Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Mixi.32.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) www.apxadtr####.net:80
- TCP(HTTP/1.1) ads.dofun####.com:80
- TCP(HTTP/1.1) trietha####.com:80
- TCP(HTTP/1.1) c####.fe####.cn:80
- TCP(HTTP/1.1) t####.iches####.net:80
- TCP(HTTP/1.1) v####.adsb4t####.com:80
- TCP(HTTP/1.1) ad.lead####.net:80
- TCP(HTTP/1.1) vide####.xyz:80
- TCP(HTTP/1.1) sp.adpusho####.com:7088
- TCP(HTTP/1.1) www.fl####.com:80
- TCP(HTTP/1.1) www.greatmo####.mobi:80
- TCP(HTTP/1.1) a####.google####.com:80
- TCP(HTTP/1.1) trac####.shootme####.com:80
- TCP(HTTP/1.1) 5####.77.99.53:80
- TCP(HTTP/1.1) mtrac####.com:80
- TCP(HTTP/1.1) am.appw####.mobi:80
- TCP(HTTP/1.1) c.s####.co:80
- TCP(HTTP/1.1) ads.digg####.com:80
- TCP(HTTP/1.1) trac####.tap####.com:80
- TCP(HTTP/1.1) acl####.wallpap####.com:80
- TCP(HTTP/1.1) di####.pubna####.net:80
- TCP(HTTP/1.1) t####.sm4####.com:80
- TCP(HTTP/1.1) got.pubna####.net:80
- TCP(HTTP/1.1) md.apptr####.com:80
- TCP(HTTP/1.1) t####.mobfire####.com:80
- TCP(HTTP/1.1) ap####.mobi:80
- TCP(HTTP/1.1) trac####.suma####.com:80
- TCP(HTTP/1.1) s####.feedall####.com:80
- TCP(HTTP/1.1) showmeb####.xyz:80
- TCP(HTTP/1.1) y####.ottero####.com:80
- TCP(HTTP/1.1) a.n####.ren:80
- TCP(HTTP/1.1) a####.bat####.net:80
- TCP(HTTP/1.1) pr####.com:80
- TCP(HTTP/1.1) c####.gowa####.com:80
- TCP(HTTP/1.1) cl####.qh####.com:80
- TCP(HTTP/1.1) smart####.google####.com:80
- TCP(HTTP/1.1) ad.api.y####.net:80
- TCP(HTTP/1.1) api.migh####.com:80
- TCP(HTTP/1.1) ak.zs####.com:80
- TCP(HTTP/1.1) apptr####.com:80
- TCP(HTTP/1.1) cl####.r####.io:80
- TCP(HTTP/1.1) j####.a4.tl:80
- TCP(HTTP/1.1) pre####.pubna####.net.####.com:80
- TCP(HTTP/1.1) offer####.online:80
- TCP(HTTP/1.1) vi####.faceboo####.com:80
- TCP(HTTP/1.1) c####.howdo####.net:80
- TCP(HTTP/1.1) tag.re####.net:80
- TCP(HTTP/1.1) a####.btr####.com:80
- TCP(HTTP/1.1) v####.a####.com:80
- TCP(HTTP/1.1) gp.miaoxi####.com:80
- TCP(HTTP/1.1) deli####.traffic####.com:80
- TCP(HTTP/1.1) clk.ocea####.com:80
- TCP(HTTP/1.1) w####.go2c####.org:80
- TCP(HTTP/1.1) cp####.mobisma####.com:80
- TCP(HTTP/1.1) mo####.go2af####.com:80
- TCP(HTTP/1.1) d.billyaf####.com:80
- TCP(HTTP/1.1) p####.admobc####.com:80
- TCP(HTTP/1.1) appromo####.trac####.adnova####.com:80
- TCP(HTTP/1.1) gl####.ymtrac####.com:80
- TCP(HTTP/1.1) clinkad####.com:80
- TCP(HTTP/1.1) statist####.com:80
- TCP(HTTP/1.1) c####.shar####.com:80
- TCP(HTTP/1.1) atracki####.appf####.com:80
- TCP(HTTP/1.1) t####.traffi####.com:80
- TCP(HTTP/1.1) aws.smarter####.net:80
- TCP(HTTP/1.1) t.api.y####.net:80
- TCP(HTTP/1.1) c####.jq####.com:80
- TCP(HTTP/1.1) down####.prizes####.online:80
- TCP(HTTP/1.1) a####.app####.com:80
- TCP(HTTP/1.1) tr.nova####.com:80
- TCP(HTTP/1.1) timefor####.com:80
