Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Mixi.32.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) c.s####.co:80
- TCP(HTTP/1.1) cp####.mobisma####.com:80
- TCP(HTTP/1.1) www.apxadtr####.net:80
- TCP(HTTP/1.1) wa####.go2c####.org:80
- TCP(HTTP/1.1) i####.com:80
- TCP(HTTP/1.1) go.uni####.net:80
- TCP(HTTP/1.1) api.ap####.com:80
- TCP(HTTP/1.1) vi####.ddf####.com:80
- TCP(HTTP/1.1) d.billyaf####.com:80
- TCP(HTTP/1.1) t####.bruce####.com:80
- TCP(HTTP/1.1) pocketm####.go2c####.org:80
- TCP(HTTP/1.1) api.lead####.net:80
- TCP(HTTP/1.1) appromo####.trac####.adnova####.com:80
- TCP(HTTP/1.1) 1####.243.32.94:80
- TCP(HTTP/1.1) t####.sm4####.com:80
- TCP(HTTP/1.1) ad.api.y####.net:80
- TCP(HTTP/1.1) got.pubna####.net:80
- TCP(HTTP/1.1) ak.zs####.com:80
- TCP(HTTP/1.1) clinkad####.com:80
- TCP(HTTP/1.1) c####.he####.com:80
- TCP(HTTP/1.1) a####.app####.com:80
- TCP(HTTP/1.1) trac####.acek####.com:80
- TCP(HTTP/1.1) md.apptr####.com:80
- TCP(HTTP/1.1) appco####.fusetra####.com:80
- TCP(HTTP/1.1) down####.prizes####.online:80
- TCP(HTTP/1.1) 5####.77.99.53:80
- TCP(HTTP/1.1) api.migh####.com:80
- TCP(HTTP/1.1) duc####.b####.com:80
- TCP(HTTP/1.1) t####.traffi####.com:80
- TCP(HTTP/1.1) hy####.com:80
- TCP(HTTP/1.1) aws.smarter####.net:80
- TCP(HTTP/1.1) apptr####.com:80
- TCP(HTTP/1.1) t.api.y####.net:80
- TCP(HTTP/1.1) t####.admob####.com:80
- TCP(HTTP/1.1) offer####.online:80
- TCP(HTTP/1.1) trac####.suma####.com:80
- TCP(HTTP/1.1) ads.digg####.com:80
- TCP(HTTP/1.1) gl####.ymtrac####.com:80
- TCP(HTTP/1.1) t####.glk####.com:80
- TCP(HTTP/1.1) ad.lead####.net:80
- TCP(HTTP/1.1) s####.feedall####.com:80
- TCP(HTTP/1.1) offence####.accountant:80
- TCP(HTTP/1.1) f####.google####.com:80
- TCP(HTTP/1.1) y####.ottero####.com:80
- TCP(HTTP/1.1) sp.adpusho####.com:7088
- TCP(HTTP/1.1) s2s.go2af####.com:80
- TCP(HTTP/1.1) t####.g####.com:89
- TCP(HTTP/1.1) ald####.com:80
- TCP(HTTP/1.1) a####.bat####.net:80
- TCP(HTTP/1.1) statist####.com:80
- TCP(HTTP/1.1) c####.lab####.com:80
- TCP(HTTP/1.1) gp.miaoxi####.com:80
- TCP(HTTP/1.1) mtrac####.com:80
- TCP(HTTP/1.1) trac####.shootme####.com:80
- TCP(HTTP/1.1) a####.pubna####.net:80
- TCP(HTTP/1.1) clk.ocea####.com:80
- TCP(HTTP/1.1) adx.ki####.com:80
- TCP(HTTP/1.1) www.google-####.com:80
- TCP(HTTP/1.1) c####.gowa####.com:80
- TCP(HTTP/1.1) cpgnrot####.com:80
- TCP(HTTP/1.1) am.appw####.mobi:80
- TCP(HTTP/1.1) atracki####.appf####.com:80
- TCP(HTTP/1.1) t####.snapbac####.com:80
- TCP(TLS/1.0) p####.go####.com:443
- TCP(TLS/1.0) 1####.217.17.46:443
- TCP(TLS/1.0) a####.app####.com:443
- TCP(TLS/1.0) air####.go2af####.com:443
- TCP(TLS/1.0) api.applike####.info:443
- TCP(TLS/1.0) app####.hs.l####.net:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) ad4sc####.go2af####.com:443
- TCP(TLS/1.0) app.ad####.com:443
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) cl####.dis####.io:443
- TCP(TLS/1.0) md.apptr####.com:443
- TCP(TLS/1.0) gl####.app####.com:443
