Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- 1####.####.1
- 1####.####.190:8088
- 1####.####.1:8088
- 1####.####.88
- 1####.####.88:8999
- 6####.####.140
- i####.####.com
- l####.####.com
- res####.####.com
Запросы HTTP GET:
- 1####.####.190:8088/sdkserver/adData/adInfo/sdk/1501432303194.jar
- 1####.####.88/catServer/upload/images/7ea313bd-5866-4f2f-8ce8-4dad537bfe...
- 6####.####.140/ando/i/mon?k=####&d=####
- i####.####.com/ando-res/ads/17/15/a0d3adf1-91bd-4db8-81f7-aca0763513e2/d...
- res####.####.com/v3/ip?key=####
Запросы HTTP POST:
- 1####.####.1/sdkserver/v2/serviceConfig
- 1####.####.1:8088/sdkserver/v2/addSdk
- 1####.####.88:8999/catServer/recommend!status.action
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/006626e5fef7eab79d3eb5330478503f0b74930401892a5a0f5349a94409a089.0.tmp
- <Package Folder>/cache/####/0c91194d902dd32999680e09e0e9958f9405b5026cd3d950762ea966f14ae8fb.0.tmp
- <Package Folder>/cache/####/22ca5c17ceba470a8656ac3bfc481da65fd4c5a99b6c67e0d5eebe77d45b3b50.0.tmp
- <Package Folder>/cache/####/240c72cb7834d86c0ed539a3ed825d578c2df6531716f4e3fe49dec5646d5aaa.0.tmp
- <Package Folder>/cache/####/2b4ccea4317afb6885d5ca1b02a45f1685c1fd9c7f72af8cd78a34401eaff881.0.tmp
- <Package Folder>/cache/####/2d24bc4a04b2760f28ab120495ef5de1572a2532020594b375597c35daef6d36.0.tmp
- <Package Folder>/cache/####/3cf4628c5fa0e26bd74ec6c20380cb2237c00bf1279f9f0bfb488667974284fa.0.tmp
- <Package Folder>/cache/####/428c7300a3f81f769ff515f49e79109e77ff29467747b72eb8d3ad6d68a81126.0.tmp
- <Package Folder>/cache/####/58b5b3d3a7ab65a3455d12365f3bed2a541ab9acf7445f4d38110d2b601aa691.0.tmp
- <Package Folder>/cache/####/5b934b55536bed0e70c603a73c2e7dd97c02226fdb416fa3f7bb75c6baefcace.0.tmp
- <Package Folder>/cache/####/5d2164a5e529684fffcfd37fd6f26405165e85bb19c6136b6407281d3832630c.0.tmp
- <Package Folder>/cache/####/69c6feb62fd80c517d42dc038d1dce532e53cdec38543d4e315594344af91aa6.0.tmp
- <Package Folder>/cache/####/6bd17eed6ad5d742524ded2d4626f07d93d14c2b00b4566951e65b39726128e6.0.tmp
- <Package Folder>/cache/####/6f14f16979038533d70b34ffbfd838607d1529fc94d42388439f1be9866c5cab.0.tmp
- <Package Folder>/cache/####/78a61986efe3116ccebd12b90892273f79685a4e93e049e3ee09ea99a1d4eb8a.0.tmp
- <Package Folder>/cache/####/7a11a6a0a07d039190f647a9e957f334277509d014dfe992506097d66e1cf134.0.tmp
- <Package Folder>/cache/####/7c11007d75925668c5d5d03c3b7bc484f869dfadaa6a15e575c68ba060b28e2f.0.tmp
- <Package Folder>/cache/####/86430be72e5908963348c18690f64f7c77495288e9f73cb3f677ef293620b640.0.tmp
- <Package Folder>/cache/####/91a05bf8dbe9911ece94ecdd68b99ebac9281ecb361bd2e41027e29504b7b6d1.0.tmp
- <Package Folder>/cache/####/9aaddd9a0dc6514861de5403f29dcf086eae5bdcbaba53d4016e5c4150a2797e.0.tmp
- <Package Folder>/cache/####/ae4371506ec70c40d2ad3639d5d84b83d735056e333f9c02eb91398d5a844611.0.tmp
- <Package Folder>/cache/####/b60dcaa8cb01c9b71bf920679f3971629cd7225869f457fc6bdd46b0018704d9.0.tmp
