Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Mixi.16.origin
- Android.Mixi.21.origin
- Android.Triada.247.origin
- Android.Triada.248.origin
- Android.Triada.308.origin
Предлагает установить сторонние приложения.
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- 0####.####.com
- 1####.####.197
- 1####.####.21
- 6####.####.140
- a####.####.com
- b####.####.com
- c####.####.com
- c####.####.net
- e####.####.com
- f####.####.com
- g####.####.com
- i####.####.com
- image####.####.com
- l####.####.com
- m####.####.com
- m####.####.com:81
- n####.####.com:10091
- p####.####.com
- pass####.####.com
- s####.####.com
- t####.####.com
- tou####.####.com
- tr####.####.com
- w####.####.cn
- w####.####.com
- x####.####.com
- z####.####.com
Запросы HTTP GET:
- 0####.####.com/mobile/20170805/20170805144634_962968dec2f643ea0dd2a4490a...
- 6####.####.140/ando/i/mon?k=####&d=####
- b####.####.com/eye.php?t=####&actionid=####&attach=####&time=####&exp_li...
- c####.####.com/cm.gif?dspid=####
- c####.####.com/cpro/ui/noexpire/img/2.0.1/custmLogo1.png
- c####.####.com/du?&baidu_user_id=####&cookie_version=####×tamp=####...
- c####.####.com/pixel?dspid=####
- c####.####.com/sync.htm?cproid=####
- c####.####.net/pixel?google_nid=####&google_cm=####&google_tc=####
- e####.####.com/public03/imageplus/m/title_img_only/pa_lu_moreclkzone.app...
- f####.####.com/it/u=643825451,3656971138&fm=76
- g####.####.com/cr/sv/crn?m5=####&nm=####
- g####.####.com/cr/sv/getRecord?eids=####&appKey=####&flag=####
- i####.####.com/ando-res/ads/0/9/837ec120-ccf8-4ad0-b6fd-1303ff645eca/773...
- i####.####.com/app/a/200630/2f667e8bad04ed002890354b6daad796
- image####.####.com/imgs/showcase-1.jpg
- m####.####.com/mobile/20170807/20170807040754_f242a2e0bc994951d9d44008e0...
- p####.####.com/s?hei=####&wid=####&di=####<u=####&pss=####&drs=####&pa...
- pass####.####.com/member/avatar/5327/15978549_big.jpg
- s####.####.com/cr/sdk/170417/goplaysdk_statistics_all_1704171.dat
- s####.####.com/s.htm?cproid=####&t=####
- t####.####.com/cm.gif?ver=####&mid=####&uid=####
- t####.####.com/dhbfebfhveheuugbfhnqu.js
- t####.####.com/wap/js/anticheat-min.js
- tou####.####.com/?qid=####
- w####.####.cn/mmhead/dibCvqHg4WncDgdGyXH6qqEdNoH3iawsaIslhsPmGBtnXFWCib5...
