Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 106575206321505460: dyl#null,<IMEI>,6000098-1-1107-ssxs_00615-0
- 10691009: @8DYL#null,<IMEI>,6000098-1-1107-ssxs_00615-0
- 106912114: HZSY#<IMSI>
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- 6####.####.140
- huangda####.com
- i####.####.cn
- i####.####.com
- i####.####.com:10003
- n####.####.cn
- p####.####.cn
- p####.####.com
- r####.####.cn
- re####.####.com
- re####.####.com:10002
- s####.####.com
- s####.####.com:10201
Запросы HTTP GET:
- 6####.####.140/ando/i/mon?k=####&d=####
- huangda####.com/resource!resource?resTypes=####&appid=####&channel=####&...
- i####.####.cn/iplookup/iplookup.php?format=####
- i####.####.com/ando-res/ads/30/14/f15541de-b7bd-4ff9-97fb-9e6cc9e4e044/0...
- n####.####.cn/novel-app/server/css/style.css
- p####.####.com/cityjson?ie=####
- r####.####.cn/34aaf5db7b6744529c4f5c983aac2eb0
- re####.####.com/v1/order/get?phone=####&imei=####&sdk_version=####&cid=#...
- re####.####.com:10002/v1/sdk/init?net_name=####&imei=####&package_name=#...
- s####.####.com/v1/sdk/report?sdk_type=####&sdk_status=####&trade_id=####...
- s####.####.com:10201/v1/sdk/report?sdk_type=####&sdk_status=####&trade_i...
Запросы HTTP POST:
- i####.####.com:10003/v2/chis
- p####.####.cn/index.php/API
- s####.####.com/pay-data-collect/collectAppStartUserData.json
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_apCoreplugn/####/23uiusfjc.bin
- <Package Folder>/app_apCoreplugn/sinner.apk
- <Package Folder>/app_apCoreplugn/sky.apk
- <Package Folder>/app_apCoreplugn/smap.apk
- <Package Folder>/app_apCoreplugn/sms.apk
- <Package Folder>/app_apCoreplugn/sqq.apk
- <Package Folder>/app_apCoreplugn/sweb.apk
- <Package Folder>/app_apCoreplugn/syl.apk
- <Package Folder>/app_plugin_dir/####/base-1.apk
- <Package Folder>/app_plugin_dir/####/base-1.dex
- <Package Folder>/app_process_lock/32609640.9965372
- <Package Folder>/app_process_lock/32614458.8053275
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/index
- <Package Folder>/cache/sinner.apk.apk
- <Package Folder>/cache/sky.apk.apk
- <Package Folder>/cache/smap.apk.apk
- <Package Folder>/cache/sms.apk.apk
- <Package Folder>/cache/sqq.apk.apk
- <Package Folder>/cache/sweb.apk.apk
- <Package Folder>/cache/syl.apk.apk
- <Package Folder>/code-2844466/N6NkrmaiovnnAvBt
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/Rwd5jOmeTr2eKZCZ7CNvEkglLB1jwjOO_1PbfP-mn200=-journal
- <Package Folder>/databases/Rwd5jOmeTr2eKZCZ7CNvEkglLB1jwjOO_EYMrnMnvohIVJXNd
- <Package Folder>/databases/Rwd5jOmeTr2eKZCZ7CNvEkglLB1jwjOO_EYMrnMnvohIVJXNd-journal
- <Package Folder>/databases/Rwd5jOmeTr2eKZCZ7CNvEkglLB1jwjOO_X4BmVyEQiNVhSDZ9T6q3dkl0mIg=
- <Package Folder>/databases/Rwd5jOmeTr2eKZCZ7CNvEkglLB1jwjOO_X4BmVyEQiNVhSDZ9T6q3dkl0mIg=-journal
- <Package Folder>/databases/Rwd5jOmeTr2eKZCZ7CNvEkglLB1jwjOO_YaiQTlTi7vQbed_hKj2wHg==
- <Package Folder>/databases/Rwd5jOmeTr2eKZCZ7CNvEkglLB1jwjOO_YaiQTlTi7vQbed_hKj2wHg==-journal
- <Package Folder>/databases/Rwd5jOmeTr2eKZCZ7CNvEkglLB1jwjOO_fcyA-B91yusrXPCT9DtiGA==
- <Package Folder>/databases/Rwd5jOmeTr2eKZCZ7CNvEkglLB1jwjOO_fcyA-B91yusrXPCT9DtiGA==-journal
- <Package Folder>/databases/TestinAgent.db
- <Package Folder>/databases/TestinAgent.db-journal
