Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.SmsSend.1914.origin
Сетевая активность:
Подключается к:
- 1####.####.140
- 1####.####.gold
- 5####.####.com
- a####.####.ch
- a####.####.com
- a####.####.xyz
- ap####.mobi
- b####.com
- c####.####.net
- gl####.####.com
- gl####.####.com:9090
- koolm####.info
- m####.####.com
- poket####.com
- s####.####.com
- u####.com
- u####.com:7079
- u####.com:8083
- youngte####.com
Запросы HTTP GET:
- 1####.####.140/ma/z.php?c=####&n=####&subid=####&siteid=####
- 1####.####.gold/click/8xQA3Fw9xd?pubid=####
- 1####.####.gold/click/dDJunajhw2GsOMjhR?affid=####&pubid=####&c2=####&pi...
- 1####.####.gold/main/d.php?s=1&link=http://poketraff.com/d/22217258e4d30...
- 5####.####.com/?kw=####&s2=####
- a####.####.ch/mobiledirect/?uid=####&aid=####&cwsid=####&subid=####
- a####.####.ch/mobiledirect/?uid=####&aid=####&wsid=####&subid=####
- a####.####.com/fd/ls/l?IG=####&CID=####&TYPE=####&DATA=####
- a####.####.com/fd/ls/l?IG=####&TYPE=####&DATA=####
- a####.####.xyz/?s1=####&s2=####
- ap####.mobi/red/ed64b776-98df-11e5-91ef-0cc47a44dbaa/?alg=####&clickid=#...
- b####.com/?r=####
- b####.com/AS/Suggestions?pt=####&mkt=####&qry=####&cp=####&css=####&cvid...
- b####.com/ImageResolution.aspx?w=####&h=####&hash=####&r=####
- b####.com/Passport.aspx?popup=####
- b####.com/az/hprichbg/rb/MausoleumLovcen_ROW12562397577_320x240.jpg
- b####.com/fd/ls/l?IG=####&CID=####&Type=####&DATA=####&P=####&DA=####
- b####.com/fd/ls/l?IG=####&Type=####&DATA=####&P=####&DA=####
- b####.com/fd/s/a/sbbtn.png
- b####.com/hpmob?r=####&IG=####&IID=####
- b####.com/notifications/render?bnptrigger={"PartnerId":"HomePage","IID":...
- b####.com/rms/AutoSug/cj,nj/48de7247/3afd2d12.js?bu=####
- b####.com/rms/BingCore.Bundle/cj,nj/0b5cf849/1a2f5baa.js?bu=####
- b####.com/rms/Framework/cj,nj/f0fe13d0/9101d3f2.js?bu=####
- b####.com/rms/MobileSiteBase/cc,nc/8d0342e9/e3492d89.css?bu=####
- b####.com/rms/rms answers Homepage Mobile$MobileHeaderSprite2x/ic/7cc161...
- b####.com/rms/rms answers Identity Mobile$HamburgerMenu/cj,nj/3c429dc0/f...
- b####.com/rms/rms answers Identity Mobile$MobileSnrWindowsLiveConnectBoo...
- b####.com/rms/rms answers Shared BingCore$Animation/cj,nj/c9ce19fd/92e3c...
- b####.com/rms/rms answers Shared BingCore$fadeAnimation/cj,nj/8c497c38/f...
- b####.com/rms/rms serp Homepage$bgLogoBingTeal/ic/23b397af/f2e8bbe3.png
- c####.####.net/iclk/redirect.php?id=####&trafficsourceid=####&trackid=##...
- gl####.####.com/click?pid=####&offer_id=####&sub1=####&sub2=####&pid=####
- gl####.####.com:9090/app?IsOnlyCp=####&phone=####&offerid=####&affid=###...
- koolm####.info/r/46393f8c-8717-11e7-9b4c-1141960f9f29/0/
- koolm####.info/r/46393f8c-8717-11e7-9b4c-1141960f9f29/1/
- m####.####.com/c/69c5e7f9210e673c?tid=####&trafficsource_id=####&token2=...
- poket####.com/d/22217258e4d303b80d2?sub=####&source=####
- poket####.com/gw?url=http://aol.21045.xyz/?s1=####&s2=####&vId=####&ef=#...
- s####.####.com/in.php?s=8780&t=&b=&c=1&tm=6867.113895714283&r=http://ads...
