Техническая информация
Вредоносные функции:
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) re####.52yu####.com:8090
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) api.52yu####.com:80
- TCP(HTTP/1.1) ia.z####.net:80
- TCP(HTTP/1.1) 1####.196.171.14:7777
- TCP(HTTP/1.1) re####.52yu####.com:80
- TCP(HTTP/1.1) w####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) 1####.196.171.201:5678
- TCP(HTTP/1.1) p.w####.com:8088
- TCP(HTTP/1.1) A####.aa.z####.com:7701
- TCP(HTTP/1.1) rtb.fas####.net:80
- TCP(HTTP/1.1) v.g####.qq.com:80
- TCP(HTTP/1.1) ic.o####.net:80
- TCP(HTTP/1.1) rs3.u####.net.####.com:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
Запросы DNS:
- 140.86.31.####.arpa
- 143.86.31.####.arpa
- 164.86.31.####.arpa
- A####.aa.z####.com
- a####.u####.com
- and####.b####.qq.com
- api.52yu####.com
- dl.huih####.com
- ia.3####.cn
- ia.trave####.cn
- ia.z####.net
- ic.aili####.com
- ic.o####.net
- ic.yu####.cn
- joy.b####.com
- l.fas####.net
- p####.g####.cn
- p.w####.com
- re####.52yu####.com
- rs3.u####.net
- v.g####.qq.com
- w####.oss-cn-####.aliy####.com
Запросы HTTP GET:
- re####.52yu####.com/newad/css/index.css
- re####.52yu####.com/newad/css/swiper.min.css
- re####.52yu####.com/newad/img/adimg2/1.png
- re####.52yu####.com/newad/img/adimg2/2.png
- re####.52yu####.com/newad/img/adimg2/3.png
- re####.52yu####.com/newad/img/adimg2/4.png
- re####.52yu####.com/newad/img/adimg2/5.png
- re####.52yu####.com/newad/img/adimg2/6.png
- re####.52yu####.com/newad/img/adimg2/7.png
- re####.52yu####.com/newad/img/adimg2/rili_banner.png
- re####.52yu####.com/newad/img/adimg3/a1 .jpg
- re####.52yu####.com/newad/img/adimg3/a2 .jpg
- re####.52yu####.com/newad/img/adimg3/a3 .jpg
- re####.52yu####.com/newad/img/adimg3/a4 .jpg
- re####.52yu####.com/newad/img/adimg3/a5 .jpg
- re####.52yu####.com/newad/img/icon_btm_1.png
- re####.52yu####.com/newad/img/icon_btm_2.png
- re####.52yu####.com/newad/img/icon_btm_3.png
- re####.52yu####.com/newad/img/icon_btm_4.png
- re####.52yu####.com/newad/img/menu_1.png
- re####.52yu####.com/newad/img/menu_2.png
- re####.52yu####.com/newad/img/menu_3.png
- re####.52yu####.com/newad/img/menu_4.png
- re####.52yu####.com/newad/img/menu_5.png
- re####.52yu####.com/newad/img/menu_6.png
- re####.52yu####.com/newad/img/menu_7.png
- re####.52yu####.com/newad/img/menu_8.png
- re####.52yu####.com/newad/index.html?id=####
- re####.52yu####.com/newad/js/indexstyle.js
- re####.52yu####.com/newad/js/swiper-3.4.1.jquery.min.js
- re####.52yu####.com/newad/js/zepto.min.js
- re####.52yu####.com/noainshangcheng/css/common.css
- re####.52yu####.com/noainshangcheng/css/style.css
- re####.52yu####.com/noainshangcheng/img/back@2x.png
- re####.52yu####.com/noainshangcheng/img/cart.png
- re####.52yu####.com/noainshangcheng/index.html?id=####
- re####.52yu####.com/noainshangcheng/js/adress.js
- re####.52yu####.com/noainshangcheng/js/demoUtils.js
- re####.52yu####.com/noainshangcheng/js/fx.js
- re####.52yu####.com/noainshangcheng/js/iscroll.js
- re####.52yu####.com/noainshangcheng/js/loaddata.js
- re####.52yu####.com/noainshangcheng/js/zepto.min.js
- re####.52yu####.com/noainshangcheng/rmhd/css/common.css
- re####.52yu####.com/noainshangcheng/rmhd/css/detailstyle.css
- re####.52yu####.com/noainshangcheng/rmhd/css/swiper.min.css
- re####.52yu####.com/noainshangcheng/rmhd/html/detail.html?ji_id=####
- re####.52yu####.com/noainshangcheng/rmhd/html/detail.json
- re####.52yu####.com/noainshangcheng/rmhd/img/R7S/0_R7S.png
- re####.52yu####.com/noainshangcheng/rmhd/img/R7S/1.jpg
- re####.52yu####.com/noainshangcheng/rmhd/img/R7S/2.jpg
