Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Mobikok.1.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) serv####.m####.com:80
- TCP(HTTP/1.1) www.4g####.net:80
- TCP(HTTP/1.1) smart####.google####.com:80
- TCP(HTTP/1.1) m####.eas####.me:80
- TCP(HTTP/1.1) www.greatmo####.mobi:80
- TCP(HTTP/1.1) int.d####.s####.####.cn:80
- TCP(HTTP/1.1) afftrac####.com:80
- TCP(HTTP/1.1) t####.sm4####.com:80
- TCP(HTTP/1.1) m.z####.cc:80
- TCP(HTTP/1.1) www.ta####.com:80
- TCP(HTTP/1.1) www.apxadtr####.net:80
- TCP(HTTP/1.1) u.nice####.me:80
- TCP(HTTP/1.1) s####.traffil####.com:80
- TCP(HTTP/1.1) www.l####.com:80
- TCP(HTTP/1.1) youcanw####.com:80
- TCP(HTTP/1.1) t.nice####.me:80
- TCP(HTTP/1.1) b.scoreca####.com.####.net:80
- TCP(HTTP/1.1) c####.jq####.com:80
- TCP(HTTP/1.1) www.bigt####.com:80
- TCP(HTTP/1.1) api.ki####.com:80
- TCP(HTTP/1.1) td.crwdc####.net:80
- TCP(HTTP/1.1) api.bi####.com:80
- TCP(HTTP/1.1) jsc.m####.com:80
- TCP(HTTP/1.1) cm.m####.com:80
- TCP(HTTP/1.1) pag####.googles####.com:80
- TCP(HTTP/1.1) s2s.go2af####.com:80
- TCP(HTTP/1.1) m####.tr####.com:80
- TCP(HTTP/1.1) tretras####.com:80
- TCP(HTTP/1.1) a####.google####.com:80
- TCP(HTTP/1.1) offer####.online:80
- TCP(HTTP/1.1) go-rill####.afft####.com:80
- TCP(HTTP/1.1) m.ta####.com:80
- TCP(HTTP/1.1) ap####.mobi:80
- TCP(HTTP/1.1) musicst####.18####.com:80
- TCP(HTTP/1.1) vi####.faceboo####.com:80
- TCP(TLS/1.0) p####.lead####.com:443
- TCP(TLS/1.0) con####.face####.net:443
- TCP(TLS/1.0) djjcyqv####.cloudf####.net:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) adser####.go####.nl:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) m.ta####.com:443
- TCP(TLS/1.0) pag####.googles####.com:443
- TCP(TLS/1.0) i.vime####.com:443
- TCP(TLS/1.0) www.google-####.com:443
- TCP(TLS/1.0) a####.google####.com:443
- TCP(TLS/1.0) d####.fl####.com:443
- TCP(TLS/1.0) adser####.go####.com:443
- TCP(TLS/1.0) c.n####.com:443
- TCP(TLS/1.0) smarto####.site:443
Запросы DNS:
- a####.google####.com
- adser####.go####.com
- adser####.go####.nl
- afftrac####.com
- ap####.mobi
- api.bi####.com
- api.ki####.com
- b.scoreca####.com
- bcp.crwdc####.net
- bestper####.site
- c####.jq####.com
- c####.mm####.com
- c.c####.com
- c.n####.com
- cdn.m####.com
- cm.m####.com
- cm.ste####.com
- con####.face####.net
- d####.fl####.com
- djjcyqv####.cloudf####.net
- f####.google####.com
- go-rill####.afft####.com
- googl####.g.doublec####.net
- i.vime####.com
- ilv####.com
- imgg####.m####.com
- int.d####.s####.####.cn
- jsc.m####.com
- m####.eas####.me
- m.ta####.com
- m.z####.cc
- musicst####.18####.com
- offer####.online
- p####.lead####.com
- pag####.googles####.com
- s####.traffil####.com
- s13.c####.com
- s19.c####.com
- s2s.go2af####.com
- serv####.m####.com
- smart####.google####.com
- smarto####.site
- t####.sm4####.com
- t.nice####.me
- tj.wu####.com
- trac####.want-to####.com
- u.nice####.me
- vi####.faceboo####.com
- www.4g####.net
- www.apxadtr####.net
- www.bigt####.com
- www.duol####.com
- www.google-####.com
- www.greatmo####.mobi
- www.l####.com
- www.six####.com
- www.ta####.com
- youcanw####.com
- z7.c####.com
- z8.c####.com
Запросы HTTP GET:
- a####.google####.com/ajax/libs/jqueryui/1.11.2/jquery-ui.min.js
- afftrac####.com/mnz/v1?placement=####&source=####
- ap####.mobi/red/fc487c12-bfa1-11e5-a414-0cc47a44dbaa/?alg=####&clickid=#...
