Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.20
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) m.ka####.y####.com:80
- TCP(HTTP/1.1) l####.b####.com:80
- TCP(HTTP/1.1) cm.b####.com:80
- TCP(HTTP/1.1) gd.a.s####.com:80
- TCP(HTTP/1.1) mo####.b####.com:80
- TCP(HTTP/1.1) s####.jom####.com:80
- TCP(HTTP/1.1) abc.y####.com:80
- TCP(HTTP/1.1) 2####.243.193.48:80
- TCP(HTTP/1.1) ka####.y####.com:80
- TCP(HTTP/1.1) d.y####.com:80
- TCP(HTTP/1.1) f.xingch####.com.####.com:80
- TCP(HTTP/1.1) si####.jom####.com:80
- TCP(HTTP/1.1) upl####.y####.com.####.com:80
- TCP(HTTP/1.1) r.eli####.cn:80
- TCP(HTTP/1.1) m.o####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) mobads-####.b####.com:80
- TCP(HTTP/1.1) st####.y####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(TLS/1.0) mobads-####.b####.com:443
- TCP(TLS/1.0) st####.y####.com:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) d.y####.com:443
Запросы DNS:
- a####.u####.com
- abc.y####.com
- b####.s####.b####.com
- cm.b####.com
- cm.pos.b####.com
- d.y####.com
- f.xingch####.com
- f10.b####.com
- f11.b####.com
- f12.b####.com
- hm.b####.com
- ka####.y####.com
- l####.b####.com
- m.ka####.y####.com
- m.m.ka####.####.com
- m.o####.com
- mo####.b####.com
- mobads-####.b####.com
- p####.zhanz####.b####.com
- r.eli####.cn
- st####.y####.com
- t.go.s####.com
- t11.b####.com
- upl####.y####.com
Запросы HTTP GET:
- abc.y####.com/bczdjqkgg?urv=####&jvq=####&qv=####&ygh=####&cff=####&qgz=...
- abc.y####.com/cheknvobtf?urv=####&jvq=####&qv=####&ygh=####&cne=####&cvf...
- abc.y####.com/guuzqky/qbw?c=####
- abc.y####.com/guuzqky/v?c=####
- abc.y####.com/nkiylizdi?urv=####&jvq=####&qv=####&ygh=####&prp=####&qvf=...
- abc.y####.com/qwfqfvebka?urv=####&jvq=####&qv=####&ygh=####&rkcf=####&qn...
- cm.b####.com/pixel?media_sign=####&media_site=####
- cm.b####.com/pixel?sspid=####&local_cookie=####&ver=####&ext=####
- d.y####.com/fzdhxdi.js
- f.xingch####.com.####.com/2011/gou.jar
- gd.a.s####.com/cm.gif?ver=####&mid=####&uid=####
- hm.b####.com/hm.js?c90425d####
- ka####.y####.com/hanjia/
- l####.b####.com/get?buttontype=####&cb=####&index=####&url=####
- m.ka####.y####.com/hanjia/
- m.ka####.y####.com/hanjia/222281.html
- m.ka####.y####.com/plus/count.php?view=####&aid=####&mid=####
- m.o####.com/kaoshi/plus/count.php?view=####&aid=####&mid=####
- mo####.b####.com/ads/ads.appcache
- mo####.b####.com/ads/css/min/main.css
- mo####.b####.com/ads/index.htm
- mo####.b####.com/ads/js/ads.trunk.js
- mo####.b####.com/ads/js/c.js
- mo####.b####.com/ads/pa/8/__pasys_remote_banner.php?bdr=####&os=####&v=#...
- mo####.b####.com/ads/pa/8/__xadsdk__remote__8.7032.jar
- mo####.b####.com/cpro/ui/mads.php?code2=####
- mo####.b####.com/cpro/ui/mads.php?code2=####&b1510833295709=####
- mo####.b####.com/cpro/ui/mads.php?code2=####&b1510833326051=####
- s####.jom####.com/push.js
- s####.jom####.com/static/css/like.css?cdnversion=####
- s####.jom####.com/static/images/like.png?cdnversion=####
- s####.jom####.com/static/js/like.js?cdnversion=####
- s####.jom####.com/static/js/like_shell.js?t=####
- si####.jom####.com/it/u=1419610088,1882284957&fm=76
- si####.jom####.com/it/u=1683915895,2210552451&fm=76
- si####.jom####.com/it/u=200453110,188098232&fm=76
- si####.jom####.com/it/u=2926996740,239580620&fm=76
- si####.jom####.com/it/u=3227345093,3696660730&fm=76
- si####.jom####.com/it/u=378635282,3328870175&fm=76
- si####.jom####.com/it/u=3987135111,4281533496&fm=76
- si####.jom####.com/it/u=4279886419,1517549850&fm=76
- si####.jom####.com/it/u=576137314,99320695&fm=76
- si####.jom####.com/it/u=615744892,2193840378&fm=76
- si####.jom####.com/it/u=909259076,1068574923&fm=76
- si####.jom####.com/it/u=911810454,4193382150&fm=76
- st####.y####.com/css/dede/list_kaoshi.css
- st####.y####.com/css/m/3g_default.css
- st####.y####.com/css/m/article.css
- st####.y####.com/js/index/jquery.min.js
- st####.y####.com/js/m/a.js
- st####.y####.com/js/m/s.js
- st####.y####.com/js/p/s.js
- st####.y####.com/js/uaredirect.js
- upl####.y####.com.####.com/default/267.jpg
- upl####.y####.com.####.com/default/360.jpg
- upl####.y####.com.####.com/default/498.jpg
- upl####.y####.com.####.com/default/508.jpg
- upl####.y####.com.####.com/default/559.jpg
Запросы HTTP POST:
- a####.u####.com/app_logs
- mobads-####.b####.com/brwhis.log
- r.eli####.cn/k1?requestId=####&g=####&ua=####
- r.eli####.cn/k2?protocol=####&version=####&cid=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_baidu_ad_sdk/__xadsdk__remote__final__271e...0b.jar
- <Package Folder>/app_baidu_ad_sdk/__xadsdk__remote__final__builtin__.jar
- <Package Folder>/app_baidu_ad_sdk/__xadsdk__remote__final__e371...2d.jar
- <Package Folder>/app_database/ApplicationCache.db-journal
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/index
- <Package Folder>/databases/downloadswc
- <Package Folder>/databases/downloadswc-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal
- <Package Folder>/files/.imprint
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/W_Key.xml
- <Package Folder>/shared_prefs/__x_adsdk_agent_header__.xml
- <Package Folder>/shared_prefs/__xadsdk_downloaded__version__.xml
- <Package Folder>/shared_prefs/a.xml
- <Package Folder>/shared_prefs/com.baidu.mobads.loader.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/st.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <SD-Card>/Download/####/4.8_gou.jar.tmp
- <SD-Card>/dt/restime.dat
Другие:
Использует следующие алгоритмы для расшифровки данных:
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
