Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.589.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) resupg####.b####.huanj####.####.com:80
- TCP(HTTP/1.1) ada####.m.ta####.com:80
- TCP(HTTP/1.1) cdn.app.xingh####.####.com:80
- TCP(HTTP/1.1) p####.tc.qq.com:80
- TCP(HTTP/1.1) s####.e.qq.com:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) k####.du####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) 1####.205.160.63:80
- TCP(HTTP/1.1) 47.92.1####.96:80
- TCP(HTTP/1.1) 1####.76.224.67:80
- TCP(HTTP/1.1) ip.ch####.com:80
- TCP(HTTP/1.1) cdn.disp####.spcd####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) m####.h####.com:80
- TCP(HTTP/1.1) mi.g####.qq.com:80
- TCP(HTTP/1.1) kk####.du####.com:80
- TCP(HTTP/1.1) cdn.game####.org:80
- TCP(TLS/1.0) cdn.app.xingh####.####.com:443
- TCP(TLS/1.0) kk####.du####.com:443
- TCP(TLS/1.0) co####.h####.com:443
- TCP(TLS/1.0) 1####.11.52.16:443
- TCP(TLS/1.0) c####.superma####.top:443
Запросы DNS:
- 1####.i####.com
- ad####.m.ta####.com
- ada####.m.ta####.com
- ag####.m.ta####.com
- and####.b####.qq.com
- api.1####.cn
- c####.superma####.top
- c.c####.com
- cdn.app.h####.top
- cdn.app.superma####.top
- cdn.app.xingh####.cn
- cdn.game####.org
- cdn.img.h####.top
- cdnreso####.du####.com
- co####.h####.com
- imgc####.qq.com
- ip.ch####.com
- k####.du####.com
- kk####.du####.com
- m####.h####.com
- mi.g####.qq.com
- mt####.go####.com
- oc.u####.com
- qzones####.g####.cn
- resupg####.b####.huanj####.com
- resupg####.du####.com
- s####.e.qq.com
- s11.c####.com
- z13.c####.com
Запросы HTTP GET:
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/z_stat.php?id=####&web_id=####
- cdn.app.xingh####.####.com/kkccms/thumb/mw/279.jpg
- cdn.app.xingh####.####.com/lupload/clo/he
- cdn.app.xingh####.####.com/upload/201801/30/app/20180130180118286.apk
- cdn.app.xingh####.####.com/upload/201801/30/img/20180130180110682.png
- cdn.disp####.spcd####.com/ic.asp
- cdn.game####.org/strategy/UnknownDev
- cdn.game####.org/strategy/base
- cdn.game####.org/strategy/dev_root
- cdn.game####.org/strategy/dev_root2
- cdn.game####.org/strategy/larger4.3
- cdn.game####.org/strategy/loss_4.3
- cdn.game####.org/strategy/sul18
- cdn.game####.org/strategy/symlink-adbd
- ip.ch####.com/getip.aspx
- k####.du####.com/api/advertising/dot.do?platform=####&adid=####&reqid=##...
- k####.du####.com/api/advertising/list.do?platform=####&appId=####&uuid=#...
- kk####.du####.com/banner/list.do?group=####&channel=####&platform=####
- kk####.du####.com/css/bootstrap.css
- kk####.du####.com/css/detail.css
- kk####.du####.com/detail/viewDetail.do?aid=####&token=####
- kk####.du####.com/index/listAd.do?page=####&size=####
- kk####.du####.com/js/detail.js?v=####
- mi.g####.qq.com/gdt_mview.fcg?posw=####&posh=####&count=####&r=####&data...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/banner.appcache
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/banner.html
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/ad_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/banner_close_b...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/bannerbg02.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/bannerbg03.jpg
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/bannerbg07.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/close02.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/close03.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/download_icon....
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/download_icon_...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/gdt_logo_black...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/icon-ad.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/sdk_bg.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/tc-gdt-sdk-ope...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/tsa_ad_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/tsa_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/js-release/20170821/b...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/js/lib/require.js
- p####.tc.qq.com/qzone/biz/gdt/mod/android/AndroidAllInOne/proguard/his/r...
- resupg####.b####.huanj####.####.com/kkdict/ciku/391/ciku
- resupg####.b####.huanj####.####.com/kkdict/datum/398/datum
- resupg####.b####.huanj####.####.com/kkdict/voice/10/voice
- resupg####.b####.huanj####.####.com/kkdict/xiangjie/354/xiangjie
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
Запросы HTTP POST:
- ada####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=###...
- and####.b####.qq.com/rqd/async?aid=####
- m####.h####.com/c.gif?act=####&smkdata=####&EC=####&appkey=####&item=###...
