Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Appsad.11.origin
- Android.RemoteCode.110.origin
- Android.Xiny.1.origin
- Android.Xiny.197
- Android.Xiny.232.origin
- Android.Xiny.233.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) c.s####.co:80
- TCP(HTTP/1.1) premium####.com:80
- TCP(HTTP/1.1) duc####.b####.com:80
- TCP(HTTP/1.1) wa####.go2c####.org:80
- TCP(HTTP/1.1) api.lead####.net:80
- TCP(HTTP/1.1) t####.admob####.com:80
- TCP(HTTP/1.1) cl####.mob####.net:80
- TCP(HTTP/1.1) g####.supermo####.online:80
- TCP(HTTP/1.1) 2####.177.13.68:8288
- TCP(HTTP/1.1) duapps-####.gsh####.com:80
- TCP(HTTP/1.1) f####.gst####.com:80
- TCP(HTTP/1.1) tretras####.com:80
- TCP(HTTP/1.1) m.ize####.com:80
- TCP(HTTP/1.1) us.api.adf####.cn:5000
- TCP(HTTP/1.1) clinkad####.com:80
- TCP(HTTP/1.1) c.ar####.co:80
- TCP(HTTP/1.1) apptr####.com:80
- TCP(HTTP/1.1) s####.androi####.b####.####.net:80
- TCP(HTTP/1.1) appco####.fusetra####.com:80
- TCP(HTTP/1.1) www.targe####.com:80
- TCP(HTTP/1.1) s####.r####.world:80
- TCP(HTTP/1.1) trac####.suma####.com:80
- TCP(HTTP/1.1) w####.redirec####.com:80
- TCP(HTTP/1.1) newrota####.com:80
- TCP(HTTP/1.1) ea.sno####.1####.com:8088
- TCP(HTTP/1.1) api.l####.com:80
- TCP(HTTP/1.1) www.m####.site:80
- TCP(HTTP/1.1) s####.mob####.b####.com:80
- TCP(HTTP/1.1) t####.cpa.iqop####.com:80
- TCP(HTTP/1.1) w####.voluu####.com:80
- TCP(HTTP/1.1) gl####.ymtrac####.com:80
- TCP(HTTP/1.1) clk.hope####.net:80
- TCP(HTTP/1.1) trk.gl####.com:80
- TCP(HTTP/1.1) www.zfr####.com:80
- TCP(HTTP/1.1) api.mo####.sdk.####.com:80
- TCP(HTTP/1.1) f####.google####.com:80
- TCP(HTTP/1.1) 9app####.com:80
- TCP(HTTP/1.1) www.admobim####.com:80
- TCP(HTTP/1.1) trac####.pubt####.com:80
- TCP(HTTP/1.1) a####.bat####.net:80
- TCP(HTTP/1.1) cl####.ads####.com:80
- TCP(HTTP/1.1) mo.freeind####.com:80
- TCP(HTTP/1.1) akw.e####.space:80
- TCP(HTTP/1.1) api.mi####.com:80
- TCP(HTTP/1.1) www.mobna####.net:80
- TCP(HTTP/1.1) www.mmmmmm####.com:80
- TCP(HTTP/1.1) c####.shar####.com:80
- TCP(HTTP/1.1) imno####.com:80
- TCP(HTTP/1.1) koolmed####.com:80
- TCP(HTTP/1.1) www.jp####.com:80
- TCP(HTTP/1.1) 5####.77.99.53:80
- TCP(HTTP/1.1) www.cu####.com:80
- TCP(HTTP/1.1) ali.f####.cdn.####.com:80
- TCP(HTTP/1.1) c####.gowa####.com:80
- TCP(HTTP/1.1) ea.sno####.1####.com:18088
- TCP(HTTP/1.1) clk.tap####.com:80
- TCP(HTTP/1.1) t####.iches####.net:80
- TCP(HTTP/1.1) atracki####.appf####.com:80
- TCP(HTTP/1.1) cl####.qh####.com:80
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) tpc.googles####.com:443
- TCP(TLS/1.0) g####.gl:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) pag####.googles####.com:443
- TCP(TLS/1.0) t####.cpa.iqop####.com:443
- TCP(TLS/1.0) f####.google####.com:443
- TCP(TLS/1.0) app.appsf####.com:443
- TCP(TLS/1.0) www.you####.com:443
- TCP(TLS/1.0) clk.tap####.com:443
- TCP(TLS/1.0) mobileo####.site:443
Запросы DNS:
- 9app####.com
- a####.bat####.net
- ad.lead####.net
- akw.e####.space
- ali.f####.cdn.####.com
