Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.266.origin
- Android.Triada.38.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) ptmgtd0####.wsclou####.com:80
- TCP(HTTP/1.1) c.m.1####.com:80
- UDP(NTP) 2.and####.p####.####.org:123
- TCP(TLS/1.0) and####.cli####.go####.com:443
Запросы DNS:
- 2.and####.p####.####.org
- and####.cli####.go####.com
- b####.52####.com
- c.m.1####.com
- cms-bu####.n####.127.net
- ksf.sd####.com
- mt####.go####.com
Запросы HTTP GET:
- ptmgtd0####.wsclou####.com/0437dfd522fb45a5bbe2d121930e18302017090119140...
- ptmgtd0####.wsclou####.com/092cdce044874c39b8201c13dce74df12017090115582...
- ptmgtd0####.wsclou####.com/0dacbe0fba1a4ae1bf652794c0a1d4a32017083015455...
- ptmgtd0####.wsclou####.com/165defe3384d416580309bcb91eba7fb2017090409473...
- ptmgtd0####.wsclou####.com/189b7dffb6bb44a1a01eb78961b76af62017090409494...
- ptmgtd0####.wsclou####.com/1fc823c820e64d6491993cf24ca0c6912017090220471...
- ptmgtd0####.wsclou####.com/236728b906d7488c81edfbd15baf82502017090409584...
- ptmgtd0####.wsclou####.com/362af27362ff45029d3712cdacd8ed742017090207103...
- ptmgtd0####.wsclou####.com/3b95d288f0ac4037a73fa3056e8e08b72017090407161...
- ptmgtd0####.wsclou####.com/41c00c74e50741baae9be776e5a46af72017090410083...
- ptmgtd0####.wsclou####.com/42f1bc4efa3447448fd306ceceb64a922017083117180...
- ptmgtd0####.wsclou####.com/49b5a1753df946b39c483e1b34a0c8272017090407142...
- ptmgtd0####.wsclou####.com/4ac6096a76a64c4eab6a69814edf4cf72017090408224...
- ptmgtd0####.wsclou####.com/546235e69a1447528a250ba881a2a4702017090408545...
- ptmgtd0####.wsclou####.com/5baf3abb22a44e388835c7cc3fa0bcdb2017090407083...
- ptmgtd0####.wsclou####.com/5c9a6b9d1bbd4ea7bc3d2f16101d104d2017090311054...
- ptmgtd0####.wsclou####.com/5cf26f75e64d469ea38da9046fcfc6942017090408361...
- ptmgtd0####.wsclou####.com/5d07cd34efdc49efa6dd3e49f23726712017090410045...
- ptmgtd0####.wsclou####.com/5da7b4348d0e49dfba4d6f424c6dd6cb2017090409283...
- ptmgtd0####.wsclou####.com/616347a129ee4dec877ca3e2513c1bf02017090407174...
- ptmgtd0####.wsclou####.com/65962040d3e848b6bec82371d0a6c5392017090407554...
- ptmgtd0####.wsclou####.com/691789f91f1c4a3998cdd1a827feae852017083106455...
- ptmgtd0####.wsclou####.com/7378cfec0ff94f72afe594f99331f2b02017090316434...
- ptmgtd0####.wsclou####.com/849addbf3fe84223bdb8f691bf2bf8362017090407055...
- ptmgtd0####.wsclou####.com/87e27206d9c04308a655e2d08334ac1f2017090409321...
- ptmgtd0####.wsclou####.com/98b43f60700c4367b0d86cfb8636e7922017090407165...
- ptmgtd0####.wsclou####.com/a70b72b175cc41a0963b943f944bb6cb2017090408520...
- ptmgtd0####.wsclou####.com/a7a387aa8e1145058feef620da849bfd2017090407011...
- ptmgtd0####.wsclou####.com/ab63c370d26d4f838f6cbf8e41135eb82017083019013...
- ptmgtd0####.wsclou####.com/ae0de0fc4ff643ebab76ce1ec5dae5c62017082417554...
- ptmgtd0####.wsclou####.com/bb6d5a1973d84e56bdd013be885b44652017090408244...
- ptmgtd0####.wsclou####.com/c5cac6b61b584263932b997a1dfebdef2017090400222...
- ptmgtd0####.wsclou####.com/c72d6f11c66e415887ef1a1c5f5061322017090410061...
- ptmgtd0####.wsclou####.com/cfec5ce4cf89426bac287c32e33b77112017090408584...
- ptmgtd0####.wsclou####.com/d14da0cc183441ddb4a7b9edd06d23362017090408584...