- re####.52yu####.com/noainshangcheng/rmhd/img/R7S/3.jpg
- re####.52yu####.com/noainshangcheng/rmhd/img/R7S/4.jpg
- re####.52yu####.com/noainshangcheng/rmhd/img/R7S/banner.webp
- re####.52yu####.com/noainshangcheng/rmhd/js/detail.js
- re####.52yu####.com/noainshangcheng/rmhd/js/fx.js
- re####.52yu####.com/noainshangcheng/rmhd/js/httphijack1.0.0.js
- re####.52yu####.com/noainshangcheng/rmhd/js/swiper-3.4.1.jquery.min.js
- re####.52yu####.com/noainshangcheng/rmhd/js/zepto.min.js
- re####.52yu####.com:8090/nmzj/phone/1495856207872.png
- re####.52yu####.com:8090/nmzj/phone/1495868564971.png
- re####.52yu####.com:8090/nmzj/phone/1495868704504.png
- re####.52yu####.com:8090/nmzj/phone/1504852889176.png
- re####.52yu####.com:8090/nmzj/phone/1505297151549.png
- re####.52yu####.com:8090/nmzj/phone/1505297484963.png
- re####.52yu####.com:8090/nmzj/phone/1505299095930.png
- re####.52yu####.com:8090/nmzj/phone/1505299385176.png
- re####.52yu####.com:8090/nmzj/phone/1505299983069.png
- re####.52yu####.com:8090/nmzj/phone/s16pro.png
- re####.52yu####.com:8090/nmzjapi/data/accerssories/show?jsoncallback=###...
- re####.52yu####.com:8090/nmzjapi/data/advertiseBis/state?jsoncallback=##...
- re####.52yu####.com:8090/nmzjapi/data/resp/ads?uuid=####&imei=####&imsi=...
- re####.52yu####.com:8090/nmzjapi/data/resp/report?uuid=####&imei=####&im...
- re####.52yu####.com:8090/nmzjapi/data/resp/sdkaccess?uuid=####&imei=####...
- re####.52yu####.com:8090/nmzjapi/data/resp/sdkads?uuid=####&imei=####&im...
- re####.52yu####.com:8090/nmzjapi/data/resp/splash?uuid=####&imei=####&im...
- re####.52yu####.com:8090/nmzjapi/data/resp/update?uuid=####&imei=####&im...
- rtb.fas####.net/imp?e=####&pid=####&sid=####
- s####.tc.qq.com/gdt/0/DAAPxKVAUAALQABNBY9vq0DcsiSS5g.jpg/0?ck=####
- v.g####.qq.com/gdt_stats.fcg?count=####&viewid0=####
- w####.oss-cn-####.aliy####.com/ad.png
Запросы HTTP HEAD:
- rs3.u####.net.####.com/iad/1075/SK1075/0012/1/V.1.17122101(NYX)/974e86fe...
- rs3.u####.net.####.com/iad/db/20171221/apptype.db
Запросы HTTP POST:
- A####.aa.z####.com:7701/adv/dgfly
- A####.aa.z####.com:7701/index.php
- a####.u####.com/app_logs
- and####.b####.qq.com/rqd/async?aid=####
- api.52yu####.com/RequestApi.ashx
- ia.z####.net/ps/actionLog.do
- ia.z####.net/ps/active.do
- ia.z####.net/ps/appShare.do
- ia.z####.net/ps/getAppType.do
- ia.z####.net/ps/getConfig.do
- ia.z####.net/ps/getDspConfig.do
- ia.z####.net/ps/newUserApp.do
- ia.z####.net/ps/platformStat.do
- ia.z####.net/ps/platformStatConfirm.do
- ia.z####.net/ps/updatesdk.do
- ia.z####.net/ps/userAppInfo.do
- ia.z####.net/ps/userFloatPermiss.do
- ia.z####.net/ps/userMobileInfo.do
- ia.z####.net/ps/userSdkInfo.do
- ic.o####.net/domain/domainConfig.do
- p.w####.com:8088/plgn/s.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_crashrecord/1004
- <Package Folder>/app_ext/####/47e8d199a346981a279e6a2bc0fc9481
- <Package Folder>/app_ext/####/47e8d199a346981a279e6a2bc0fc9481.jar
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/data_3 (deleted)
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/index
- <Package Folder>/databases/Framework.db
- <Package Folder>/databases/Framework.db-journal
- <Package Folder>/databases/PlatformCore.db
- <Package Folder>/databases/PlatformCore.db-journal
- <Package Folder>/databases/bugly_db_-journal
- <Package Folder>/databases/downloadapk.db-journal
- <Package Folder>/databases/dsp_sdk.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/xUtils_http_cookie.db
- <Package Folder>/databases/xUtils_http_cookie.db-journal
