Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 106575206321505460: dyl#<IMSI>,<IMEI>,6000065-1-1039-6_kh37s0001_-0
- 15121150845: #2016#900000&100001&<IMSI>&<IMEI>&<ICCID>
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) and####.hzd####.com:80
- TCP(HTTP/1.1) app.su####.com.####.com:80
- TCP(HTTP/1.1) mch.sz####.com:80
- TCP(HTTP/1.1) 1####.76.223.181:84
- TCP(HTTP/1.1) tinyq####.ove####.b0.####.com:80
- TCP(HTTP/1.1) and####.5####.com:8077
- TCP(HTTP/1.1) 1####.75.30.57:10001
- TCP(HTTP/1.1) 1####.76.223.181:83
- TCP(HTTP/1.1) img-a####.b0.upa####.com:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(HTTP/1.1) ping####.qq.com:80
- TCP(HTTP/1.1) www.huangda####.com:80
- TCP(HTTP/1.1) gd.a.s####.com:80
- TCP(HTTP/1.1) 1####.59.40.34:19000
- TCP(HTTP/1.1) at.al####.com:80
- TCP(HTTP/1.1) api.meme####.com:80
- TCP(HTTP/1.1) b####.hzd####.com.####.cn:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/???) 1####.76.223.181:84
- TCP(TLS/1.0) sa.meme####.com:9001
Запросы DNS:
- and####.5####.com
- and####.hzd####.com
- api.meme####.com
- app.su####.com
- at.al####.com
- b####.hzd####.com
- hm.b####.com
- img-a####.b0.upa####.com
- img.su####.com
- lib.su####.com
- m.2####.com
- mch.sz####.com
- pi####.qq.com
- ping####.qq.com
- pv.s####.com
- sa.meme####.com
- www.huangda####.com
Запросы HTTP GET:
- api.meme####.com/channel/prop?_id=####&callback=####&_=####
- api.meme####.com/public/blackword_list/0?callback=####&_=####
- api.meme####.com/public/blackword_list/1?callback=####&_=####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&ep=####&et=####&ja=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&et=####&ja=####&ln=#...
- hm.b####.com/hm.js?a97087b####
- img-a####.b0.upa####.com/22994134/0826/cb1feb7c158135cd503c0485a8ef9145....
- img-a####.b0.upa####.com/26175714/0705/80f2e1615373016505324f383f5e3609....
- img-a####.b0.upa####.com/27368911/0730/2848cc6bcea42c91a4dea7696f346b0f....
- img-a####.b0.upa####.com/30290941/0907/eb173f8c99386b9abce19d047785323c....
- img-a####.b0.upa####.com/30293058/0911/d8a56aa20f6ac162cff8b8b43b860bc6....
- img-a####.b0.upa####.com/31288278/0912/dd1ce551f5dcd2251ef552b5bd3838be....
- img-a####.b0.upa####.com/31337299/0823/e41839940e3167bca3bbe3beb3d21711....
- img-a####.b0.upa####.com/31354121/0802/70fcbb79b5a078f6fbafd817df327c49....
- img-a####.b0.upa####.com/31407636/0904/c9f8a903fac47f1f0d9ccfbe161427c4....
- img-a####.b0.upa####.com/31548544/0821/5fb41189aea8dc44a5f88e6aad7ff7fd....
- img-a####.b0.upa####.com/33561838/0905/08eb6c374c178131d47c6f2aa2dbecc5....
- img-a####.b0.upa####.com/34288949/0829/722eb7942bcd96d6956c6a39cc602283....
- img-a####.b0.upa####.com/35982928/0804/25fd792310ebea7b3c0e5384ca9a526a....
- img-a####.b0.upa####.com/36229389/0706/3feec0c81c7d068f80ae8b01bd264987....
- img-a####.b0.upa####.com/40214087/0801/f2338c396260af7ff26eee842a1dc4f5....
- img-a####.b0.upa####.com/45380940/0907/56991a0069f92c0fc1a62851f59fae4c....
- img-a####.b0.upa####.com/45980520/0827/ad70190c43d2f69d549fed8b5c839342....
- img-a####.b0.upa####.com/47943095/0711/a5e8c7efb1849431ba8a23e7f7ad8e50....
- img-a####.b0.upa####.com/48798775/0807/d7afdc9364c57550815cf8bfa0daa575....
- img-a####.b0.upa####.com/49094278/0904/7f43d48423ba4a1f551f77fb835ae0c9....
- img-a####.b0.upa####.com/49132056/0827/3d414d9a5839a818cd20dea3be2577b9....
- img-a####.b0.upa####.com/50307835/0903/c2c37faf339a3fa2639799fcc8324e3d....
- img-a####.b0.upa####.com/52295580/0729/a776edde9d96c0ebc74f17455198dfab....
- img-a####.b0.upa####.com/53907515/0904/c1e3d1d21d08cea5d8ccbe51b9bbf566....
- img-a####.b0.upa####.com/54571548/0906/e131cd57cbc46d997c7c0f911ec34708....
- img-a####.b0.upa####.com/55251747/0902/060e69e20ca81b110cc4a225a7af9872....
