Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.RemoteCode.110.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) p####.wp.com:80
- TCP(HTTP/1.1) s.grav####.com:80
- TCP(HTTP/1.1) f####.google####.com:80
- TCP(HTTP/1.1) na####.sno####.1####.com:8111
- TCP(HTTP/1.1) stat####.face####.com:80
- TCP(HTTP/1.1) f####.cdn.1####.com:80
- TCP(HTTP/1.1) www.esq####.tw:80
- TCP(HTTP/1.1) con####.face####.net:80
- TCP(HTTP/1.1) api-ce####.coo####.org:80
- TCP(HTTP/1.1) p.mo####.cc:80
- TCP(HTTP/1.1) i.y####.com:80
- TCP(TLS/1.0) ma####.bootstr####.com:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) m.face####.com:443
- TCP(TLS/1.0) scon####.cdninst####.com:443
- TCP(TLS/1.0) ti####.jom####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) s####.g.doublec####.net:443
- TCP(TLS/1.0) hpd.b####.com:443
- TCP(TLS/1.0) s####.wp.com:443
- TCP(TLS/1.0) stat####.face####.com:443
- TCP(TLS/1.0) www.a.sh####.com:443
- TCP(TLS/1.0) www.face####.com:443
- TCP(TLS/1.0) api.insta####.com:443
- TCP(TLS/1.0) st####.doublec####.net:443
- TCP(TLS/1.0) www.google-####.com:443
- TCP(TLS/1.0) i.y####.com:443
- TCP(TLS/1.0) st####.xx.f####.net:443
- TCP(TLS/1.0) sconten####.xx.f####.net:443
- TCP(TLS/1.0) wap.n.sh####.com:443
- TCP(TLS/1.0) www.you####.com:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) i####.wp.com:443
Запросы DNS:
- api-ce####.coo####.org
- api.insta####.com
- c####.api.coo####.org
- con####.face####.net
- f####.b####.com
- f####.cdn.1####.com
- f####.google####.com
- f####.gst####.com
- g####.bdst####.com
- googl####.g.doublec####.net
- hpd.b####.com
- i####.wp.com
- i####.wp.com
- i####.wp.com
- i.y####.com
- m.b####.com
- m.face####.com
- ma####.bootstr####.com
- mipc####.bdst####.com
- na####.sno####.1####.com
- p####.wp.com
- p.mo####.cc
- s####.g.doublec####.net
- s####.wp.com
- s####.wp.com
- s.grav####.com
- s.y####.com
- scon####.cdninst####.com
- sconten####.xx.f####.net
- ss0.b####.com
- ss1.b####.com
- ss2.b####.com
- st####.doublec####.net
- st####.xx.f####.net
- stat####.face####.com
- timg####.b####.com
- www.b####.com
- www.esq####.tw
- www.face####.com
- www.go####.com
- www.google-####.com
- www.you####.com
Запросы HTTP GET:
- api-ce####.coo####.org/v2/content/getItemDetails-49309845.json?&id=####&...
- api-ce####.coo####.org/v2/content/getItemList-cn.json?&min=####&category...
- api-ce####.coo####.org/v2/content/getLangList.json
- api-ce####.coo####.org/v3/system/querytopicBycountry.json?&countryCode=#...
- f####.google####.com/css?family=####&subset=####&ver=####
- p####.wp.com/g.gif?v=####&j=####&blog=####&post=####&tz=####&srv=####&ho...
- s.grav####.com/css/hovercard.css?ver=####
- s.grav####.com/css/services.css?ver=####
- s.grav####.com/js/gprofiles.js?ver=####
- www.esq####.tw/esq-choice/歲月的洗禮/
- www.esq####.tw/wp-content/plugins/instagram-feed/css/sb-instagram.min.cs...
- www.esq####.tw/wp-content/plugins/instagram-feed/img/loader.png
- www.esq####.tw/wp-content/plugins/instagram-feed/img/small-logo.png
- www.esq####.tw/wp-content/plugins/instagram-feed/js/sb-instagram.min.js?...
- www.esq####.tw/wp-content/plugins/jetpack/_inc/social-logos/social-logos...
- www.esq####.tw/wp-content/plugins/jetpack/css/jetpack.css?ver=####
- www.esq####.tw/wp-content/plugins/jetpack/modules/sharedaddy/sharing.js?...
