Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.20
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) c####.baidust####.com:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) l####.b####.com:80
- TCP(HTTP/1.1) go.1mi####.cn:80
- TCP(HTTP/1.1) mo####.b####.com:80
- TCP(HTTP/1.1) b.xuezi####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) m.xuezi####.com.####.com:80
- TCP(HTTP/1.1) cm.pos.b####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) t.xuezi####.com:80
- TCP(HTTP/1.1) a.xuezi####.com:80
- TCP(HTTP/1.1) m####.z####.cn:80
- TCP(HTTP/1.1) img.xuezi####.com.####.com:80
- TCP(HTTP/1.1) pos.b####.com:80
- TCP(HTTP/1.1) map####.y####.com.cn:80
- TCP(HTTP/1.1) si####.jom####.com:80
- TCP(HTTP/1.1) c####.jd.com:80
- TCP(HTTP/1.1) wn.pos.b####.com:80
- TCP(HTTP/1.1) s.c####.b####.com:80
- TCP(HTTP/1.1) i.xuezi####.com:80
- TCP(HTTP/1.1) c####.b####.com:80
- TCP(HTTP/1.1) d.xiongj####.com.####.com:80
- TCP(HTTP/1.1) eiv.b####.com:80
- TCP(HTTP/1.1) 2####.243.193.48:80
- TCP(TLS/1.0) c####.baidust####.com:443
- TCP(TLS/1.0) c####.b####.com:443
- TCP(TLS/1.0) ec####.b####.com:443
- TCP(TLS/1.0) pos.b####.com:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) si####.jom####.com:443
Запросы DNS:
- a.xuezi####.com
- b.xuezi####.com
- c####.b####.com
- c####.baidust####.com
- c####.baidust####.com
- c####.jd.com
- c.c####.com
- cm.b####.com
- cm.pos.b####.com
- d.xiongj####.com.cn
- ec####.b####.com
- eiv.b####.com
- f10.b####.com
- f11.b####.com
- f12.b####.com
- go.1mi####.cn
- hm.b####.com
- i.xuezi####.com
- img.xuezi####.com
- l####.b####.com
- m####.z####.cn
- m.xuezi####.com
- map####.y####.com.cn
- mo####.b####.com
- pos.b####.com
- s.c####.b####.com
- s95.c####.com
- t.xuezi####.com
- t10.b####.com
- t11.b####.com
- t12.b####.com
- wn.pos.b####.com
- z4.c####.com
Запросы HTTP GET:
- a.xuezi####.com/cudp2498ah.js
- a.xuezi####.com/ewd71f2n7s.js
- a.xuezi####.com/mqkonkoqenepgdzkon.js
- a.xuezi####.com/pgdh5vxoea.js
- a.xuezi####.com/vndinnlicg.js
- a.xuezi####.com/xodavkf9xj.js
- a.xuezi####.com/xpdzmyes4r.js
- b.xuezi####.com/m.html?mediaid=####&cookie_version=####×tamp=####&e...
- b.xuezi####.com/wqascrzv?fcg=####&ugb=####&bg=####&jrs=####&bgq=####&cvn...
- b.xuezi####.com/zzn/bd?c=####
- c####.b####.com/cpro/ui/uijs.php?adclass=####&app_id=####&c=####&cf=####...
- c####.b####.com/cpro/ui/uijs.php?en=####&c=####&fv=####&itm=####&kdi0=##...
- c####.b####.com/cpro/ui/uijs.php?rs=####&u=####&p=####&c=####&n=####&t=#...
- c####.baidust####.com/cpro/expire/time2.js
- c####.baidust####.com/cpro/ui/noexpire/img/2.0.1/bd-logo4.png
- c####.baidust####.com/cpro/ui/pr.js
- c####.baidust####.com/sync.htm?cproid=####
- c####.jd.com/du?&baidu_user_id=####&cookie_version=####×tamp=####&e...
- cm.pos.b####.com/pixel?dspid=####
- cm.pos.b####.com/pixel?media_sign=####&media_site=####
- d.xiongj####.com.####.com/jfile/fov.jar
- eiv.b####.com/hmt/icon/21.gif
- hm.b####.com/h.js?d86aa62####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&ep=####&et=####&ja=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&et=####&ja=####&ln=#...
- i.xuezi####.com/index.php?s=####&c=####
- i.xuezi####.com/index.php?s=####&c=####&cm=####&callback=####&cl1=####&c...
