Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Appsad.11.origin
- Android.DownLoader.465.origin
- Android.DownLoader.478.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) cdn.melod####.com:80
- TCP(HTTP/1.1) p####.musi####.du####.com:80
- TCP(HTTP/1.1) 2####.177.13.68:8288
- TCP(HTTP/1.1) t####.bruce####.com:80
- TCP(HTTP/1.1) dpl.b####.com:80
- TCP(HTTP/1.1) afftrac####.com:80
- TCP(HTTP/1.1) theappw####.com:80
- TCP(HTTP/1.1) us-scp####.ali####.com:80
- TCP(HTTP/1.1) besta####.com:80
- TCP(HTTP/1.1) img####.lst.fm.####.net:80
- TCP(HTTP/1.1) s####.mob####.b####.com:80
- TCP(HTTP/1.1) c####.jq####.com:80
- TCP(HTTP/1.1) a####.google####.com:80
- TCP(HTTP/1.1) www.ip####.com:80
- TCP(HTTP/1.1) l.a####.com:80
- TCP(HTTP/1.1) u####.b####.com:80
- TCP(HTTP/1.1) www.musicoo####.com:80
- TCP(HTTP/1.1) api.mob####.b####.com:80
- TCP(HTTP/1.1) kar####.com:80
- TCP(HTTP/1.1) pl####.mob####.b####.com:80
- TCP(HTTP/1.1) api.mo####.sdk.####.com:80
- TCP(HTTP/1.1) pub.reachef####.com:80
- TCP(HTTP/1.1) www.mmmmmm####.com:80
- TCP(HTTP/1.1) pic.a####.com:80
- TCP(HTTP/1.1) www.admobim####.com:80
- TCP(HTTP/1.1) go-rill####.afft####.com:80
- TCP(TLS/1.0) m.ali####.com:443
- TCP(TLS/1.0) www.liveade####.com:443
- TCP(TLS/1.0) c.n####.com:443
- TCP(TLS/1.0) us-scp####.ali####.com:443
- TCP(TLS/1.0) c####.b####.com:443
- TCP(TLS/1.0) gj.mm####.com:443
- TCP(TLS/1.0) ssl.google-####.com:443
- TCP(TLS/1.0) r1---sn####.googlev####.com:443
- TCP(TLS/1.0) api.face####.com:443
- TCP(TLS/1.0) i.y####.com:443
- TCP(TLS/1.0) wild####.al####.com.####.net:443
Запросы DNS:
- a####.google####.com
- afftrac####.com
- api.mo####.sdk.####.com
- api.mob####.b####.com
- as####.al####.com
- besta####.com
- c####.ali####.com
- c####.ali####.com
- c####.b####.com
- c####.jq####.com
- c.n####.com
- cdn.melod####.com
- dpl.b####.com
- g####.face####.com
- gj.mm####.com
- go-rill####.afft####.com
- i.y####.com
- img####.lst.fm
- img.melod####.com
- kar####.com
- l.a####.com
- m.ali####.com
- m.amt####.com
- p####.musi####.du####.com
- pic.a####.com
- pl####.mob####.b####.com
- pub.reachef####.com
- r1---sn####.googlev####.com
- redire####.googlev####.com
- s####.mob####.b####.com
- ssl.google-####.com
- t####.bruce####.com
- theappw####.com
- tra####.bruce####.com
- u####.b####.com
- u.al####.com
- www.admobim####.com
- www.ip####.com
- www.liveade####.com
- www.mmmmmm####.com
- www.musicoo####.com
Запросы HTTP GET:
- a####.google####.com/ajax/libs/jqueryui/1.11.2/jquery-ui.min.js
- afftrac####.com/mnz/v1?placement=####&source=####
- api.mo####.sdk.####.com/adunion/slot/getDlAd?h=####&w=####&model=####&ve...
- api.mo####.sdk.####.com/adunion/slot/getSrcPrio?h=####&w=####&model=####...
- api.mob####.b####.com/index.php?r=####&appid=####
- api.mob####.b####.com/strategy/api/v1/rule/get?p=####&hp=####&l=####&c=#...
- besta####.com/?r=####&zoneid=####&pbk3=####&empty=####&var=####&ymid=###...