- w####.####.com/adx.php?c=####
- x####.####.com/ask?id=####&cb=####&ssi0=####&wsg=####&_v=####
- z####.####.com/img/20151208/193240/closeimg_20151208193240.png
Запросы HTTP POST:
- 1####.####.197/main/content/upd.php
- 1####.####.21/main/form/rg.php
- a####.####.com/app_logs
- l####.####.com/sdk.php
- m####.####.com/hladserver/api/3
- m####.####.com:81/hladserver/api/1
- n####.####.com:10091/opaService/link
- tr####.####.com/update.xxdd
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.shell_ass/####/libopalink.so_32
- <Package Folder>/.shell_ass/####/libopalink.so_64
- <Package Folder>/.shell_ass/libopalink.so
- <Package Folder>/.shell_ass/opa_link.jar
- <Package Folder>/.shell_ass/stupid
- <Package Folder>/.shell_ass/stupid.zip
- <Package Folder>/app_baidu/xpodg
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/f_000021
- <Package Folder>/cache/####/f_000022
- <Package Folder>/cache/####/f_000023
- <Package Folder>/cache/####/f_000024
- <Package Folder>/cache/####/f_000025
- <Package Folder>/cache/####/f_000026
- <Package Folder>/cache/####/f_000027
- <Package Folder>/cache/####/f_000028
- <Package Folder>/cache/####/f_000029
- <Package Folder>/cache/####/f_00002a
- <Package Folder>/cache/####/f_00002b
- <Package Folder>/cache/####/f_00002c
- <Package Folder>/cache/####/f_00002d
- <Package Folder>/cache/####/f_00002e
- <Package Folder>/cache/####/f_00002f
- <Package Folder>/cache/####/f_000030
- <Package Folder>/cache/####/f_000031
- <Package Folder>/cache/####/f_000032
- <Package Folder>/cache/####/f_000033
- <Package Folder>/cache/####/f_000034
- <Package Folder>/cache/####/f_000035
- <Package Folder>/cache/####/f_000036
- <Package Folder>/cache/####/f_000037
- <Package Folder>/cache/####/f_000038
- <Package Folder>/cache/####/f_000039
- <Package Folder>/cache/####/f_00003a
- <Package Folder>/cache/####/f_00003b
- <Package Folder>/cache/####/f_00003c
- <Package Folder>/cache/####/f_00003d
- <Package Folder>/cache/####/f_00003e
- <Package Folder>/cache/####/f_00003f
- <Package Folder>/cache/####/f_000040
- <Package Folder>/cache/####/f_000041
- <Package Folder>/cache/####/f_000042
- <Package Folder>/cache/####/f_000043
- <Package Folder>/cache/####/f_000044
- <Package Folder>/cache/####/f_000045
- <Package Folder>/cache/####/f_000046
- <Package Folder>/cache/####/f_000047
- <Package Folder>/cache/####/f_000048
- <Package Folder>/cache/####/f_000049
- <Package Folder>/cache/####/f_00004a
- <Package Folder>/cache/####/f_00004b
- <Package Folder>/cache/####/f_00004c
- <Package Folder>/cache/####/f_00004d
- <Package Folder>/cache/####/f_00004e
- <Package Folder>/cache/####/f_00004f
- <Package Folder>/cache/####/f_000050
- <Package Folder>/cache/####/f_000051
- <Package Folder>/cache/####/f_000052
- <Package Folder>/cache/####/f_000053
- <Package Folder>/cache/####/index
- <Package Folder>/code-8672385/sAFOqKqQPw7r4VQX
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW__0JciGAhucG7itJ4-MhUcR9Qeto=
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW__0JciGAhucG7itJ4-MhUcR9Qeto=-journal
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_gjADvICN86M=-journal
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_mAGODyoC6-muhCvvHQZfdQ==
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_mAGODyoC6-muhCvvHQZfdQ==-journal