- i.xuezi####.com/index.php?s=####&c=####&cm=####&type=####&val=####
- i.xuezi####.com/skins/mobile/images/isloading.gif
- i.xuezi####.com/skins/mobile/images/search.png
- i.xuezi####.com/skins/mobile/js/config.js
- i.xuezi####.com/skins/mobile/js/imageceche.js
- i.xuezi####.com/skins/mobile/js/model_answerbook.js
- i.xuezi####.com/skins/mobile/member/js/jquery.min.js
- i.xuezi####.com/skins/mobile/model/daanebook/style/daanebook.css
- i.xuezi####.com/skins/mobile/model/image/isloading.gif
- i.xuezi####.com/skins/mobile/style/global.css
- img.xuezi####.com.####.com/czsxxxff/
- img.xuezi####.com.####.com/data/index.php?s=####&d=####&c=####&aid=####
- img.xuezi####.com.####.com/data/index.php?s=####&d=####&cm=####&c=####&t...
- img.xuezi####.com.####.com/skin/css/image/logo.png
- img.xuezi####.com.####.com/skin/image/isloading.gif
- img.xuezi####.com.####.com/skin/pbl/image/daansearchicon.png
- img.xuezi####.com.####.com/skin/pbl/image/isloading.gif
- img.xuezi####.com.####.com/skin/pbl/image/nav_more.png
- img.xuezi####.com.####.com/skin/pbl/image/search_btn.png
- img.xuezi####.com.####.com/skin/pbl/image/tj.png
- img.xuezi####.com.####.com/skin/pbl/images/1111.jpg
- img.xuezi####.com.####.com/skin/pbl/images/2222.jpg
- img.xuezi####.com.####.com/skin/pbl/js/main.js
- img.xuezi####.com.####.com/skin/pbl/js/main.js?1####
- img.xuezi####.com.####.com/skin/pbl/style/zuowen.css
- img.xuezi####.com.####.com/uploads/allimg/icon/p1155.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p124.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p1356.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p1618.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p1679.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p1746.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p2024.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p2048.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p249.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p325.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p508.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p705.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p767.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p777.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p893.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p933.jpg
- img.xuezi####.com.####.com/uploads/allimg/icon/p982.jpg
- img.xuezi####.com.####.com/uploads/daan/type/20160305/10084b4f4d0c4167a5...
- img.xuezi####.com.####.com/uploads/daan/type/20160305/1d812c55dbd34c0a8b...
- img.xuezi####.com.####.com/uploads/daan/type/20160305/4e468287ffc642b9b2...
- img.xuezi####.com.####.com/uploads/daan/type/20160305/4f11f8a65e6c4437aa...
- img.xuezi####.com.####.com/uploads/daan/type/20160305/581ced31253b444986...
- img.xuezi####.com.####.com/uploads/daan/type/20160305/81f93620b8ce466694...
- img.xuezi####.com.####.com/uploads/daan/type/20160305/95e2edd2674a4de28f...
- img.xuezi####.com.####.com/uploads/daan/type/20160305/ad4e0f7985024d42b2...
- img.xuezi####.com.####.com/uploads/daan/type/20160305/b68a313fad594a89bd...
- img.xuezi####.com.####.com/uploads/daan/type/20160305/de56c655159f457388...
- img.xuezi####.com.####.com/uploads/daan/type/20160305/ff6f31be95f84b15b1...
- img.xuezi####.com.####.com/uploads/litimg/20160819/1471573209604467.jpg
- img.xuezi####.com.####.com/uploads/litimg/20160819/1471573497753959.jpg
- img.xuezi####.com.####.com/uploads/litimg/20170317/1489711597128097.jpg
- img.xuezi####.com.####.com/uploads/litimg/20170625/1498380146304234.jpg
- img.xuezi####.com.####.com/uploads/litimg/20170801/1501568805120549.jpg
- img.xuezi####.com.####.com/uploads/litimg/20170801/1501568857133665.jpg
- img.xuezi####.com.####.com/xxff/224782.html
- img.xuezi####.com.####.com/xxff/6794.html
- l####.b####.com/jquery/2.0.0/jquery.min.js
- map####.y####.com.cn/s/mapping/?baidu_user_id=####&cookie_version=####&t...
- mo####.b####.com/ads/pa/8/__pasys_remote_banner.php?bdr=####&os=####&v=#...
- mo####.b####.com/ads/pa/8/__xadsdk__remote__8.7004.jar
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&cce=####&col=####&pcs...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&cec=####&dri=####&ti=...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&col=####&dai=####&psr...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&drs=####&pcs=####&dc=...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&psr=####&chi=####&ant...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&pss=####&cdo=####&dc=...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&pss=####&col=####&chi...
