Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.687.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.DownLoader.687.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) c####.baidust####.com:80
- TCP(HTTP/1.1) c.d####.mob.com:80
- TCP(HTTP/1.1) api.s####.mob.com:80
- TCP(HTTP/1.1) up####.app.2####.com:80
- TCP(HTTP/1.1) d####.d####.mob.com:80
- TCP(HTTP/1.1) ti####.2####.com:80
- TCP(HTTP/1.1) www.2####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) cm.pos.b####.com:80
- TCP(HTTP/1.1) pos.b####.com:80
- TCP(HTTP/1.1) cm.g.doublec####.net:80
- TCP(HTTP/1.1) m.d####.mob.com:80
- TCP(HTTP/1.1) si####.jom####.com:80
- TCP(HTTP/1.1) sh####.2####.com:80
- TCP(HTTP/1.1) wn.pos.b####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) reso####.msg.xi####.net:80
- TCP(HTTP/1.1) sh.wagbr####.aliyun####.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) down####.app.2####.com:80
- TCP(HTTP/1.1) c####.jd.com:80
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) regi####.xm####.xi####.com:443
- TCP(TLS/1.0) ti####.2####.com:443
- TCP 4####.62.94.2:443
Запросы DNS:
- a####.exc.mob.com
- a####.u####.com
- amap####.cn-hang####.oss####.####.com
- api.s####.mob.com
- app.50####.org
- c####.baidust####.com
- c####.jd.com
- c.d####.mob.com
- cm.g.doublec####.net
- cm.pos.b####.com
- d####.d####.mob.com
- down####.app.2####.com
- f10.b####.com
- f11.b####.com
- f12.b####.com
- hm.b####.com
- m.d####.mob.com
- pos.b####.com
- regi####.xm####.xi####.com
- res####.a####.com
- reso####.msg.xi####.net
- sh####.2####.com
- t10.b####.com
- t11.b####.com
- t12.b####.com
- ti####.2####.com
- un####.50####.org
- up####.app.2####.com
- wn.pos.b####.com
- www.2####.com
Запросы HTTP GET:
- c####.baidust####.com/cpro/exp/closead/img/bd_logo.png
- c####.baidust####.com/cpro/exp/closead/img/bg_rb.png
- c####.baidust####.com/cpro/exp/other/img/lu_hot_word.png
- c####.baidust####.com/cpro/ui/c.js
- c####.baidust####.com/cpro/ui/noexpire/img/2.0.1/bg.png
- c####.baidust####.com/cpro/ui/noexpire/img/4.0.0/pc_ads.1x.png
- c####.baidust####.com/cpro/ui/noexpire/img/4.0.0/pc_ads_bear.1x.png
- c####.baidust####.com/cpro/ui/noexpire/js/4.0.0/adClosefeedbackUpgrade.m...
- c####.baidust####.com/cpro/ui/noexpire/js/4.0.1/adClosefeedbackUpgrade.m...
- c####.jd.com/du?&baidu_error=####×tamp=####
- cm.g.doublec####.net/pixel?google_nid=####&googl####
- cm.g.doublec####.net/pixel?google_nid=####&google_cm=####&google_tc=####
- cm.pos.b####.com/gpixel?google_gid=####&google_cver=####
- cm.pos.b####.com/pixel?dspid=####
- down####.app.2####.com/lord/jweather/261000/CryptLordHeart-jweather.jar?...
- hm.b####.com/hm.js?a3f2879####
- m.d####.mob.com/cconf?appkey=####&plat=####&apppkg=####&appver=####&netw...
- pos.b####.com/lcrm?conwid=100&conhei=30&rdid=3118753&dc=3&di=u3118753&dr...
- pos.b####.com/lcrm?conwid=100&conhei=30&rdid=3118755&dc=3&di=u3118755&dr...
- pos.b####.com/lcrm?conwid=100&conhei=30&rdid=3118756&dc=3&di=u3118756&dr...
- pos.b####.com/lcrm?conwid=100&conhei=30&rdid=3118758&dc=3&di=u3118758&dr...
