Техническая информация
Вредоносные функции:
Скрывает свою иконку с экрана устройства.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) www.e####.com:80
- TCP(HTTP/1.1) x####.tc.qq.com:80
- TCP(HTTP/1.1) wap####.b####.com:80
- TCP(HTTP/1.1) box.jom####.com:80
- TCP(HTTP/1.1) gd.a.s####.com:80
- TCP(HTTP/1.1) www.go####.com:80
- TCP(HTTP/1.1) wei.sz####.top:9000
- TCP(HTTP/1.1) cdn.e####.com.####.net:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) a.esp####.com.####.net:80
- TCP(HTTP/1.1) c.amazon-####.com:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) h5.1####.com:80
- TCP(HTTP/1.1) i####.de####.net:80
- TCP(HTTP/1.1) hpd.b####.com:80
- TCP(HTTP/1.1) 386.disp####.spcd####.com:80
- TCP(HTTP/1.1) 1####.29.50.190:8082
- TCP(HTTP/1.1) tr####.go.com:80
- TCP(HTTP/1.1) supermo####.jom####.com:80
- TCP(HTTP/1.1) v.1####.com.####.com:80
- TCP(HTTP/1.1) cdn.optimi####.com:80
- TCP(HTTP/1.1) gm.mm####.com:80
- TCP(HTTP/1.1) m.b####.com:80
- TCP(HTTP/1.1) e####.com:80
- TCP(HTTP/1.1) 1####.29.183.230:9613
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) www.b####.com:80
- TCP(HTTP/1.1) gs.a.s####.com:80
- TCP(TLS/1.0) im####.s####.com.####.com:443
- TCP(TLS/1.0) app.k.36####.com:443
- TCP(TLS/1.0) p.ssl.q####.com:443
- TCP(TLS/1.0) 31098####.log.optimi####.com:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) m.b####.com:443
- TCP(TLS/1.0) ext.b####.com:443
- TCP(TLS/1.0) wu####.e####.s####.com:443
- TCP(TLS/1.0) g####.bdst####.com:443
- TCP(TLS/1.0) mbd.b####.com:443
- TCP(TLS/1.0) i####.sogo####.com.####.com:443
- TCP(TLS/1.0) l####.optimi####.com:443
- TCP(TLS/1.0) t####.sogo####.com.####.com:443
- TCP(TLS/1.0) s.3####.cn:443
- TCP(TLS/1.0) ss0.b####.com:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) gd.a.s####.com:443
- TCP(TLS/1.0) gs.a.s####.com:443
- TCP(TLS/1.0) usa.gd.a.####.com:443
Запросы DNS:
- 31098####.log.optimi####.com
- a.esp####.com
- a1.esp####.com
- a4.esp####.com
- app.k.36####.com
- c####.mm####.com
- c.amazon-####.com
- c.c####.com
- cdn.e####.com
- cdn.optimi####.com
- dpm.de####.net
- e####.com
- ext.b####.com
- f####.b####.com
- g####.bdst####.com
- h5.1####.com
- hm.b####.com
- hpd.b####.com
- i####.sogo####.com
- i.go.s####.com
- im####.s####.com
- js.s####.com
- l####.optimi####.com
- m.b####.com
- m.s####.com
- m1.go.s####.com
- mbd.b####.com
- mt####.go####.com
- p.ssl.q####.com
- p0.ssl.q####.com
- pv.s####.com
- s.3####.cn
- s.bdst####.com
- s.go.s####.com
- s1.rr.i####.cn
- s6.rr.i####.cn
- s7.rr.i####.cn
- s8.rr.i####.cn
- s9.rr.i####.cn
- s95.c####.com
- sm.b####.com
- ss0.b####.com
- ss1.b####.com
- ss2.b####.com
- t####.sogo####.com
- tr####.e####.com
- v.1####.com
- wap####.b####.com
- wei.sz####.top
- wu####.e####.s####.com
- www.b####.com
- www.e####.com
- www.go####.com
- www.googlet####.com
- www.san####.com
- z####.g####.com
- z4.c####.com
- zz.m.s####.com
Запросы HTTP GET:
- 386.disp####.spcd####.com/ap/lla198edet8.dat
- a.esp####.com.####.net/combiner/i?img=####
- a.esp####.com.####.net/fonts/1.0.46/ESPNIcons/ESPNIcons.ttf
- box.jom####.com/common/openjs/bdbanner.js?bd-reform-version=####
- box.jom####.com/common/openjs/openBox.js?_v=####
- c.amazon-####.com/aax2/apstag.js
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/stat.php?id=####&web_id=####
- cdn.e####.com.####.net/combiner/i?img=####&h=####&w=####
- cdn.e####.com.####.net/combiner/i?img=####&w=####&h=####&scale=####&cqua...
