Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Click.171.origin
- Android.DownLoader.463.origin
- Android.DownLoader.478.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) 2####.170.49.101:80
- TCP(HTTP/1.1) you####.com:80
- TCP(HTTP/1.1) gd.a.s####.com:80
- TCP(HTTP/1.1) www.go####.cn:80
- TCP(HTTP/1.1) ck2.mobi-####.org:13631
- TCP(HTTP/1.1) www.red####.com:80
- TCP(HTTP/1.1) b####.com:80
- TCP(HTTP/1.1) s####.mob####.b####.com:80
- TCP(HTTP/1.1) i####.yy####.com:80
- TCP(HTTP/1.1) i####.c.yinyu####.com:80
- TCP(HTTP/1.1) api.mob####.b####.com:80
- TCP(HTTP/1.1) rp.freeind####.com:80
- TCP(HTTP/1.1) ck1.mobi-####.org:13631
- TCP(HTTP/1.1) img.p####.b####.####.net:80
- TCP(HTTP/1.1) u####.b####.com:80
- TCP(HTTP/1.1) mo.freeind####.com:80
- TCP(HTTP/1.1) www.x####.com:80
- TCP(HTTP/1.1) api.mi####.com:80
- TCP(HTTP/1.1) dpl.b####.com:80
- TCP(HTTP/1.1) pl####.mob####.b####.com:80
- TCP(HTTP/1.1) face####.com:80
- TCP(HTTP/1.1) up.press####.com:80
- TCP(HTTP/1.1) ln.nobv####.com:80
- TCP(HTTP/1.1) d####.mobi-####.org:13631
- TCP(TLS/1.0) www.p####.com:443
- TCP(TLS/1.0) www.red####.com:443
Запросы DNS:
- api.mi####.com
- api.mob####.b####.com
- b####.com
- ck1.mobi-####.org
- ck2.mobi-####.org
- d####.mobi-####.org
- dpl.b####.com
- face####.com
- i####.c.yinyu####.com
- i####.yy####.com
- i####.yy####.com
- i####.yy####.com
- i####.yy####.com
- img.p####.b####.com
- ln.nobv####.com
- m.tv.s####.com
- mo.freeind####.com
- pl####.mob####.b####.com
- rp.freeind####.com
- s####.mob####.b####.com
- u####.b####.com
- up.press####.com
- www.go####.cn
- www.p####.com
- www.red####.com
- www.x####.com
- you####.com
Запросы HTTP GET:
- api.mi####.com/v1/ad_crack/get?_appPkgName=####&_updateTime=####&_locale...
- api.mi####.com/v1/ad_sdk?_appPkgName=####&_updateTime=####&_locale=####&...
- api.mob####.b####.com/strategy/api/v1/rule/get?p=####&hp=####&l=####&c=#...
- b####.com/favicon.ico
- dpl.b####.com/M00/01/AD/CvJJDVmj_xWALo2aAArECPaKkRM720.zip
- face####.com/favicon.ico
- i####.yy####.com/video/mv/160123/0/-M-15e425213d8e68ea4d100950db3e75f4_2...
- i####.yy####.com/video/mv/160123/0/-M-b4316668f3775c40c6c7e60e950019b8_2...
- i####.yy####.com/video/mv/160130/0/-M-214a10eb1edaa7043ac369a4d4048363_2...
- i####.yy####.com/video/mv/160130/0/-M-ecc4ae8ce7c851e3487f559f2e410bf6_2...
- i####.yy####.com/video/mv/170512/2860431/-M-f1c91f61f8696f9e9e51586f7bdd...
- i####.yy####.com/video/mv/170605/0/241b1500cf5dbbb552dbc260b0aedaa8_240x...
- i####.yy####.com/video/mv/170606/2881310/-M-fdbdfe6316a1b86d29168cbfa4db...
- i####.yy####.com/video/mv/170609/0/b9e511fd1e2d793140db2f94479c7144_240x...
- ln.nobv####.com/imgs/a60.png
- ln.nobv####.com/imgs/a61.png
- ln.nobv####.com/imgs/a62.png
- ln.nobv####.com/vd.php?prd=####&lang=####
- ln.nobv####.com/vd.php?prd=####&lang=####&type_id=####
- u####.b####.com/setting/grobal_strategy?p=####&hp=####&l=####&c=####&pro...
