Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.222.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 1####.79.62.117:8080
- TCP(HTTP/1.1) s####.ti####.cn:80
- TCP(HTTP/1.1) dl.api.kyli####.com:80
- TCP(HTTP/1.1) se####.ti####.cn:80
- TCP(HTTP/1.1) c####.tian####.com:80
- TCP(HTTP/1.1) terr####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) st####.tian####.com.####.net:80
- TCP(HTTP/1.1) g.al####.com:80
- TCP(HTTP/1.1) 1####.26.75.41:8881
- TCP(HTTP/1.1) bbs.ti####.cn:80
- TCP(HTTP/1.1) l####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) d####.wos####.com:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(HTTP/1.1) www.ti####.cn:80
- TCP(HTTP/1.1) 1####.42.157.151:8080
- TCP(HTTP/1.1) d####.c####.l####.####.com:80
- TCP(HTTP/1.1) user####.ti####.cn:80
- TCP(HTTP/1.1) dol.ti####.cn:80
- TCP(HTTP/1.1) 1####.124.37.167:9321
- TCP(HTTP/1.1) 7e8c613####.dlc####.fas####.com:80
- TCP(SSL/3.0) www.addkin####.com:8081
- TCP(TLS/1.0) www.addkin####.com:8081
- TCP(TLS/1.0) bird####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) s####.m.sm.cn:443
- TCP(TLS/1.0) l####.m.sm.cn:443
- TCP(TLS/1.0) y####.m.sm.cn:443
- TCP(TLS/1.0) owe.joy-r####.com:9050
- TCP(TLS/1.0) g.al####.com:443
- TCP(TLS/1.0) zm8.s####.cn:443
- TCP(TLS/1.0) log.mm####.com:443
Запросы DNS:
- a####.m.sm.cn
- bbs.ti####.cn
- bird####.oss-cn-####.aliy####.com
- c####.tian####.com
- car.moyum####.com
- cdn.joy-r####.com
- d####.wos####.com
- dl.api.kyli####.com
- dol.ti####.cn
- g.al####.com
- kldyn####.u####.uc####.####.cn
- l####.m.sm.cn
- l####.oss-cn-####.aliy####.com
- log.mm####.com
- owe.joy-r####.com
- pi####.qq.com
- s####.al####.com
- s####.m.sm.cn
- s####.ti####.cn
- s2.z####.cn
- se####.ti####.cn
- st####.tian####.com
- terr####.oss-cn-####.aliy####.com
- user####.ti####.cn
- www.addkin####.com
- www.ti####.cn
- y####.m.sm.cn
- zm8.s####.cn
Запросы HTTP GET:
- 7e8c613####.dlc####.fas####.com/1512473981641_utils.ttf
- bbs.ti####.cn/m/post-98-696053-1.shtml
- c####.tian####.com/clkme.jsp?item=####&idArticle=####&cookie_####
- d####.c####.l####.####.com/2b086961-e4ef-4edb-8247-e6bde0604782bdco_20017
- dol.ti####.cn/s?z=####&op=####&c=####
- g.al####.com/L1/272/6837/static/wap/img/index/v7/logo2.png
- g.al####.com/L1/272/6837/static/wap/img/index/v7/navs4.png
- g.al####.com/L1/272/6837/static/wap/img/sc/wenda_juhe/loading.gif
- g.al####.com/L1/272/6837/static/wap/img/uc-32.png
- g.al####.com/L1/272/6837/static/wap/img/uc.png
- g.al####.com/ims?kt=####&at=####&key=####&sign=yx####&tv=####
- g.al####.com/ims?kt=####&at=####&key=####&tv=####&x####
- l####.oss-cn-####.aliy####.com/path_jar_zhangwan0000001_cn.ttf
- s####.ti####.cn/cityid.jsp
- se####.ti####.cn/fcgi-bin/tj?pos=####&url=####&title=####&l=####
- st####.tian####.com.####.net/global/dashang/ds/api/ds_api_router.jsonp?t...