- TCP(TLS/1.0) con####.koc####.com:443
- TCP(TLS/1.0) m.z####.org:443
- TCP(TLS/1.0) questio####.com:443
- TCP(TLS/1.0) ad.lead####.net:443
- TCP(TLS/1.0) billmsc####.com:443
- TCP(TLS/1.0) app.appsf####.com:443
- TCP(TLS/1.0) go6.mob####.xyz:443
Запросы DNS:
- a####.app####.com
- a####.app####.com
- a####.bat####.net
- a####.pubna####.net
- activeo####.appromo####.com
- ad.api.y####.net
- ad.lead####.net
- ads.digg####.com
- adx.ki####.com
- air####.go2af####.com
- ak.zs####.com
- ald####.com
- am.appw####.mobi
- api.ap####.com
- api.applike####.info
- api.lead####.net
- api.migh####.com
- app####.hs.l####.net
- app.ad####.com
- app.appsf####.com
- apptr####.com
- atracki####.appf####.com
- aws.smarter####.net
- billmsc####.com
- c####.gowa####.com
- c####.he####.com
- c####.lab####.com
- c.s####.co
- cl####.dis####.io
- clinkad####.com
- clk.ocea####.com
- con####.koc####.com
- cp####.mobisma####.com
- cpgnrot####.com
- d.billyaf####.com
- down####.prizes####.online
- duc####.b####.com
- f####.google####.com
- f####.gst####.com
- fc.appco####.com
- gl####.app####.com
- gl####.ymtrac####.com
- go.uni####.net
- go6.mob####.xyz
- got.pubna####.net
- gp.miaoxi####.com
- hy####.com
- i####.com
- m.z####.org
- md.apptr####.com
- mtrac####.com
- offence####.accountant
- offer####.online
- p####.go####.com
- pocketm####.go2c####.org
- questio####.com
- s####.feedall####.com
- s2s.go2af####.com
- sp.adpusho####.com
- ssl.gst####.com
- statist####.com
- t####.admob####.com
- t####.bruce####.com
- t####.g####.com
- t####.glk####.com
- t####.sm4####.com
- t####.snapbac####.com
- t####.traffi####.com
- t.api.y####.net
- tra####.a4.tf
- trac####.acek####.com
- trac####.shootme####.com
- trac####.suma####.com
- vi####.ddf####.com
- wa####.go2c####.org
- www.app####.com
- www.apxadtr####.net
- www.google-####.com
- y####.ottero####.com
Запросы HTTP GET:
- a####.app####.com/aff_c?offer_id=####&aff_id=####&aff_sub4=####&aff_sub=...
- a####.app####.com/aff_r?offer_id=54628&aff_id=18715&url=http://activeoff...
- ads.digg####.com/acs.php?sid=####&adid=####&pb=####&subid=####&gaid=####
- adx.ki####.com/adx/api?token=####&page=####
- api.migh####.com/server/v1/track?c=####&sub=####&gaid=####
- c####.gowa####.com/click?transaction_id=wadogo_WAdvMobadooAPI_258183_102...
- clinkad####.com/tracking?camp=####&pubid=####&sid1=####&gaid=####&idfa=#...
- clinkad####.com/tracking?camp=####&pubid=####&sid=####&aid=####&gaid=###...
- clinkad####.com/tracking?camp=####&pubid=####&sid=####&gaid=####
- clinkad####.com/tracking?camp=####&pubid=####&sid=####&sid1=####&sid2=##...
- cp####.mobisma####.com/index.php?m=####&p=####&app_id=####&offer_id=####...
- down####.prizes####.online/?utm_medium=####&utm_campaign=####&1=####&2=#...
- down####.prizes####.online/?utm_term=####&clickverify=####&utm_content=#...
- down####.prizes####.online/proc.php?29a35ce####
- duc####.b####.com/click/affClick?aff_id=####&offer_id=####&aff_sub=####&...
