Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.MobiDash.2.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) udc.s####.b####.com:80
- TCP(HTTP/1.1) c####.b####.com:80
- TCP(HTTP/1.1) m.b####.com:80
- TCP(HTTP/1.1) u.d####.com:80
- TCP(HTTP/1.1) uf####.b####.com:80
- TCP(HTTP/1.1) tu.d####.cn:80
- TCP(HTTP/1.1) nrc.d####.com:80
- TCP(HTTP/1.1) st####.s####.b####.com:80
- TCP(TLS/1.0) so####.bdst####.com:443
Запросы DNS:
- api.s####.b####.com
- app.s####.b####.com
- c####.b####.com
- f####.d####.com
- m.b####.com
- nrc.d####.com
- p####.dianx####.com
- so####.bdst####.com
- st####.s####.b####.com
- tls.d####.com
- tu.d####.cn
- u.d####.com
- udc.s####.b####.com
- uf####.b####.com
Запросы HTTP GET:
- nrc.d####.com/feedback/notify?model=####&is=####&signmd5=####&op=####&ve...
- nrc.d####.com/get?model=####&is=####&signmd5=####&op=####&vendor=####&lo...
- st####.s####.b####.com/approot/100032/a6/ec/2_com.baidu.superservice_5.2...
- st####.s####.b####.com/build/1502/4d/d9/201703281549.zip
- tu.d####.cn/ggjc/update/20151127/7672b8ff8aa64ae89d886be1700d0f00-47.db?...
- tu.d####.cn/ggjc/update/20170719/db00e716eea6b6c46fe075dda0aaf3c7-23.db?...
- u.d####.com/api/apps/check_update?ver=####&sig=####&uv=####&sd=####&mode...
- udc.s####.b####.com/root/setting?appkey=####×tamp=####&sign=####
- udc.s####.b####.com/root/supercheck?appkey=####×tamp=####&cate=####...
- udc.s####.b####.com/root/supercheck?appkey=####×tamp=####&type=####...
- udc.s####.b####.com/v1/sdk/pl?d=####&vl=####&sign=####&appkey=####×...
- udc.s####.b####.com/v1/zeus/ml?appkey=####×tamp=####&sign=####
- udc.s####.b####.com/zeus/upgrade?appkey=####×tamp=####&sign=####&ap...
Запросы HTTP POST:
- c####.b####.com/batsdk/api_int/newsync2
- m.b####.com/api?action=####&from=####&token=####&type=####&index=####
- m.b####.com/api?from=####&token=####&type=####&index=####
- nrc.d####.com/2.0/cu?auth_ver=####&appkey=####&nonce=####&model=####&is=...
- nrc.d####.com/api/data?token=####&tk=bPcW####&sv=####
- nrc.d####.com/api/tokens?tk=bPcW####&sv=####
- udc.s####.b####.com/v1/report?appkey=####×tamp=####&sign=####&msg_i...
