Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.589.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) c####.mi####.dev.####.com:80
- TCP(HTTP/1.1) nav.cn.ron####.com:80
- TCP(HTTP/1.1) cdn.img.fly####.####.com:80
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) m####.52####.com:80
- TCP(HTTP/1.1) up####.v.qin####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) mhdu####.1####.com.####.com:80
- TCP(TLS/1.0) s####.ml####.cc:443
- TCP(TLS/1.0) t####.c####.q####.####.com:443
- TCP(TLS/1.0) s####.cn.ron####.com:443
- TCP(TLS/1.0) w####.che####.top:443
- TCP(TLS/1.0) redi####.network####.com:443
- TCP(TLS/1.0) dc1.network####.com:443
- TCP(TLS/1.0) cdn####.appa####.com.####.cn:443
- TCP(TLS/1.0) regi####.xm####.xi####.com:443
- TCP c####.g####.ig####.com:5225
- TCP sdk.o####.t####.####.net:5224
- TCP 1####.92.22.214:8629
Запросы DNS:
- 7j####.c####.z0.####.com
- a####.u####.com
- c####.g####.ig####.com
- c-h####.g####.com
- cdn####.appa####.com
- cdn.img.fly####.top
- d####.mi####.xi####.com
- dc1.network####.com
- m####.1####.com
- m####.52####.com
- m####.52####.com
- mhdu####.1####.com
- mt####.go####.com
- nav.cn.ron####.com
- oc.u####.com
- pub-####.qin####.com
- redi####.network####.com
- regi####.xm####.xi####.com
- s####.cn.ron####.com
- s####.ml####.cc
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- st####.suiyue####.com
- w####.che####.top
Запросы HTTP GET:
- cdn.img.fly####.####.com/upload/201708/4/img/20170804163317464.png
- cdn.img.fly####.####.com/upload/201711/28/img/20171128171551888.png
- cdn.img.fly####.####.com/upload/201711/29/img/20171129172413161.png
- cdn.img.fly####.####.com/upload/201712/29/img/20171229134026631.png
- m####.52####.com/comic/getproad?adgroupid=####&appVersionName=####&appTy...
- mhdu####.1####.com.####.com/upload/fm/yzrm1215.jpg
- t####.c####.q####.####.com/tdata_EDT356
- t####.c####.q####.####.com/tdata_Soq141
- t####.c####.q####.####.com/tdata_TSb400
- ti####.c####.l####.####.com/config/hz-hzv3.conf
- up####.v.qin####.com/bookcenter/coverimages/148269/148269_58800bfa648040...
- up####.v.qin####.com/bookcenter/coverimages/148966/47417fbb6c63457eac71b...
- up####.v.qin####.com/bookcenter/coverimages/149514/149514_3e1df2a7005346...
- up####.v.qin####.com/bookcenter/coverimages/150686/c3640360a8aa4e89b30b9...
- up####.v.qin####.com/bookcenter/coverimages/150698/a93e5f836c714ff4b8328...
- up####.v.qin####.com/bookcenter/coverimages/166123/166123_7b37c418391a4a...
- up####.v.qin####.com/bookcenter/coverimages/166129/166129_200f119e3a3243...
- up####.v.qin####.com/bookcenter/coverimages/166131/166131_f902ac2b45924e...
- up####.v.qin####.com/bookcenter/coverimages/166377/166377_9e67476c470f4d...
- up####.v.qin####.com/bookcenter/coverimages/166380/166380_1a799907f91b4e...
- up####.v.qin####.com/bookcenter/coverimages/166465/166465_5af02a7135da40...
- up####.v.qin####.com/bookcenter/coverimages/167570/167570_8ab4eacf34e744...
- up####.v.qin####.com/bookcenter/coverimages/168407/168407_fae5722d3efd4b...
- up####.v.qin####.com/bookcenter/coverimages/168408/168408_779ddf4ae55c4b...
- up####.v.qin####.com/bookcenter/coverimages/170456/16b98ab285e04b46b943d...
- up####.v.qin####.com/bookcenter/coverimages/173515/173515_5c373c63714048...
- up####.v.qin####.com/bookcenter/coverimages/173712/173712_5b01051a648b40...
- up####.v.qin####.com/bookcenter/coverimages/173732/173732_2b94610f93794e...
- up####.v.qin####.com/bookcenter/coverimages/176258/176258_2cca2ddb335943...
- up####.v.qin####.com/bookcenter/coverimages/176271/176271_69ff019fe74844...
- up####.v.qin####.com/bookcenter/coverimages/176465/67dab7a1448f4b9eb9802...
- up####.v.qin####.com/bookcenter/coverimages/176850/b57bb6731aa9466a8759c...
- up####.v.qin####.com/bookcenter/coverimages/176904/176904_37813c8a93c541...
- up####.v.qin####.com/bookcenter/coverimages/177060/177060_799346d4da8943...