- s####.####.com/s8780.js
- u####.com/ru/findbutton0718.js
- u####.com/ru/processurl0718.js
- u####.com/ru/simulationClickYes0718.js
- youngte####.com/images/logo_YTP-com.png
- youngte####.com/index2.php?clickid=####&traaaaaaa=####
- youngte####.com/log.php?hash=####
- youngte####.com/read.js
- youngte####.com/st/thumbs/006/KiHkti2bQn.jpg
- youngte####.com/st/thumbs/013/u0LLS33x3K.jpg
- youngte####.com/st/thumbs/020/jg51aSLrTh.jpg
- youngte####.com/st/thumbs/031/nKmOOziJll.jpg
- youngte####.com/st/thumbs/045/6mQ6ZWJ2oP.jpg
- youngte####.com/st/thumbs/046/nLXh3lGpge.jpg
- youngte####.com/st/thumbs/048/etqeYRbH5U.jpg
- youngte####.com/st/thumbs/052/qvLVpGGc6t.jpg
- youngte####.com/st/thumbs/061/RjVM9mTPZd.jpg
- youngte####.com/st/thumbs/093/Y6F8mWu3lg.jpg
- youngte####.com/st/thumbs/111/fvTRmcnMi5.jpg
- youngte####.com/st/thumbs/120/084cLG083X.jpg
- youngte####.com/st/thumbs/125/5V3bTbEzcy.jpg
- youngte####.com/st/thumbs/132/GtSruRyR6L.jpg
- youngte####.com/st/thumbs/143/SbzOmVEgNL.jpg
- youngte####.com/st/thumbs/148/KXWP4ENEUJ.jpg
- youngte####.com/st/thumbs/160/RfsTp43Mzp.jpg
- youngte####.com/st/thumbs/182/Tc937UEsPV.jpg
- youngte####.com/st/thumbs/194/zO2QfKpUZE.jpg
- youngte####.com/st/thumbs/204/rjUF852K48.jpg
- youngte####.com/st/thumbs/212/Ryb8zk0mby.jpg
- youngte####.com/st/thumbs/222/1UK79Fee6v.jpg
- youngte####.com/st/thumbs/238/IR7lk02sgx.jpg
- youngte####.com/st/thumbs/239/skbxm9q2JM.jpg
- youngte####.com/st/thumbs/255/Vt1H0K3kGW.jpg
- youngte####.com/st/thumbs/268/VrgKSfFiFF.jpg
- youngte####.com/st/thumbs/278/X1hdHy6sOo.jpg
- youngte####.com/st/thumbs/305/9gcdvzrnxr.jpg
- youngte####.com/st/thumbs/320/QHK9s9KiN6.jpg
- youngte####.com/st/thumbs/326/cuWI3LlQPz.jpg
- youngte####.com/st/thumbs/328/k5ylddbMzS.jpg
- youngte####.com/st/thumbs/331/omtrEqlr8J.jpg
- youngte####.com/st/thumbs/357/SPr1L6krH0.jpg
- youngte####.com/st/thumbs/358/wouE8qnlrt.jpg
- youngte####.com/st/thumbs/360/u8l5m83Tmo.jpg
- youngte####.com/st/thumbs/364/tpNWIPkQNi.jpg
- youngte####.com/st/thumbs/368/EW4uN1sl27.jpg
- youngte####.com/st/thumbs/379/9cMRPrZ4Mn.jpg
- youngte####.com/st/thumbs/383/y0xZKXjipE.jpg
- youngte####.com/st/thumbs/393/M58xL3Gu4V.jpg
- youngte####.com/st/thumbs/399/NJnku000sH.jpg
- youngte####.com/st/thumbs/401/Q4xzEn8jay.jpg
- youngte####.com/st/thumbs/416/eIpbaTnIUT.jpg
- youngte####.com/st/thumbs/426/Vmti6t1F69.jpg
- youngte####.com/st/thumbs/441/y7OJXnbSVJ.jpg
- youngte####.com/st/thumbs/445/RmyNSyQWa1.jpg
- youngte####.com/st/thumbs/486/iO0mPRW3U9.jpg
- youngte####.com/st/thumbs/487/2FmvdfniyN.jpg
- youngte####.com/st/thumbs/491/VeNuEJTs8P.jpg
- youngte####.com/st/thumbs/496/Hld0YhgmKf.jpg
- youngte####.com/st/thumbs/497/eO42WZVaR2.jpg
- youngte####.com/st/thumbs/502/EWV4oyUKSu.jpg
- youngte####.com/st/thumbs/502/nyg1KqV1r8.jpg
- youngte####.com/st/thumbs/555/KEiimT6wZw.jpg
- youngte####.com/st/thumbs/572/P8PR26eQdO.jpg
- youngte####.com/st/thumbs/573/9F1GP2rzXY.jpg
- youngte####.com/st/thumbs/585/Gd1kjis2iK.jpg
- youngte####.com/st/thumbs/614/ZLRHiftHvf.jpg
- youngte####.com/st/thumbs/617/o3F4Vi8R48.jpg
- youngte####.com/st/thumbs/621/fGb7rNKvbG.jpg
- youngte####.com/st/thumbs/622/UoyUlNijzg.jpg