- www.go####.cn/favicon.ico
- www.red####.com/favicon.ico
- you####.com/favicon.ico
Запросы HTTP POST:
- mo.freeind####.com/detail/getOfferListNew?enc=####
- pl####.mob####.b####.com/ad_dex.php
- rp.freeind####.com/business/impression
- s####.mob####.b####.com/cgi-bin-py/ad_sdk.cgi?ty=####&enc=####&bt=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jhuc/.jhucs
- <Package Folder>/.jhuc_code_cache/####/.jhucs.classes-665575817.zip
- <Package Folder>/.jhuc_code_cache/####/JhucDex.lock
- <Package Folder>/.mbj/####/classes.zip
- <Package Folder>/app_lib/libmain.so
- <Package Folder>/cache/####/06de9e32cb95516d520fb6817726b5b2870...acca.0
- <Package Folder>/cache/####/1032e1056cc66745ea5cd96e052e58b4c60....0.tmp
- <Package Folder>/cache/####/121fdc1892df6b09d6287de72bbe91534ca....0.tmp
- <Package Folder>/cache/####/124114fe22f37386a7d15494b12f2d93b4a....0.tmp
- <Package Folder>/cache/####/13b1b6d2f58e008cae12a767b367d7fc779....0.tmp
- <Package Folder>/cache/####/1988b2ff8f5721a90b6254bfa11c2a6b31b....0.tmp
- <Package Folder>/cache/####/1d21719870bf4f30b09c2e033dd7877073e....0.tmp
- <Package Folder>/cache/####/26893ee32abe6a2bae1d14fcb0023ab0c6d...619b.0
- <Package Folder>/cache/####/27d84356998235d895fbacac7208b3bd6ff....0.tmp
- <Package Folder>/cache/####/2eeed19decf44eb8f12aa7d4c6e79b99aba...3a52.0
- <Package Folder>/cache/####/3400d8f18e01b67cb90c0f93757c086991e....0.tmp
- <Package Folder>/cache/####/478a5488f1d2693fed93ee07a346e5ba1d0....0.tmp
- <Package Folder>/cache/####/5f7f3ea1bfc6266c224982a336ddac22693....0.tmp
- <Package Folder>/cache/####/6fdb435e8d77fe86bc49a5100d0bc16ff54....0.tmp
- <Package Folder>/cache/####/70d45fdd92cfd7059380336b67508e75f17....0.tmp
- <Package Folder>/cache/####/75671ec42e34e72ff70e78dade4361a58b6....0.tmp
- <Package Folder>/cache/####/792065ac7f7121415057c9190a9ad371719....0.tmp
- <Package Folder>/cache/####/7f98ac0cad9622e6ff18e8db23323625a74....0.tmp
- <Package Folder>/cache/####/870f1a5e4482f28fdf4645a228a8d4dd244....0.tmp
- <Package Folder>/cache/####/8bc277412ac0d9a9a12cbd94852644f2957....0.tmp
- <Package Folder>/cache/####/8eeee86ae87e8b2226781e1b4a9af466169....0.tmp
- <Package Folder>/cache/####/90d117de0aa63f7004fc0a134c787aeada6....0.tmp
- <Package Folder>/cache/####/91a2f471cedf5f362a16600189f26566d87....0.tmp
- <Package Folder>/cache/####/a89108edf96f02cd799e337c66c583049d1...391d.0
- <Package Folder>/cache/####/ace5d961b21f9217ec0aa5bebdea98b9303....0.tmp
- <Package Folder>/cache/####/b201b3ba01aea68a7c330f45350932d0ed4....0.tmp
- <Package Folder>/cache/####/c32c490e3082eb3df137dec30c89a903077....0.tmp
- <Package Folder>/cache/####/c69d9349b573e8a0ba7ae48b5da0a259189....0.tmp
- <Package Folder>/cache/####/d76677e973b679fc7b033b642a8450d18ab....0.tmp
- <Package Folder>/cache/####/d910c423e8631c9f58bc3c67410e51ff61e....0.tmp
- <Package Folder>/cache/####/dcfbe76ebd4ac94b2a34dddb13cddf94a62...c266.0