- up####.v.qin####.com/bookcenter/coverimages/177657/177657_3e79fb87eec94a...
- up####.v.qin####.com/bookcenter/coverimages/179346/179346_30dbb4fb12ee46...
- up####.v.qin####.com/bookcenter/coverimages/180913/180913_66396ea0f6bb45...
- up####.v.qin####.com/bookcenter/coverimages/181650/181650_1a34cab7f2c847...
- up####.v.qin####.com/bookcenter/coverimages/184656/184656_fb6fdbfdc5fc40...
- up####.v.qin####.com/bookcenter/coverimages/185218/185218_2261ad037fa04c...
- up####.v.qin####.com/bookcenter/coverimages/187240/187240_5aff0a4bbeb04e...
- up####.v.qin####.com/bookcenter/coverimages/188101/ee2fce8b367d4d03ae50e...
- up####.v.qin####.com/bookcenter/coverimages/205037/2015163_747e38d84a294...
- up####.v.qin####.com/bookcenter/coverimages/218938/2097453_d681e07447dd4...
- up####.v.qin####.com/bookcenter/coverimages/218955/2097456_a3ccd930cbc14...
- up####.v.qin####.com/bookcenter/coverimages/218956/2097454_554716e520e14...
- up####.v.qin####.com/bookcenter/coverimages/218961/2097458_735a8bd5e6cf4...
- up####.v.qin####.com/bookcenter/coverimages/245831/2189960_d2b1c18352d74...
- up####.v.qin####.com/upload/mhfm/171229/tjxsn.jpg
Запросы HTTP POST:
- a####.u####.com/app_logs
- c####.mi####.dev.####.com/mistats/v2
- c-h####.g####.com/api.php?format=####&t=####
- m####.52####.com/MHD.Interface/api/Encryption/GetKey
- m####.52####.com/comic_v2/appversion?token=####&channel=####&appversion=...
- m####.52####.com/comic_v2/bigbooksource_v3?token=####&channel=####&appve...
- m####.52####.com/comic_v2/comicsdetail_v2?token=####&channel=####&appver...
- m####.52####.com/comic_v2/comicsfilterlist_v2?token=####&channel=####&ap...
- m####.52####.com/comic_v2/getconfig?token=####&channel=####&appversion=#...
- m####.52####.com/comic_v2/gettoken?e=####
- m####.52####.com/comic_v2/gltj?e=####
- m####.52####.com/comic_v2/partlistbybook_v4?token=####&channel=####&appv...
- nav.cn.ron####.com/navipush.json
- oc.u####.com/v2/check_config_update
- oc.u####.com/v2/get_update_time
- sdk.o####.p####.####.com/api.php?format=####&t=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_crashrecord/1004
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/code_cache/####/<Package>-1.apk.classes-1090176052.zip
- <Package Folder>/code_cache/####/<Package>-1.apk.classes-985398382.zip
- <Package Folder>/databases/<Package>-journal
- <Package Folder>/databases/Comics.db-journal
- <Package Folder>/databases/bugly_db_-journal
- <Package Folder>/databases/geofencing.db
- <Package Folder>/databases/geofencing.db-journal
- <Package Folder>/databases/mistat.db
- <Package Folder>/databases/mistat.db-journal
- <Package Folder>/databases/mwsdk_analytics.db-journal
- <Package Folder>/databases/pushext.db-journal
- <Package Folder>/databases/pushg.db-journal
- <Package Folder>/databases/pushsdk.db-journal
- <Package Folder>/databases/x_h.db-journal
- <Package Folder>/files/.imprint
- <Package Folder>/files/42eb0243a17f
- <Package Folder>/files/NBSUserAction
- <Package Folder>/files/gdaemon_20161017
- <Package Folder>/files/increment_cache_file
- <Package Folder>/files/init.pid
- <Package Folder>/files/init_c1.pid
- <Package Folder>/files/mobclick_agent_cached_<Package>6
- <Package Folder>/files/oh.jar
- <Package Folder>/files/push.pid
- <Package Folder>/files/run.pid
- <Package Folder>/files/tdata_Soq141
- <Package Folder>/files/tdata_Soq141.jar
- <Package Folder>/files/tdata_TSb400
- <Package Folder>/files/tdata_TSb400.jar
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/ADHOC_SHARED_PREFERENCE.xml
- <Package Folder>/shared_prefs/COUNTLY_STORE.xml
- <Package Folder>/shared_prefs/DownloadPath.xml
- <Package Folder>/shared_prefs/FirstEnter.xml
- <Package Folder>/shared_prefs/RongPush.xml
- <Package Folder>/shared_prefs/Statistics.xml
- <Package Folder>/shared_prefs/a.xml
- <Package Folder>/shared_prefs/ar.xml
- <Package Folder>/shared_prefs/channel.xml
- <Package Folder>/shared_prefs/com.manhuamiao.xml