- TCP(HTTP/1.1) a####.pubna####.net:80
- TCP(HTTP/1.1) ap####.mobisen####.com:80
- TCP(HTTP/1.1) cpgnrot####.com:80
- TCP(TLS/1.0) p####.lead####.com:443
- TCP(TLS/1.0) dashb####.appsam####.com:443
- TCP(TLS/1.0) md.apptr####.com:443
- TCP(TLS/1.0) p####.go####.com:443
- TCP(TLS/1.0) p####.t####.io:443
- TCP(TLS/1.0) c.n####.com:443
- TCP(TLS/1.0) t.ins####.com:443
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) syndica####.exoc####.com:443
- TCP(TLS/1.0) api.applike####.info:443
- TCP(TLS/1.0) questio####.com:443
- TCP(TLS/1.0) a####.app####.com:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) mm####.go2af####.com:443
- TCP(TLS/1.0) api.lead####.net:443
- TCP(TLS/1.0) ad4sc####.go2af####.com:443
- TCP(TLS/1.0) con####.koc####.com:443
- TCP(TLS/1.0) go6.mob####.xyz:443
Запросы DNS:
- a####.app####.com
- a####.app####.com
- a####.bat####.net
- a####.btr####.com
- a####.google####.com
- a####.pubna####.net
- a.n####.ren
- acl####.wallpap####.com
- activeo####.appromo####.com
- ad.api.y####.net
- ad.lead####.net
- ads.digg####.com
- ads.dofun####.com
- ak.zs####.com
- am.appw####.mobi
- ap####.mobi
- ap####.mobisen####.com
- api.applike####.info
- api.lead####.net
- api.migh####.com
- apptr####.com
- atracki####.appf####.com
- aws.smarter####.net
- c####.fe####.cn
- c####.gowa####.com
- c####.howdo####.net
- c####.jq####.com
- c####.shar####.com
- c.n####.com
- c.s####.co
- cl####.qh####.com
- cl####.r####.io
- clinkad####.com
- clk.ocea####.com
- con####.koc####.com
- cp####.mobisma####.com
- cpgnrot####.com
- d.billyaf####.com
- dashb####.appsam####.com
- deli####.traffic####.com
- di####.pubna####.net
- down####.prizes####.online
- f####.gst####.com
- gl####.ymtrac####.com
- go6.mob####.xyz
- got.pubna####.net
- gp.miaoxi####.com
- horny-m####.club
- j####.a4.tl
- kar####.com
- m####.ex####.com
- m####.exdy####.com
- m####.exoc####.com
- md.apptr####.com
- mo####.go2af####.com
- mtrac####.com
- offer####.online
- p####.admobc####.com
- p####.go####.com
- p####.lead####.com
- p####.t####.io
- poli####.com
- pr####.com
- pre####.pubna####.net
- questio####.com
- s####.feedall####.com
- showmeb####.xyz
- smart####.google####.com
- sp.adpusho####.com
- ssl.gst####.com
- statist####.com
- t####.iches####.net
- t####.mobfire####.com
- t####.sm4####.com
- t####.traffi####.com
- t.api.y####.net
- t.ins####.com
- t.m####.agency
- tag.re####.net
- timefor####.com
- tk.on####.mobi
- tr.nova####.com
- tra####.a4.tf
- trac####.shootme####.com
- trac####.suma####.com
- trac####.tap####.com
- trac####.tap####.com
- v####.a####.com
- vi####.faceboo####.com
- vide####.xyz
- w####.go2c####.org
- www.apxadtr####.net
- www.fl####.com
- www.greatmo####.mobi
- y####.ottero####.com
Запросы HTTP GET:
- a####.app####.com/aff_c?offer_id=####&aff_id=####&aff_sub4=####&source=#...
