Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.MobiDash.2.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- 1####.####.86
- 1####.####.86:8090
- a####.####.com
- a####.####.net
- disco####.com
- ip####.com
- kee####.com
- reso####.####.com
Запросы HTTP GET:
- 1####.####.86/api?url=####
- 1####.####.86:8090/api?url=####
- a####.####.net/api/v2/template/get?slot_id=####&update_time=####
- disco####.com/
- ip####.com/json
- kee####.com/mobilePlatform/kvMobileApi.php?type=####&lasttime=####×...
- reso####.####.com/002/193/KeepVidUpdate.xml
Запросы HTTP POST:
- a####.####.com/amdc/mobileDispatch?appkey=####&platform=####&v=####&devi...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_app_apk/studio.dat.jar
- <Package Folder>/cache/####/028ec25858f2df25fbcdd87fa15bf48c16822c781255e127f6c5f2603b973051.0.tmp
- <Package Folder>/cache/####/0813e2b3aec0934bf2a16942335502997acbd04a0faa33c1d6b871aa0eb8eb22.0.tmp
- <Package Folder>/cache/####/114d78fd0b5f10b54cee6b1a79b24d8e32f6ddb146d53a916544355bda4fd748.0.tmp
- <Package Folder>/cache/####/2003e92b4d707b50df6cdaa9184624348c51a7bca25ffa876410f5d27931e76a.0.tmp
- <Package Folder>/cache/####/44025ac0fb6bc92b4dab05351677b603357ca9b344f4c61e23e245948c3b8550.0.tmp
- <Package Folder>/cache/####/4ed837213eb99fd6536d7745cbddb4ab7b34049cf627e99a87c634c3c6bc6fd9.0.tmp
- <Package Folder>/cache/####/71ab0cd5191add92f0437cca405b7378989e54617d666ded9fbab42adbd324a3.0.tmp
- <Package Folder>/cache/####/72e9a9d58b293a597cbd912bc6dc41093f39dd84b262777f26d0a7d3667e16f8.0.tmp
- <Package Folder>/cache/####/86756609844dc259e70b240f0a3a3d568cf311a9844a03e53ddac35db0925786.0.tmp
- <Package Folder>/cache/####/c4539230aef5a50258e187c14c81b861e2cfbd161e401011e2c675aecd1f8aca.0.tmp
- <Package Folder>/cache/####/cb8a7e3ee228b6ab887fde72efc70c69aa45c564b6361f7688ca55d17ac756f8.0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/ec47eac434b181147838090a223fb524abb1a8346bdcd4873d7b4c1cf703b832.0.tmp
- <Package Folder>/cache/####/f5277e2b9e8efe10c28df5df63ca991aeb95625038b1fa8d92439905906d250d.0.tmp
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/f_000021
- <Package Folder>/cache/####/f_000022
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/code_cache/####/MultiDex.lock
- <Package Folder>/code_cache/####/tmp-<Package>-1.apk.classes-665575817.zip
- <Package Folder>/code_cache/####/tmp-<Package>-1.apk.classes-669247106.zip
- <Package Folder>/databases/MessageStore.db-journal
- <Package Folder>/databases/MsgLogStore.db-journal
- <Package Folder>/databases/accs.db-journal
- <Package Folder>/databases/filedownloader.db-journal
- <Package Folder>/databases/jsinfo_db-journal
- <Package Folder>/databases/keepvid_task.db-journal
- <Package Folder>/databases/message_accs_db
- <Package Folder>/databases/message_accs_db-journal
- <Package Folder>/databases/subscribe_db-journal
- <Package Folder>/databases/video_detail-db-journal
- <Package Folder>/databases/website_db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal (deleted)
- <Package Folder>/files/####/.old_file_converted
- <Package Folder>/files/####/1501849931131_2096
- <Package Folder>/files/####/1501849931246_2096
- <Package Folder>/files/####/1501849931505_2150
- <Package Folder>/files/####/1501849931740_2150
- <Package Folder>/files/####/1501849931801_2150
- <Package Folder>/files/####/1501849932035_2150