- ptmgtd0####.wsclou####.com/e6fce683a92342d6b8c23edb36b812fd2017090407342...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/04ee7035f283d6dfaa4429d85508dadb69c....0.tmp
- <Package Folder>/cache/####/0c00bea40e9c7960902d22fcec976675909....0.tmp
- <Package Folder>/cache/####/17293bab9d66cd88ed51776deb88f895412....0.tmp
- <Package Folder>/cache/####/1934821080f9ace0e6ab0f255379db3ef9b....0.tmp
- <Package Folder>/cache/####/1cffdcff87dfb617961f08a21f4ec82d3ef....0.tmp
- <Package Folder>/cache/####/1ece4fa4520526292f0bbcc406d8ecb8ad6....0.tmp
- <Package Folder>/cache/####/1fc54b1444979dd432054f73f192e73ae8c....0.tmp
- <Package Folder>/cache/####/230041a5fd96edd82dfd90ac46cfbf9da78....0.tmp
- <Package Folder>/cache/####/316e6da37b456cc070ebc81046d51173b93....0.tmp
- <Package Folder>/cache/####/33aec35ae003e1b9a7e11c541885557ad5e....0.tmp
- <Package Folder>/cache/####/34181b936da5d5d413f90a2dd879ec64577....0.tmp
- <Package Folder>/cache/####/36eb7eb7b52325324096c22dda15b37e7e0....0.tmp
- <Package Folder>/cache/####/48dab8678ea5b999a46eddd33c4c5f183fe....0.tmp
- <Package Folder>/cache/####/52c11b561d5bfeb7c85834f86a80702dd6d....0.tmp
- <Package Folder>/cache/####/57c6939c520cbd4647f16c6ebe08a1b83e7....0.tmp
- <Package Folder>/cache/####/5b87d663a0252d48b36fb3f9a92343967bc....0.tmp
- <Package Folder>/cache/####/5fee4b696e9d3f315112734a4c8011e8dc2....0.tmp
- <Package Folder>/cache/####/6307aef2eaaf68780c0fb674dd965432bc6....0.tmp
- <Package Folder>/cache/####/7166723668daf8a5012f04940af32f3513f....0.tmp
- <Package Folder>/cache/####/7dac8bf6d9d9f3f80048e9b6703a0a4727f....0.tmp
- <Package Folder>/cache/####/7f6168c18bf557f87d8c33849b55c393471....0.tmp
- <Package Folder>/cache/####/808e933f2cf45a5ac3a80ce4b6f8548086b....0.tmp
- <Package Folder>/cache/####/908407571ae89a1c07326f1b40a11618471....0.tmp
- <Package Folder>/cache/####/91ce3eb9155d1c4239d3a01741cce07dd5e....0.tmp
- <Package Folder>/cache/####/9856a968e94addea8108ad8020e194dd171....0.tmp
- <Package Folder>/cache/####/9f9cce602e3e69f56fd3e815f5f374d80d4....0.tmp
- <Package Folder>/cache/####/bd6393e85d574cf59086b6886b017c77345....0.tmp
- <Package Folder>/cache/####/cc896f0f17d49ebba443df91dc541940251....0.tmp
- <Package Folder>/cache/####/ce41d550d72dfe811c7fcaca3b12253bfa8....0.tmp
- <Package Folder>/cache/####/d1b500006eb57c51764b7cce8d94fa9c3e9....0.tmp
- <Package Folder>/cache/####/d8ca9cfd18b479e606847f6686be094b1ed....0.tmp
- <Package Folder>/cache/####/da20de25adbfb5a39234627ecfc1ec8c4ad....0.tmp
- <Package Folder>/cache/####/daab0c8cc411f7ee5b12afe5d414c68febd....0.tmp
- <Package Folder>/cache/####/def46cc0129cfb9d41a783f5eba9e22ec4e....0.tmp
- <Package Folder>/cache/####/e1b960c174dc380a7d8c02ae4c8ad578f12....0.tmp
- <Package Folder>/cache/####/e9863b0f04bade4147e536c62f46d020c50....0.tmp
- <Package Folder>/cache/####/ed64e74fd797d12f90577a9e25c73f0435b....0.tmp
- <Package Folder>/cache/####/ee4b95fceed1765580827b78e66cf64f85a....0.tmp
- <Package Folder>/cache/####/eed8e0042d777024b5fb8304a0a0bf0fe72....0.tmp
- <Package Folder>/cache/####/f0b5f9dff987631573c194d675f53115129....0.tmp
- <Package Folder>/cache/####/f3d4a4560f8247c50c610eb050204ea629c....0.tmp
- <Package Folder>/cache/####/f6f33797c18a1adfbb209a7082f2de5257f....0.tmp
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/files/rosg
- <Package Folder>/files/rosg.jar
- <Package Folder>/files/ru
- <Package Folder>/files/ru.apk
- <Package Folder>/files/yqqp.png
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/config.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/xapcinfo.xml
Другие:
Запускает следующие shell-скрипты:
- conbb od2gf04pd9
- cufsdosck ac554db364f
- cufsmgr eb47495f7bb
- service call appops 0 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 1 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 11 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 12 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 13 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 14 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 15 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 16 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 17 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 18 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 19 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 2 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 3 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 4 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 5 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 7 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 8 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 9 i32 15 i32 10044 s16 <Package> i32 0
- sh
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-PKCS5Padding
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
Осуществляет доступ к информации об отправленых/принятых смс.
