Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Loki.32.origin
- Android.Triada.222.origin
- Android.Triada.243
- Android.Triada.247.origin
- Android.Triada.248.origin
Скрывает свою иконку с экрана устройства.
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) fkdownl####.c####.ufi####.com:80
- TCP(HTTP/1.1) img.ace####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) fkserv####.adfan####.com:8080
- TCP(HTTP/1.1) d####.c####.l####.####.com:80
- TCP(HTTP/1.1) l.ace####.com:80
- TCP(HTTP/1.1) loc.map.b####.com:80
- TCP(HTTP/1.1) svr.doti####.com:80
- TCP(TLS/1.0) o####.sn####.com.####.net:443
- TCP(TLS/1.0) d.tou####.com:443
- TCP(TLS/1.0) owe.joy-r####.com:9050
- TCP(TLS/1.0) it####.a####.com.####.net:443
- TCP(TLS/1.0) d####.c####.l####.####.com:443
Запросы DNS:
- and####.b####.qq.com
- cdn.joy-r####.com
- d.tou####.com
- fkdownl####.u####.uc####.####.cn
- fkserv####.adfan####.com
- img.ace####.com
- it####.a####.com
- l.ace####.com
- loc.map.b####.com
- o####.sn####.com
- owe.joy-r####.com
- svr.doti####.com
Запросы HTTP GET:
- l.ace####.com/ando/v2/mn?k=####&d=####&m=####
- svr.doti####.com/ics?sid=####&adid=####&idfa=####&clickid=####
Запросы HTTP HEAD:
- d####.c####.l####.####.com/5facf938-6ae3-4afd-a118-789a194c4ec3bdco_10027
Запросы HTTP POST:
- fkserv####.adfan####.com:8080/api/updateCheck.do
- l.ace####.com/ando/v1/x/ap?app_id=####&r=####
- l.ace####.com/ando/v1/x/lv?app_id=####&r=####
- l.ace####.com/ando/v1/x/qa?app_id=####&r=####
- loc.map.b####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_C3g3qVLoPom3/####/list1.cache
- <Package Folder>/app_C3g3qVLoPom3/####/list2.chche
- <Package Folder>/app_aqPVSg3/tMS866P3hcq
- <Package Folder>/app_crashrecord/1004
- <Package Folder>/app_localdata/ApplicationCache.db-journal
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/index
- <Package Folder>/code-8094893/kGNO0wtCU0CTiOlB
- <Package Folder>/databases/bugly_db_-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/zNJsQCDdY3BIHrIXML3-lQ-c6rDAfyMw_TM2...RUNA==
- <Package Folder>/databases/zNJsQCDdY3BIHrIXML3-lQ-c6rDAfyMw_TM2...ournal
- <Package Folder>/databases/zNJsQCDdY3BIHrIXML3-lQ-c6rDAfyMw_jf4...ournal
- <Package Folder>/databases/zNJsQCDdY3BIHrIXML3-lQ-c6rDAfyMw_mVw...GTFA==
- <Package Folder>/databases/zNJsQCDdY3BIHrIXML3-lQ-c6rDAfyMw_mVw...ournal
- <Package Folder>/databases/zNJsQCDdY3BIHrIXML3-lQ-c6rDAfyMw_qn9...Sg9taZ
- <Package Folder>/databases/zNJsQCDdY3BIHrIXML3-lQ-c6rDAfyMw_qn9...ournal
- <Package Folder>/databases/zNJsQCDdY3BIHrIXML3-lQ-c6rDAfyMw_siJ...LxRfE=
- <Package Folder>/databases/zNJsQCDdY3BIHrIXML3-lQ-c6rDAfyMw_siJ...ournal
- <Package Folder>/fankingbox/####/ad10021.apk
- <Package Folder>/fankingbox/####/ad10021.tmp
- <Package Folder>/fankingbox/####/fsdk80000.apk
- <Package Folder>/fankingbox/libgooglevi.so
- <Package Folder>/files/####/09fdb0c7-1136-4487-898b-6ec2c815219c.pic
- <Package Folder>/files/####/524JYWNnr_6EMok2
- <Package Folder>/files/####/7KxhRNNa6MiGWsZqKQ_wMQ==
- <Package Folder>/files/####/Bys0FDepwShl9So-N8QupHGH5DuMVpdI.new
- <Package Folder>/files/####/CJXJ_2rI2AMLazte.new
- <Package Folder>/files/####/IG_g1zTZScrLuITJw6wOMmkjDK8=.new
- <Package Folder>/files/####/JyaqhVkK8bY8CEsGabDCRw==
- <Package Folder>/files/####/LG32yFswogF8fFZ6uVOnwAHp39U=
- <Package Folder>/files/####/NlPnt8o_JhjVV5pFf4Uda-VjRt2ADxC6.new
- <Package Folder>/files/####/Pyo8ST5ouEAAIviNMQUP8hMyWkj4HOj40EsMeA==.new