- <Package Folder>/files/####/.294aa539fe2d133566a86a2e461662d4
- <Package Folder>/files/####/.cddcdbe624161637624a5242be28b42f
- <Package Folder>/files/####/13694abe62e8447e23c3e4c7416e4c7b.jar
- <Package Folder>/files/####/20171116
- <Package Folder>/files/####/294aa539fe2d133566a86a2e461662d4.jar.tmp
- <Package Folder>/files/####/action_stats.dat
- <Package Folder>/files/####/active_init.dat
- <Package Folder>/files/####/appType.db
- <Package Folder>/files/####/app_bid
- <Package Folder>/files/####/app_caller
- <Package Folder>/files/####/app_history.dat
- <Package Folder>/files/####/app_init.dat
- <Package Folder>/files/####/app_mid
- <Package Folder>/files/####/app_type_info.dat
- <Package Folder>/files/####/app_type_task.dat
- <Package Folder>/files/####/cddcdbe624161637624a5242be28b42f.tmp
- <Package Folder>/files/####/common
- <Package Folder>/files/####/device_ip.dat
- <Package Folder>/files/####/download_cache.dat
- <Package Folder>/files/####/float_info.dat
- <Package Folder>/files/####/mobile_init.dat
- <Package Folder>/files/####/mutex.dat
- <Package Folder>/files/####/sdk_init.dat
- <Package Folder>/files/####/sdk_task.dat
- <Package Folder>/files/####/sdk_version.dat
- <Package Folder>/files/####/service_info.dat
- <Package Folder>/files/####/update_script.dat
- <Package Folder>/files/.impri32
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/security_info
- <Package Folder>/files/temp_p.jar
- <Package Folder>/files/umeng_it.cac32
- <Package Folder>/shared_prefs/USERINFO.xml
- <Package Folder>/shared_prefs/_activity_timer.xml
- <Package Folder>/shared_prefs/_bactive.xml
- <Package Folder>/shared_prefs/_bdmtj.xml
- <Package Folder>/shared_prefs/_plgm.xml
- <Package Folder>/shared_prefs/_plsw.xml
- <Package Folder>/shared_prefs/_rest_p.xml
- <Package Folder>/shared_prefs/_shrtct.xml
- <Package Folder>/shared_prefs/_stai.xml
- <Package Folder>/shared_prefs/_umngmtj.xml
- <Package Folder>/shared_prefs/_up_m.xml
- <Package Folder>/shared_prefs/_yuntu2.xml
- <Package Folder>/shared_prefs/_yuntu2_app.xml
- <Package Folder>/shared_prefs/_yuntu2_interval_ad.xml
- <Package Folder>/shared_prefs/_yuntu2_unlock.xml
- <Package Folder>/shared_prefs/_yuntu2_wh_timer.xml
- <Package Folder>/shared_prefs/_yuntu2_wifi.xml
- <Package Folder>/shared_prefs/crashrecord.xml
- <Package Folder>/shared_prefs/dev_info.xml
- <Package Folder>/shared_prefs/ip_cache.xml
- <Package Folder>/shared_prefs/p.xml
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/taohuareader.xml
- <Package Folder>/shared_prefs/umeng_general_conf32.xml
- <Package Folder>/shared_prefs/zz_dsp.xml
- <SD-Card>/.android/system.dat
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/journal
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/app_mutex.lock
- <SD-Card>/config/setting.dat
- <SD-Card>/data/config.dat
- <SD-Card>/muse/60de964faca3b28751963ba08dd48880
- <SD-Card>/system_meta.config
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop
- /system/bin/sh -c type su
- cat /proc/meminfo
- cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- getprop
- getprop ro.miui.ui.version.name
- getprop ro.yunos.version
- ls /sys/devices/system/cpu
- ping -c 2 113.31.86.139
- ping -c 2 113.31.86.143
- ping -c 2 ia.37xh.cn
- ping -c 2 ia.travel345.cn
- ping -c 2 ic.ailife88.com
- ping -c 2 ic.yule37.cn
Загружает динамические библиотеки:
- Bugly
Использует следующие алгоритмы для шифрования данных:
- AES-GCM-NoPadding
- DES
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-GCM-NoPadding
- DES-CBC-PKCS5Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