- a####.app####.com/aff_c?offer_id=####&aff_id=####&aff_unique4=####&aff_s...
- a####.app####.com/aff_r?offer_id=54264&aff_id=18891&url=https://api.appl...
- a####.app####.com/aff_r?offer_id=54486&aff_id=25084&url=https://pwa-y.tl...
- a####.btr####.com/click/s/?id=####&aff_click_id=####
- acl####.wallpap####.com/?tmpc=####
- ads.digg####.com/acs.php?sid=####&adid=####&os=####&osv=####&udid=####&g...
- ads.dofun####.com/acs.php?sid=####&adid=####&os=####&osv=####&udid=####&...
- ads.dofun####.com/acs.php?sid=####&adid=####&pb=####&gaid=####&subid=####
- ads.dofun####.com/acs.php?sid=####&adid=####&pb=####&subid=####&gaid=####
- ap####.mobisen####.com/index.php?m=####&p=####&app_id=####&offer_id=####...
- api.migh####.com/server/v1/track?c=####&sub=####&gaid=####
- c####.fe####.cn/index.php?m=####&p=####&app_id=####&offer_id=####&clicki...
- c####.gowa####.com/click?transaction_id=wadogo_WAdvAppnextAPI_281610_102...
- c####.jq####.com/jquery-1.11.1.min.js
- c####.jq####.com/mobile/1.4.5/jquery.mobile-1.4.5.min.js
- cl####.qh####.com/index.php?m=####&p=####&app_id=####&offer_id=####&clic...
- cl####.r####.io/tracking/click?trafficsource=####&clickid=####&offerid=#...
- clinkad####.com/tracking?camp=####&pubid=####&sid1=####&gaid=####&idfa=#...
- clinkad####.com/tracking?camp=####&pubid=####&subpubid=####&gaid=####&si...
- cp####.mobisma####.com/index.php?m=####&p=####&app_id=####&offer_id=####...
- deli####.traffic####.com/retargeting.php?id=####
- down####.prizes####.online/?utm_medium=####&utm_campaign=####&1=####&2=#...
- down####.prizes####.online/?utm_term=####&clickverify=####&utm_content=#...
- down####.prizes####.online/proc.php?5f22461####
- gp.miaoxi####.com/cr/sv/getGoFile?name=####
- j####.a4.tl/?pub_url=####&pid=####&offer_id=####&l=####&sub5=####&sub1=#...
- p####.admobc####.com/v1/ad/click?subsite_id=####&id=####&offer_id=####&t...
- pre####.pubna####.net.####.com/
- showmeb####.xyz/go/1377/1?subid1=####&subid2=####
- smart####.google####.com/?utm_medium=####&utm_campaign=####&1=####&cid=#...
- t####.mobfire####.com/mobfire/data/click?cid=####&affid=####&sub_param1=...
- t####.sm4####.com/click?cid=####&s1=####&s2=####
- t####.sm4####.com/game/hextris
- t####.sm4####.com/game/hextris/
- t####.traffi####.com/click.php?key=####&p=####&f=####&idfa=####&sub=####
- t####.traffi####.com/click.php?key=####&p=####&f=####&idfa=####&sub=####...
- t####.traffi####.com/nlp/index.php?key=####&p=####&f=####&idfa=####&sub=...
- t####.traffi####.com/nlp/index.php?pid=####&offer_id=####&l=####&sub1=##...