- <Package Folder>/databases/com.core.main.pay.plugmain_sy_pay_record-journal
- <Package Folder>/databases/love_db
- <Package Folder>/databases/love_db-journal
- <Package Folder>/databases/mp.db
- <Package Folder>/databases/mp.db-journal
- <Package Folder>/databases/recordInfo-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/xUtils_http_cookie.db
- <Package Folder>/databases/xUtils_http_cookie.db-journal
- <Package Folder>/databases/xUtils_http_cookie.db-journal (deleted)
- <Package Folder>/files/####/177af733-2f4c-4e82-b127-a2ce0a4906bc.pic.temp
- <Package Folder>/files/####/1a3f74e5-3c2e-482d-9f7c-7e26a77c52c1.pic
- <Package Folder>/files/####/3SSaeWT8zIjLE9E8-EvRklBXGLs=.new
- <Package Folder>/files/####/4xPG4ZEgQE3ECD8Y2Z72oAtwA32HP1slyIVshvp3Mws=.new
- <Package Folder>/files/####/4xtKRICS-R-fuTVL
- <Package Folder>/files/####/5V8Me19NmPQzUW8YDuNPuiZletZ7dxuc
- <Package Folder>/files/####/5V8Me19NmPQzUW8YDuNPuiZletZ7dxuc.new
- <Package Folder>/files/####/6118fb7a-41a3-4284-98de-b1b3d2df2225.pic
- <Package Folder>/files/####/6e38bb6c-c0d5-4316-8a66-eb1b0a16acea.pic.temp
- <Package Folder>/files/####/9y_OjJ6IZwx3mBuk.zip
- <Package Folder>/files/####/D5hbVIArf83A0Ee04yOAMhgNqfXhsrpR.new
- <Package Folder>/files/####/DxcYZwUARpqcXd80KtUs3w==.new
- <Package Folder>/files/####/Gc7U0x1gwZt9bAIT-qQb-ZhVbB-epAmDbQFC2i3KPJ8=.new
- <Package Folder>/files/####/ICrkJXpS-jBq7W2X9v_8q-Pxsyo87QETzagMj5MlITY=.new
- <Package Folder>/files/####/Ir-u9465_LhUioq54i30wBZsb7OT6QraX89pGg==.new
- <Package Folder>/files/####/LkaWbeBTbYOfKywv9GiwARhQVHGZVh7Uapl96g==.new
- <Package Folder>/files/####/Oom0nd3FJoq_cApCCMZ2LA==.new
- <Package Folder>/files/####/PlK8mO74NjXG8A45apRx0KkzmLM0QWXK.new
- <Package Folder>/files/####/QH6oUK_NG75pVSpgMq3S1YORfZA=
- <Package Folder>/files/####/QQrzxpwAdK7fVp1UJQK0pCSNY09NkVrqp3K7ZP-ns08=.new
- <Package Folder>/files/####/RWHWlxORO5cYkAkdDm82k9iRFoQ=.new
- <Package Folder>/files/####/Sww3dK5gwXHHFojwDjV4Zg==
- <Package Folder>/files/####/TH5hzlQMMRP3xWRokseK_MruoPM=.new
- <Package Folder>/files/####/Yqhrl76eWlJ39EXnllDOU2WvqWU=
- <Package Folder>/files/####/Yqhrl76eWlJ39EXnllDOU2WvqWU=.new
- <Package Folder>/files/####/_bFp-S1ni9xrKQSh2D2gDcLDS3WQhms8.new
- <Package Folder>/files/####/bb27bae1-2013-4841-975c-ef72c207d3a5.pic.temp
- <Package Folder>/files/####/c9aa73a4-0e85-435a-9510-749527c5ef26.pic.temp
- <Package Folder>/files/####/cT3EMSTa_Ime-hdc2nKvplWMmu8rhHQc.new
- <Package Folder>/files/####/e6013fe3-5377-466e-909b-f76e04b07864.pic.temp
- <Package Folder>/files/####/ebac6d44-d22b-4853-808a-df1398c913de.pic.temp
- <Package Folder>/files/####/guAVohcRmBwRQaXfKzjfTv62zmU5mse2.new
- <Package Folder>/files/####/jqc-d1VL72fwxVC7Vc0knA==
- <Package Folder>/files/####/oLUPSVsRE6ZzBuaO_zOwaUs5GZM=
- <Package Folder>/files/####/oLUPSVsRE6ZzBuaO_zOwaUs5GZM=.new
- <Package Folder>/files/####/pCdvfDBOh8c90S9s.new
- <Package Folder>/files/####/plus.jar
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sb3UrggEDrZyMyMqoLWnB8B45orW0D73.new
- <Package Folder>/files/####/senzbq_f.zip
- <Package Folder>/files/####/tYx-zZS56j-_-wOCs6TZLvMJy3byKA1_CLKQ6w==.new
- <Package Folder>/files/####/uULtrpz6FpC3D_kQBuskuA==