- <Package Folder>/cache/####/ddabf62cddd271728e313728c19b7b13bc5....0.tmp
- <Package Folder>/cache/####/df906287f5c220e13bb4a0eb1cec6c04dea....0.tmp
- <Package Folder>/cache/####/e4b518016474381eaa4d3809c1a039c03b7....0.tmp
- <Package Folder>/cache/####/ef15e1b6db7e84e3129c1cf5a32af684de0....0.tmp
- <Package Folder>/cache/####/f0f22adc8fa046590aa9656e75ee31de694....0.tmp
- <Package Folder>/cache/####/fc0c2777fc53039e6f3e21d489fb93384cd....0.tmp
- <Package Folder>/cache/####/icon.jpg
- <Package Folder>/cache/####/icon1.jpg
- <Package Folder>/cache/####/icon2.jpg
- <Package Folder>/cache/####/icon4.jpg
- <Package Folder>/cache/####/icon5.jpg
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/adblib.db-journal
- <Package Folder>/files/####/.myd
- <Package Folder>/files/####/.x.sh
- <Package Folder>/files/####/hotfix.dex
- <Package Folder>/files/####/installed.meta
- <Package Folder>/files/####/killall
- <Package Folder>/files/####/newPathinfo
- <Package Folder>/files/####/pathinfo
- <Package Folder>/files/####/r0
- <Package Folder>/files/####/r1
- <Package Folder>/files/####/r2
- <Package Folder>/files/####/r3
- <Package Folder>/files/####/r4
- <Package Folder>/files/####/r5
- <Package Folder>/files/####/r6
- <Package Folder>/files/####/r8
- <Package Folder>/files/####/su
- <Package Folder>/files/####/su2
- <Package Folder>/files/.an.prop
- <Package Folder>/files/.m.jar
- <Package Folder>/files/.m.prop
- <Package Folder>/files/Test.Myd.zip
- <Package Folder>/files/Test.ToolAbs.zip
- <Package Folder>/files/Test.bbox.zip
- <Package Folder>/files/busybox
- <Package Folder>/files/google.db
- <Package Folder>/shared_prefs/.y.jar
- <Package Folder>/shared_prefs/<Package>_ls_global_configs_sp.xml
- <Package Folder>/shared_prefs/AdsBusiness-data.xml
- <Package Folder>/shared_prefs/AdsBusiness-data.xml.bak
- <Package Folder>/shared_prefs/aps.xml
- <Package Folder>/shared_prefs/aps.xml.bak
- <Package Folder>/shared_prefs/apsad.xml
- <Package Folder>/shared_prefs/apsad.xml.bak
- <Package Folder>/shared_prefs/apscomm.xml
- <Package Folder>/shared_prefs/hotfix.xml
- <Package Folder>/shared_prefs/jduc.xml
- <Package Folder>/shared_prefs/jduc.xml.bak
- <Package Folder>/shared_prefs/jduc.xml.bak (deleted)
- <Package Folder>/shared_prefs/jhucs.info.xml
- <Package Folder>/shared_prefs/jhucs.info.xml.bak
- <Package Folder>/shared_prefs/jhucs.version.xml
- <Package Folder>/shared_prefs/mkad.xml
- <Package Folder>/shared_prefs/mobads.xml
- <Package Folder>/shared_prefs/preference.db.xml
- <Package Folder>/shared_prefs/preference_videos.xml
- <Package Folder>/shared_prefs/static_date.xml
- <Package Folder>/shared_prefs/test.xml
- <SD-Card>/._X0
- <SD-Card>/._X1
- <SD-Card>/.androidsystem/####/49.x-4.3.5-vs.apk
- <SD-Card>/.androidsystem/####/PlugShareData
- <SD-Card>/.androidsystem/####/files.db
- <SD-Card>/.androidsystem/####/plugxml.xml
- <SD-Card>/.androidsystem/####/syncfiles.db