- pos.b####.com/sync_pos.htm?cproid=####
- pos.b####.com/sync_pos.htm?cproid=####&t=####
- s.c####.b####.com/s.htm?cproid=####&t=####
- si####.jom####.com/it/u=1117774159,162223482&fm=76
- si####.jom####.com/it/u=1172592357,1361907035&fm=76
- si####.jom####.com/it/u=14227813,1707185245&fm=76
- si####.jom####.com/it/u=145337872,3917615446&fm=76
- si####.jom####.com/it/u=150158167,1758008337&fm=76
- si####.jom####.com/it/u=165700383,2217186882&fm=76
- si####.jom####.com/it/u=1778216149,2238043669&fm=76
- si####.jom####.com/it/u=1789519269,1052323278&fm=76
- si####.jom####.com/it/u=185138717,1812398500&fm=76
- si####.jom####.com/it/u=2307456749,3379751380&fm=76
- si####.jom####.com/it/u=2309716944,2654945353&fm=76
- si####.jom####.com/it/u=2383638222,3419487030&fm=76
- si####.jom####.com/it/u=253227054,186101040&fm=76
- si####.jom####.com/it/u=2594222363,3786436383&fm=76
- si####.jom####.com/it/u=2873890027,3532045425&fm=76
- si####.jom####.com/it/u=3123536280,3593509617&fm=76
- si####.jom####.com/it/u=3378993785,666367490&fm=76
- si####.jom####.com/it/u=3587268959,75009308&fm=76
- si####.jom####.com/it/u=361369288,3328287106&fm=76
- si####.jom####.com/it/u=3701994385,2305095443&fm=76
- si####.jom####.com/it/u=386850795,3239662606&fm=76
- si####.jom####.com/it/u=4044105353,1190104940&fm=76
- si####.jom####.com/it/u=413314635,3299858611&fm=76
- si####.jom####.com/it/u=4289845849,38970968&fm=76
- si####.jom####.com/it/u=506598912,2220714535&fm=76
- si####.jom####.com/it/u=509827831,3061346639&fm=76
- si####.jom####.com/it/u=532111687,1427742597&fm=76
- si####.jom####.com/it/u=58706576,1392330400&fm=76
- si####.jom####.com/it/u=598775401,1445984355&fm=76
- si####.jom####.com/it/u=600842760,1897449143&fm=76
- si####.jom####.com/it/u=828834914,532223101&fm=76
- t.xuezi####.com/uploads/daanbook/h4d/4d6377dc8954940e237d743b30d82832.jpg
- t.xuezi####.com/uploads/daanbook/hbc/bc1e7e6eb85be51e7bfe48b7f6d9da33.jpg
- t.xuezi####.com/uploads/daanbook/hd5/d51ebc2387dbba9c2baa5069c84db144.jpg
- t.xuezi####.com/uploads/daanbook/hfe/fe6924473282971982d78b227a2ca7c1.jpg
- t.xuezi####.com/uploads/daanbook/i11/11434f700d39e36ecd24a9964068b9ba.jpg
- t.xuezi####.com/uploads/daanbook/i1b/1baa33673f74d7d0f4f54036f9b46087.jpg
- t.xuezi####.com/uploads/daanbook/i21/212956a1737153ad309eb3edbd73c137.jpg
- t.xuezi####.com/uploads/daanbook/i2e/2e2de823d4b7c3766feb551960b228f1.jpg
- t.xuezi####.com/uploads/daanbook/i69/69b4c9961e04f3fbb71c0144d034d4ba.jpg
- t.xuezi####.com/uploads/daanbook/i6a/6a441c6bf128b724f6f69a02750b2e24.jpg
- t.xuezi####.com/uploads/daanbook/ia2/a208a7e1116ba9181353693bba1949df.jpg
- t.xuezi####.com/uploads/daanbook/icc/cc2a06e84e6687793b00be94d10f3419.jpg
- t.xuezi####.com/uploads/daanbook/idc/dc9cc211e89879d93c31201d0ae7b66e.jpg
- t.xuezi####.com/uploads/daanlitpic/20160919/5e8dc096-5714-4e9c-96ae-2a3a...
- t.xuezi####.com/uploads/daanlitpic/20160919/74301a08-2f9c-4d95-9629-ce48...
- wn.pos.b####.com/adx.php?c=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_baidu_ad_sdk/__xadsdk__remote__final__4553...6f.jar
- <Package Folder>/app_baidu_ad_sdk/__xadsdk__remote__final__builtin__.jar
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/index
- <Package Folder>/databases/downloadswc
- <Package Folder>/databases/downloadswc-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-jou...leted)
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/W_Key.xml
- <Package Folder>/shared_prefs/__x_adsdk_agent_header__.xml
- <Package Folder>/shared_prefs/__xadsdk_downloaded__version__.xml
- <Package Folder>/shared_prefs/st.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/z.xml
- <SD-Card>/Download/####/4.9fov.jar
- <SD-Card>/dt/restime.dat
Другие:
Использует следующие алгоритмы для расшифровки данных:
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