- besta####.com/afu.php?zoneid=####&var=####&ymid=####
- c####.jq####.com/jquery-1.11.1.min.js
- c####.jq####.com/mobile/1.4.5/jquery.mobile-1.4.5.min.js
- cdn.melod####.com/api/getimg?id=####
- cdn.melod####.com/it/u=1106813296,4136742686&fm=0
- cdn.melod####.com/it/u=1320188806,2113554748&fm=0
- cdn.melod####.com/it/u=1439927797,831975440&fm=0
- cdn.melod####.com/it/u=1989213506,1802282262&fm=0
- cdn.melod####.com/it/u=1994487687,312024960&fm=0
- cdn.melod####.com/it/u=2093123711,2376394586&fm=0
- cdn.melod####.com/it/u=2198423453,612116307&fm=0
- cdn.melod####.com/it/u=2222711848,3610725882&fm=0
- cdn.melod####.com/it/u=2285882911,2091349739&fm=0
- cdn.melod####.com/it/u=2291294654,758576833&fm=0
- cdn.melod####.com/it/u=2313332953,3110960381&fm=0
- cdn.melod####.com/it/u=2349714895,1205602247&fm=0
- cdn.melod####.com/it/u=2365646421,2153922483&fm=0
- cdn.melod####.com/it/u=3720864484,1610881239&fm=0
- cdn.melod####.com/it/u=4188779745,3691172266&fm=0
- cdn.melod####.com/it/u=63596428,924173244&fm=0
- cdn.melod####.com/it/u=762803048,1527074941&fm=0
- cdn.melod####.com/it/u=778982934,2708272449&fm=0
- cdn.melod####.com/it/u=84550378,3979334010&fm=0
- cdn.melod####.com/it/u=84775942,3486327613&fm=0
- cdn.melod####.com/it/u=979702313,3019215326&fm=0
- dpl.b####.com/M01/01/AF/CvJJDVobwKaAZK7jABLXMEmvcM44.0.zip
- go-rill####.afft####.com/click?aid=####&linkid=####&s1=####&s2=####
- img####.lst.fm.####.net/i/u/500x500/5547a37c4c474a6b8e3c626788c372a7.jpg
- kar####.com/15w53/sV8D/v1sT/5xdC_TLKvA-oemeEdPmTzaWAxDjgzlKwYe9jihv-iM_b...
- pic.a####.com/img2/t4964v731.png
- pub.reachef####.com/ra/369/1042/p/m/7798D839-35C1-5275-6DC9-14F3-25F8FEF...
- t####.bruce####.com/ck.php?line_item_id=####&click_id=####&subid_spx=####
- t####.bruce####.com/ck.php?line_item_id=####&subid_spx=####&click_id=####
- t####.bruce####.com/ck_jump?id=cz0y####&__if=####&__type=####
- theappw####.com/red/90269fac-3a23-11e6-8be6-0cc47a44dbaa/?alg=####&sourc...
- u####.b####.com/setting/grobal_strategy?p=####&hp=####&l=####&c=####&pro...
- us-scp####.ali####.com/rd/kdopppr6?pid=####&tp1=####&cv=####&cn=####
- www.ip####.com/json
- www.musicoo####.com/dutube/api/appversion?pro=####
- www.musicoo####.com/dutube/api/musicapp?la=####&env=####
- www.musicoo####.com/dutube/api/musicapplist?type=####&artist_id=####&la=...
- www.musicoo####.com/dutube/api/musicapplist?type=####&artist_id=####&pn=...
- www.musicoo####.com/dutube/api/musicapplist?type=####&pn=####&rn=####&la...
- www.musicoo####.com/dutube/api/musicapplist?type=####&rn=####&pn=####&&l...
- www.musicoo####.com/dutube/api/musicapplist?type=####&rn=####&pn=####&ar...
- www.musicoo####.com/dutube/api/musicapplist?type=####&rn=####&pn=####&la...
- www.musicoo####.com/dutube/api/musicdl?vid=####&type=####&single=####&lv...
- www.musicoo####.com/dutube/api/musicsearch?&rn=####&pn=####&q=####&ts=##...
Запросы HTTP POST:
- l.a####.com/l.php
- p####.musi####.du####.com/api/data?token=####&tk=Bnr5####&sv=####
- p####.musi####.du####.com/api/tokens?tk=Bnr5####&sv=####
- pl####.mob####.b####.com/ad_app_dex_new.php
- s####.mob####.b####.com/cgi-bin-py/ad_sdk.cgi?ty=####&enc=####&bt=####
- www.admobim####.com/surl/api2_reg.action?ecy=####
- www.mmmmmm####.com/osp/oaen_get.action?tasktype=####&imei=####&imsi=####...