- oc.u####.com/v2/check_config_update
- oc.u####.com/v2/get_update_time
- s####.e.qq.com/activate
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_112b751e-85a4-4da9-afdd-766b0248d3e2/6a51d...4d.jar
- <Package Folder>/app_112b751e-85a4-4da9-afdd-766b0248d3e2/e9fad...b5ae43
- <Package Folder>/app_3d342c75-5030-4403-b3a7-3aa94f14d446/Matrix
- <Package Folder>/app_3d342c75-5030-4403-b3a7-3aa94f14d446/ddexe
- <Package Folder>/app_3d342c75-5030-4403-b3a7-3aa94f14d446/debuggerd
- <Package Folder>/app_3d342c75-5030-4403-b3a7-3aa94f14d446/fileWork
- <Package Folder>/app_3d342c75-5030-4403-b3a7-3aa94f14d446/insta...ery.sh
- <Package Folder>/app_3d342c75-5030-4403-b3a7-3aa94f14d446/pidof
- <Package Folder>/app_3d342c75-5030-4403-b3a7-3aa94f14d446/su
- <Package Folder>/app_3d342c75-5030-4403-b3a7-3aa94f14d446/supolicy
- <Package Folder>/app_3d342c75-5030-4403-b3a7-3aa94f14d446/toolbox
- <Package Folder>/app_3d342c75-5030-4403-b3a7-3aa94f14d446/wsroot.sh
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/Matrix
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/ddexe
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/debuggerd
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/device.db
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/fileWork
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/insta...ery.sh
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/pidof
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/root3
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/su
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/supolicy
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/toolbox
- <Package Folder>/app_513d32db-12d4-4d4d-978d-a449df396e24/wsroot.sh
- <Package Folder>/app_SGLib/lock.lock
- <Package Folder>/app_bc37cd2c-1ca1-44c2-8240-f83dd6e1ef39/Matrix
- <Package Folder>/app_bc37cd2c-1ca1-44c2-8240-f83dd6e1ef39/ddexe
- <Package Folder>/app_bc37cd2c-1ca1-44c2-8240-f83dd6e1ef39/debuggerd
- <Package Folder>/app_bc37cd2c-1ca1-44c2-8240-f83dd6e1ef39/fileWork
- <Package Folder>/app_bc37cd2c-1ca1-44c2-8240-f83dd6e1ef39/insta...ery.sh
- <Package Folder>/app_bc37cd2c-1ca1-44c2-8240-f83dd6e1ef39/pidof
- <Package Folder>/app_bc37cd2c-1ca1-44c2-8240-f83dd6e1ef39/su
- <Package Folder>/app_bc37cd2c-1ca1-44c2-8240-f83dd6e1ef39/supolicy
- <Package Folder>/app_bc37cd2c-1ca1-44c2-8240-f83dd6e1ef39/toolbox
- <Package Folder>/app_bc37cd2c-1ca1-44c2-8240-f83dd6e1ef39/wsroot.sh
- <Package Folder>/app_c4e16187-3e6e-46bd-85ba-99c2643cac16/Matrix
- <Package Folder>/app_c4e16187-3e6e-46bd-85ba-99c2643cac16/ddexe
- <Package Folder>/app_c4e16187-3e6e-46bd-85ba-99c2643cac16/debuggerd
- <Package Folder>/app_c4e16187-3e6e-46bd-85ba-99c2643cac16/fileWork
- <Package Folder>/app_c4e16187-3e6e-46bd-85ba-99c2643cac16/insta...ery.sh
- <Package Folder>/app_c4e16187-3e6e-46bd-85ba-99c2643cac16/pidof
- <Package Folder>/app_c4e16187-3e6e-46bd-85ba-99c2643cac16/su
- <Package Folder>/app_c4e16187-3e6e-46bd-85ba-99c2643cac16/supolicy
- <Package Folder>/app_c4e16187-3e6e-46bd-85ba-99c2643cac16/toolbox
- <Package Folder>/app_c4e16187-3e6e-46bd-85ba-99c2643cac16/wsroot.sh
- <Package Folder>/app_crashrecord/1002
- <Package Folder>/app_crashrecord/1004
- <Package Folder>/app_e31ab37d-b683-4cb0-b926-8d050c10dc55/Matrix
- <Package Folder>/app_e31ab37d-b683-4cb0-b926-8d050c10dc55/ddexe
- <Package Folder>/app_e31ab37d-b683-4cb0-b926-8d050c10dc55/debuggerd
- <Package Folder>/app_e31ab37d-b683-4cb0-b926-8d050c10dc55/fileWork
- <Package Folder>/app_e31ab37d-b683-4cb0-b926-8d050c10dc55/insta...ery.sh
- <Package Folder>/app_e31ab37d-b683-4cb0-b926-8d050c10dc55/pidof
- <Package Folder>/app_e31ab37d-b683-4cb0-b926-8d050c10dc55/su
- <Package Folder>/app_e31ab37d-b683-4cb0-b926-8d050c10dc55/supolicy