- api.l####.com
- api.lead####.net
- api.mi####.com
- api.migh####.com
- api.mo####.sdk.####.com
- api.mob####.b####.com
- app.appsf####.com
- apptr####.com
- atracki####.appf####.com
- c####.gowa####.com
- c####.shar####.com
- c.ar####.co
- c.s####.co
- cl####.ads####.com
- cl####.mob####.net
- cl####.qh####.com
- clinkad####.com
- clk.hope####.net
- clk.tap####.com
- duc####.b####.com
- ea.sno####.1####.com
- en.sno####.1####.com
- f####.google####.com
- f####.gst####.com
- fc.appco####.com
- g####.gl
- g####.supermo####.online
- g####.t####.net
- gl####.ymtrac####.com
- googl####.g.doublec####.net
- ilv####.com
- imno####.com
- koolmed####.com
- m.ize####.com
- md.apptr####.com
- mo.freeind####.com
- mobileo####.site
- newrota####.com
- oad.tap####.com
- pag####.googles####.com
- premium####.com
- rts.mo####.sdk.####.com
- s####.androi####.b####.com
- s####.mob####.b####.com
- s####.r####.world
- t####.admob####.com
- t####.cpa.iqop####.com
- t####.iches####.net
- t####.z####.xyz
- t.mob####.net
- tango####.com
- tleadst####.com
- tpc.googles####.com
- trac####.pubt####.com
- trac####.suma####.com
- trk.gl####.com
- us.api.adf####.cn
- w####.redirec####.com
- w####.voluu####.com
- wa####.go2c####.org
- www.admobim####.com
- www.cu####.com
- www.google-####.com
- www.googlet####.com
- www.jp####.com
- www.m####.site
- www.mmmmmm####.com
- www.mobna####.net
- www.targe####.com
- www.you####.com
- www.zfr####.com
Запросы HTTP GET:
- 9app####.com/
- 9app####.com/wp-content/cache/autoptimize/js/autoptimize_232da78ebcef1e9...
- 9app####.com/wp-content/plugins/social-warfare/fonts/sw-icon-font.ttf?ve...
- 9app####.com/wp-content/plugins/tablepress/css/tablepress.ttf
- 9app####.com/wp-includes/js/jquery/jquery.js?ver=####
- 9app####.com/wp-includes/js/wp-emoji-release.min.js?ver=####
- a####.bat####.net/call/v2/ad/click?recommend_id=####&ads_id=####&aff_id=...
- akw.e####.space/index.php?r=####&al=####&l=####&p=####&hp=####&lc=####&s...
- akw.e####.space/index.php?r=####&appid=####
- akw.e####.space/index.php?r=####&p=####&hp=####&l=####&c=####&prod=####&...
- akw.e####.space/strategy/api/v1/rule/get?p=####&hp=####&l=####&c=####&pr...
- ali.f####.cdn.####.com/20180106173244-snowfox_v19i154et.jar
- api.l####.com/redirect?s=####&at=####&rt=####&s1=####&s2=####&s3=####&s4...
- api.lead####.net/applnk/826227844?src_section_id=####
- api.lead####.net/nat_clk/239389936/6329608?sid=RSB####&devad_id=####&gid...
- api.mi####.com/v1/ad_crack/get?_appPkgName=####&_updateTime=####&_locale...
- api.mo####.sdk.####.com/adunion/fetchalad?adid=####
- api.mo####.sdk.####.com/adunion/slot/getDlAd?h=####&w=####&model=####&ve...
- api.mo####.sdk.####.com/adunion/slot/getSrcPrio?h=####&w=####&model=####...
- appco####.fusetra####.com/tl?a=####&o=####&s1=####&sc=####&s2=####&s3=##...
- apptr####.com/dir/click?placement_id=####&campaign_id=####&affid=####&ci...
- apptr####.com/dir/redirect?placement_id=####&campaign_id=####&affid=####...
