Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.632.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) s####.ie.s####.com:80
- TCP(HTTP/1.1) down####.zhu####.s####.####.com:80
- TCP(HTTP/1.1) exten####.ie.s####.com:80
- TCP(HTTP/1.1) multi####.mse.s####.com:80
- TCP(HTTP/1.1) at####.ie.s####.com:80
- TCP(HTTP/1.1) baz####.mse.s####.com:80
- TCP(HTTP/1.1) cgi.con####.qq.com:80
- TCP(HTTP/1.1) i####.sogo####.com.####.com:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(TLS/1.0) exten####.ie.s####.com:443
- TCP(TLS/1.0) baz####.mse.s####.com:443
- TCP(TLS/1.0) mse.s####.com:443
Запросы DNS:
- at####.ie.cdn.####.com
- at####.ie.s####.com
- baz####.mse.s####.com
- cgi.con####.qq.com
- d####.mse.s####.com
- de####.p####.mse.####.com
- dl.m.s####.com
- down####.mse.s####.com
- down####.zhu####.s####.com
- ext.mse.s####.com
- exten####.ie.s####.com
- get.s####.com
- gp.hz####.com
- i####.sogo####.com
- i.i####.com
- mse.s####.com
- multi####.mse.s####.com
- p####.mse.s####.com
- p####.s####.com
- p9.123.sogo####.com
- pi####.qq.com
- s####.ie.s####.com
- s####.mse.s####.com
Запросы HTTP GET:
- cgi.con####.qq.com/qqconnectopen/openapi/policy_conf?sdkv=####&appid=###...
- down####.zhu####.s####.####.com/zhushou/android/liulanqi/plugin/20170828...
Запросы HTTP POST:
- pi####.qq.com/mstat/report
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_FaviconDb/WebpageIcons.db-journal
- <Package Folder>/app_appcache/ApplicationCache.db-journal
- <Package Folder>/app_databases/####/file__0.localstorage-journal
- <Package Folder>/app_mdex/abc.zip
- <Package Folder>/app_mdex/classes.dex
- <Package Folder>/app_mdex/classes2.dex
- <Package Folder>/cache/####/985bvtVeZ0fGAWQwyq_eTRLdb8A.723597431.tmp
- <Package Folder>/cache/####/EEqx_O2Cu1eOVRpmxQEfn3YcJBg.1133293.tmp
- <Package Folder>/cache/####/ITzCKTj1prLs7Ngup38DctTW9Js.-1137325309.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/uotcW9iVcCQcIj1mWh5OSFnMeAM.-1348977231.tmp
- <Package Folder>/databases/MessageStore.db-journal
- <Package Folder>/databases/MsgLogStore.db-journal
- <Package Folder>/databases/downloads.db-journal
- <Package Folder>/databases/sogou_mobile_athena.db-journal
- <Package Folder>/databases/sogou_mobile_browser.db-journal
- <Package Folder>/databases/tencent_analysis.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal
- <Package Folder>/files/####/12306.96.com.png
- <Package Folder>/files/####/12306.com.png
- <Package Folder>/files/####/12306@2x.com.png
- <Package Folder>/files/####/12306@3x.com.png
- <Package Folder>/files/####/action.js
- <Package Folder>/files/####/add_passenger.png
- <Package Folder>/files/####/all.css
- <Package Folder>/files/####/arrow_left.png
- <Package Folder>/files/####/arrow_right.png
- <Package Folder>/files/####/back.png
- <Package Folder>/files/####/background-4.js
- <Package Folder>/files/####/background-import.js
- <Package Folder>/files/####/background-layer.js
- <Package Folder>/files/####/background.html
- <Package Folder>/files/####/background.js
- <Package Folder>/files/####/checkbox02_selected.png
- <Package Folder>/files/####/checkbox02_unselected.png
- <Package Folder>/files/####/checkbox_disable.png
- <Package Folder>/files/####/checkbox_selected.png
- <Package Folder>/files/####/checkbox_unselected.png
- <Package Folder>/files/####/clear.png
- <Package Folder>/files/####/content-script.js
- <Package Folder>/files/####/cover-loading.gif
- <Package Folder>/files/####/day_next.png
- <Package Folder>/files/####/day_next_disable.png
- <Package Folder>/files/####/day_previous.png
- <Package Folder>/files/####/day_previous_disable.png
- <Package Folder>/files/####/edit.png
- <Package Folder>/files/####/ex1510836162242.dat
- <Package Folder>/files/####/ex1510836162262.dat
- <Package Folder>/files/####/item_select.png
- <Package Folder>/files/####/layer.js
- <Package Folder>/files/####/loading.gif
- <Package Folder>/files/####/manifest.json
- <Package Folder>/files/####/order_list_default.png
- <Package Folder>/files/####/order_titlebar.png
- <Package Folder>/files/####/pages-4.js
- <Package Folder>/files/####/pikaday.css
- <Package Folder>/files/####/popup.html
- <Package Folder>/files/####/popup.js
- <Package Folder>/files/####/prebook.js
- <Package Folder>/files/####/promise.min.js