- <Package Folder>/app_e31ab37d-b683-4cb0-b926-8d050c10dc55/toolbox
- <Package Folder>/app_e31ab37d-b683-4cb0-b926-8d050c10dc55/wsroot.sh
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.jar
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.jar.sig
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.tmp
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.tmp.sig
- <Package Folder>/app_e_qq_com_plugin/update_lc
- <Package Folder>/app_e_qq_com_setting/devCloudSetting.cfg
- <Package Folder>/app_e_qq_com_setting/devCloudSetting.sig
- <Package Folder>/app_e_qq_com_setting/gdt_suid
- <Package Folder>/app_e_qq_com_setting/sdkCloudSetting.cfg
- <Package Folder>/app_e_qq_com_setting/sdkCloudSetting.sig
- <Package Folder>/app_ffa45cb0-fb1c-42f8-9925-03d2a8948a84/Matrix
- <Package Folder>/app_ffa45cb0-fb1c-42f8-9925-03d2a8948a84/ddexe
- <Package Folder>/app_ffa45cb0-fb1c-42f8-9925-03d2a8948a84/debuggerd
- <Package Folder>/app_ffa45cb0-fb1c-42f8-9925-03d2a8948a84/fileWork
- <Package Folder>/app_ffa45cb0-fb1c-42f8-9925-03d2a8948a84/insta...ery.sh
- <Package Folder>/app_ffa45cb0-fb1c-42f8-9925-03d2a8948a84/pidof
- <Package Folder>/app_ffa45cb0-fb1c-42f8-9925-03d2a8948a84/su
- <Package Folder>/app_ffa45cb0-fb1c-42f8-9925-03d2a8948a84/supolicy
- <Package Folder>/app_ffa45cb0-fb1c-42f8-9925-03d2a8948a84/toolbox
- <Package Folder>/app_ffa45cb0-fb1c-42f8-9925-03d2a8948a84/wsroot.sh
- <Package Folder>/app_subox/1740c449fc10be62df60ba0f18696c9f
- <Package Folder>/app_subox/32edd79a240b5f1e461d069caab1ec3e
- <Package Folder>/app_subox/8b6f263391259b7a8e5f58ee71852ca8
- <Package Folder>/app_subox/b0141e478b25af7c40a8cca8de6c4708
- <Package Folder>/app_subox/b18a021d11a3004d25017230b681476b
- <Package Folder>/app_subox/c61913b615fb6224701377a119081f36
- <Package Folder>/app_subox_download/245dbee8-daad-4465-b158-243f085d28a2
- <Package Folder>/app_subox_download/3f6afc69-b6d2-4ba8-bcfa-999970d03dd7
- <Package Folder>/app_subox_download/87aaef42-76e8-4ac9-95fb-2558bd613bea
- <Package Folder>/app_subox_download/d3bc2b96-0b79-4b1b-bc48-e6e291b2af1f
- <Package Folder>/app_subox_download/e2ebcd63-b75d-489c-b1d2-37adae745628
- <Package Folder>/app_subox_download/ea65b982-a515-4208-ba3f-573a4a0c777d
- <Package Folder>/app_subox_download/ec7046ec-1655-4b1d-bcc2-e66630d78ce8
- <Package Folder>/app_subox_download/f711ec40-542d-4040-90c6-be94f4fb3da6
- <Package Folder>/cache/####/-1937040388
- <Package Folder>/cache/####/12802779551625817334
- <Package Folder>/cache/####/1534594157
- <Package Folder>/cache/####/1863153819
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/index
- <Package Folder>/cache/V2.9.4.txt
- <Package Folder>/code_cache/####/<Package>-1.apk.classes-1962323543.zip
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/Dict.db-journal
- <Package Folder>/databases/GDTSDK.db
- <Package Folder>/databases/GDTSDK.db-journal
- <Package Folder>/databases/MessageStore.db-journal
- <Package Folder>/databases/MsgLogStore.db-journal
- <Package Folder>/databases/accs.db-journal
- <Package Folder>/databases/bugly_db_-journal
- <Package Folder>/databases/message_accs_db
- <Package Folder>/databases/message_accs_db-journal
- <Package Folder>/databases/t_u.db-journal
- <Package Folder>/databases/ut.db
- <Package Folder>/databases/ut.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal
- <Package Folder>/files/####/account.doing
- <Package Folder>/files/####/folder_bundle.doing
- <Package Folder>/files/####/ib_favorite_history.doing
- <Package Folder>/files/####/ib_favorite_mywordlist.doing
- <Package Folder>/files/####/ib_news_collected_news.doing
- <Package Folder>/files/####/op_folder_bundle.doing
- <Package Folder>/files/####/op_item_bundle.doing