- timefor####.com/?u=####&o=####&t=####&c_id=####
- timefor####.com/cookie/js.cookie.js
- timefor####.com/media/bb.js
- timefor####.com/media/dating/toon3/css/style.css
- timefor####.com/media/dating/toon3/fonts/QuattrocentoSans.ttf
- timefor####.com/media/dating/toon3/fonts/QuattrocentoSansBold.ttf
- timefor####.com/media/dating/toon3/images/age1_o.jpg
- timefor####.com/media/dating/toon3/images/age2_o.jpg
- timefor####.com/media/dating/toon3/images/age3_o.jpg
- timefor####.com/media/dating/toon3/images/age4_o.jpg
- timefor####.com/media/dating/toon3/images/age5_o.jpg
- timefor####.com/media/dating/toon3/images/body1_o.jpg
- timefor####.com/media/dating/toon3/images/body2_o.jpg
- timefor####.com/media/dating/toon3/images/body3_o.jpg
- timefor####.com/media/dating/toon3/images/body4_o.jpg
- timefor####.com/media/dating/toon3/images/body5_o.jpg
- timefor####.com/media/dating/toon3/images/girl.jpg
- timefor####.com/media/dating/toon3/images/relations1_o.jpg
- timefor####.com/media/dating/toon3/images/relations2_o.jpg
- timefor####.com/media/dating/toon3/images/relations3_o.jpg
- timefor####.com/media/dating/toon3/images/relations4_o.jpg
- timefor####.com/media/dating/toon3/images/relations5_o.jpg
- timefor####.com/media/dating/toon3/js/jquery-1.11.1.min.js
- timefor####.com/media/dating/toon3/js/main.js
- timefor####.com/media/exit-new/exit-popup.css
- timefor####.com/media/exit-new/exit1.js
- timefor####.com/util/utils.js
- tr.nova####.com/?s=####&a=####&sub1=####&pubid=####
- tr.nova####.com/Home/Img?nfi=NLaJQg5usdCO3sh072344d071217ub97e1861533&nf...
- tr.nova####.com/go/NLaJQg5usdCO3sh072344d071217ub97e1861533?r=####
- trac####.tap####.com/aff_c?tt_aff_impid=####&aff_id=####&offer_id=####&p...
- trietha####.com/15w53/sV8D/v1sT/5xdE_zTOvAH6fzfQd6GRzfoPCRXqLmZbY7-rAlvI...
- trietha####.com/26C47/Jvug/Ne69/cLPh5ArjvVZpsRF4mvxLL00IVwlbHOKYXUyv26GA...
- v####.a####.com/redirect/index?type=####&to=####&data=####&action=####
- vide####.xyz/lY6S/h6d5pnqdiqya/23873_27709
- y####.ottero####.com/?utm_medium=####&utm_campaign=####
- y####.ottero####.com/?utm_term=####&clickverify=####&c=####&utm_content=...
- y####.ottero####.com/proc.php?7a51b84####
Запросы HTTP POST:
- sp.adpusho####.com:7088/sdk_p/a
- sp.adpusho####.com:7088/sdk_p/b
- vi####.faceboo####.com/api/ls
- vi####.faceboo####.com/api/newc
- vi####.faceboo####.com/api/o
- vi####.faceboo####.com/api/va
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/index
- <Package Folder>/databases/databases.db-journal
- <Package Folder>/databases/easv.data-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/<Package>12<System Property>2
- <Package Folder>/files/####/ntmp20892339
- <Package Folder>/files/1512642281003_libneo32.so
- <Package Folder>/files/DEAB89CE10FEAA11
- <Package Folder>/files/hftJcw46N.jar
- <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/_c_month.xml
- <Package Folder>/shared_prefs/local_storage0.xml
- <Package Folder>/shared_prefs/local_storage1.xml
- <Package Folder>/shared_prefs/local_storage999.xml
- <Package Folder>/shared_prefs/resource_status_xml.xml
- <Package Folder>/shared_prefs/sp.xml
- <Package Folder>/shared_prefs/sub_preference_name.xml
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h 0e8d60f26f8c4182894ffaf2424101bb <Package Folder>/.syslib-
- cat /sys/class/net/wlan0/address
- chmod 0771 <Package Folder>/.syslib-
- rm -f <Package Folder>/files/hftJcw46N.dex
- rm -f <Package Folder>/files/hftJcw46N.jar
- rm <Package Folder>/files/hftJcw46N.dex
- rm <Package Folder>/files/hftJcw46N.jar
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h 0e8d60f26f8c4182894ffaf2424101bb <Package Folder>/.syslib-
Загружает динамические библиотеки:
- 1512642281003_libneo32
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