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_pD34mu1Tl1iXxxeBmA_UpA==
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_pD34mu1Tl1iXxxeBmA_UpA==-journal
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_x-hgf5rn6iuV7ySL
- <Package Folder>/databases/lvdKSJO0saNXnoBb-iu6EGeK9BO9BTFW_x-hgf5rn6iuV7ySL-journal
- <Package Folder>/databases/vastpaydb
- <Package Folder>/databases/vastpaydb-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/-VtemiOkZjnYoHePaofurU7oZS4293_zxt2lg8U3bw0=.new
- <Package Folder>/files/####/0As_3p7iY99nXELsIKfIt5pWFMU=
- <Package Folder>/files/####/0RrYTpAhc-3sRKH6qaM35kVBvFM=.new
- <Package Folder>/files/####/1db5ebef-02ab-457c-ae84-69a6a62a3ff4.pic.temp
- <Package Folder>/files/####/1nxc0Qe-yGVQ3MtQ3vMNuEKAXnDmEzI7oBowog==.new
- <Package Folder>/files/####/35f78846-4c6c-485e-9f3f-5d5ccdb37d97.pic
- <Package Folder>/files/####/3sR2d4Ss3gP3-sm6zwWSGIVKcroTi1IXypKEsA==.new
- <Package Folder>/files/####/5topline2<System Property>46
- <Package Folder>/files/####/6e660db8-0061-4261-9780-2b7e6bacda03.pic.temp
- <Package Folder>/files/####/7e2f11ae-8c23-4c5e-a639-5ab5359a1ce1.pic.temp
- <Package Folder>/files/####/88456215-0b00-4523-9473-fa8f654641b8.pic.temp
- <Package Folder>/files/####/89951211-b1af-4317-897e-d374b338c93d.pic.temp
- <Package Folder>/files/####/9OfcBKqjVN_imyZOMWvahw==
- <Package Folder>/files/####/9OfcBKqjVN_imyZOMWvahw==.new
- <Package Folder>/files/####/<Package>12<System Property>2
- <Package Folder>/files/####/AwvrUn9758eYWugmiquQzA==.new
- <Package Folder>/files/####/By6Ob_lrGKVgo1wyBsxiNg==
- <Package Folder>/files/####/D9z933wPvC1dUe6FQG49XqARpCUMx06s.new
- <Package Folder>/files/####/FP6ULURJ9IAK-LxzY-FeyRG0H2UrqLPE.new
- <Package Folder>/files/####/PJ_Tznq7MbPLqBYc7g_TSWhMgvZSsRAt.new
- <Package Folder>/files/####/RAR_Ey_C59nYJQkpo7SlNelIrCc=.new
- <Package Folder>/files/####/TgdkmLB7zaJ_osx3bqGgbQHQVokL7QMK.new
- <Package Folder>/files/####/Z4f68PXJ9MK4LSMu0N6uB04F4c0=.new
- <Package Folder>/files/####/aacf7cc5-41e1-42f5-b34b-1a7fd9e6958a.pic.temp
- <Package Folder>/files/####/boE4qYyFlpiYNEAIhsDBQ4y_xDM=.new
- <Package Folder>/files/####/d2akSdnoxAF_lR6-D5e86zl0s3wogsur.new
- <Package Folder>/files/####/e626e41c-a7d1-425a-ab22-053072dcdab5.pic
- <Package Folder>/files/####/fY7iVKAAlsSwKtNhjoZ_flDRmbNAT_ZRvKYfH7qUg8w=.new
- <Package Folder>/files/####/gJzutbJQrNqVAtSh6uApmlmhhMebd6fj
- <Package Folder>/files/####/gJzutbJQrNqVAtSh6uApmlmhhMebd6fj.new
- <Package Folder>/files/####/gJzutbJQrNqVAtSh6uApmlmhhMebd6fj.old (deleted)
- <Package Folder>/files/####/grfua_f.zip
- <Package Folder>/files/####/hydLj8eufs4I3XAhx5HOjJcLzRU=
- <Package Folder>/files/####/hzq6UOHE3CsdhmayGhdRd1RrNFrYRZzl.new
- <Package Folder>/files/####/i9f1earUnIvr07E7TEfb4g==
- <Package Folder>/files/####/kmIIaPTHo54OZSjG.zip
- <Package Folder>/files/####/ntmp20782116
- <Package Folder>/files/####/pAvi9H-w9_eAKgzKpCXB-tBnWB7dG-BsoQzxzG_i8n4=.new
- <Package Folder>/files/####/qoJIFT2_TXBO6Qx8G_dLDw==
- <Package Folder>/files/####/qoJIFT2_TXBO6Qx8G_dLDw==.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/uuU8FbOmXKuQkLLXcRoFEBfapUbjEPm1.new
- <Package Folder>/files/####/v05p8ioE2gJZGBGS
- <Package Folder>/files/####/wEz7hafl3V8aX23lW0BL_6o-vrm0_CNVO2P1xvrPD4A=.new
- <Package Folder>/files/####/y7OhqIUxOhmkC53E.new
- <Package Folder>/files/####/zhsysgdi.jar
