Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Mixi.32.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) rt.hm####.com:80
- TCP(HTTP/1.1) www.apxadtr####.net:80
- TCP(HTTP/1.1) smart####.google####.com:80
- TCP(HTTP/1.1) mo####.go2af####.com:80
- TCP(HTTP/1.1) vi####.ddf####.com:80
- TCP(HTTP/1.1) offer####.online:80
- TCP(HTTP/1.1) t####.sm4####.com:80
- TCP(HTTP/1.1) ak.zs####.com:80
- TCP(HTTP/1.1) pb.imagepe####.in:80
- TCP(HTTP/1.1) www.4g####.net:80
- TCP(HTTP/1.1) atracki####.appf####.com:80
- TCP(HTTP/1.1) a####.google####.com:80
- TCP(HTTP/1.1) c####.jq####.com:80
- TCP(HTTP/1.1) gp.lik####.com:80
- TCP(HTTP/1.1) www.bigt####.com:80
- TCP(HTTP/1.1) tra####.tc-cl####.com:80
- TCP(HTTP/1.1) y####.ottero####.com:80
- TCP(HTTP/1.1) www.greatmo####.mobi:80
- TCP(HTTP/1.1) www.sexonth####.mobi:80
- TCP(HTTP/1.1) gp.miaoxi####.com:80
- TCP(HTTP/1.1) ap####.mobi:80
- TCP(TLS/1.0) p####.lead####.com:443
- TCP(TLS/1.0) c.n####.com:443
- TCP(TLS/1.0) questio####.com:443
Запросы DNS:
- a####.google####.com
- ak.zs####.com
- ap####.mobi
- atracki####.appf####.com
- c####.jq####.com
- c.n####.com
- gp.lik####.com
- gp.miaoxi####.com
- mo####.go2af####.com
- offer####.online
- p####.lead####.com
- pb.imagepe####.in
- questio####.com
- rt.hm####.com
- smart####.google####.com
- t####.sm4####.com
- tra####.tc-cl####.com
- vi####.ddf####.com
- www.4g####.net
- www.apxadtr####.net
- www.bigt####.com
- www.greatmo####.mobi
- www.sexonth####.mobi
- y####.ottero####.com
Запросы HTTP GET:
- gp.lik####.com/cr/sv/getRltNew?eid=####&estatus=####&appkey=####&pid=###...
- mo####.go2af####.com/click?pid=####&offer_id=####&sub5=####&sub1=####
- mo####.go2af####.com/sl?id=####&pid=####&sub3=####
- pb.imagepe####.in/lp/lp.php?urlid=####&adst=####&nsrc=####&clickid=####
- smart####.google####.com/?utm_medium=####&utm_campaign=####&1=####&cid=#...
- t####.sm4####.com/click?cid=####&s1=####&s2=####
- y####.ottero####.com/?utm_medium=####&utm_campaign=####
- y####.ottero####.com/?utm_term=####&clickverify=####&c=####&utm_content=...
- y####.ottero####.com/proc.php?17b7739####
Запросы HTTP POST:
- gp.lik####.com/cr/sv/getEPList
- vi####.ddf####.com/api/o
- vi####.ddf####.com/api/va
- www.4g####.net/ad/adc?gffw=####&frrw=####&zfbd=####&dlkvv=####&wdazz=###...
- www.bigt####.com/ad/adc?gffw=####&frrw=####&zfbd=####&dlkvv=####&wdazz=#...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/index
- <Package Folder>/databases/easv.data-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.md
- <Package Folder>/files/####/041A8B2A8A36C737EF3D92A11FF960C1
- <Package Folder>/files/####/0A116A2CA527A91B0F8D50A2C1EE18F0
- <Package Folder>/files/####/26EA30F30BF04BF9445C4468AF7C4075
- <Package Folder>/files/####/56A53DB0FCD27A5E5A11DE3DB15A742D
- <Package Folder>/files/####/5demo32<System Property>46
- <Package Folder>/files/####/910D8C936C1FA815A0ACF674B8DDD8DE
- <Package Folder>/files/####/9C2342D416127B163722F75EA15B01DA
- <Package Folder>/files/####/<Package>12<System Property>2
- <Package Folder>/files/####/A6845124F5C634706F195CDBBDE9A504
- <Package Folder>/files/####/AEE16DDF9A7D0CF0869E6E72BAEA89AD
- <Package Folder>/files/####/F6CDB64910014D8A7B10280F91757D61
- <Package Folder>/files/####/gpdu
- <Package Folder>/files/####/ntmp20772089
- <Package Folder>/files/####/test
- <Package Folder>/files/1512735487073_libneo32.so
- <Package Folder>/files/1805.jar
- <Package Folder>/files/408.jar
- <Package Folder>/files/421.jar
- <Package Folder>/files/430.jar
- <Package Folder>/files/610.jar
- <Package Folder>/files/611.jar
- <Package Folder>/files/617.jar
- <Package Folder>/files/640.jar
- <Package Folder>/files/806.jar
- <Package Folder>/files/<System Property>112.jar
- <Package Folder>/files/DMLABC9CE10FEVA11
- <Package Folder>/files/hftJcw46N.jar
- <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/device_gpid.xml.xml
- <Package Folder>/shared_prefs/local_storage0.xml
- <Package Folder>/shared_prefs/local_storage1.xml
- <Package Folder>/shared_prefs/local_storage33.xml
- <Package Folder>/shared_prefs/local_storage999.xml
- <Package Folder>/shared_prefs/sp.xml
- <Package Folder>/shared_prefs/sp.xml.bak
- <SD-Card>/Android/####/GPMID.bin
- <SD-Card>/sys/GPMID.bin
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/.play/test <Package Folder>/files/.play/ 0e8d60f26f8c4182894ffaf2424101bb
- <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h 0e8d60f26f8c4182894ffaf2424101bb <Package Folder>/.syslib-
- cat /sys/class/net/wlan0/address
- chmod 0771 <Package Folder>/.syslib-
- chmod 770 <Package Folder>/files/.play/test
- getenforce
- rm -f <Package Folder>/files/hftJcw46N.dex
- rm -f <Package Folder>/files/hftJcw46N.jar
- rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- rm <Package Folder>/files/hftJcw46N.dex
- rm <Package Folder>/files/hftJcw46N.jar
- rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh <Package Folder>/files/.play/test <Package Folder>/files/.play/ 0e8d60f26f8c4182894ffaf2424101bb
- sh <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h 0e8d60f26f8c4182894ffaf2424101bb <Package Folder>/.syslib-
Загружает динамические библиотеки:
- 1512735487073_libneo32
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