- atracki####.appf####.com/transaction/post_click?offer_id=####&aff_id=###...
- c####.gowa####.com/click?transaction_id=wadogo_goeuro_120808_102e140f568...
- c####.shar####.com/click/index?tp_id=####&tp_placementid=####&tp_aaid=##...
- c####.shar####.com/smartlink/click?id=####&type=####&tl_clickid=####&tl_...
- c.ar####.co/aff_c?offer_id=####&aff_id=####&aff_sub=####&sub_channel=###...
- c.ar####.co/click?campid=####&gid=####&imei=####&android=####&sub_channe...
- c.s####.co/api/v4/click?campaign_id=####&publisher_id=####&rt=####&_po=#...
- cl####.ads####.com/index.php?m=####&p=####&app_id=####&offer_id=####&cli...
- cl####.mob####.net/target/t.mobrand.net/tracking/aff/sNogAzqvRdiJVANDgyF...
- cl####.mob####.net/tracking/aff/sNogAzqvRdiJVANDgyFlFg/U9xp0HB4RWCy6p-ks...
- cl####.qh####.com/index.php?m=####&p=####&app_id=####&offer_id=####&clic...
- clinkad####.com/tracking?camp=####&pubid=####&sid=####&subpubid=####&sid...
- clk.hope####.net/click?id=####&aff=####&ost=####&click_id=####&aff_sub=#...
- clk.tap####.com/engine/a.aspx?id=####
- duapps-####.gsh####.com/prod/upload/adunion/images/0b3/796_416_c7b095807...
- duapps-####.gsh####.com/prod/upload/adunion/images/41e/300_300_408810485...
- duapps-####.gsh####.com/prod/upload/adunion/images/4af/796_416_b27174b84...
- duapps-####.gsh####.com/prod/upload/adunion/images/d09/300_300_4de63effc...
- duc####.b####.com/click/affClick?aff_sub=####&aff_sub19=####&aff_sub2=##...
- f####.google####.com/css?family=####&subset=####
- f####.gst####.com/s/ubuntu/v11/4iCs6KVjbNBYlgoKcQ7znU6AFw.ttf
- f####.gst####.com/s/ubuntu/v11/4iCv6KVjbNBYlgoCxCvjvmyIPYZvgw.ttf
- g####.supermo####.online/?utm_medium=####&utm_campaign=####&1=####&2=###...
- gl####.ymtrac####.com/trace?offer_id=####&aff_id=####&aff_sub####&idfa=#...
- gl####.ymtrac####.com/trace?offer_id=####&app_id=####&type=####&aff_sub6...
- gl####.ymtrac####.com/trace?offer_id=####&app_id=####&type=####&aff_sub=...
- imno####.com/c/152567/s1n9r662-469r-66r2-42no-5nn6qp2oqss7/4593r0s0.html...
- koolmed####.com/r/eecf3e88-f406-11e7-bfeb-114171d9835b/0/
- koolmed####.com/r/eecf3e88-f406-11e7-bfeb-114171d9835b/1/
- m.ize####.com/nl/farmflipperg/?cpid=####&publisher=####
- m.ize####.com/nl/farmflipperg/index.php?cpid=####&publisher=####&flow=##...
- m.ize####.com/nl/farmflipperg/js/exitScript.js
- m.ize####.com/nl/farmflipperg/js/main.js
- m.ize####.com/nl/farmflipperg/js/scripts.js
- m.ize####.com/nl/farmflipperg/styles/styles.css
- m.ize####.com/nl/farmflipperg/vendors/jquery.min.js
- m.ize####.com/nl/farmflipperg/vendors/normalize.css
- m.ize####.com/nl/farmflipperg/vendors/skeleton.css
- newrota####.com/campaign/20611|3533?website=####&tag=####
- premium####.com/d/46064259b9f90e4c211?sub=####
- premium####.com/d/46064259b9f90e4c211?sub=####&code=####
- premium####.com/gw?url=http://wlynl.voluumtrk.com/117da624-29e5-4e9d-a6f...
- premium####.com/gw?url=https://mobileofferplace.site/c/faecc269-e3e2-11e...
- s####.androi####.b####.####.net/public/uploads/store_10/0/f/9/0f988e9ff2...