- youngte####.com/st/thumbs/628/aWkTkV59ri.jpg
- youngte####.com/st/thumbs/631/eFqiqERRES.jpg
- youngte####.com/st/thumbs/655/WNgnd0P1Er.jpg
- youngte####.com/st/thumbs/682/QnNYTQ0ZTZ.jpg
- youngte####.com/st/thumbs/686/OrHO5sdQ3e.jpg
- youngte####.com/st/thumbs/688/vzmkO0KENk.jpg
- youngte####.com/st/thumbs/691/JU5stYR2Vs.jpg
- youngte####.com/st/thumbs/697/VQVhpjUo69.jpg
- youngte####.com/st/thumbs/702/5z3hFNlR3b.jpg
- youngte####.com/st/thumbs/706/hb38hhHvN4.jpg
- youngte####.com/st/thumbs/731/Yp3bGm5HtE.jpg
- youngte####.com/st/thumbs/737/LONZ8rfT0G.jpg
- youngte####.com/st/thumbs/741/S1UNyh5Neh.jpg
- youngte####.com/st/thumbs/745/U3Ko6MqumF.jpg
- youngte####.com/st/thumbs/753/nzbk1qOLHl.jpg
- youngte####.com/st/thumbs/754/lbPFGQklKd.jpg
- youngte####.com/st/thumbs/763/bt3mwIfSab.jpg
- youngte####.com/st/thumbs/773/6HkJiiZ3v7.jpg
- youngte####.com/st/thumbs/781/80qyI081Ye.jpg
- youngte####.com/st/thumbs/783/F4knic7FJl.jpg
- youngte####.com/st/thumbs/785/cgo3XTIH2F.jpg
- youngte####.com/st/thumbs/788/ZoRJzIK5lc.jpg
- youngte####.com/st/thumbs/789/16KSd7OUJv.jpg
- youngte####.com/st/thumbs/793/8cGpYiX4zO.jpg
- youngte####.com/st/thumbs/795/n5l76Tajkr.jpg
- youngte####.com/st/thumbs/820/fPMluzGveG.jpg
- youngte####.com/st/thumbs/820/qZY6yLfOG0.jpg
- youngte####.com/st/thumbs/829/FHIf8WL4j6.jpg
- youngte####.com/st/thumbs/839/oz5S39sJgj.jpg
- youngte####.com/st/thumbs/857/Zif3y39dFH.jpg
- youngte####.com/st/thumbs/869/nkizcRf1KY.jpg
- youngte####.com/st/thumbs/875/tbr0mLIVzV.jpg
- youngte####.com/st/thumbs/880/WvI13SbWO0.jpg
- youngte####.com/st/thumbs/887/vKK5IbqdeX.jpg
- youngte####.com/st/thumbs/903/hjif6vvVse.jpg
- youngte####.com/st/thumbs/910/TGIaLibp6c.jpg
- youngte####.com/st/thumbs/913/WowTy0Mltg.jpg
- youngte####.com/st/thumbs/916/vFX65nXbUl.jpg
- youngte####.com/st/thumbs/918/XveQQFyx3p.jpg
- youngte####.com/st/thumbs/922/HMmTlogYGO.jpg
- youngte####.com/st/thumbs/951/gHawYY4IvN.jpg
- youngte####.com/st/thumbs/955/309i73r6vz.jpg
- youngte####.com/st/thumbs/958/maGmZlqK4K.jpg
- youngte####.com/st/thumbs/960/du94R9mz4o.jpg
- youngte####.com/st/thumbs/969/rIRmmz7qe8.jpg
- youngte####.com/st/thumbs/979/IT0wQGVbhg.jpg
- youngte####.com/styles.css
Запросы HTTP POST:
- b####.com/fd/ls/lsp.aspx
- b####.com/fd/ls/lsp.aspx?
- u####.com:7079/jsdk/sd.action?b=####&ca=####&ica=####&re=####
- u####.com:8083/jsdk/sd.action?b=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_jgu/c.h.c.201708221600.bin
- <Package Folder>/app_jgu/x.apk
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/index
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/com.hyjt.app.android.india.preferrence.xml
- <Package Folder>/shared_prefs/com.hyjt.app.android.india.preferrence.xml.bak
- <Package Folder>/shared_prefs/tip.xml
- <Package Folder>/shared_prefs/tip.xml.bak
- <SD-Card>/SexVideo/20170804.txt
- <SD-Card>/commonsdk/findbutton0718.js
- <SD-Card>/commonsdk/processurl0718.js
- <SD-Card>/commonsdk/simulationClickYes0718.js
Другие:
Загружает динамические библиотеки:
- v8js
Использует следующие алгоритмы для расшифровки данных:
- desede-CBC-PKCS5Padding
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