- cdn.e####.com.####.net/core/format/modules/head/i18n?edition-host=####&l...
- cdn.e####.com.####.net/redesign/0.383.2/css/one-feed-v1.css
- cdn.e####.com.####.net/redesign/0.383.2/css/page.css
- cdn.e####.com.####.net/redesign/0.383.2/css/shell-mobile.css
- cdn.e####.com.####.net/redesign/0.383.2/js/espn-analytics.js
- cdn.e####.com.####.net/redesign/0.383.2/js/espn-critical-mobile.js
- cdn.e####.com.####.net/redesign/0.383.2/node_modules/espn-lazysizes/lazy...
- cdn.e####.com.####.net/redesign/assets/img/icons/icon-play-arrow.png
- cdn.e####.com.####.net/redesign/assets/img/icons/icon-search.png
- cdn.e####.com.####.net/redesign/assets/img/logos/logo-espn-82x20.png
- cdn.e####.com.####.net/test/fancyLogo2.svg
- cdn.e####.com.####.net/wireless/mw5/r1/images/bookmark-icons/espn_icon-1...
- cdn.optimi####.com/js/310987714.js
- e####.com/
- gd.a.s####.com/z1/M00/F1/5D/ChAKr1ow3mqAWC0bAAC-IRu0rPs550.jpg
- gm.mm####.com/9.gif?abc=####&rnd=####
- gs.a.s####.com/c/7/nJ/j6naeEv.jpg
- gs.a.s####.com/c/F/RY/vmyMn2y.jpg
- gs.a.s####.com/c/V/Nb/eyE3e2u.jpg
- gs.a.s####.com/c/Y/J3/6zmQrA3.jpg
- gs.a.s####.com/c/u/F7/jyMFrqe.jpg
- gs.a.s####.com/c/wapChange/201311_25_5/a5e5mw6370302201340.jpg
- gs.a.s####.com/c/wapChange/201311_8_16/a9l2q77165093770340.jpg
- gs.a.s####.com/c/wapChange/20138_25_17/a3ndzp1484552883340.jpg
- gs.a.s####.com/c/wapChange/20138_25_17/a98rq91484559942340.jpg
- gs.a.s####.com/c/wapChange/20138_25_17/a9fcba1484564136340.jpg
- gs.a.s####.com/c/wapChange/20142_23_23/a10i50559108145520.jpg
- gs.a.s####.com/c/wapChange/20142_23_23/a2rxut559121334520.jpg
- gs.a.s####.com/c/wapChange/20142_23_23/a8b0r6559116740520.jpg
- gs.a.s####.com/c/wapChange/20145_25_6/a03twz1203769296323.jpg
- gs.a.s####.com/c/wapChange/20145_25_6/a3h8711203777655323.jpg
- gs.a.s####.com/c/wapChange/20145_25_6/a6nyiw1203773647323.jpg
- gs.a.s####.com/c/wapChange/201510_18_13/a3qj3h3246681391352.jpg
- gs.a.s####.com/c/wapChange/201510_18_13/a813243246744547352.jpg
- gs.a.s####.com/c/wapChange/201510_18_13/a8nxhv3246755598352.jpg
- gs.a.s####.com/c/wapChange/201610_27_10/a0xmgf4273783263855.jpeg
- gs.a.s####.com/c/wapChange/201610_8_18/a25vsr7569199620708.jpeg
- gs.a.s####.com/c/wapChange/201611_12_12/a55kv19527320365325.jpg
- gs.a.s####.com/c/wapChange/201611_17_21/a04ulf016697065275.jpg
- gs.a.s####.com/c/wapChange/201611_17_21/a66mto016682236581.jpg
- gs.a.s####.com/c/wapChange/201611_17_21/a9j3cx016638508240.jpg
- gs.a.s####.com/c/wapChange/201612_17_8/a132me69155666057596.jpeg
- gs.a.s####.com/c/wapChange/201612_17_8/a5bnrh69155717994596.jpeg
- gs.a.s####.com/c/wapChange/201612_17_8/a7vjin69155699956596.jpeg
- gs.a.s####.com/c/wapChange/20161_19_5/a70j7o1861198007352.jpg
- gs.a.s####.com/c/wapChange/20161_30_19/a1dvcl0321920563352.jpeg
- gs.a.s####.com/c/wapChange/20163_26_15/a0yfyj825077817855.jpg
- gs.a.s####.com/c/wapChange/20169_27_11/a0vqpo82460922794596.jpg
- gs.a.s####.com/c/wapChange/20169_28_19/a1m3gi95975495320596.jpeg
- gs.a.s####.com/c/wapChange/20169_28_19/a2bn4l95975545259596.jpeg