- api.bi####.com/sdkOffer?os=####&model=####&gaid=####&imei=####&androidId...
- api.ki####.com/click?tid=####
- api.ki####.com/express?tid=####
- b.scoreca####.com.####.net/b2?c1=7&c2=15208452&c3=110&ns__t=151083551797...
- b.scoreca####.com.####.net/b?c1=####&c2=####&c3=####&ns__t=####&ns_c=###...
- b.scoreca####.com.####.net/b?c1=7&c2=15208452&c3=110&ns__t=1510835517974...
- b.scoreca####.com.####.net/beacon.js
- c####.jq####.com/jquery-1.11.1.min.js
- c####.jq####.com/mobile/1.4.5/jquery.mobile-1.4.5.min.js
- cm.m####.com/i.js
- cm.m####.com/setmuidn/?muidn=####
- go-rill####.afft####.com/click?aid=####&linkid=####&s2=####&s1=####
- int.d####.s####.####.cn/iplookup/iplookup.php?format=####
- jsc.m####.com/2221/2221164_370x200.jpg
- jsc.m####.com/2221/2221166_370x200.jpg
- jsc.m####.com/2386/2386485_370x200.jpg
- jsc.m####.com/2555/2555468_370x200.jpg
- jsc.m####.com/2565/2565388_370x200.jpg
- jsc.m####.com/images/mgid_logo_mini_43x20.png
- jsc.m####.com/s/i/sixtest.com.193931.js?t=####
- jsc.m####.com/s/i/sixtest.com.194023.js?t=####
- m####.eas####.me/uploads/cc86d2caedc89e450893edff40f4beba.jar
- m####.eas####.me/uploads/e5d949e68cf89532cb24ae415977e87f.jar
- m####.eas####.me/uploads/ea4fd36ab988b1bc78088f4253c8c95b.jar
- m####.eas####.me/uploads/f4f1f0cc5315a131a34cc31237852002.jar
- m####.tr####.com/click/aZEu8ZTY1uY5yOfR?affid=####&&c1=####
- m####.tr####.com/main/d.php?s=1&link=http://youcanwinthis.com/nl/tr_free...
- m.ta####.com/?sprefer=####
- m.z####.cc/static/h5_games/dh/css/main.min.css?151511####
- m.z####.cc/static/h5_games/dh/js/zl_hm.js?151511####
- musicst####.18####.com/uploads/images/20171220/q9xuarrmkaxrnqwa.png
- offer####.online/r/483d5812-0193-11e8-b56d-1144566c8356/0/
- offer####.online/r/483d5812-0193-11e8-b56d-1144566c8356/1/
- offer####.online/r/48577184-0193-11e8-be19-11452e43f473/0/
- offer####.online/r/48577184-0193-11e8-be19-11452e43f473/1/
- pag####.googles####.com/pagead/js/adsbygoogle.js
- pag####.googles####.com/pagead/js/r20180122/r20170110/show_ads_impl.js
- s####.traffil####.com/TrafficCop.aspx?CampaignUid=####&SourceId=####&Pub...
- s2s.go2af####.com/click?pid=####&offer_id=####
- s2s.go2af####.com/click?pid=####&offer_id=####&sub1=####&sub2=####
- serv####.m####.com/193931/1?w=660&h=182&cols=2&pv=5&cbuster=151083551737...
- serv####.m####.com/194023/1?w=660&h=182&cols=2&pv=5&cbuster=151083553535...
- smart####.google####.com/?utm_medium=####&utm_campaign=####&1=####&cid=#...
- t####.sm4####.com/click?cid=####&s1=####&s2=####
- t.nice####.me/b623b7c7-a461-4c1b-9085-faf4bd87a08b
- td.crwdc####.net/map/c=9380/tp=MGID/tpid=i0otsqAu9RLl
- td.crwdc####.net/map/ct=y/c=9380/tp=MGID/tpid=i0otsqAu9RLl
- tretras####.com/55K39/N-7P/Oerf/YaaPe2WRVZ5lZxs3BIiYiZ7_bHHhvSwwgn5hPHpE...