- udc.s####.b####.com/v1/zeus/build?appkey=####×tamp=####&sign=####
- udc.s####.b####.com/v1/zeus/slg?appkey=####×tamp=####&sign=####
- uf####.b####.com/?m=####&a=####
Изменения в файловой системе:
Создает следующие файлы:
- /system/etc/.has_dxsu_daemon
- /system/etc/install-recovery.sh
- /system/xbin/su
- <Package Folder>/app_app_apk/root1509858246.dat.jar
- <Package Folder>/app_ye_download/db_apptrash
- <Package Folder>/app_ye_download/db_process_whitelist
- <Package Folder>/cache/chattr
- <Package Folder>/cache/install-recovery.sh
- <Package Folder>/cache/su
- <Package Folder>/code_cache/####/MultiDex.lock
- <Package Folder>/code_cache/####/tmp-<Package>-1.apk.classes277597541.zip
- <Package Folder>/databases/app_control.db
- <Package Folder>/databases/app_control.db-journal
- <Package Folder>/databases/app_launch_cache.db-journal
- <Package Folder>/databases/baidu_localscan.db-journal
- <Package Folder>/databases/bw.db
- <Package Folder>/databases/bw.db (deleted)
- <Package Folder>/databases/bw.db-journal
- <Package Folder>/databases/d
- <Package Folder>/databases/d-journal
- <Package Folder>/databases/i
- <Package Folder>/databases/i-journal
- <Package Folder>/databases/jp.db
- <Package Folder>/databases/jp.db (deleted)
- <Package Folder>/databases/jp.db-journal
- <Package Folder>/databases/notify_items.sp-journal
- <Package Folder>/databases/perm.db-journal
- <Package Folder>/databases/pg.db-journal
- <Package Folder>/databases/root_report.db-journal
- <Package Folder>/databases/sk
- <Package Folder>/databases/sk-journal
- <Package Folder>/databases/smart_priv.db
- <Package Folder>/databases/smart_priv.db (deleted)
- <Package Folder>/databases/smart_priv.db-journal
- <Package Folder>/databases/ye_app_trash.db
- <Package Folder>/databases/ye_app_trash.db-journal
- <Package Folder>/databases/ye_largedirs.db
- <Package Folder>/databases/z
- <Package Folder>/databases/z-journal
- <Package Folder>/databases/zeus_unfinish_transaction.db-journal
- <Package Folder>/files/####/libr9.so
- <Package Folder>/files/####/libr9um.so
- <Package Folder>/files/####/loadr9
- <Package Folder>/files/####/r9-718ab04r9.ad.odex
- <Package Folder>/files/####/r9.jar
- <Package Folder>/files/####/sptool
- <Package Folder>/files/####/superservice.apk
- <Package Folder>/files/####/uni
- <Package Folder>/files/####/uniz742763729.out
- <Package Folder>/files/RHXfrXXLz
- <Package Folder>/files/authrate.dat
- <Package Folder>/files/be03bdfb7aec72fd9195311f2656619a
- <Package Folder>/files/bp-4.0-arm.src
- <Package Folder>/files/bp10
- <Package Folder>/files/bw.db
- <Package Folder>/files/chattr
- <Package Folder>/files/insdog
- <Package Folder>/files/jp.db
- <Package Folder>/files/permdata.dat
- <Package Folder>/files/proguard
- <Package Folder>/files/reinstall
- <Package Folder>/files/smart_priv.db
- <Package Folder>/files/smartpriv-1043679294.out
- <Package Folder>/files/smartpriv1777292411.out
- <Package Folder>/files/smartpriv913277897.out
- <Package Folder>/files/su
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/app-update-prefs.xml
- <Package Folder>/shared_prefs/batsdk_app_life.xml
- <Package Folder>/shared_prefs/batsdk_crash_switch.xml
- <Package Folder>/shared_prefs/batsdk_user_info.xml
- <Package Folder>/shared_prefs/config_update.xml
- <Package Folder>/shared_prefs/d.xml
- <Package Folder>/shared_prefs/h.xml
- <Package Folder>/shared_prefs/i.xml
- <Package Folder>/shared_prefs/loadercfg.xml
- <Package Folder>/shared_prefs/local_config.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/root_report.xml
- <Package Folder>/shared_prefs/root_report.xml.bak
- <Package Folder>/shared_prefs/root_report.xml.bak (deleted)