- gs.a.s####.com/c/wapChange/20169_28_19/a5gq0h0082308611352.jpeg
- gs.a.s####.com/c/wapChange/201712_29_17/a2abyr3686038023178.jpeg
- gs.a.s####.com/c/wapChange/201712_29_17/a34q6r3594220381672.jpeg
- gs.a.s####.com/c/wapChange/201712_29_17/a5z6zd3594197740060.jpeg
- gs.a.s####.com/c/wapChange/20171_14_13/a0jl4o4858032803542.jpeg
- gs.a.s####.com/c/wapChange/20171_14_13/a0k34y4857985152542.jpeg
- gs.a.s####.com/c/wapChange/20171_14_13/a3tsrv4858017359542.jpeg
- gs.a.s####.com/c/wapChange/20171_23_13/a1x4v1446010045398.jpeg
- gs.a.s####.com/c/wapChange/20171_23_13/a3v3gy446042786567.jpeg
- gs.a.s####.com/c/wapChange/20171_23_13/a8214082576956622405.jpeg
- gs.a.s####.com/c/wapChange/20174_25_9/a427y48374708844013.jpeg
- gs.a.s####.com/c/wapChange/20175_7_10/a6uesl59809475354405.jpg
- gs.a.s####.com/c/wapChange/20175_7_10/a83dxg59809463607405.jpg
- gs.a.s####.com/c/wapChange/20175_7_10/a8x42z59809452774405.jpg
- gs.a.s####.com/c/wapChange/20178_14_6/a0haea9454252790542.jpg
- gs.a.s####.com/c/wapChange/20178_14_6/a631tu9454242343542.jpg
- gs.a.s####.com/c/wapChange/20178_14_6/a69c4o9454218774542.jpg
- gs.a.s####.com/c/wapChange/20178_31_18/a05fr08186452291938.jpeg
- gs.a.s####.com/c/wapChange/20178_31_18/a24gip8186411853938.jpeg
- gs.a.s####.com/c/wapChange/20178_31_18/a8hoyr8186442109938.jpeg
- gs.a.s####.com/c/wapChange/20181_19_13/a69jv41038520050505.jpeg
- gs.a.s####.com/c/wapChange/20181_8_12/a3hu4b6325645574026.jpg
- gs.a.s####.com/c/wapChange/20181_8_12/a68pyh6325601901026.jpg
- gs.a.s####.com/c/wapChange/20181_8_12/a783ef6325621184026.jpg
- gs.a.s####.com/c/wapChange1/20167_6_22/a1rutt18335754219310.jpg
- gs.a.s####.com/c/wapChange1/20167_6_22/a6zs7r18335765376310.jpg
- gs.a.s####.com/c/wapChange1/20167_6_22/a9ndza18335732164310.jpg
- h5.1####.com/
- h5.1####.com/?
- h5.1####.com/?ac=####&callback=####&newsId=####&typeId=####&past=####&pa...
- h5.1####.com/api/hot.json
- h5.1####.com/favicon.ico
- h5.1####.com/static/css/common.css
- h5.1####.com/static/css/main.css
- h5.1####.com/static/image/big.png
- h5.1####.com/static/image/img2.png
- h5.1####.com/static/image/jia.png
- h5.1####.com/static/image/logo.png
- h5.1####.com/static/image/logo/1430195668@2x.png
- h5.1####.com/static/image/logo/1430195699@2x.png
- h5.1####.com/static/image/logo/1430195773@2x.png
- h5.1####.com/static/image/logo/1430195934@2x.png
- h5.1####.com/static/image/logo/1430195989@2x.png
- h5.1####.com/static/image/logo/1463545746@2x.png
- h5.1####.com/static/image/logo/1463545813@2x.png
- h5.1####.com/static/image/logo/1463545853@2x.png
- h5.1####.com/static/image/logo/1463545942@2x.png
- h5.1####.com/static/image/logo/1463556231@2x.png
- h5.1####.com/static/image/logo/1496376776@2x.png
- h5.1####.com/static/image/logo/cpjihua.jpg
- h5.1####.com/static/image/logo/jmyp.jpg
- h5.1####.com/static/image/logo/tm1221.jpg
- h5.1####.com/static/image/logo/xlxw.png
- h5.1####.com/static/image/s.png
- h5.1####.com/static/js/jquery-2.1.4.min.js
- hm.b####.com/h.js?76f0775####
- hpd.b####.com/v.gif?logid=####&ssid=####&sid=####&from=####&pu=####&ct=#...