- <Package Folder>/shared_prefs/com.networkbench.agent.impl.v2_<Package>.xml
- <Package Folder>/shared_prefs/crashrecord.xml
- <Package Folder>/shared_prefs/dsi.xml
- <Package Folder>/shared_prefs/getui_sp.xml
- <Package Folder>/shared_prefs/gx_sp.xml
- <Package Folder>/shared_prefs/isTip.xml
- <Package Folder>/shared_prefs/isfirst.xml
- <Package Folder>/shared_prefs/mipush.xml
- <Package Folder>/shared_prefs/mipush_extra.xml
- <Package Folder>/shared_prefs/mistat.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/onlineconfig_agent_online_setting...e>.xml
- <Package Folder>/shared_prefs/persistent_data.xml
- <Package Folder>/shared_prefs/sharetime.xml
- <Package Folder>/shared_prefs/sv.xml (deleted)
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/welcomeadinfo.xml
- <SD-Card>/Adhoc/ADHOC_CLIENT_ID
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/24b21b6a6a3b5
- <SD-Card>/Android/####/8037297323f14
- <SD-Card>/Android/####/a1b663bc2b4ad
- <SD-Card>/Android/####/b.tmp
- <SD-Card>/Android/####/b8ac660157a9e
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/VisitActivity/####/-1003581714
- <SD-Card>/VisitActivity/####/-101914101
- <SD-Card>/VisitActivity/####/-107004219
- <SD-Card>/VisitActivity/####/-1178937111
- <SD-Card>/VisitActivity/####/-1214930044
- <SD-Card>/VisitActivity/####/-1541295659
- <SD-Card>/VisitActivity/####/-1595482656
- <SD-Card>/VisitActivity/####/-169620885
- <SD-Card>/VisitActivity/####/-1999556688
- <SD-Card>/VisitActivity/####/-2122355964
- <SD-Card>/VisitActivity/####/-397311089
- <SD-Card>/VisitActivity/####/-538452387
- <SD-Card>/VisitActivity/####/-70955249
- <SD-Card>/VisitActivity/####/-764188015
- <SD-Card>/VisitActivity/####/-85535563
- <SD-Card>/VisitActivity/####/1009219750
- <SD-Card>/VisitActivity/####/1054161986
- <SD-Card>/VisitActivity/####/1151571799
- <SD-Card>/VisitActivity/####/1235079127
- <SD-Card>/VisitActivity/####/1274650904
- <SD-Card>/VisitActivity/####/1309882324
- <SD-Card>/VisitActivity/####/1424394920
- <SD-Card>/VisitActivity/####/1425473575
- <SD-Card>/VisitActivity/####/1427869146
- <SD-Card>/VisitActivity/####/1532999828
- <SD-Card>/VisitActivity/####/1564100044
- <SD-Card>/VisitActivity/####/164214925
- <SD-Card>/VisitActivity/####/1710296126
- <SD-Card>/VisitActivity/####/1927850628
- <SD-Card>/VisitActivity/####/2000666684
- <SD-Card>/VisitActivity/####/2008167131
- <SD-Card>/VisitActivity/####/2033468734
- <SD-Card>/VisitActivity/####/2057093551
- <SD-Card>/VisitActivity/####/277494370
- <SD-Card>/VisitActivity/####/312889069
- <SD-Card>/VisitActivity/####/387788190
- <SD-Card>/VisitActivity/####/56882971
- <SD-Card>/VisitActivity/####/706242680
- <SD-Card>/VisitActivity/####/747710822
- <SD-Card>/VisitActivity/####/760701660
- <SD-Card>/libs/<Package>.bin
- <SD-Card>/libs/<Package>.db
- <SD-Card>/libs/app.db
- <SD-Card>/libs/com.getui.sdk.deviceId.db
- <SD-Card>/libs/com.igexin.sdk.deviceId.db
- <SD-Card>/libs/test.log
- <SD-Card>/manhuamiao/####/0.txt
- <SD-Card>/manhuamiao/####/150686.txt
- <SD-Card>/manhuamiao/####/69117p.txt
- <SD-Card>/manhuamiao/####/69117s.txt
- <SD-Card>/manhuamiao/####/96418p.txt
- <SD-Card>/manhuamiao/####/96418s.txt
- <SD-Card>/manhuamiao/####/comicShareCP.txt
- <SD-Card>/manhuamiao/####/config.txt
- <SD-Card>/manhuamiao/####/rdoconfig.txt
- <SD-Card>/manhuamiao/####/showgame.txt
- <SD-Card>/manhuamiao/.nomedia
- <SD-Card>/system/####/tdata_Soq141
- <SD-Card>/system/####/tdata_TSb400
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/gdaemon_20161017 0 <Package>/com.manhuamiao.getui.GetuiPushService 24675 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- mount
Загружает динамические библиотеки:
- Bugly
- RongIMLib
- getuiext2
- nbsdc2.1
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о настроках APN.
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Осуществляет доступ к информации о зарегистрированных на устройстве аккаунтах (Google, Facebook и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