- <Package Folder>/shared_prefs/rt.xml
- <Package Folder>/shared_prefs/superrootcfg.xml
- <Package Folder>/shared_prefs/superrootcfg.xml.bak
- <Package Folder>/shared_prefs/utils.xml
- <Package Folder>/shared_prefs/ye_db_configs.xml
- <Package Folder>/shared_prefs/ye_trash.xml
- <Package Folder>/shared_prefs/zeuscfg.xml
- <SD-Card>/.userReturn
- <SD-Card>/AndroidOptimizer/####/.trash_common_path_data
- <SD-Card>/baidu/.cuid
- <SD-Card>/baidu/su_log.txt
- <SD-Card>/dianxin/####/beeb3a80c2449fd5cad85f97fc3a601c.0
- <SD-Card>/dianxin/####/journal
- <SD-Card>/dianxin/####/journal.tmp
Другие:
Запускает следующие shell-скрипты:
- /system/bin/bp10 --check-version
- /system/bin/cat /proc/meminfo
- /system/bin/cat /sys/block/mmcblk0/device/cid
- /system/bin/cat /sys/block/mmcblk1/device/cid
- /system/bin/cat /sys/block/mmcblk2/device/cid
- /system/bin/cat /sys/block/mmcblk3/device/cid
- /system/bin/getenforce
- /system/bin/su
- /system/xbin/su
- /system/xbin/su --daemon
- /system/xbin/su -v
- <Package Folder>/cache/chattr +ai /system/xbin/su
- <Package Folder>/cache/chattr -ai /system/bin/su
- <Package Folder>/cache/chattr -ai /system/xbin/su
- <Package Folder>/files/bp10 --check-version
- <Package Folder>/files/insdog data/data/<Package>/ <Package> 1 1 fbc9c1b300253191762e2585c653abdd 598153950705653 100032 b64b1ca89c496c978f4d4c27df023349 f7d16bd9-b830-40fb-9bca-609503290782 18 tk=8FHS+uAmdoVL5OnXwoDb8g==&v=5.2.1&mode=<System Property>&pkg=<Package>&sdk=4.3.1&random=1510836083461
- chmod 664 <Package Folder>/files/zyi/libr9-56ab088r9.ad.so
- chmod 664 <Package Folder>/files/zyi/libr9um.so
- chmod 664 <Package Folder>/files/zyi/loadr9
- chmod 664 <Package Folder>/files/zyi/r9-718ab04r9.ad.jar
- chmod 664 <Package Folder>/files/zyi/sptool
- chmod 6755 /system/xbin/su
- chmod 751 <Package Folder>/files/insdog
- chmod 755 /system/etc/install-recovery.sh
- chmod 755 <Package Folder>/files/.tmp//uni
- chmod 755 <Package Folder>/files/bp10
- chmod 755 <Package Folder>/files/chattr
- chmod 755 <Package Folder>/files/proguard
- chmod 755 <Package Folder>/files/reinstall
- chmod 755 <Package Folder>/files/su
- chmod 766 <Package Folder>/files/.tmp//superservice.apk
- chmod 777 <Package Folder>/files/.tmp/uni
- dumpsys package com.baidu.superroot
- dumpsys package com.baidu.superservice
- dumpsys package com.dianxinos.superuser
- dumpsys package com.zhiqupk.root
- id
- ln -s /system/xbin/su /system/bin/su
- ls -l <Package Folder>
- mount -o remount,ro /dev/block/sda1 /system
- mount -o remount,rw /dev/block/sda1 /system
- ps
- rm /system/bin/su
- rm /system/xbin/su
- sh
- sh -c dumpsys package com.baidu.superroot 2>/dev/null
- sh -c dumpsys package com.baidu.superservice 2>/dev/null
- sh -c dumpsys package com.dianxinos.superuser 2>/dev/null
- sh -c dumpsys package com.zhiqupk.root 2>/dev/null
- sh <Package Folder>/files/bp10 --check-version
- sh <Package Folder>/files/insdog data/data/<Package>/ <Package> 1 1 fbc9c1b300253191762e2585c653abdd 598153950705653 100032 b64b1ca89c496c978f4d4c27df023349 f7d16bd9-b830-40fb-9bca-609503290782 18 tk=8FHS+uAmdoVL5OnXwoDb8g==&v=5.2.1&mode=<System Property>&pkg=<Package>&sdk=4.3.1&random=1510836083461
- su
- su -v
- sync
- touch /system/etc/.has_dxsu_daemon
Загружает динамические библиотеки:
- RHXfrXXLz
- blowfish
- libROOTJni
- libTrustGoJni
- libbaiduzeus
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- RSA
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CFB-NoPadding
- RSA-ECB-PKCS1Padding
Использует повышенные привилегии.
Использует права администратора.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о настроках APN.
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