- <Package Folder>/files/####/QA-bVF6Yk2bGQTwzc6iFtvKYBj2cASIR.new
- <Package Folder>/files/####/RpEOQ3sawVJRC3yEZfCd9_SIgeg=.new
- <Package Folder>/files/####/TnS72XkJzVz5bAPabAIYAAbAE5DeKU3Y.new
- <Package Folder>/files/####/UrHE1uYVwZpM4sGvFREt3Q==.new
- <Package Folder>/files/####/b843e3a1-2824-4440-8520-4edaeab6909f.pic.temp
- <Package Folder>/files/####/cd989956-2229-4e12-8e19-53c6db0e876b.pic.temp
- <Package Folder>/files/####/ermFN9wLN3K6mB3xhnGNTQ==.new
- <Package Folder>/files/####/f0518033-a854-4aba-a030-9492d1db5478.pic
- <Package Folder>/files/####/fd35c174-ae1b-4710-9547-e366e5888de5.pic.temp
- <Package Folder>/files/####/fy2QxYg_l_NPWx8X2zmF0kAQ7pnrLBa8DSvRPA==.new
- <Package Folder>/files/####/gaaNW5e-SlLMCMT7CuYfRtNNjAc=.new
- <Package Folder>/files/####/gqwppmia2dv-221HoeDLc6Dcfh-6GOmJt_M...4=.new
- <Package Folder>/files/####/hbXPqgmcuV3fTwQ4IMhGrQ==.new
- <Package Folder>/files/####/ioeCfZoDfLCYUK-VXwJFV373xtzZfgpp.new
- <Package Folder>/files/####/ioiLhuo1VUca5h2FDruwNyX2cRTFCRK0.new
- <Package Folder>/files/####/jf8PFDbR0W0VsNQy51WCSEhagkE=.new
- <Package Folder>/files/####/lM81FhEHD2V6gj_4-Iv8yFdBVQtqo9xh9i0...k=.new
- <Package Folder>/files/####/mDaD2oezasL41pSVPi-jYjO4fRY=.new
- <Package Folder>/files/####/mF5Q32ksYVP_w2CAobiKq9s5SoKP70fh.new
- <Package Folder>/files/####/qurbua_f.zip
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/tizNGILvZ1UCJZIzvXAff5zQqtdsgKUrj1p...k=.new
- <Package Folder>/files/####/uISM6qDlPX3Va0S3uM3C6OjtKDhtTMeHfarcEQ==.new
- <Package Folder>/files/####/vT2AHqiheRgajt5f5z3FpFq_squ_cHUYzzZ...E=.new
- <Package Folder>/files/####/vTyI0mu2RvwFgwVK.zip
- <Package Folder>/files/####/z6dt35suQI7RdSNns9fIVqJXy96UHAIO.new
- <Package Folder>/files/2078793401
- <Package Folder>/files/3018798.jar
- <Package Folder>/files/H4O783l.apk
- <Package Folder>/files/bdco.cf
- <Package Folder>/files/bdco.tmp.temp
- <Package Folder>/files/bdco.tmp0.temp
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/rdata_comekzroizz.new
- <Package Folder>/files/security_info
- <Package Folder>/shared_prefs/alias.xml
- <Package Folder>/shared_prefs/crashrecord.xml
- <Package Folder>/shared_prefs/fanking.sdk.xml
- <Package Folder>/shared_prefs/fanking.strategy.sdk.xml
- <Package Folder>/shared_prefs/fksdk_pid_config.xml
- <Package Folder>/shared_prefs/sdfgh.xml
- <Package Folder>/shared_prefs/sdfgh.xml.bak
- <SD-Card>/.armsd/####/29755ef0-af9f-45b9-93b5-839393ce46fc.res
- <SD-Card>/.armsd/####/2d42f42c-6ba0-407d-a41b-91b005b639d8.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/c680fa0a-eb09-4a8f-95a4-3ed5a4018831.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.fankv7/.fankcoas
- <SD-Card>/BIRDDOWNLOAD/####/YvscMPs.xml
- <SD-Card>/BIRDDOWNLOAD/####/rinsWPVPycqVPSq38.db
- <SD-Card>/BIRDDOWNLOAD/####/rinsWPVPycqVPSq38.db-journal
- <SD-Card>/BIRDDOWNLOAD/####/webinfo.xml
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop
- /system/bin/sh -c type su
- <Package Folder>/app_aqPVSg3/tMS866P3hcq -p <Package> -s com.system.setting.BackgroundService -t 600
- <Package Folder>/code-8094893/kGNO0wtCU0CTiOlB -p <Package> -c com.ekzr.oizz.wlfeuq.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- chmod 0755 <Package Folder>/app_aqPVSg3/tMS866P3hcq
- getprop
- sh <Package Folder>/app_aqPVSg3/tMS866P3hcq -p <Package> -s com.system.setting.BackgroundService -t 600
Загружает динамические библиотеки:
- Bugly
- libgooglevi
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