- <Package Folder>/files/####/uULtrpz6FpC3D_kQBuskuA==.new
- <Package Folder>/files/####/yJ-u99NU7cqlEUoEC6pWv__PU1IGp3FV.new
- <Package Folder>/files/mobclick_agent_cached_<Package>1107
- <Package Folder>/files/noend.ini
- <Package Folder>/files/rdata_commfeoxpnhq
- <Package Folder>/shared_prefs/CONFIGS.xml
- <Package Folder>/shared_prefs/FIRSTFLAG.xml
- <Package Folder>/shared_prefs/SPUtils.xml
- <Package Folder>/shared_prefs/SYSTEM_BRIGHTNESS.xml
- <Package Folder>/shared_prefs/TestinAgent.xml
- <Package Folder>/shared_prefs/UPDATE_VERSION.xml
- <Package Folder>/shared_prefs/com.core.main.pay.plugmain_p_config.xml
- <Package Folder>/shared_prefs/com.souying.pay.xml
- <Package Folder>/shared_prefs/cpMsg.xml
- <Package Folder>/shared_prefs/device_id.xml.xml
- <Package Folder>/shared_prefs/dispatch_log.xml
- <Package Folder>/shared_prefs/getFlag.xml
- <Package Folder>/shared_prefs/plugins.installed.xml
- <Package Folder>/shared_prefs/plugins.serviceMapping.xml
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/sy_pay_config.xml
- <Package Folder>/shared_prefs/sy_pay_config.xml.bak
- <Package Folder>/shared_prefs/twc.xml
- <Package Folder>/shared_prefs/twc.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/userInfo.xml
- <Package Folder>/shared_prefs/zzconfig.xml
- <SD-Card>/.armsd/####/3989d259-ea41-4cb4-8324-ed4159ac184d.res
- <SD-Card>/.armsd/####/4ba9cc3f-c1e5-4439-b92a-23fb08523b03.res
- <SD-Card>/.armsd/####/50c01b38-bf1d-43a6-80ac-df9b37146ba8.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/816c3832-9032-4cc0-bc59-ced5e1e06566.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/c0ce4a3e-7607-4a98-a508-780d8eccea26.res
- <SD-Card>/.armsd/####/f452e76b-641a-4948-9554-a89157acdc17.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/qshp_3001_2270.zip
- <SD-Card>/Android/####/-1120182913.tmp
- <SD-Card>/Android/####/-1163850147.tmp
- <SD-Card>/Android/####/-1208602129.tmp
- <SD-Card>/Android/####/-1228496617.tmp
- <SD-Card>/Android/####/-1278366751.tmp
- <SD-Card>/Android/####/-1592391425.tmp
- <SD-Card>/Android/####/-1857908712.tmp
- <SD-Card>/Android/####/-952719128.tmp
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/1205844160.tmp
- <SD-Card>/Android/####/1344671579.tmp
- <SD-Card>/Android/####/1598456268.tmp
- <SD-Card>/Android/####/1728910087.tmp
- <SD-Card>/mmnovel/b305526b4bfc3c56614701efc12c141b.txt.tmp
- <SD-Card>/mmnovel/ba5a987e22c6d41ad4666a48e311ca54.txt.tmp
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/code-2844466/N6NkrmaiovnnAvBt -p <Package> -c com.mfeo.xpnhq.uzgba.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- cat /proc/version
- cat /sys/block/mmcblk0/device/cid
- sh <Package Folder>/code-2844466/N6NkrmaiovnnAvBt -p <Package> -c com.mfeo.xpnhq.uzgba.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Загружает динамические библиотеки:
- NativeCrash
- goldcoast
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-PKCS7Padding
- DES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-CBC-PKCS7Padding
- DES
Может автоматически отправлять СМС-сообщения.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
Парсит информацию из смс сообщений.
Осуществляет доступ к информации об отправленых/принятых смс.