- t####.admob####.com/adTrack/track/click?oid=####&affid=####&aff_click_id...
- t####.cpa.iqop####.com/click?pid=####&offer_id=####&sub1=####&sub2=####
- t####.iches####.net/click?id=####&aff=####&ost=####&click=####&aff_sub=#...
- t####.iches####.net/click?id=####&aff=####&ost=####&click_id=####&gaid=#...
- t####.iches####.net/track?id=####&aff=####&ost=####&click=####&aff_sub=#...
- t####.iches####.net/track?id=####&aff=####&ost=####&click_id=####&gaid=#...
- trac####.pubt####.com/click?offer_id=####&sub_id=####&click_id=####&gaid...
- trac####.suma####.com/aff_c?offer_id=####&aff_id=####&aff_click_id=####&...
- trac####.suma####.com/aff_r?offer_id=132084&aff_id=6595&url=http://clink...
- trac####.suma####.com/aff_r?offer_id=144730&aff_id=6397&url=http://click...
- tretras####.com/55K39/N-7P/Oerf/YaaPe2WRVZ5lZxs3BIiYiZ7_bHHhvSwwgn5hPHpE...
- trk.gl####.com/c/AAAAAAAAAAAAAAAAAAAAAFlY4tymEmzS/CF?subid1=####&placeme...
- us.api.adf####.cn:5000/static/click?adjust=####&p=####&pa=####&s=####&o=...
- w####.redirec####.com/redirect?target=####&ts=####&hash=####&rm=####
- w####.voluu####.com/117da624-29e5-4e9d-a6fb-2672a1de9709?sourceid=####&v...
- wa####.go2c####.org/aff_c?offer_id=####&aff_id=####&aff_sub=####&aff_sub...
- www.cu####.com/20171212103437.201712121030.zip
- www.jp####.com/click/ssp/click?channel=####&uuid=####&id=####&aoid=####&...
- www.mobna####.net/click?channelid=####&offerid=####&ext1=####&subid=####...
- www.targe####.com/wap/detect_method_by_user?returnURL=http://m.izeplay.c...
Запросы HTTP POST:
- api.mo####.sdk.####.com/orts/rp?h=####&w=####&model=####&vendor=####&sdk...
- api.mo####.sdk.####.com/orts/rpb?h=####&w=####&model=####&vendor=####&sd...
- ea.sno####.1####.com:18088/ping
- ea.sno####.1####.com:18088/sdk/api/checklib
- ea.sno####.1####.com:18088/sdk/api/regclient
- ea.sno####.1####.com:8088/sdk/api/ad/hull_v2
- ea.sno####.1####.com:8088/sdk/api/log/record
- mo.freeind####.com/detail/getOfferListNew?enc=####
- s####.mob####.b####.com/cgi-bin-py/ad_sdk.cgi?ty=####&enc=####&bt=####
- s####.r####.world/cgi-bin-py/ad_sdk.cgi?ty=####&enc=####&bt=####
- www.admobim####.com/surl/api2_reg.action
- www.jp####.com/tracking/ds?sdk_version=####&platform=####&app_version=##...
- www.jp####.com/tracking/uc?sdk_version=####&platform=####&app_version=##...
- www.m####.site/ad_app_dex_new.php
- www.mmmmmm####.com/osp/oaen_get.action?tasktype=####&imei=####&imsi=####...
