Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Loki.32.origin
- Android.Triada.222.origin
- Android.Triada.243
- Android.Triada.247.origin
Скрывает свою иконку с экрана устройства.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google Host>
- TCP(Google Services) <Google Host>
- TCP(HTTP/1.1) p0-meit####.b0.a####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(HTTP/1.1) wap.s####.com:80
- TCP(HTTP/1.1) i####.com:80
- TCP(HTTP/1.1) d####.sogo####.com.####.com:80
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) i####.sogo####.com.####.com:80
- TCP(HTTP/1.1) fkserv####.adfan####.com:8080
- TCP(HTTP/1.1) pb.s####.com:80
- TCP(HTTP/1.1) 24c4####.cdn.uc####.####.cn:80
- TCP(TLS/1.1) ti####.c####.l####.####.com:443
- TCP(TLS/1.1) pb.s####.com:443
- TCP(TLS/1.1) i####.sogo####.com.####.com:443
- TCP(TLS/1.1) owe.joy-r####.com:9050
Запросы DNS:
- and####.b####.qq.com
- cdn.joy-r####.com
- d####.sogo####.com
- fkdownl####.u####.uc####.####.cn
- fkserv####.adfan####.com
- i####.com
- i####.sogo####.com
- i####.sogo####.com
- i####.sogo####.com
- i####.sogo####.com
- owe.joy-r####.com
- p0.mei####.net
- pb.s####.com
- pp.m####.com
- wap.s####.com
Запросы HTTP GET:
- p0-meit####.b0.a####.com/284.400//movie/41ebecd825ffe37afd93687d480de1f1...
- pb.s####.com/cl.gif?uigs_productid=####&type=####&sugtype=####&source=##...
- pb.s####.com/cl.gif?uigs_productid=####&uigs_uid=####&uuid=####&ua=####&...
- pb.s####.com/fuwu_usercenter?sec=####&reqtype=####&_=####&callback=####
- pb.s####.com/getloc?data=####&points1=####&points2=####&points3=####&poi...
- pb.s####.com/images/logo/2014/new/sogou150x40.png?v=####
- pb.s####.com/js/common/require.min.v2.1.20.js
- pb.s####.com/js/common/vrResult.min.js?v=####
- pb.s####.com/js/web/antifraud.js?v=####
- pb.s####.com/js/web/gdtStatistics.min.js?v=####
- pb.s####.com/js/web/suggestion.min.js?v=####
- pb.s####.com/liaoliao/search?op=####&type=####&suv=####&name=####&detail...
- pb.s####.com/pv.gif?uigs_productid=####&stype=####&uid=####&uuid=####&t=...
- pb.s####.com/pv.gif?uigs_productid=####&type=####&sugtype=####&source=##...
- pb.s####.com/pv.gif?uigs_productid=####&uigs_t=####&uigs_uid=####&query=...
- pb.s####.com/pv.gif?uigs_productid=####&uigs_uid=####&uuid=####&ua=####&...
- pb.s####.com/resource/static/css/font/iconfont_b69054c.ttf
- pb.s####.com/resource/static/js/index/common_8b12875.js
- pb.s####.com/resource/static/js/index/index_023c679.js
- pb.s####.com/resource/web/css/dist/css_dist_d66562c.css
- pb.s####.com/resource/web/css/new/horizontal_screen.min.css?v=####
- pb.s####.com/resource/web/font_new/iconfont.ttf?v=####
- pb.s####.com/resource/web/images/gray_sogou_logo.png
- pb.s####.com/resource/web/images/img-error.png
- pb.s####.com/resource/web/images/indexIco_v2.png?v=####
- pb.s####.com/reventondc/inner/kread/api/vr/v2/vr4rank
- pb.s####.com/reventondc/wireless
- pb.s####.com/secondary/attitude/getVoteNum?attitudeid=####
- pb.s####.com/sugg_json?type=####&cb=####&key=####
- pb.s####.com/tworeq?format=####&ie=####&queryString=####&forceQuery=####...