- <Package Folder>/cache/####/c4bc6800b821a00fcd914c28ad04b1b5ed81ffb99c62408072940719507b416e.0.tmp
- <Package Folder>/cache/####/c64344f22c81876ebefc7b9f0a30d1fb308bc373ebe695a36366b6148b94a877.0.tmp
- <Package Folder>/cache/####/ca5386293d4369b806716c323664ea2680a37334996169230d95b5b29e85425f.0.tmp
- <Package Folder>/cache/####/d5145471125cdc3380de472829097654864aa1e1594ed08fb0103386dea576f5.0.tmp
- <Package Folder>/cache/####/d8d46871d873b718aaae88551c1fbdfec4ab65b7e755e4824e9dffad4b478e04.0.tmp
- <Package Folder>/cache/####/d9c72294940bc07adfa7bfc61a64db6898f68ce77ce2a35d7f3605ae86641f59.0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/db75e7413d2a3e5723d2de1dd897d49f19c754bf8b1cf398a7422fe934650b7f.0.tmp
- <Package Folder>/cache/####/e3a7ee4a7506cfc1a6daf715fd2eba3d9cc6fbce843f6772820754dc734dfa3d.0.tmp
- <Package Folder>/cache/####/e59ea54fe647d59bc74d56a81cb1a380dc87917d242175f0a04ac877a70e5458.0.tmp
- <Package Folder>/cache/####/f06dc7076d4bba2cf5f31a9d13fbcd2dafe62639d43a292885158b8b5a08cd7a.0.tmp
- <Package Folder>/cache/####/f44297b18dfbbcfda20e5c30237289652275df8eb2bd7cb6408093aee079e13c.0.tmp
- <Package Folder>/cache/####/f88507bb59ea0f09a485257058bf8b0fc6c4bc4f44e971c71d4506e02bdd0cac.0.tmp
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/code-6545325/y4ucDeTGmitkM_PH
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/download.db-journal
- <Package Folder>/databases/qP4cRrZ-tjSZ1Q85ffnhdHRjUfN7Z2ku48KBoIwHbuo=_-Y5QXOG9kmUoZWEQUfutmQ==
- <Package Folder>/databases/qP4cRrZ-tjSZ1Q85ffnhdHRjUfN7Z2ku48KBoIwHbuo=_-Y5QXOG9kmUoZWEQUfutmQ==-journal
- <Package Folder>/databases/qP4cRrZ-tjSZ1Q85ffnhdHRjUfN7Z2ku48KBoIwHbuo=_WpCWAKy_tdKklyHc
- <Package Folder>/databases/qP4cRrZ-tjSZ1Q85ffnhdHRjUfN7Z2ku48KBoIwHbuo=_WpCWAKy_tdKklyHc-journal
- <Package Folder>/databases/qP4cRrZ-tjSZ1Q85ffnhdHRjUfN7Z2ku48KBoIwHbuo=_c_Q_zBrRBgDeF2s5xEnZOQ==
- <Package Folder>/databases/qP4cRrZ-tjSZ1Q85ffnhdHRjUfN7Z2ku48KBoIwHbuo=_c_Q_zBrRBgDeF2s5xEnZOQ==-journal
- <Package Folder>/databases/qP4cRrZ-tjSZ1Q85ffnhdHRjUfN7Z2ku48KBoIwHbuo=_ec_VZS5cD88=-journal
- <Package Folder>/databases/qP4cRrZ-tjSZ1Q85ffnhdHRjUfN7Z2ku48KBoIwHbuo=_pJLpPqSpigWDnILLnKn0gRDbZEk=
- <Package Folder>/databases/qP4cRrZ-tjSZ1Q85ffnhdHRjUfN7Z2ku48KBoIwHbuo=_pJLpPqSpigWDnILLnKn0gRDbZEk=-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/1U--tSkA1uZPlXGa
- <Package Folder>/files/####/1U--tSkA1uZPlXGa.temp
- <Package Folder>/files/####/3e9f57b7-7416-4cd2-9d3b-1ecd8d27a323.pic
- <Package Folder>/files/####/48c1c42f-e08a-4038-b8a1-c7833c8f435b.pic.temp
- <Package Folder>/files/####/5EIb6AGtNPhNBmBnxpcXQtx21_k=
- <Package Folder>/files/####/5b27c0f0-e44e-4dff-bdc3-4202f4a9686e.pic.temp
- <Package Folder>/files/####/6CoUomfXBtiT2J2ZAyWMecSl1T_toQ7X.new
- <Package Folder>/files/####/90cca762-391b-48f2-a08a-6269056ca5e4.pic
- <Package Folder>/files/####/ALBQZj0AW-OH1NKfZPA2zzb9OiM=.new
- <Package Folder>/files/####/CvL1oWaX2z_ZwvUDC_1z858B6NFsF1qlPb-4hz-5Np8=.new