- www.mmmmmm####.com/osp/oaen_reg.action
- www.zfr####.com/up.do
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.mbj/####/classes.zip
- <Package Folder>/app_lib/libugpl.so
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_0 (deleted)
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_1 (deleted)
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_2 (deleted)
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/data_3 (deleted)
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/index (deleted)
- <Package Folder>/cache/ApplicationCache.db-journal
- <Package Folder>/cache/ads1761293372.jar
- <Package Folder>/databases/####/https_googleads.g.doubleclick.n...ournal
- <Package Folder>/databases/adblib.db
- <Package Folder>/databases/adblib.db-journal
- <Package Folder>/databases/db_snowfox.db
- <Package Folder>/databases/db_snowfox.db-journal
- <Package Folder>/databases/fac_fb_data.db
- <Package Folder>/databases/fac_fb_data.db-journal
- <Package Folder>/databases/mbj_du_ad_cache.db
- <Package Folder>/databases/mbj_du_ad_cache.db-journal
- <Package Folder>/databases/mbj_du_ad_parse.db
- <Package Folder>/databases/mbj_du_ad_parse.db-journal
- <Package Folder>/databases/mbj_du_ad_ts.db
- <Package Folder>/databases/mbj_du_ad_ts.db-journal
- <Package Folder>/databases/mc_cache.db-journal
- <Package Folder>/databases/my.db
- <Package Folder>/databases/my.db-journal
- <Package Folder>/databases/snowfoxad_msg.db
- <Package Folder>/databases/snowfoxad_msg.db-journal
- <Package Folder>/databases/webview.db
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/-188828598
- <Package Folder>/files/####/-188828598.data
- <Package Folder>/files/d.dex
- <Package Folder>/files/d.dex (deleted)
- <Package Folder>/files/d.zip
- <Package Folder>/files/dtemp.apk
- <Package Folder>/files/f.dex
- <Package Folder>/files/f.zip
- <Package Folder>/files/fb1.db
- <Package Folder>/files/google.db
- <Package Folder>/files/lib.dat
- <Package Folder>/files/mesosphere.jar
- <Package Folder>/files/ob.dex
- <Package Folder>/files/ob.zip
- <Package Folder>/files/prinstall.db
- <Package Folder>/files/snowfox_v19i.jar
- <Package Folder>/shared_prefs/<Package>_ls_global_configs_sp.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/ActivatePreUtil.xml
- <Package Folder>/shared_prefs/AdsBusiness-data.xml
- <Package Folder>/shared_prefs/BusinessPreUtil.xml
- <Package Folder>/shared_prefs/D824hunter_config.xml
- <Package Folder>/shared_prefs/D824other_config.xml
- <Package Folder>/shared_prefs/D824service_config.xml
- <Package Folder>/shared_prefs/D824service_config.xml.bak
- <Package Folder>/shared_prefs/D824sp_config.xml
- <Package Folder>/shared_prefs/D824upgrade_config.xml
- <Package Folder>/shared_prefs/LoginPreUtil.xml
- <Package Folder>/shared_prefs/OfferPreUtil.xml
- <Package Folder>/shared_prefs/_mbj_toolbox_prefs.xml
- <Package Folder>/shared_prefs/admob.xml
- <Package Folder>/shared_prefs/aps.xml
- <Package Folder>/shared_prefs/apsad.xml
- <Package Folder>/shared_prefs/apscomm.xml
- <Package Folder>/shared_prefs/device_info.xml
- <Package Folder>/shared_prefs/isupdate.xml
- <Package Folder>/shared_prefs/jduc.xml
- <Package Folder>/shared_prefs/m_cfg.xml
- <Package Folder>/shared_prefs/s_sdk_pro_pref.xml
- <Package Folder>/shared_prefs/snowfoxprf.xml
- <Package Folder>/shared_prefs/sp_cache.xml
- <Package Folder>/shared_prefs/t_ini.xml
- <SD-Card>/.adslib/com.huuuge.casino.slots@0.apk
- <SD-Card>/.androidsystem/####/gads.db
- <SD-Card>/.androidsystem/07ad08cd30950beb817531653549e5a7.jpg
- <SD-Card>/.androidsystem/8c4f855e4065d14bd1fe95ced1de699a.jpg
- <SD-Card>/.androidsystem/e1eb7d406ad38f852087ad3f74cc0933.jpg
- <SD-Card>/.androidsystem/ec40e39f9314d87ccb7a0ea170c9dca3.jpg
- <SD-Card>/Android/####/dev_f53bc04.txt
- <SD-Card>/Android/####/imei.txt
- <SD-Card>/Android/####/pid
- <SD-Card>/Android/####/ua.dat
- <SD-Card>/LogN/####/sp
- <SD-Card>/baidu/####/journal
- <SD-Card>/baidu/####/journal.tmp
- <SD-Card>/baidu/.cuid
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- app_process /system/bin com.android.commands.am.Am startservice --user 0 -n <Package>/com.gkm.ogt.MS
- cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- chmod 777 <Package Folder>/ugpl
- dd if=<Package Folder>/lib/libugpl.so of=<Package Folder>/ugpl
- sh
Загружает динамические библиотеки:
- libugpl
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
