh
- <Package Folder>/p.sr40/####/cnVuc2hlbGwy
- <Package Folder>/p.sr40/####/cnVuc2hlbGwy1501850069239.zip
- <Package Folder>/p.sr40/####/forever.sh
- <Package Folder>/p.ym43/####/Wlhod1gzbDFiVjh5
- <Package Folder>/p.ym43/####/Wlhod1gzbDFiVjh51501850082077.zip
- <Package Folder>/p.ym43/####/forever.sh
- <Package Folder>/shared_prefs/20160121.xml
- <Package Folder>/shared_prefs/20160121.xml.bak
- <Package Folder>/shared_prefs/Q2hhbm5lbElES2V5MjAxNjEyMjcxODU3.xml
- <Package Folder>/shared_prefs/QURfUk9PVF9TREtfMjAxNzAyMDgxMA.xml
- <Package Folder>/shared_prefs/ae.xml
- <SD-Card>/.androidsystem/####/files.db
- <SD-Card>/.androidsystem/####/syncfiles.db
- <SD-Card>/.userReturn
- <SD-Card>/APPMarket/####/029100115.jpg.tmp
- <SD-Card>/APPMarket/####/122190031.png.tmp
- <SD-Card>/APPMarket/####/5202496.apk
- <SD-Card>/baidu/####/journal.tmp
- <SD-Card>/baidu/.cuid
- <SD-Card>/dianxin/####/5ef15ce1aa4b07b83d042dd4320bd639.0
- <SD-Card>/dianxin/####/journal
- <SD-Card>/dianxin/####/journal.tmp
- <SD-Card>/test1501850067868
Другие:
Запускает следующие shell-скрипты:
- .kugua
- .kugua -c id
- /system/bin/cat /proc/meminfo
- /system/bin/cat /sys/block/mmcblk0/device/cid
- /system/bin/cat /sys/block/mmcblk1/device/cid
- /system/bin/cat /sys/block/mmcblk2/device/cid
- /system/bin/cat /sys/block/mmcblk3/device/cid
- <error:2>
- app_process /system/bin com.android.commands.pm.Pm path com.dianxinos.dxbs
- c201708052050.apk -p <Package> -c <Package>:a
- chmod 0755 <Package Folder>/com.init.env
- chmod 0777 <Package Folder>/com.init.env/files/elfm
- chmod 0777 <Package Folder>/com.init.env/files/forever.sh
- chmod 0777 <Package Folder>/com.init.env/files/toolbox
- chmod 0777 <Package Folder>/p.dz866/files/ODY2ZXhl
- chmod 0777 <Package Folder>/p.dz866/files/ZGV4ZXoy
- chmod 0777 <Package Folder>/p.dz866/files/error
- chmod 0777 <Package Folder>/p.dz868/files/ODY4X2V4
- chmod 0777 <Package Folder>/p.dz868/files/ZGV4ZXoy
- chmod 0777 <Package Folder>/p.dz868/files/error
- chmod 0777 <Package Folder>/p.dzpg48/files/ZDExMDN6
- chmod 0777 <Package Folder>/p.dzpg48/files/ZGV4ZXoy
- chmod 0777 <Package Folder>/p.dzpg48/files/error
- chmod 0777 <Package Folder>/p.dzsd45/files/ZGV4ZXoy
- chmod 0777 <Package Folder>/p.dzwk44/files/ZDJsdWEyeGxNekk9
- chmod 0777 <Package Folder>/p.dzwk44/files/ZGV4ZXoy
- chmod 0777 <Package Folder>/p.dzwk44/files/error
- chmod 0777 <Package Folder>/p.rl23/files/cnVuc2hlbGwy
- chmod 0777 <Package Folder>/p.rl23/files/forever.sh
- chmod 0777 <Package Folder>/p.sr40/files/cnVuc2hlbGwy
- chmod 0777 <Package Folder>/p.sr40/files/forever.sh
- chmod 0777 <Package Folder>/p.ym43/files/Wlhod1gzbDFiVjh5
- chmod 0777 <Package Folder>/p.ym43/files/forever.sh
- chmod 6777 <Package Folder>/files/c201708052050.apk
- logcat -d -v time
- ls -l /system/bin/su
- ps
- rc_qgza_hd
- rc_qgza_hd -c id
- sh
Загружает динамические библиотеки:
- libjni-aaa
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о зарегистрированных на устройстве аккаунтах (Google, Facebook и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