- img-a####.b0.upa####.com/55376144/0905/b9ed2a7656841e9d64d1420d3ec677c5....
- img-a####.b0.upa####.com/55604617/0909/945195fb672d535d250fba5c4bef2b95....
- img-a####.b0.upa####.com/9902351/0814/9fc347f47e28238ca3fd9138ab377974.j...
- img-a####.b0.upa####.com/9902735/0912/84ff386696e00379163508cf4c7707f3.j...
- img-a####.b0.upa####.com/9902794/0907/a8f1439e381463d1fc78e68d962ed7ca.j...
- mch.sz####.com/adv.do?ge####&distributionId=####&openId=####
- ping####.qq.com/pingd?dm=####&pvi=####&si=####&url=####&arg=uni####&ty=#...
- www.huangda####.com/active!activeLog.action?provider=####&clickId=####&m...
- www.huangda####.com/resource!resource?resTypes=####&appid=####&channel=#...
Запросы HTTP POST:
- and####.5####.com:8077/query-plat/conf/common/query.do
- and####.5####.com:8077/record-collect/record/upload.do
- and####.hzd####.com/video-plat/channel/getChannel.do
- and####.hzd####.com/video-plat/new/column/query.do
- and####.hzd####.com/video-plat/plugin/query.do
- www.huangda####.com/shop/shop_upload_log
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_PayImgs/35C0AA4E35870D8FB61718068BDBCF35
- <Package Folder>/app_PayImgs/5A0C98FA35D82BC7E418646B07304289
- <Package Folder>/app_PayImgs/60BB9E200DE476621218D5FF77D8E560
- <Package Folder>/app_workbench17860/apk.zip
- <Package Folder>/cache/####/0928f492a1a57b3b02d8c077037f1999dc3....0.tmp
- <Package Folder>/cache/####/0932b6bbbb28a41214bd29c56b6cc7c00c1....0.tmp
- <Package Folder>/cache/####/0d385e8c1c0933c30bd9ef6544f80b07063....0.tmp
- <Package Folder>/cache/####/13cc4a8df93b625fa61f60f1a0daab15b93....0.tmp
- <Package Folder>/cache/####/1c9b45365472c2190e86b8d7d1982742755....0.tmp
- <Package Folder>/cache/####/34993e4ff100c82daba51920e999a2dacdc....0.tmp
- <Package Folder>/cache/####/3e2d93e8d778e615381015d0c5b816ae7a0....0.tmp
- <Package Folder>/cache/####/410a000027f5f6f82176e802d93f98918f5....0.tmp
- <Package Folder>/cache/####/50d15f820c68feddb9d5b7a507e7fca48d4....0.tmp
- <Package Folder>/cache/####/63729a04135574403e7fb6edea0329a97cb....0.tmp
- <Package Folder>/cache/####/77073299dee68dacf67188e0b149970eb49....0.tmp
- <Package Folder>/cache/####/7f5cd01416d2dc32c9473c9d1d6188881cb....0.tmp
- <Package Folder>/cache/####/8a7b0f3d879d44992514a7eba5ef73e77d2....0.tmp
- <Package Folder>/cache/####/aa15ee7a412a3c75b47f18d826716bd1c1a....0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/f_000021
- <Package Folder>/cache/####/f_000022
- <Package Folder>/cache/####/f_000023
- <Package Folder>/cache/####/f_000024
- <Package Folder>/cache/####/f_000025
- <Package Folder>/cache/####/f_000026
- <Package Folder>/cache/####/f_000027
- <Package Folder>/cache/####/f_000028
- <Package Folder>/cache/####/f_000029
- <Package Folder>/cache/####/f_00002a
- <Package Folder>/cache/####/f_00002b
- <Package Folder>/cache/####/f_00002c
- <Package Folder>/cache/####/f_00002d
- <Package Folder>/cache/####/fe11fc47f687ea38e6450d1415ad768a6da....0.tmp
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/libabc
- <Package Folder>/shared_prefs/IsSecondEx.xml
- <Package Folder>/shared_prefs/IsSecondEx.xml.bak
- <Package Folder>/shared_prefs/data.xml
- <Package Folder>/shared_prefs/data.xml.bak
- <Package Folder>/shared_prefs/out.xml
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/twc.xml
- <Package Folder>/shared_prefs/twc.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/zzconfig.xml
- <SD-Card>/Android/####/79C96062F33D857A57DA862BE5514BE8
- <SD-Card>/Android/####/<Package>.plugin.jar
- <SD-Card>/Android/####/com.skymobi.pay.plugin.main.data
- <SD-Card>/Android/####/data.xml
Другие:
Запускает следующие shell-скрипты:
- cat /sys/block/mmcblk0/device/cid
- chmod 666 /storage/emulated/0/Android/data/<Package>/plugins/<Package>.plugin.jar
Загружает динамические библиотеки:
- libabc
Использует следующие алгоритмы для шифрования данных:
- DES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- DES
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о настроках APN.
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
Парсит информацию из смс сообщений.
Осуществляет доступ к информации об отправленых/принятых смс.