- pb.s####.com/tworeq?ie=####&reqClassids=####&queryFrom=####&vrForQc=####...
- pb.s####.com/tworeq?reqtype=####&queryString=####&qoInfo=####&location=#...
- pb.s####.com/web/search/hot_news.jsp
- pb.s####.com/web/searchList.jsp?uID=####&v=####&from=####&bid=####&w=###...
- pb.s####.com/web/sugg.jsp?vr=####&kw=####&t=####&prereq_a=####&sugsuv=##...
Запросы HTTP POST:
- fkserv####.adfan####.com:8080/api/updateCheck.do
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_C3g3qVLoPom3/####/list2.chche
- <Package Folder>/app_aqPVSg3/tMS866P3hcq
- <Package Folder>/app_crashrecord/1004
- <Package Folder>/app_localdata/ApplicationCache.db-journal
- <Package Folder>/app_localdata/ApplicationCache.db-journal (deleted)
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/index
- <Package Folder>/databases/bugly_db_-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/fankingbox/####/ad10021.apk
- <Package Folder>/fankingbox/####/ad10021.tmp
- <Package Folder>/fankingbox/####/fsdk80000.apk
- <Package Folder>/fankingbox/libgooglevi.so
- <Package Folder>/files/####/524JYWNnr_6EMok2
- <Package Folder>/files/####/7KxhRNNa6MiGWsZqKQ_wMQ==
- <Package Folder>/files/####/JyaqhVkK8bY8CEsGabDCRw==
- <Package Folder>/files/####/ermFN9wLN3K6mB3xhnGNTQ==.new
- <Package Folder>/files/####/hbXPqgmcuV3fTwQ4IMhGrQ==.new
- <Package Folder>/files/####/tuqoxa_f.zip
- <Package Folder>/files/####/vTyI0mu2RvwFgwVK.zip
- <Package Folder>/files/2078793401
- <Package Folder>/files/3018798.jar
- <Package Folder>/files/H4O783l.apk
- <Package Folder>/files/bdco.cf
- <Package Folder>/files/bdco.tmp.temp
- <Package Folder>/files/bdco.tmp0.temp
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/security_info
- <Package Folder>/shared_prefs/alias.xml
- <Package Folder>/shared_prefs/crashrecord.xml
- <Package Folder>/shared_prefs/fanking.sdk.xml
- <Package Folder>/shared_prefs/fanking.sdk.xml.bak
- <Package Folder>/shared_prefs/fanking.strategy.sdk.xml
- <Package Folder>/shared_prefs/fksdk_pid_config.xml
- <Package Folder>/shared_prefs/sdfgh.xml
- <SD-Card>/.fankv7/.fankcoas
- <SD-Card>/BIRDDOWNLOAD/####/YvscMPs.xml
- <SD-Card>/BIRDDOWNLOAD/####/rinsWPVPycqVPSq38.db
- <SD-Card>/BIRDDOWNLOAD/####/rinsWPVPycqVPSq38.db-journal
- <SD-Card>/BIRDDOWNLOAD/####/webinfo.xml
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop
- /system/bin/sh -c type su
- <Package Folder>/app_aqPVSg3/tMS866P3hcq -p <Package> -s com.system.setting.BackgroundService -t 600
- chmod 0755 <Package Folder>/app_aqPVSg3/tMS866P3hcq
- getprop
- logcat -d -v threadtime
- sh <Package Folder>/app_aqPVSg3/tMS866P3hcq -p <Package> -s com.system.setting.BackgroundService -t 600
Загружает динамические библиотеки:
- Bugly
- libgooglevi
Использует следующие алгоритмы для шифрования данных:
- AES-GCM-NoPadding
- DES-CBC-PKCS5Padding
- DES-ECB-NoPadding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-GCM-NoPadding
- DES-CBC-PKCS5Padding
- DES-ECB-NoPadding
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