- pos.b####.com/lcrm?conwid=100&conhei=30&rdid=3118762&dc=3&di=u3118762&dr...
- pos.b####.com/lcrm?conwid=100&conhei=30&rdid=3118763&dc=3&di=u3118763&dr...
- pos.b####.com/lcrm?conwid=100&conhei=30&rdid=3118764&dc=3&di=u3118764&dr...
- pos.b####.com/lcrm?conwid=100&conhei=30&rdid=3118765&dc=3&di=u3118765&dr...
- pos.b####.com/lcrm?conwid=1000&conhei=100&rdid=2678481&dc=3&di=u2678481&...
- pos.b####.com/lcrm?conwid=1000&conhei=100&rdid=2683267&dc=3&di=u2683267&...
- pos.b####.com/lcrm?conwid=400&conhei=30&rdid=3131175&dc=3&di=u2511149&dr...
- pos.b####.com/lcrm?di=u2511149&dri=0&dis=0&dai=1&ps=110x1000&enu=encodin...
- pos.b####.com/lcrm?di=u2678481&dri=0&dis=0&dai=3&ps=1279x0&coa=at=3&rsi0...
- pos.b####.com/lcrm?di=u2683267&dri=0&dis=0&dai=2&ps=457x0&coa=at=3&rsi0=...
- pos.b####.com/lcrm?di=u3118753&dri=0&dis=0&dai=4&ps=1549x60&enu=encoding...
- pos.b####.com/lcrm?di=u3118755&dri=0&dis=0&dai=5&ps=1549x70&enu=encoding...
- pos.b####.com/lcrm?di=u3118756&dri=0&dis=0&dai=6&ps=1549x70&enu=encoding...
- pos.b####.com/lcrm?di=u3118758&dri=0&dis=0&dai=7&ps=1549x70&enu=encoding...
- pos.b####.com/lcrm?di=u3118762&dri=0&dis=0&dai=8&ps=1549x70&enu=encoding...
- pos.b####.com/lcrm?di=u3118763&dri=0&dis=0&dai=9&ps=1549x70&enu=encoding...
- pos.b####.com/lcrm?di=u3118764&dri=0&dis=0&dai=10&ps=1549x70&enu=encodin...
- pos.b####.com/lcrm?di=u3118765&dri=0&dis=0&dai=11&ps=1549x70&enu=encodin...
- reso####.msg.xi####.net/gslb/?ver=####&type=####&conpt=####&uuid=####&li...
- sh####.2####.com/api/getStatisticListNew.php?promotion_method=####
- sh.wagbr####.aliyun####.com/sdkcoor/android/x86/libJni_wgs2gcj.so
- si####.jom####.com/it/u=1151341747,1367584340&fm=76
- si####.jom####.com/it/u=156075104,2246419176&fm=76
- si####.jom####.com/it/u=1679641094,1262805421&fm=76
- si####.jom####.com/it/u=1725549277,2395329452&fm=76
- si####.jom####.com/it/u=2097101055,3088285180&fm=76
- si####.jom####.com/it/u=2983823920,2063248843&fm=76
- si####.jom####.com/it/u=3048029442,350010249&fm=76
- si####.jom####.com/it/u=314378415,266657983&fm=76
- si####.jom####.com/it/u=349741439,4037373093&fm=76
- si####.jom####.com/it/u=438645045,38794372&fm=76
- si####.jom####.com/it/u=442542726,3325403362&fm=76
- si####.jom####.com/it/u=545590370,3679183423&fm=76
- si####.jom####.com/it/u=556448211,2086886922&fm=76
- si####.jom####.com/it/u=623031443,2281079941&fm=76
- si####.jom####.com/it/u=962174786,4172286414&fm=76
- ti####.2####.com/?vmod=####
- ti####.2####.com/api/getAdsPositionInfo.json?channel=####&platform=####&...
- ti####.2####.com/api/getCalendarSwitch.php?channel=####&mktime=####&toke...
- ti####.2####.com/api/getCitiesTemp.php?cityId=####&isInternational=####&...