- <Package Folder>/files/####/EFmUDCxKcQO4deOsB2F8KC8q38iqtEPl.new
- <Package Folder>/files/####/EclI6jr2GcsA0elz.new
- <Package Folder>/files/####/HQ1cmIZqc1kxrD9qcmroHGMisGZH7v6C.new
- <Package Folder>/files/####/MYlgoFiFp4PiL-cEfk8w1g==
- <Package Folder>/files/####/POOplv--an4QEqqUnPkhKEHb-smL-xHz.new
- <Package Folder>/files/####/QX4_fOpfV_SRQpp1X02LVRKYqDgjxgy6R6OC4w==.new
- <Package Folder>/files/####/QakM40fZAvr_bYgNS050pDkGKt6qmhCF.new
- <Package Folder>/files/####/RxyVfB50toh7aIq29vuJjA==.new
- <Package Folder>/files/####/U_-nDdx6R2W3UWQhGUZlxAJk_oyBTCtQFy2R_qrzRXs=.new
- <Package Folder>/files/####/_ZBFfCQK-BF42C54WHEbGetR_i84xgQPKAsMviYZU-c=.new
- <Package Folder>/files/####/_coM4vJUlz5u9XAqvus76EQhQZQp-V2B-WT9sirNwyM=.new
- <Package Folder>/files/####/a0963099-611f-4380-aea9-f1bf4c666d2e.pic.temp
- <Package Folder>/files/####/a1410a4d-2f62-4bec-ba35-7e03ee8315cb.pic.temp
- <Package Folder>/files/####/aa2caae7-3d5e-4be2-90fd-649b534c1d8a.pic.temp
- <Package Folder>/files/####/dLsah4BvQtZZgOsieASOmZzCcg0=
- <Package Folder>/files/####/dyDmJaVyTGzqej5iZFyapA==
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/f6ccd8bf-0cc7-439f-892c-f1ac62d16f6b.pic.temp
- <Package Folder>/files/####/gPozRAAJnlY6mqa338UIT2w-dto=.new
- <Package Folder>/files/####/jSlWbKgo_fzUPbDh72AEl6M_XiA=.new
- <Package Folder>/files/####/kwe7yOPsxsrX-Hy2ujyJwTJ8lmE4QGuAjUmilQ==.new
- <Package Folder>/files/####/leidca-VsS5XrcpYdaU7j0igJd2N2Ub-.new
- <Package Folder>/files/####/oBUa4mBsFzkFiPhYUtn9ccZIKunDUzKG.new
- <Package Folder>/files/####/qFI3MF5rxiKtu0YyYA-snXQO4f3M-R0U.new
- <Package Folder>/files/####/qOPO30ZsK1-nMWc5.zip
- <Package Folder>/files/####/qoCs2RiISkDOB1hsvbLXipyIcxO4ys6lMb4gBA==.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/txdcxq_f.zip
- <Package Folder>/files/####/vYBtN-_HEGaMQy_yBSCEKR1XBPI=.new
- <Package Folder>/files/####/yBfXG5Ks2DNDNSgUuMPPRQ==
- <Package Folder>/files/####/yBfXG5Ks2DNDNSgUuMPPRQ==.new
- <Package Folder>/files/####/zA830FU_fOEjWm4jXFp2oA==
- <Package Folder>/files/####/zA830FU_fOEjWm4jXFp2oA==.new
- <Package Folder>/files/exid.dat
- <Package Folder>/files/patch.jar
- <Package Folder>/files/rdata_comandroidsupport.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/share_data.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <SD-Card>/.armsd/####/150cc08e-ae95-49c5-8f9c-39327f238c93.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/b9693d42-7e0e-447c-9f7d-4c8e92f3bcb1.res
- <SD-Card>/.armsd/####/c66d7706-306a-4847-ba29-f46c99fa4d84.res
- <SD-Card>/.armsd/####/e966fafe-71f1-4aaf-9899-95a1d605439a.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique
- <SD-Card>/.env/.uunique.new
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/code-6545325/y4ucDeTGmitkM_PH -p <Package> -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/code-6545325/y4ucDeTGmitkM_PH -p <Package> -c com.android.support.vajdxa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