- www.esq####.tw/wp-content/plugins/jetpack/modules/wpgroho.js?ver=####
- www.esq####.tw/wp-content/plugins/lazy-load/images/1x1.trans.gif
- www.esq####.tw/wp-content/plugins/lazy-load/js/jquery.sonar.min.js?ver=#...
- www.esq####.tw/wp-content/plugins/lazy-load/js/lazy-load.js?ver=####
- www.esq####.tw/wp-content/plugins/photo-gallery/css/bwg_frontend.css?ver...
- www.esq####.tw/wp-content/plugins/photo-gallery/css/font-awesome/font-aw...
- www.esq####.tw/wp-content/plugins/photo-gallery/css/font-awesome/fonts/f...
- www.esq####.tw/wp-content/plugins/photo-gallery/css/jquery.mCustomScroll...
- www.esq####.tw/wp-content/plugins/photo-gallery/css/sumoselect.css?ver=#...
- www.esq####.tw/wp-content/plugins/photo-gallery/js/bwg_frontend.js?ver=#...
- www.esq####.tw/wp-content/plugins/photo-gallery/js/bwg_gallery_box.js?ve...
- www.esq####.tw/wp-content/plugins/photo-gallery/js/jquery.fullscreen-0.4...
- www.esq####.tw/wp-content/plugins/photo-gallery/js/jquery.mCustomScrollb...
- www.esq####.tw/wp-content/plugins/photo-gallery/js/jquery.mobile.js?ver=...
- www.esq####.tw/wp-content/plugins/photo-gallery/js/jquery.sumoselect.min...
- www.esq####.tw/wp-content/plugins/tablepress/css/default.min.css?ver=####
- www.esq####.tw/wp-content/plugins/youtube-channel-gallery/magnific-popup...
- www.esq####.tw/wp-content/plugins/youtube-channel-gallery/styles.css?ver...
- www.esq####.tw/wp-content/plugins/youtube-embed/css/main.min.css?ver=####
- www.esq####.tw/wp-content/themes/GRay/library/css/fontawesome/css/font-a...
- www.esq####.tw/wp-content/themes/GRay/library/css/fontawesome/fonts/font...
- www.esq####.tw/wp-content/themes/GRay/library/css/style.css?ver=####
- www.esq####.tw/wp-content/themes/GRay/library/js/cb-scripts.js?ver=####
- www.esq####.tw/wp-content/themes/GRay/library/js/cookie.min.js?ver=####
- www.esq####.tw/wp-content/themes/GRay/library/js/jquery.ext.js?ver=####
- www.esq####.tw/wp-content/themes/GRay/library/js/jquery.flexslider-min.j...
- www.esq####.tw/wp-content/themes/GRay/library/js/jquery.fs.boxer.min.js?...
- www.esq####.tw/wp-content/themes/GRay/library/js/modernizr.custom.min.js...
- www.esq####.tw/wp-content/themes/GRay/library/js/selectivizr-min.js?ver=...
- www.esq####.tw/wp-content/themes/GRay/plugins/login-with-ajax/login-with...
- www.esq####.tw/wp-content/themes/GRay/plugins/login-with-ajax/widget.css...
- www.esq####.tw/wp-content/uploads/2015/07/ESQUIRE_360xH500pix-01.jpg
- www.esq####.tw/wp-content/uploads/2015/07/ESQUIRElogo-1.png
- www.esq####.tw/wp-content/uploads/2015/07/Esquire-club360x215.jpg
- www.esq####.tw/wp-content/uploads/2015/07/bottle1-480x240.jpg
- www.esq####.tw/wp-content/uploads/2015/08/3381.jpg
- www.esq####.tw/wp-content/uploads/2015/10/2015081438569-480x240.jpg
- www.esq####.tw/wp-content/uploads/2016/02/20151218_Ahbin-480x240.jpg
- www.esq####.tw/wp-content/uploads/2016/03/w-480x240.jpg
- www.esq####.tw/wp-content/uploads/2017/02/2017-0202-03-480x240.png
- www.esq####.tw/wp-content/uploads/2017/05/Meat-Love使用橡木炭,燃燒時散發淡淡清香,還會產生對...
- www.esq####.tw/wp-content/uploads/2017/09/網頁大圖比例-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/10/網頁大圖比例-烏鴉-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/14-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/1_2-2-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/ASD000033-10010100101010351_10...
