Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.84.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) c####.163.com:80
- TCP(HTTP/1.1) t.gl####.y####.net:80
- TCP(HTTP/1.1) t####.dmp.y####.net:80
- TCP(HTTP/1.1) sdk.st####.y####.com:80
- TCP(HTTP/1.1) a.dia####.com:80
- TCP(HTTP/1.1) t####.c####.l####.####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) c####.mik####.com.####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) s.redba####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) aos.w####.y####.net:80
- TCP(HTTP/1.1) s####.gw.y####.####.com:80
- TCP(HTTP/1.1) use####.redba####.com:80
- TCP(HTTP/1.1) f####.mik####.com:80
- TCP(HTTP/1.1) p####.mik####.com:80
- TCP(HTTP/1.1) www.mik####.com:80
- TCP(HTTP/1.1) dl####.dia####.com.####.com:80
- TCP(HTTP/1.1) c####.redba####.com:80
- TCP(HTTP/1.1) s.y####.net:80
- TCP c####.g####.ig####.com:5225
- UDP 2####.0.0.1:9998
- TCP sdk.o####.t####.####.com:5224
Запросы DNS:
- 5####.nd####.y####.com
- 7j####.c####.z0.####.com
- a.dia####.com
- aos.w####.y####.net
- c####.163.com
- c####.g####.ig####.com
- c####.mik####.com
- c####.redba####.com
- c-h####.g####.com
- c.sz.gt.####.com
- dl####.dia####.com
- f####.mik####.com
- p####.mik####.com
- s####.gw.y####.net
- s.redba####.com
- s.y####.net
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- sdk.st####.y####.com
- t####.dmp.y####.net
- t.gl####.y####.net
- use####.redba####.com
- www.mik####.com
Запросы HTTP GET:
- a.dia####.com/dev/api/adlist/adlist.php?device_id=####&imsi=####&device_...
- a.dia####.com/dev/api/adlist/task.php?device_id=####&imsi=####&device_na...
- c####.redba####.com/v1img/b1.png
- c####.redba####.com/v1img/lyq.png
- f####.mik####.com/upgrading_form.php?t=####
- f####.mik####.com/wln56x
- p####.mik####.com/ugc_3_a/pub/80/80fc679ece348a517b2d70bd067708b9/form/i...
- s####.gw.y####.####.com/aos/v3/initf?s=####
- s####.gw.y####.####.com/stat/v3/udt2?appid=####&s=####
- sdk.st####.y####.com/core/aos-dex/1609/6446/4595cef0.jar
- t####.c####.l####.####.com/config/hz-hzv3.conf
- use####.redba####.com/s/q/rcode?t=####&mid=####&u=####
Запросы HTTP POST:
- a.dia####.com/dev/api/connect.php?device_id=####&imsi=####&device_name=#...
- a.dia####.com/dev/api/e_package_update.php
- c####.163.com/client/api/uploadStartUpInfo.do
- c####.163.com/uploadCrashLogInfo.do
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.cache/version
- <Package Folder>/app_libs/ymdex.jar.new
- <Package Folder>/cache/####/0a177513b81a9517d1e5bc0a3eb90df6718....0.tmp
- <Package Folder>/cache/####/25a0a37b0e012c594cad1e158a4c540a4b1....0.tmp
- <Package Folder>/cache/####/51aef88d1f858f1edd860aefd63c7e44fcb....0.tmp
- <Package Folder>/cache/####/5e21bd3fb63e4593aa37eaa6ebb6781fc78....0.tmp
- <Package Folder>/cache/####/783333be9675fd56fae0c221bc5ef7239a7....0.tmp
- <Package Folder>/cache/####/b9b6216774ead75f31db5950bd842abd7b5....0.tmp
- <Package Folder>/cache/####/d69e2c93c826577f6f7b9d7b4925e065cb7....0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal
- <Package Folder>/cache/ApplicationCache.db-journal (deleted)
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/5159243fb0c8cb279d16078c04de7eb8-journal
- <Package Folder>/databases/6b6d9b9a358f167f0e42728fc9eada3b
- <Package Folder>/databases/6b6d9b9a358f167f0e42728fc9eada3b-journal
- <Package Folder>/databases/791e82c8f290a80fa99e701d051bfe43