- <Package Folder>/files/####/ver_bundle.doing
- <Package Folder>/files/DaemonServer
- <Package Folder>/files/SUBOXLOG_
- <Package Folder>/files/agoo.pid
- <Package Folder>/files/ap.Lock
- <Package Folder>/files/bj.jar
- <Package Folder>/files/ge.jar
- <Package Folder>/files/hdid.bck
- <Package Folder>/files/hdid_v2
- <Package Folder>/files/hdstatis_cache_5f348fdb
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/mobclick_agent_cached_<Package>12369
- <Package Folder>/files/security_info
- <Package Folder>/shared_prefs/<Package>.BETA_VALUES.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/ACCS_SDK.xml
- <Package Folder>/shared_prefs/ACCS_SDK_CHANNEL.xml
- <Package Folder>/shared_prefs/Agoo_AppStore.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/BUGLY_COMMON_VALUES.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/UTCommon.xml
- <Package Folder>/shared_prefs/_kksync_config.xml
- <Package Folder>/shared_prefs/count.xml
- <Package Folder>/shared_prefs/crashrecord.xml
- <Package Folder>/shared_prefs/daily_active.xml
- <Package Folder>/shared_prefs/daily_things.xml
- <Package Folder>/shared_prefs/desktop_short_cut.xml
- <Package Folder>/shared_prefs/hd_default_pref.xml
- <Package Folder>/shared_prefs/hd_default_pref.xml.bak
- <Package Folder>/shared_prefs/hd_default_pref_-1317938754.xml
- <Package Folder>/shared_prefs/hd_default_pref_1695137469.xml
- <Package Folder>/shared_prefs/hdcltid.xml
- <Package Folder>/shared_prefs/hdcommon_config_cache_pref.xml
- <Package Folder>/shared_prefs/hdcommon_config_cache_pref_-1317938754.xml
- <Package Folder>/shared_prefs/hdcommon_config_cache_pref_1695137469.xml
- <Package Folder>/shared_prefs/kkdict_kksync.xml
- <Package Folder>/shared_prefs/kr.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/online_daily_things.xml
- <Package Folder>/shared_prefs/onlineconfig_agent_online_setting...e>.xml
- <Package Folder>/shared_prefs/share.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_message_state.xml
- <Package Folder>/shared_prefs/vbz.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.android/Global
- <SD-Card>/.android/hdcltid.ini
- <SD-Card>/.hiidosdk/Device
- <SD-Card>/.hiidosdk/Device_v2
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/1865fc9edf7b16979d5e52efb3b36593.apk
- <SD-Card>/Android/####/ApplicationCache.db-journal
- <SD-Card>/Android/####/b.tmp
- <SD-Card>/Android/####/e415067c100c4285ac82fcd326ccba0b
- <SD-Card>/Android/####/fdc0334672a10
- <SD-Card>/hiidosdk/####/hdstatis_20171116.log
- <SD-Card>/kkdict/####/datum
- <SD-Card>/kkdict/####/datum.db.tmp
- <SD-Card>/kkdict/####/material.db
- <SD-Card>/kkdict/####/voice
- <SD-Card>/kkdict/####/voice.db.tmp
- <SD-Card>/kkdict/####/xiangjie
- <SD-Card>/kkdict/####/xiangjie.db.tmp
- <SD-Card>/kkdict/####/zidian_full.db
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop
- /system/bin/sh -c type su
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:53d0ce2556240b59c3060ded","utdid":"Wg2EH7wOUIkDAGdzx1FWDofs","sdkVersion":"212"} -I agoodm.m.taobao.com -O 80 -T -Z
- chmod 500 <Package Folder>/files/DaemonServer
- chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/1865fc9edf7b16979d5e52efb3b36593.apk
- chmod 777 Matrix ddexe debuggerd device.db fileWork install-recovery.sh pidof root3 su supolicy toolbox wsroot.sh
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox wsroot.sh
- getprop
- ps
- sh
Загружает динамические библиотеки:
- Bugly
- bspatch
- tnet-3.1
- ut_c_api
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- DES
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- DES
- RSA-ECB-PKCS1Padding
Осуществляет доступ к интерфейсу камеры.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