- ti####.2####.com/api/getWeatherInfo.php
- ti####.2####.com/ifr_http.htm?/tianqi.2345.com/?vmod=####&t=####
- ti####.2####.com/js/citySelectData2.js
- ti####.2####.com/js/common2_v20160923084755.js?ver=####
- ti####.2####.com/js/interCitySelectData.js
- ti####.2####.com/js/jquery-ui-autocomplete.custom.js
- ti####.2####.com/js/jquery.js
- ti####.2####.com/js/map/china.js
- ti####.2####.com/js/map_v20160922035127.js?ver=####
- ti####.2####.com/js/qrCode_v20160530.js
- ti####.2####.com/js/raphael-min.js
- ti####.2####.com/js/storage.js
- ti####.2####.com/public/banner.php?ifCleverExplorer=####
- ti####.2####.com/t/detect2009v2_defaultCiyt.php
- ti####.2####.com/t/map_js/china.js?_=####
- ti####.2####.com/theme2/css/global2_v20160908054247.css?ver=####
- ti####.2####.com/theme2/css/wea_index2_v20160921082803.css
- ti####.2####.com/theme2/images/favorite_btn.png
- ti####.2####.com/theme2/images/favorite_icon.png?150450####
- ti####.2####.com/theme2/images/glass01.cur
- ti####.2####.com/theme2/images/glass02.cur
- ti####.2####.com/theme2/images/global-141121.png
- ti####.2####.com/theme2/images/index.png
- ti####.2####.com/theme2/images/local.png
- ti####.2####.com/theme2/images/tianqi-mobile.jpg
- ti####.2####.com/theme2/images/w_day.png
- ti####.2####.com/theme2/images/w_day_l.png
- ti####.2####.com/theme2/images/yingshidaquan160524.jpg
- ti####.2####.com/theme2/img/authority239x54.png
- ti####.2####.com/theme2/img/big-iPhone.jpg
- ti####.2####.com/theme2/img/big-qrcode.jpg
- ti####.2####.com/theme2/img/haze-230x150.jpg
- ti####.2####.com/theme2/img/logo160722.png
- ti####.2####.com/theme2/img/map-250x156.jpg
- ti####.2####.com/theme2/img/qr_tianqi_v20160524.png
- ti####.2####.com/theme2/img/rader-188x132.jpg
- ti####.2####.com/theme2/img/rainfall-230x150.jpg
- ti####.2####.com/theme2/img/satellite-cloud-250x156.jpg
- ti####.2####.com/theme2/img/temperature-230x150.jpg
- ti####.2####.com/theme2/img/traffic-230x150.jpg
- ti####.2####.com/theme2/img/video-250x188-new.jpg
- wn.pos.b####.com/adx.php?c=####
- www.2####.com/js/index/activity/20171111/widget.min.js
Запросы HTTP POST:
- a####.exc.mob.com/errconf
- a####.u####.com/app_logs
- api.s####.mob.com/conf5
- api.s####.mob.com/conn
- api.s####.mob.com/data2
- api.s####.mob.com/log4
- api.s####.mob.com/snsconf
- c.d####.mob.com/cdata
- d####.d####.mob.com/dinfo
- d####.d####.mob.com/dsign
- up####.app.2####.com/index.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/index
- <Package Folder>/cache/ApplicationCache.db-journal
- <Package Folder>/databases/ThrowalbeLog.db-journal
- <Package Folder>/databases/calendar2345.db-journal
- <Package Folder>/databases/geofencing.db
- <Package Folder>/databases/geofencing.db-journal
- <Package Folder>/databases/hmdb
- <Package Folder>/databases/hmdb-journal
- <Package Folder>/databases/logdb.db
- <Package Folder>/databases/logdb.db-journal
- <Package Folder>/databases/sdk_usbhelper.db
- <Package Folder>/databases/sdk_usbhelper.db-journal
- <Package Folder>/databases/sharesdk.db-journal
- <Package Folder>/databases/tj2345.db
- <Package Folder>/databases/tj2345.db-journal
- <Package Folder>/databases/weather2345.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.mrlock
- <Package Folder>/files/####/3394997208195.0