- www.mmmmmm####.com/osp/oaen_reg.action
- www.mmmmmm####.com/osp/oaen_reg.action?tasktype=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.mbj/####/classes.zip
- <Package Folder>/app_libs/.atmp9.jar
- <Package Folder>/app_libs/.atmp_8.log
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/index
- <Package Folder>/cache/temp.jar
- <Package Folder>/databases/d-journal
- <Package Folder>/databases/download-journal
- <Package Folder>/databases/google_analytics_v4.db-journal
- <Package Folder>/databases/i-journal
- <Package Folder>/databases/my.db-journal
- <Package Folder>/databases/sk
- <Package Folder>/databases/sk-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/z
- <Package Folder>/databases/z-journal
- <Package Folder>/files/####/51.x-5.2.0.apk
- <Package Folder>/files/####/PlugShareData
- <Package Folder>/files/####/plugxml.xml
- <Package Folder>/files/Plugin.zip
- <Package Folder>/files/fb1.db
- <Package Folder>/files/gaClientId
- <Package Folder>/files/google.db
- <Package Folder>/files/prinstall.db
- <Package Folder>/shared_prefs/ActivatePreUtil.xml
- <Package Folder>/shared_prefs/AdsBusiness-data.xml
- <Package Folder>/shared_prefs/BusinessPreUtil.xml
- <Package Folder>/shared_prefs/D810hunter_config.xml
- <Package Folder>/shared_prefs/D810other_config.xml
- <Package Folder>/shared_prefs/D810service_config.xml
- <Package Folder>/shared_prefs/D810sp_config.xml
- <Package Folder>/shared_prefs/FBAdPrefs.xml
- <Package Folder>/shared_prefs/LoginPreUtil.xml
- <Package Folder>/shared_prefs/OfferPreUtil.xml
- <Package Folder>/shared_prefs/SDKIDFA.xml
- <Package Folder>/shared_prefs/_toolbox_prefs.xml
- <Package Folder>/shared_prefs/ad_setting.xml
- <Package Folder>/shared_prefs/aps.xml
- <Package Folder>/shared_prefs/apsad.xml
- <Package Folder>/shared_prefs/apscomm.xml
- <Package Folder>/shared_prefs/arrkiiad.xml
- <Package Folder>/shared_prefs/batsdk_app_life.xml
- <Package Folder>/shared_prefs/batsdk_crash_switch.xml
- <Package Folder>/shared_prefs/batsdk_user_info.xml
- <Package Folder>/shared_prefs/caller_sdk.xml
- <Package Folder>/shared_prefs/com.google.android.gms.analytics.prefs.xml
- <Package Folder>/shared_prefs/d.xml
- <Package Folder>/shared_prefs/device_info.xml
- <Package Folder>/shared_prefs/h.xml
- <Package Folder>/shared_prefs/i.xml
- <Package Folder>/shared_prefs/musicool_preference.xml
- <Package Folder>/shared_prefs/rt.xml
- <Package Folder>/shared_prefs/settingsLog.xml
- <Package Folder>/shared_prefs/t_ini.xml
- <Package Folder>/shared_prefs/utils.xml
- <Package Folder>/shared_prefs/v71.xml
- <SD-Card>/.androidsystem/####/files.db
- <SD-Card>/.androidsystem/####/gads.db
- <SD-Card>/.androidsystem/####/syncfiles_dap.db
- <SD-Card>/.userReturn
- <SD-Card>/LogN/####/sp
- <SD-Card>/MusiCool/####/-5ECh1U3dgWHJOoZ1cUAL6gCJmQ.-1483550443.tmp
- <SD-Card>/MusiCool/####/1n9bEt785LYVk9kN6odX6QTmPRI.-256746056.tmp
- <SD-Card>/MusiCool/####/6IojDseil_It6INV8BXhPsD8SKo.774549788.tmp
- <SD-Card>/MusiCool/####/7nkLFLLaE9r5iOTcW5jUG-3GrMU.971490209.tmp
- <SD-Card>/MusiCool/####/98txr73ZLtjU55xL_3KQA63n21A.1846641460.tmp
- <SD-Card>/MusiCool/####/A7onHtwF1zc5HPLnn0zUAioPgMo.-364727342.tmp
- <SD-Card>/MusiCool/####/CK5G6SXReIhVo2SmqHQBG5wybMM.-1235841884.tmp