- duc####.b####.com/click/affClick?aff_id=####&offer_id=####&google_aid=##...
- f####.google####.com/css?family=####
- gp.miaoxi####.com/cr/sv/getGoFile?name=####
- hy####.com/28c88/4acA/76MQ/t-9Gs6VqRfgVCfcgxeCEkAI6SfAXQk8arOD0goKhos-Ud...
- offence####.accountant/10.jpg
- offence####.accountant/11.jpg
- offence####.accountant/7.jpg
- offence####.accountant/8.jpg
- offence####.accountant/9.jpg
- offence####.accountant/?brand=####&model=####&browser=####&td=####&voluu...
- offence####.accountant/flag.png
- offence####.accountant/index.html
- offence####.accountant/ip7.png
- offence####.accountant/iphone6.jpg
- offence####.accountant/iphone7.jpg
- offence####.accountant/item1.png
- offence####.accountant/item2.png
- offence####.accountant/item3.png
- offence####.accountant/like.png
- offence####.accountant/search.png
- s2s.go2af####.com/click?pid=####&offer_id=####&sub1=####&sub2=####
- t####.admob####.com/adTrack/track/click?oid=####&affid=####&aff_click_id...
- t####.bruce####.com/ck_jump?id=cz02####&__if=####&__type=####&__ref=####
- t####.sm4####.com/game/hextris
- t####.sm4####.com/game/hextris/
- t####.sm4####.com/game/hextris/style/fa/css/font-awesome.min.css
- t####.sm4####.com/game/hextris/style/fa/fonts/fontawesome-webfont.ttf
- t####.traffi####.com/click.php?key=####&p=####&f=####&idfa=####&sub=####...
- t####.traffi####.com/nlp/index.php?offer_id=####&aff_id=####&aff_sub2=##...
- www.google-####.com/analytics.js
- www.google-####.com/collect?v=####&_v=####&a=####&t=####&_s=####&dl=####...
- www.google-####.com/r/collect?v=####&_v=####&a=####&t=####&_s=####&dl=##...
- y####.ottero####.com/?utm_medium=####&utm_campaign=####
- y####.ottero####.com/?utm_term=####&clickverify=####&utm_content=####
- y####.ottero####.com/proc.php?0632273####
Запросы HTTP POST:
- sp.adpusho####.com:7088/sdk_p/a
- sp.adpusho####.com:7088/sdk_p/b
- t####.g####.com:89/validate
- vi####.ddf####.com/api/ls
- vi####.ddf####.com/api/newc
- vi####.ddf####.com/api/o
- vi####.ddf####.com/api/va
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/index
- <Package Folder>/databases/databases.db-journal
- <Package Folder>/databases/easv.data-journal
- <Package Folder>/databases/google_app_measurement_local.db
- <Package Folder>/databases/google_app_measurement_local.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/<Package>12<System Property>2
- <Package Folder>/files/####/ntmp20782322
- <Package Folder>/files/1513078160586_libneo32.so
- <Package Folder>/files/hftJcw46N.jar
- <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- <Package Folder>/no_backup/com.google.android.gms.appid-no-backup
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/_c_month.xml
- <Package Folder>/shared_prefs/com.google.android.gms.appid.xml
- <Package Folder>/shared_prefs/com.google.android.gms.measurement.prefs.xml
- <Package Folder>/shared_prefs/jianRtFlag.xml
- <Package Folder>/shared_prefs/resource_status_xml.xml
- <Package Folder>/shared_prefs/sp.xml
- <Package Folder>/shared_prefs/sub_preference_name.xml
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h 0e8d60f26f8c4182894ffaf2424101bb <Package Folder>/.syslib-
- chmod 0771 <Package Folder>/.syslib-
- rm -f <Package Folder>/files/hftJcw46N.dex
- rm -f <Package Folder>/files/hftJcw46N.jar
- rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- rm <Package Folder>/files/hftJcw46N.dex
- rm <Package Folder>/files/hftJcw46N.jar
- rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h 0e8d60f26f8c4182894ffaf2424101bb <Package Folder>/.syslib-
Загружает динамические библиотеки:
- 1513078160586_libneo32
- audioeffect_jni
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