- <Package Folder>/files/####/zjLt-x0NTsleMdcc4hdiEtliOZGKAFscB-T_9Q==.new
- <Package Folder>/files/.imprint
- <Package Folder>/files/1501850197902_dyV17041701Dj1so32.so
- <Package Folder>/files/<System Property>112.jar
- <Package Folder>/files/adeyimrg.so
- <Package Folder>/files/analys.conf
- <Package Folder>/files/borr.png
- <Package Folder>/files/hftJcw46N.jar
- <Package Folder>/files/rdata_comdkljeoik.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/WebViewSettings.xml
- <Package Folder>/shared_prefs/agchk.xml
- <Package Folder>/shared_prefs/cuf_config.xml
- <Package Folder>/shared_prefs/hlcsdpf.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.android/68654815
- <SD-Card>/.android/68654815 (deleted)
- <SD-Card>/.android/cf290316074c9690ad84ee4cec6d099e.apk.tmp
- <SD-Card>/.android/close.png
- <SD-Card>/.android/dev.txt
- <SD-Card>/.android/fatpot.png
- <SD-Card>/.android/sign.info
- <SD-Card>/.android/thinpot.png
- <SD-Card>/.armsd/####/1ae3c705-bab6-4090-945f-e955866e0aab.res
- <SD-Card>/.armsd/####/4003c1d2-5786-4f6e-b3ca-a467a7b80e83.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/699a90dc-0813-4162-8bc7-5bcf7b49f149.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.mkcong
- <SD-Card>/6251d7c7539bc49d4dbccd26778ee74b.jar
- <SD-Card>/<Package>/analys.conf
- <SD-Card>/Android/####/.nomedia
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- <Package Folder>/app_baidu/xpodg -p <Package> -r am start --user 0 -n <Package>/ycim.nkbl -a ycim.nkbl -i 2078
- <Package Folder>/app_baidu/xpodg -p <Package> -r am start --user 0 -n <Package>/ycim.nkbl -a ycim.nkbl -i 2118
- <Package Folder>/code-8672385/sAFOqKqQPw7r4VQX -p <Package> -c com.dklj.eoik.affauq.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h b3fbec2cab4f4135b34222f3af122d95 <Package Folder>/.syslib-
- cat /proc/version
- cat /sys/class/net/wlan0/address
- chmod 0771 <Package Folder>/.syslib-
- chmod 777 <Package Folder>/app_baidu/xpodg
- getenforce
- getprop
- getprop ro.board.platform
- getprop ro.product.cpu.abi
- rm -f <Package Folder>/files/hftJcw46N.dex
- rm -f <Package Folder>/files/hftJcw46N.jar
- rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- rm <Package Folder>/files/hftJcw46N.dex
- rm <Package Folder>/files/hftJcw46N.jar
- rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh <Package Folder>/app_baidu/xpodg -p <Package> -r am start --user 0 -n <Package>/ycim.nkbl -a ycim.nkbl -i 2078
- sh <Package Folder>/app_baidu/xpodg -p <Package> -r am start --user 0 -n <Package>/ycim.nkbl -a ycim.nkbl -i 2118
- sh <Package Folder>/code-8672385/sAFOqKqQPw7r4VQX -p <Package> -c com.dklj.eoik.affauq.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h b3fbec2cab4f4135b34222f3af122d95 <Package Folder>/.syslib-
Загружает динамические библиотеки:
- 1501850197902_dyV17041701Dj1so32
- adeyimrg
- libopalink
Использует следующие алгоритмы для шифрования данных:
- DES
- DES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CFB-NoPadding
- DES
- DES-CBC-PKCS5Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Осуществляет доступ к информации о зарегистрированных на устройстве аккаунтах (Google, Facebook и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
Осуществляет доступ к информации о входящих/исходящих звонках.
Осуществляет доступ к информации об отправленых/принятых смс.