- <Package Folder>/databases/791e82c8f290a80fa99e701d051bfe43-journal
- <Package Folder>/databases/819fa48d74b00d4e7b30ce82ddeb2e59
- <Package Folder>/databases/819fa48d74b00d4e7b30ce82ddeb2e59-journal
- <Package Folder>/databases/832aac1cf901b73f0714da38bab00ba3
- <Package Folder>/databases/832aac1cf901b73f0714da38bab00ba3-journal
- <Package Folder>/databases/OxgHkj2lz09F
- <Package Folder>/databases/OxgHkj2lz09F-journal
- <Package Folder>/databases/P15pKIjsm64m
- <Package Folder>/databases/P15pKIjsm64m-journal
- <Package Folder>/databases/T1oX0rhhuXWt
- <Package Folder>/databases/T1oX0rhhuXWt-journal
- <Package Folder>/databases/XKwVoK0huy3R
- <Package Folder>/databases/XKwVoK0huy3R-journal
- <Package Folder>/databases/jqIqJYOT3JpT
- <Package Folder>/databases/jqIqJYOT3JpT-journal
- <Package Folder>/databases/pushext.db-journal
- <Package Folder>/databases/pushg.db-journal
- <Package Folder>/databases/pushsdk.db-journal
- <Package Folder>/databases/redbb.db
- <Package Folder>/databases/redbb.db-journal
- <Package Folder>/databases/wIU6pTyUBYWX
- <Package Folder>/databases/wIU6pTyUBYWX-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/wsUL1uCdKvjD
- <Package Folder>/databases/wsUL1uCdKvjD-journal
- <Package Folder>/files/gdaemon_20161017
- <Package Folder>/files/init.pid
- <Package Folder>/files/init_c.pid
- <Package Folder>/files/libdlhbbworke.so
- <Package Folder>/files/mobclick_agent_cached_<Package>112
- <Package Folder>/files/prop.dat (deleted)
- <Package Folder>/files/push.pid
- <Package Folder>/files/run.pid
- <Package Folder>/files/sec.lck
- <Package Folder>/files/tdata_VBQ588
- <Package Folder>/files/tdata_VBQ588.jar
- <Package Folder>/files/tdata_XXp259
- <Package Folder>/files/tdata_XXp259.jar
- <Package Folder>/shared_prefs/C0XKJAO3JLZKJPDKJFXLINQCJIOAOD.xml
- <Package Folder>/shared_prefs/CE94557724F842149D690D0E8CBB1CBD.xml
- <Package Folder>/shared_prefs/DefaultPreferences.xml
- <Package Folder>/shared_prefs/DefaultPreferences.xml.bak
- <Package Folder>/shared_prefs/InitTag.xml
- <Package Folder>/shared_prefs/OFFERSCONFIG1.xml
- <Package Folder>/shared_prefs/mobclick_agent_user_<Package>.xml
- <Package Folder>/shared_prefs/preferences.xml
- <Package Folder>/shared_prefs/preferences.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak (deleted)
- <SD-Card>/Android/####/DXTX902KJZX9JASLDJF
- <SD-Card>/Android/####/DXTX902KJZX9JASLDJF.ymtf
- <SD-Card>/Android/####/i42d45df023jnkdd93la483f9xGFKXI
- <SD-Card>/Android/####/s92TjjdfoP2n3o9dfji2l9s1olkjf0p
- <SD-Card>/Android/djaof.dll
- <SD-Card>/libs/<Package>.db
- <SD-Card>/libs/app.db
- <SD-Card>/libs/com.getui.sdk.deviceId.db
- <SD-Card>/libs/com.igexin.sdk.deviceId.db
- <SD-Card>/libs/test.log
- <SD-Card>/system/####/tdata_VBQ588
- <SD-Card>/system/####/tdata_XXp259
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/kernel_max
- <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 25882 300 0
- chmod 700 <Package Folder>/files/gdaemon_20161017
- getprop
- logcat -d -v threadtime
- ls -l /system/bin/su
- sh -c getprop > <Package Folder>/files/prop.dat
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 25882 300 0
Загружает динамические библиотеки:
- abcdefgh
- dlhbbworkc
- getuiext2
- nesec
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- PBEWITHMD5andDES
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- PBEWITHMD5andDES
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