- www.esq####.tw/wp-content/uploads/2017/11/Camila-Cabello-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/IMG_0856-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/UNADJUSTEDNONRAW_thumb_1392-80...
- www.esq####.tw/wp-content/uploads/2017/11/coway-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/es-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/主圖-4-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/未命名-2-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/王正方750x400-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/網頁大圖比例-11-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/網頁大圖比例-12-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/網頁大圖比例-2-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/網頁大圖比例-8-80x60.jpg
- www.esq####.tw/wp-content/uploads/2017/11/網頁大圖比例-常寓-80x60.jpg
- www.esq####.tw/wp-includes/js/comment-reply.min.js?ver=####
- www.esq####.tw/wp-includes/js/jquery/jquery-migrate.min.js?ver=####
- www.esq####.tw/wp-includes/js/jquery/jquery.js?ver=####
- www.esq####.tw/wp-includes/js/wp-embed.min.js?ver=####
- www.esq####.tw/wp-includes/js/wp-emoji-release.min.js?ver=####
Запросы HTTP POST:
- na####.sno####.1####.com:8111/native/api/v1/init
- na####.sno####.1####.com:8111/native/api/v1/update
- na####.sno####.1####.com:8111/native/sdk/api/ad/client_action
- na####.sno####.1####.com:8111/native/sdk/api/regclient
- p.mo####.cc/api/ads/connect
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_osdk/android_shell.jar
- <Package Folder>/app_osdk/t.zip
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/f_000021
- <Package Folder>/cache/####/f_000022
- <Package Folder>/cache/####/f_000023
- <Package Folder>/cache/####/f_000024
- <Package Folder>/cache/####/f_000025
- <Package Folder>/cache/####/f_000026
- <Package Folder>/cache/####/f_000027
- <Package Folder>/cache/####/f_000028
- <Package Folder>/cache/####/f_000029
- <Package Folder>/cache/####/f_00002a
- <Package Folder>/cache/####/f_00002b
- <Package Folder>/cache/####/f_00002c
- <Package Folder>/cache/####/f_00002d
- <Package Folder>/cache/####/f_00002e
- <Package Folder>/cache/####/f_00002f
- <Package Folder>/cache/####/f_000030
- <Package Folder>/cache/####/f_000031
- <Package Folder>/cache/####/f_000032
- <Package Folder>/cache/####/f_000033
- <Package Folder>/cache/####/f_000034
- <Package Folder>/cache/####/f_000035
- <Package Folder>/cache/####/f_000036
- <Package Folder>/cache/####/f_000037
- <Package Folder>/cache/####/f_000038
- <Package Folder>/cache/####/f_000039
- <Package Folder>/cache/####/f_00003a
- <Package Folder>/cache/####/f_00003b
- <Package Folder>/cache/####/f_00003c
- <Package Folder>/cache/####/f_00003d
- <Package Folder>/cache/####/f_00003e
- <Package Folder>/cache/####/f_00003f
- <Package Folder>/cache/####/f_000040
- <Package Folder>/cache/####/f_000041
- <Package Folder>/cache/####/f_000042
- <Package Folder>/cache/####/f_000043
- <Package Folder>/cache/####/f_000044
- <Package Folder>/cache/####/f_000045
- <Package Folder>/cache/####/f_000046
- <Package Folder>/cache/####/f_000047
- <Package Folder>/cache/####/f_000048
- <Package Folder>/cache/####/f_000049
- <Package Folder>/cache/####/f_00004a
- <Package Folder>/cache/####/f_00004b
- <Package Folder>/cache/####/index
- <Package Folder>/databases/app.manager-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/nativesdk_core.jar
- <Package Folder>/servi
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/coolook.xml
- <Package Folder>/shared_prefs/nativesdk_conf_pre.xml
- <Package Folder>/shared_prefs/s_sdk_pro_pref.xml
- <SD-Card>/Android/####/inapp_dev.txt
- <SD-Card>/Android/####/pid
- <SD-Card>/ad_native/2017-11-30.txt
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- app_process /system/bin com.android.commands.am.Am startservice --user 0 -n <Package>/<Package>.init.NewsService
- cat /sys/class/net/wlan0/address
- chmod 777 <Package Folder>/servi
- dd if=<Package Folder>/lib/libservi.so of=<Package Folder>/servi
- sh
Загружает динамические библиотеки:
- servi
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