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/journal
- <Package Folder>/files/####/journal.tmp
- <Package Folder>/files/####/loctemp.so
- <Package Folder>/files/.imprint
- <Package Folder>/files/.lock
- <Package Folder>/files/.mrecord
- <Package Folder>/files/.statistics
- <Package Folder>/files/<Package>;pushservice
- <Package Folder>/files/CryptLordHeart.jar
- <Package Folder>/files/mobclick_agent_cached_<Package>54
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/XMPushServiceConfig.xml
- <Package Folder>/shared_prefs/city_data.xml
- <Package Folder>/shared_prefs/mipush.xml
- <Package Folder>/shared_prefs/mipush_account.xml
- <Package Folder>/shared_prefs/mipush_extra.xml
- <Package Folder>/shared_prefs/mob_commons_1.xml
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml
- <Package Folder>/shared_prefs/networkreference.xml
- <Package Folder>/shared_prefs/pref.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml
- <Package Folder>/shared_prefs/tj2345_event.xml
- <Package Folder>/shared_prefs/tongji2345.xml
- <Package Folder>/shared_prefs/tongji2345_app_use.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/xml/sdk_<Package>.xml
- <Package Folder>/xml/sdk_app_used_data.xml
- <Package Folder>/xml/sdk_config_data.xml
- <Package Folder>/xml/sdk_device_data.xml
- <Package Folder>/xml/sdk_sdk_data.xml
- <Package Folder>/xml/sdk_server_path_list.xml
- <Package Folder>/xml/sdk_server_watch_list.xml
- <Package Folder>/xml/sdk_upgrade_data.xml
- <Package Folder>/xml/sdk_watch_list.xml
- <SD-Card>/.CryptLord/####/sdk_<Package>.xml
- <SD-Card>/.CryptLord/####/sdk_app_used_data.xml
- <SD-Card>/.CryptLord/####/sdk_config_data.xml
- <SD-Card>/.CryptLord/####/sdk_device_data.xml
- <SD-Card>/.CryptLord/####/sdk_sdk_data.xml
- <SD-Card>/.CryptLord/####/sdk_server_path_list.xml
- <SD-Card>/.CryptLord/####/sdk_server_watch_list.xml
- <SD-Card>/.CryptLord/####/sdk_upgrade_data.xml
- <SD-Card>/.CryptLord/####/sdk_usbhelper.db
- <SD-Card>/.CryptLord/####/sdk_usbhelper.db-journal
- <SD-Card>/.CryptLord/####/sdk_watch_list.xml
- <SD-Card>/.CryptLord/CryptLordHeart.jar
- <SD-Card>/.system_uuid
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/CryptLordHeart-jweather.jar
- <SD-Card>/Mob/####/.al
- <SD-Card>/Mob/####/.ccLock
- <SD-Card>/Mob/####/.ccc
- <SD-Card>/Mob/####/.dh-journal
- <SD-Card>/Mob/####/.dhlock
- <SD-Card>/Mob/####/.dic_lock
- <SD-Card>/Mob/####/.duid
- <SD-Card>/Mob/####/.globalLock
- <SD-Card>/Mob/####/.nulal
- <SD-Card>/Mob/####/.nulplt
- <SD-Card>/Mob/####/.pkg_lock
- <SD-Card>/Mob/####/.plst
- <SD-Card>/Mob/####/.rc_lock
- <SD-Card>/Mob/####/.usLock
- <SD-Card>/Mob/.dk
- <SD-Card>/amap/####/alsn.db
- <SD-Card>/amap/####/alsn.db-journal
Другие:
Запускает следующие shell-скрипты:
- app_process /system/bin com.android.commands.pm.Pm list packages
- getprop gsm.denqin.meid
- getprop ro.miui.ui.version.name
- grep -E -v root|shell|system
- pm list packages
- ps
- sh
- top -d 0 -n 1
Загружает динамические библиотеки:
- neh
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-ECB-NoPadding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Осуществляет доступ к информации о зарегистрированных на устройстве аккаунтах (Google, Facebook и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