- <SD-Card>/MusiCool/####/HsfcrYOrsd-EapJC4occnP7ffX4.1105510560.tmp
- <SD-Card>/MusiCool/####/K-gJ_l4oWAkJB45n1_CMcZztpRg.-1864599343.tmp
- <SD-Card>/MusiCool/####/KGD3ZN7zKDWXchYpW3Zr32tqkEQ.313812324.tmp
- <SD-Card>/MusiCool/####/MUbEauNzVG2hH9u3tW3fBZ7RNAo.18745178.tmp
- <SD-Card>/MusiCool/####/NSXU9d3a1FICRV97o6q3KYFyZOM.-1045276375.tmp
- <SD-Card>/MusiCool/####/R2s-EfAvEZR8O3YK1eEn8s0eOxw.-565026039.tmp
- <SD-Card>/MusiCool/####/RCEVJ7-PHmHtJ5WSHHDZB90Jq9k.1902323586.tmp
- <SD-Card>/MusiCool/####/SmN0HWFDn0HBfv0AabbyiYWGqes.-1360786357.tmp
- <SD-Card>/MusiCool/####/TPIm7sdyqoaDiRxyMfqyZZy06bk.662905769.tmp
- <SD-Card>/MusiCool/####/TkpemKTk2iGKMChMFVgxxGal2EY.-399930846.tmp
- <SD-Card>/MusiCool/####/Vh2yassZPiA0on6a3JeAnI85Pm4.877724231.tmp
- <SD-Card>/MusiCool/####/WBkrRbPMoK2eE0dUBuwsvl45tiI.-1067405854.tmp
- <SD-Card>/MusiCool/####/WMiGKycBFiTp4LovnfcWaW9vL7s.-1746179421.tmp
- <SD-Card>/MusiCool/####/YMsBJ4MljGcF7FY5DFg0kiSq98c.1924277646.tmp
- <SD-Card>/MusiCool/####/YdHGcpc9iL_LH9YOe2w7G-1WQS4.813901667.tmp
- <SD-Card>/MusiCool/####/dAhaRpjtUhGqGst6g46e1BOyprw.1377798500.tmp
- <SD-Card>/MusiCool/####/fdDqZxYepn2ybRKXMawvz6dXG14.1575911075.tmp
- <SD-Card>/MusiCool/####/gLJgR7NbWuPlu0IEiHM0EAoRSTk.1136805741.tmp
- <SD-Card>/MusiCool/####/hME6saRod8qucEzLmdXit62XIu8.-1746978809.tmp
- <SD-Card>/MusiCool/####/htkwsci1vNxxA8bXjiSQp1_lJrg.1873760986.tmp
- <SD-Card>/MusiCool/####/iZst0r22wwSi-Ft6n9b3C9vGWZk.-1962323543.tmp
- <SD-Card>/MusiCool/####/jU1hJI1YbURzonN_pwh4UlOjY3A.1627251182.tmp
- <SD-Card>/MusiCool/####/kEJWf0D2XP5MwalivZmn6NTZGhQ.918605528.tmp
- <SD-Card>/MusiCool/####/kqHVqTTzMuv7xa0_t8E-zuLs9Jk.-520003196.tmp
- <SD-Card>/MusiCool/####/lZ-4bArFGXXCA1l_fyMziuNtkfE.1320973323.tmp
- <SD-Card>/MusiCool/####/lzD0mSneXQpXg7A2tHpHNnUf1cI.-2010733782.tmp
- <SD-Card>/MusiCool/####/mR9fXsk-uy7L-EUCf0NulrG5Dng.-1952538248.tmp
- <SD-Card>/MusiCool/####/nPEo8bkjK6Zvxhq2S4V5peZGj8A.-300105568.tmp
- <SD-Card>/MusiCool/####/otCo3YZSFX9pjl-3MMdDLx_NWkQ.1796101592.tmp
- <SD-Card>/MusiCool/####/qJ43VCwsn8dZhu4zyxUNZpJGfhI.-1070895034.tmp
- <SD-Card>/MusiCool/####/qzSHDacXJhHDt7kffwmXvZHnbeM.1356271871.tmp
- <SD-Card>/MusiCool/####/tasrv7JhraT7E6TpKwt8aCpfCRM.1684048419.tmp
- <SD-Card>/MusiCool/####/yityJcneoB6Yw_B81gAyUFNL5O8.-1187611905.tmp
- <SD-Card>/MusiCool/####/zL_jQPzweHcte-AgJ2L4EAGQW24.479081124.tmp
- <SD-Card>/baidu/####/journal.tmp
- <SD-Card>/baidu/.cuid
- <SD-Card>/report/.cuid
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /proc/meminfo
- /system/bin/cat /sys/block/mmcblk0/device/cid
- /system/bin/cat /sys/block/mmcblk1/device/cid
- /system/bin/cat /sys/block/mmcblk2/device/cid
- /system/bin/cat /sys/block/mmcblk3/device/cid
Загружает динамические библиотеки:
- bitmaps
- memchunk
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-ECB-NoPadding
- DES-CBC-PKCS5Padding
- RSA
- desede-ECB-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- DES
- DES-CBC-PKCS5Padding
- desede-ECB-PKCS5Padding
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о настроках APN.
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Осуществляет доступ к информации о зарегистрированных на устройстве аккаунтах (Google, Facebook и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