- st####.tian####.com.####.net/global/dashang/ds/api/ds_api_v1.2.js?v0511....
- st####.tian####.com.####.net/global/dashang/ds/v2/css/m_ds_bottom_v2.1.c...
- st####.tian####.com.####.net/global/dashang/ds/v2/js/m_ds_bottom_v2.2.js...
- st####.tian####.com.####.net/global/data/shang/props_all.js
- st####.tian####.com.####.net/global/m/v3/static/css/main_d2374d5.css
- st####.tian####.com.####.net/global/m/v3/static/css/post_a013b45.css
- st####.tian####.com.####.net/global/m/v3/static/js/main_8f367c6.js
- st####.tian####.com.####.net/global/m/v3/static/js/mod/extra_2448d45.js
- st####.tian####.com.####.net/global/m/v3/static/js/post_b71b751.js
- st####.tian####.com.####.net/global/ty/main.js
- st####.tian####.com.####.net/global/ty2.0/TY_m_2.0.js?v=####
- st####.tian####.com.####.net/global/ty2.0/core/core_interface.js?_v=####
- st####.tian####.com.####.net/global/ty2.0/m/bbsPost/bbsPost_16518df.js?_...
- st####.tian####.com.####.net/global/ty2.0/m/bbsPost/bbsPost_d2b46a2.css?...
- st####.tian####.com.####.net/global/ty2.0/m/lazyload_e23dd69.js?_t=####
- st####.tian####.com.####.net/global/ty2.0/m/openApp/js/TY.ui.openApp_06d...
- terr####.oss-cn-####.aliy####.com/11/load.bat
- user####.ti####.cn/adsp/user/getVIipUser.jsp?userid=####&jsonpcallback=#...
- www.ti####.cn/api/tw?method=####&header.userId=####¶ms.blockId=####&...
Запросы HTTP POST:
- d####.wos####.com/upload/event.jsp
- d####.wos####.com/upload/longheartbeat.jsp
- dl.api.kyli####.com/v2/load/mobile
- pi####.qq.com/mstat/report/?index=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_C3g3qVLoPom3/####/list2.chche
- <Package Folder>/app_localdata/ApplicationCache.db-journal
- <Package Folder>/app_resDownload/data.tmp
- <Package Folder>/app_resDownload/res.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/index
- <Package Folder>/databases/file_multithreading_info.db-journal
- <Package Folder>/databases/pri_tencent_analysis.db_<Package>-journal
- <Package Folder>/databases/tencent_analysis.db_<Package>-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/3018798.jar
- <Package Folder>/files/3323003.jar
- <Package Folder>/files/3323003.ttf
- <Package Folder>/files/ads2017
- <Package Folder>/files/android-util.ttf
- <Package Folder>/files/bdco
- <Package Folder>/files/bdco.cf
- <Package Folder>/files/path_jar_zhangwan0000001_cn.temp (deleted)
- <Package Folder>/files/sdk.jar
- <Package Folder>/shared_prefs/1314|account_file.xml
- <Package Folder>/shared_prefs/<Package>.mid.world.ro.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/COUNTLY_STORE.xml
- <Package Folder>/shared_prefs/STORE_MAIN.xml
- <Package Folder>/shared_prefs/abs.xml
- <Package Folder>/shared_prefs/defaultpref1.xml
- <Package Folder>/shared_prefs/ljtq.xml
- <Package Folder>/shared_prefs/rws_sp.xml
- <Package Folder>/shared_prefs/sp_rvp.xml
- <SD-Card>/BIRDDOWNLOAD/####/YvscMPs.xml
- <SD-Card>/BIRDDOWNLOAD/####/webinfo.xml
- <SD-Card>/Download/####/load.bat
- <SD-Card>/Download/####/ver.txt
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
Загружает динамические библиотеки:
- MtaNativeCrash_v2
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о настроках APN.
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