- <SD-Card>/.androidsystem/7a1ab4ff2a0a803265e986e131d41e47.jpg
- <SD-Card>/.androidsystem/Plugin.zip
- <SD-Card>/.tmp_
- <SD-Card>/Android/####/._LOST_.DATA.B
- <SD-Card>/Android/####/._LOST_.DATA.D
- <SD-Card>/Android/####/hotfix.jar
- <SD-Card>/Android/...130
- <SD-Card>/Android/...131
- <SD-Card>/Android/...180
- <SD-Card>/Android/...181
- <SD-Card>/Android/...190
- <SD-Card>/Android/...191
- <SD-Card>/baidu/####/journal
- <SD-Card>/baidu/####/journal.tmp
- <SD-Card>/baidu/.cuid
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/.z/r0 -c <Package Folder>/files/.z/.x.sh
- <Package Folder>/files/.z/r1 -C '<Package Folder>/files/.z/.x.sh'
- <Package Folder>/files/.z/r1 -auto
- <Package Folder>/files/.z/r1 <Package Folder>/files/.z/.x.sh
- <Package Folder>/files/.z/r2
- <Package Folder>/files/.z/r2 -c <Package Folder>/files/.z/.x.sh
- <Package Folder>/files/.z/r3
- <Package Folder>/files/.z/r3 -c <Package Folder>/files/.z/.x.sh
- <Package Folder>/files/.z/r4 -c <Package Folder>/files/.z/.x.sh
- <Package Folder>/files/.z/r4 PFMMehxvMFk2VSFN8Aw8XGXh91UNiESr/iPn2mHZOg== 3u5ydeZkuIN7B1MIi0sjkwufUjbm /system/bin/sh
- <Package Folder>/files/.z/r5 /system/bin/sh
- <Package Folder>/files/.z/r6 /system/bin/sh
- <Package Folder>/files/.z/r8
- <Package Folder>/files/.z/su2 HygZRm2IHTKWpp7Hll/sS0uY66xdcw== <Package Folder>/files/.z/.x.sh
- <Package Folder>/files/.z/su2 al1s7jBFNtn9faBmC0Jb9A9NslGZSg== <Package Folder>/files/.z/.x.sh
- <Package Folder>/files/.z/su2 f0h5zguZ9aJXbCZExMaN2kDhh6V0Uw== <Package Folder>/files/.z/.x.sh
- chmod 775 <Package Folder>/app_lib
- sh <Package Folder>/files/.z/r0 -c <Package Folder>/files/.z/.x.sh
- sh <Package Folder>/files/.z/r1 -C '<Package Folder>/files/.z/.x.sh'
- sh <Package Folder>/files/.z/r1 -auto
- sh <Package Folder>/files/.z/r1 <Package Folder>/files/.z/.x.sh
- sh <Package Folder>/files/.z/r2
- sh <Package Folder>/files/.z/r2 -c <Package Folder>/files/.z/.x.sh
- sh <Package Folder>/files/.z/r3
- sh <Package Folder>/files/.z/r3 -c <Package Folder>/files/.z/.x.sh
- sh <Package Folder>/files/.z/r4 -c <Package Folder>/files/.z/.x.sh
- sh <Package Folder>/files/.z/r4 PFMMehxvMFk2VSFN8Aw8XGXh91UNiESr/iPn2mHZOg== 3u5ydeZkuIN7B1MIi0sjkwufUjbm /system/bin/sh
- sh <Package Folder>/files/.z/r5 /system/bin/sh
- sh <Package Folder>/files/.z/r6 /system/bin/sh
- sh <Package Folder>/files/.z/r8
- sh <Package Folder>/files/.z/su2 HygZRm2IHTKWpp7Hll/sS0uY66xdcw== <Package Folder>/files/.z/.x.sh
- sh <Package Folder>/files/.z/su2 al1s7jBFNtn9faBmC0Jb9A9NslGZSg== <Package Folder>/files/.z/.x.sh
- sh <Package Folder>/files/.z/su2 f0h5zguZ9aJXbCZExMaN2kDhh6V0Uw== <Package Folder>/files/.z/.x.sh
Загружает динамические библиотеки:
- main
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-NoPadding
- DES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- DES
- DES-CBC-PKCS5Padding
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