- <Package Folder>/files/####/pull_down.png
- <Package Folder>/files/####/refresh-normal.png
- <Package Folder>/files/####/refresh-pressed.png
- <Package Folder>/files/####/refresh.png
- <Package Folder>/files/####/rt.min.js
- <Package Folder>/files/####/script.js
- <Package Folder>/files/####/sogoumse_default_blank.html
- <Package Folder>/files/####/stations.js
- <Package Folder>/files/####/tag.png
- <Package Folder>/files/####/tips.png
- <Package Folder>/files/####/titlebar.png
- <Package Folder>/files/####/titlebar_btn1.png
- <Package Folder>/files/####/titlebar_btn3.png
- <Package Folder>/files/####/titlebar_btn4.png
- <Package Folder>/files/####/titlebar_btn5.png
- <Package Folder>/files/####/titlebar_order.png
- <Package Folder>/files/####/trains_filter_bg.png
- <Package Folder>/files/####/trains_filter_separator.png
- <Package Folder>/files/####/trasfer.png
- <Package Folder>/files/####/vconsole.min.js
- <Package Folder>/files/####/walk.js
- <Package Folder>/files/####/win-close.png
- <Package Folder>/files/####/win_close.png
- <Package Folder>/files/Should_call_enable_for_umengpush
- <Package Folder>/files/com.tencent.open.config.json.100951083
- <Package Folder>/files/file_log.txt
- <Package Folder>/files/last_send_push_enable_pingback_time
- <Package Folder>/files/patch_version
- <Package Folder>/files/ssl_cache.properties
- <Package Folder>/files/tabsData
- <Package Folder>/shared_prefs/<Package>.push_service_setting.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/SOGOUPLUS_CONFIG.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/quickentry_notify_pref_key.xml
- <Package Folder>/shared_prefs/register.xml
- <Package Folder>/shared_prefs/sogoumse_interface_pref.xml
- <Package Folder>/shared_prefs/ssk_c.xml
- <Package Folder>/shared_prefs/update.xml
- <Package Folder>/supervisor
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/SogouExplorer/####/-1b111a08a5313a58503a487b26116270
- <SD-Card>/SogouExplorer/####/-60b117c209f0cccd2cbb42b059d5f592
- <SD-Card>/SogouExplorer/####/-6cb2df6416435bf36849560f0655dfaf
- <SD-Card>/SogouExplorer/####/-6f26b5289785f453e5e1ab986c8ff29c
- <SD-Card>/SogouExplorer/####/130ec68c18b13721f45352074694701b
- <SD-Card>/SogouExplorer/####/1351933592c3c7e2a1c57f0a3b5a13cd
- <SD-Card>/SogouExplorer/####/1c6f95f0ed3554ef3c9881484011887c
- <SD-Card>/SogouExplorer/####/1f92e8191c11b5b8e4b9b0a9d12e3b3d
- <SD-Card>/SogouExplorer/####/233cce08a9c11fafdf5028e60d18fb0c
- <SD-Card>/SogouExplorer/####/3316aab92877ac54beb07b9d7a708d30
- <SD-Card>/SogouExplorer/####/48402ba1068b78e84376b7189480b026
- <SD-Card>/SogouExplorer/####/56128384d27361c598250e908f12289
- <SD-Card>/SogouExplorer/####/6da1b533dd1690976ce8b61d94a3a05a
- <SD-Card>/SogouExplorer/####/76c92e68ae765b71338c40c023899a23
- <SD-Card>/SogouExplorer/####/adblock.txt
- <SD-Card>/SogouExplorer/####/adblock_tastes_cloud.txt
- <SD-Card>/SogouExplorer/####/easylist.txt
- <SD-Card>/SogouExplorer/####/search_suggest_ad
- <SD-Card>/SogouExplorer/####/sglist.txt
- <SD-Card>/SogouExplorer/####/sgmlist.txt
- <SD-Card>/Tencent/####/.mid.txt
- <SD-Card>/temp.tmp (deleted)
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- <Package Folder>/supervisor 0 <Package Folder>/supervisor <Package Folder>/lock.file com.android.browser/com.android.browser.BrowserActivity https://mse.sogou.com/app/uninstall/index.html?h=ffffffff-b2c8-0386-6773-c75150ca6f57&r=121021007&v=5.9.2&hv=<System Property>&pv=ANDROID4.3.1&fr=121021007&cid=null
- cat /sys/class/net/wlan0/address
- chmod 755 <Package Folder>/supervisor
- sh <Package Folder>/supervisor 0 <Package Folder>/supervisor <Package Folder>/lock.file com.android.browser/com.android.browser.BrowserActivity https://mse.sogou.com/app/uninstall/index.html?h=ffffffff-b2c8-0386-6773-c75150ca6f57&r=121021007&v=5.9.2&hv=<System Property>&pv=ANDROID4.3.1&fr=121021007&cid=null
Загружает динамические библиотеки:
- MtaNativeCrash
- conceal
- imagepipeline
- libsogouupdcore
- sogou_mobile_explorer
- sogouupdcore
Использует права администратора.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об активных администраторах устройства.
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Осуществляет доступ к информации о зарегистрированных на устройстве аккаунтах (Google, Facebook и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