- www.apxadtr####.net/iclk/redirect.php?apxcode=####&id=####&dv2=####
- www.apxadtr####.net/iclk/redirect.php?code=####&id=####&dv2=####
- www.greatmo####.mobi/?sl=####&data1=####&data2=####&data3=####
- www.l####.com/
- www.l####.com/?ac=####&id=####&channel=####
- www.l####.com/?channel=####&cid=####
- www.l####.com/a/topic.js?t=####
- www.l####.com/static/games/images/def.png
- www.l####.com/static/js/dh_main.js?151511####
- www.l####.com/static/smalltests/css/style.css?151684####
- www.l####.com/static/smalltests/fonts/game.ttf?6vu####
- www.l####.com/static/zl/comm/js/jquery-3.2.1.min.js?151684####
- www.l####.com/static/zl/comm/js/layer/layer.js?151684####
- www.l####.com/static/zl/comm/js/layer/need/layer.css?2####
- www.l####.com/static/zl/comm/js/lazyload.min.js?151684####
- www.ta####.com/
- youcanw####.com/bundles/common.css?v=####
- youcanw####.com/bundles/common.js?v=####
- youcanw####.com/bundles/tester.js?v=####
- youcanw####.com/bundles/tester_brand_spotify.css?v=####
- youcanw####.com/bundles/tester_color_white.css?v=####
- youcanw####.com/bundles/tester_extra_empty.css?v=####
- youcanw####.com/bundles/tester_layout_layout-technique.css?v=####
- youcanw####.com/bundles/tester_main_style.css?v=####
- youcanw####.com/nl/tr_freemusic?clickid=####&networkid=####&pubid=####&e...
- youcanw####.com/uploads/landings/1457/main/1_b85b654cbd76545544c283d4668...
- youcanw####.com/uploads/landings/1457/main/2_99447c4d4142187461e4038ce33...
- youcanw####.com/uploads/landings/1457/main/3_99447c4d4142187461e4038ce33...
- youcanw####.com/uploads/landings/1457/preLander/1_b85b654cbd76545544c283...
Запросы HTTP POST:
- api.bi####.com/un
- m####.eas####.me/task/get
- m####.eas####.me/task/update
- u.nice####.me/api/message
- vi####.faceboo####.com/api/o
- vi####.faceboo####.com/api/va
- www.4g####.net/ad/adc?gffw=####&frrw=####&zfbd=####&dlkvv=####&wdazz=###...
- www.bigt####.com/ad/adc?gffw=####&frrw=####&zfbd=####&dlkvv=####&wdazz=#...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/index
- <Package Folder>/cache/MaiKen.jar
- <Package Folder>/cache/Mobikoko.jar
- <Package Folder>/cache/Sol.jar
- <Package Folder>/cache/cloudMob.jar
- <Package Folder>/databases/db_systemservice-journal
- <Package Folder>/databases/easv.data-journal
- <Package Folder>/databases/plug.dataBase
- <Package Folder>/databases/plug.dataBase-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/vok2v.o
- <Package Folder>/files/.YFlurrySenderIndex.info.AnalyticsData_A...WR_226
- <Package Folder>/files/.YFlurrySenderIndex.info.AnalyticsMain
- <Package Folder>/files/.yflurrydatasenderblock.64f9ba13-3a70-46...5dcbe9
- <Package Folder>/files/DEAB89CE10FEAA11
- <Package Folder>/files/cc.jar
- <Package Folder>/shared_prefs/MobikokCache_Type_2.xml
- <Package Folder>/shared_prefs/MobikokConfig_Type_2.xml
- <Package Folder>/shared_prefs/MobikokConfig_Type_2.xml.bak
- <Package Folder>/shared_prefs/MobikokConfig_Type_2.xml.bak (deleted)
- <Package Folder>/shared_prefs/SpZvPrefs.xml
- <Package Folder>/shared_prefs/UIDPREFERENCES.xml
- <Package Folder>/shared_prefs/cool_share.xml
- <Package Folder>/shared_prefs/local_storage0.xml
- <Package Folder>/shared_prefs/local_storage1.xml
- <Package Folder>/shared_prefs/local_storage33.xml
- <Package Folder>/shared_prefs/local_storage999.xml
- <Package Folder>/shared_prefs/sp.xml
- <Package Folder>/shared_prefs/sp.xml.bak
- <Package Folder>/shared_prefs/w2g6c1f3x0.xml
Другие:
Запускает следующие shell-скрипты:
- cat /sys/class/net/wlan0/address
Загружает динамические библиотеки:
- daemon_api20
Использует следующие алгоритмы для шифрования данных:
- DES-CBC-PKCS5Padding
- DESede
Использует следующие алгоритмы для расшифровки данных:
- DES
- DES-CBC-PKCS5Padding
- DESede
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
Осуществляет доступ к информации об отправленых/принятых смс.