- hpd.b####.com/v.gif?tid=####&ct=####&cst=####&logFrom=####&logInfo=####&...
- hpd.b####.com/v.gif?tid=####&funcSta=####&sourceSta=####&actionSta=####&...
- i####.de####.net/id/rd?d_visid_ver=####&d_rtbd=####&d_ver=####&d_verify=...
- i####.de####.net/id?d_visid_ver=####&d_rtbd=####&d_ver=####&d_verify=###...
- m.b####.com/?action=####&ms=####&version=####&callback=####&r=####&sid=#...
- m.b####.com/?tn=####&from=####
- m.b####.com/his?callback=####&type=####&pic=####&lid=####&ishome=####&ne...
- m.b####.com/s?from=####&word=####
- m.b####.com/se/static/img/iphone/logo.png
- m.b####.com/se/static/img/iphone/tab_loading__bg_logo.png
- m.b####.com/se/static/js/dep/atom.min_373895d.js
- m.b####.com/se/static/js/service/index_polymer_403e664.js
- m.b####.com/se/static/js/service/index_seloader_release.js?v=####
- m.b####.com/static/ecom/js/wise/home/nativeAds_68eb76d.js
- m.b####.com/static/index/plus/public/icon_police.png
- m.b####.com/static/index/plus/public/tab_news.png
- m.b####.com/static/search/baiduapp_icon.png
- m.b####.com/static/search/clear.png
- m.b####.com/tc?tcreq4log=####&r=####&logid=####&from=####&pu=####&ct=###...
- supermo####.jom####.com/static/wiseindex/cicons/cicon_213d92d.ttf
- supermo####.jom####.com/static/wiseindex/iconfont/iconfont_2681c2d.ttf
- supermo####.jom####.com/static/wiseindex/img/ns_diff_color_v3_991d8b3.png
- supermo####.jom####.com/static/wiseindex/img/screen_icon_new.png
- supermo####.jom####.com/static/wiseindex/js/package/newsActivity_f6d3b0f...
- supermo####.jom####.com/static/wiseindex/js/package/superframe_545f0a9.js
- tr####.go.com/capmon/GetDE?set=####¶m=####¶m=####¶m=####&par...
- v.1####.com.####.com/video/H5/static/images/s1212_800_150.jpg?v=####
- wap####.b####.com/static/tj.gif?_=####&cuid=####&pid=####&page=####&pos=...
- wei.sz####.top:9000/ad/cfg?did=####&cid=####&vid=####
- wei.sz####.top:9000/ad/list?did=####&cid=####&vid=####
- wei.sz####.top:9000/d/atv?did=####&cid=####&vid=####&no=####&ei=####&si=...
- www.b####.com/js/opensug.js
- www.e####.com/
- www.go####.com/complete/search?hl=####&client=####&q=####
- x####.tc.qq.com/infonew/0/sports_pics_-4256899.jpg/800
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/index
- <Package Folder>/daemon.t.tmp
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/btmp
- <Package Folder>/files/####/dji
- <Package Folder>/files/####/tk
- <Package Folder>/files/####/tmd
- <Package Folder>/files/####/tv.jar
- <Package Folder>/files/####/tver
- <Package Folder>/shared_prefs/<Package>lksp.xml
- <Package Folder>/shared_prefs/mm.xml
- <SD-Card>/com.android.system.atv.pk
- <SD-Card>/com.android.system.pk
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/daemon -p <Package>/daemon -r am startservice --user 0 -n <Package>/com.amb.uk.main.DmService -e key daemon -i 2120
- chmod 777 <Package Folder>/daemon
- sh <Package Folder>/daemon -p <Package>/daemon -r am startservice --user 0 -n <Package>/com.amb.uk.main.DmService -e key daemon -i 2120
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