- <Package Folder>/files/####/1501849932056_2096
- <Package Folder>/files/####/1501849934067_2096
- <Package Folder>/files/####/1501849941737_2340
- <Package Folder>/files/.YFlurrySenderIndex.info.AnalyticsData_YSGSFC7XM754KF2RJTCP_236
- <Package Folder>/files/.YFlurrySenderIndex.info.AnalyticsMain
- <Package Folder>/files/.yflurrydatasenderblock.3335b0ef-7ba6-495c-916c-64aa18386966
- <Package Folder>/files/.yflurryprotonconfig.-3768be767e86c03c
- <Package Folder>/files/.yflurryprotonreport.-3768be767e86c03c
- <Package Folder>/files/.yflurryreport.-3768be767e86c03c
- <Package Folder>/files/DCCsTpLcf
- <Package Folder>/files/DaemonServer
- <Package Folder>/files/agoo.pid
- <Package Folder>/files/bin.-1349825747
- <Package Folder>/files/bin.-1371072743
- <Package Folder>/files/bin.-2125514117
- <Package Folder>/files/bin.1146890913
- <Package Folder>/files/bin.1506139745
- <Package Folder>/files/bin.1634542245
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/ACCS_LOAD_SO.xml
- <Package Folder>/shared_prefs/ACCS_SDK.xml
- <Package Folder>/shared_prefs/ACCS_SDK_CHANNEL.xml
- <Package Folder>/shared_prefs/Agoo_AppStore.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/FLURRY_SHARED_PREFERENCES.xml
- <Package Folder>/shared_prefs/SP_NEW_DATA.xml
- <Package Folder>/shared_prefs/TDCloudSettingsConfigD23AE145D86644C0B41983B575F05475.xml
- <Package Folder>/shared_prefs/TDCloudSettingsConfigD23AE145D86644C0B41983B575F05475.xml.bak
- <Package Folder>/shared_prefs/TD_app_pefercen_profile.xml
- <Package Folder>/shared_prefs/TD_app_pefercen_profile.xml (deleted)
- <Package Folder>/shared_prefs/TD_app_pefercen_profile.xml.bak
- <Package Folder>/shared_prefs/TD_push_pref_file.xml
- <Package Folder>/shared_prefs/TDpref_longtime.xml
- <Package Folder>/shared_prefs/TDpref_longtime.xml (deleted)
- <Package Folder>/shared_prefs/TDpref_longtime0.xml
- <Package Folder>/shared_prefs/TDpref_longtime0.xml.bak
- <Package Folder>/shared_prefs/TDpref_shorttime.xml
- <Package Folder>/shared_prefs/TDpref_shorttime0.xml
- <Package Folder>/shared_prefs/TOKEN.xml
- <Package Folder>/shared_prefs/TOKEN.xml.bak
- <Package Folder>/shared_prefs/_has_set_default_values.xml
- <Package Folder>/shared_prefs/app_config.xml
- <Package Folder>/shared_prefs/com.wondershare.update.manager.xml
- <Package Folder>/shared_prefs/ct_default.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/talkingdata_app_default_push_preferences.xml
- <Package Folder>/shared_prefs/tdid.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.DataStorage/ContextData.xml.bak
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.tcookieid
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/4034526f98ea476e985c4cc51154b6f4
- <SD-Card>/Android/####/42a43596a73b482ea08e3e7632d08138
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D %7B%22package%22%3A%22<Package>%22%2C%22appKey%22%3A%22umeng%3A594095baaed1794f85002251%22%2C%22utdid%22%3A%22WYRpSyyjFOYDAGdzx1ExJfb%2B%22%2C%22sdkVersion%22%3A%22220%22%7D -I agoodm.m.taobao.com -O 80 -T -Z
- chmod 500 <Package Folder>/files/DaemonServer
- getprop
- sh
Загружает динамические библиотеки:
- DCCsTpLcf
- tnet-3.1
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- DES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- DES-CBC-PKCS5Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
