Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Backdoor.433.origin
- Android.Triada.311.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) g.cn.miao####.com:80
- TCP(HTTP/1.1) usa.gd.a.####.com:80
- TCP(HTTP/1.1) cdn.guoma####.com:80
- TCP(HTTP/1.1) wu####.e####.s####.com:80
- TCP(HTTP/1.1) www.qchann####.cn:80
- TCP(HTTP/1.1) wx.q####.cn:80
- TCP(HTTP/1.1) gdv.a.s####.com:80
- TCP(HTTP/1.1) 39d0825####.cdn.so####.####.com:80
- TCP(HTTP/1.1) x.j####.com:80
- TCP(HTTP/1.1) n.dingd####.com:8066
- TCP(HTTP/1.1) www.j####.com:80
- TCP(HTTP/1.1) im####.s####.com.####.com:80
- TCP(HTTP/1.1) pmptrac####.gen####.net:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) g####.tove####.s####.####.com:80
- TCP(HTTP/1.1) cdn.z####.com:80
- TCP(HTTP/1.1) gs.a.s####.com:80
- TCP(TLS/1.0) c####.l.qq.com:443
- TCP(TLS/1.0) wu####.e####.s####.com:443
- TCP(TLS/1.0) i####.jd.com:443
- TCP(TLS/1.0) m.reac####.cn:443
- TCP(TLS/1.0) gdv.a.s####.com:443
- TCP(TLS/1.0) 39d0825####.cdn.so####.####.com:443
Запросы DNS:
- 29e5534####.cdn.so####.com
- 39d0825####.cdn.so####.com
- 47f72d1####.cdn.so####.com
- 5b0988e####.cdn.so####.com
- a####.s####.com
- a####.u####.com
- adv-sv-####.f####.cn
- adv-sv-####.f####.cn
- api.k.s####.com
- c####.l.qq.com
- c####.tv.itc.cn
- cdn.guoma####.com
- cdn.xha####.com
- cdn.z####.com
- clk.op####.com
- g.cn.miao####.com
- hot####.sogo####.com
- i####.360bu####.com
- i####.jd.com
- i####.sogo####.com
- i.go.s####.com
- im####.s####.com
- imp.op####.com
- js.s####.com
- js.tv.i####.cn
- k.s####.com
- m.reac####.cn
- m.s####.com
- mp.s####.com
- mt####.go####.com
- n.dingd####.com
- n.migo####.com
- pmptrac####.gen####.net
- pv.s####.com
- s.go.s####.com
- sta####.itc.cn
- static-####.360bu####.com
- t####.sogo####.com
- txt.go.s####.com
- v2.s####.com
- wu####.e####.s####.com
- www.qchann####.cn
- wx.q####.cn
- x.j####.com
Запросы HTTP GET:
- 39d0825####.cdn.so####.####.com/adv/producer/sendLog?type=####&ad_type=#...
- 39d0825####.cdn.so####.####.com/be_fox_say3?cityCode=####&adposId=####&c...
- 39d0825####.cdn.so####.####.com/hot_word.json?callback=####&_=####
- 39d0825####.cdn.so####.####.com/wap/images/ifeng_pic_6.jpg
- 39d0825####.cdn.so####.####.com/wap/images/sg_logo.png
- 39d0825####.cdn.so####.####.com/wap/js/anticheat-min.js
- cdn.guoma####.com/s?z####
- cdn.z####.com/m/AC046D1A6FB640A4B62BB6CF9E6F6F7B6C
- cdn.z####.com/m/AC568CDF52764B53AEF1498003A3C53C70
- cdn.z####.com/m/AC6ECA4EB1E9FFA399C2C3A69844DBA9A2
- g####.tove####.s####.####.com/app/a/200630/6f6f89fd237d76ed0dcec30c3ad6d...
- g####.tove####.s####.####.com/c_fill,w_150,h_100,g_faces,q_70/images/201...
- g####.tove####.s####.####.com/c_fill,w_600,h_300,g_faces/images/20180227...
- g####.tove####.s####.####.com/mobile/css/images/copy-link-eb50753f.png
- g####.tove####.s####.####.com/mobile/css/images/huyou-5be60233.png
- g####.tove####.s####.####.com/mobile/css/images/index-win-bar-close-118a...
- g####.tove####.s####.####.com/mobile/css/images/index-win-close-d68ddac0...
- g####.tove####.s####.####.com/mobile/css/images/logo-sohu-1be198ae.png
- g####.tove####.s####.####.com/mobile/css/images/qq-cf416dc2.png
- g####.tove####.s####.####.com/mobile/css/images/qzone-6a410289.png
- g####.tove####.s####.####.com/mobile/css/images/sicon-c6b75fb6.ttf
- g####.tove####.s####.####.com/mobile/css/images/sohu_text-43560455.png
- g####.tove####.s####.####.com/mobile/css/images/weibo-a34fddb3.png
- g####.tove####.s####.####.com/mobile/css/images/wx-47b0d11d.png
- g####.tove####.s####.####.com/mobile/css/images/wx_new-4f565da0.png
- g####.tove####.s####.####.com/mobile/css/images/wxf-4a6b5816.png
- g####.tove####.s####.####.com/mobile/css/images/wxf_new-9f44158a.png
- g####.tove####.s####.####.com/mobile/css/main-5c6f2fdc96.css
- g####.tove####.s####.####.com/mobile/js/lib-df3a81762f.js
- g####.tove####.s####.####.com/mobile/js/main-55949f45e4.js
- g####.tove####.s####.####.com/mobile/sohu-logo-d.png
- g####.tove####.s####.####.com/mobile/ucenter/images/ic_home_photo_gray.png
- g####.tove####.s####.####.com/q_70,c_fill,w_640,h_320,g_faces/c_cut,x_0,...
- g####.tove####.s####.####.com/q_70,c_fill,w_640,h_320,g_faces/c_cut,x_15...
- g####.tove####.s####.####.com/q_70,c_fill,w_640,h_320,g_faces/c_cut,x_28...
- g####.tove####.s####.####.com/q_70,c_fill,w_640,h_320,g_faces/c_cut,x_88...
- g####.tove####.s####.####.com/q_70,c_zoom,w_640/images/20180227/1ba6fc08...
- g####.tove####.s####.####.com/q_70,c_zoom,w_640/images/20180227/241c6235...
- g####.tove####.s####.####.com/q_70,c_zoom,w_640/images/20180227/2482746a...
- g####.tove####.s####.####.com/q_70,c_zoom,w_640/images/20180227/55e44cc7...
- g####.tove####.s####.####.com/q_70,c_zoom,w_640/images/20180227/79b9249f...
- g####.tove####.s####.####.com/q_70,c_zoom,w_640/images/20180227/7cd78850...
- g####.tove####.s####.####.com/q_70,c_zoom,w_640/images/20180227/aea7ece6...
- g.cn.miao####.com/x/k=2073344&p=7DIy5&dx=__IPDX__&rt=2&ns=95.211.190.198...
- gdv.a.s####.com/IdConverter/servlet/IdConverter?mpId=####&reqType=####
- gdv.a.s####.com/action.gif?actionId=####&SUV=####&_time_=####
- gdv.a.s####.com/api/topic/load?callback=####&page_size=####&topic_source...
- gdv.a.s####.com/content_ev.gif?location=####&relatedID=####&news=####&SU...
- gdv.a.s####.com/favicon.ico
- gdv.a.s####.com/ip/soip?_=####
- gdv.a.s####.com/prom_ev.gif?posId=####&itemId=####&SUV=####&_time_=####
- gdv.a.s####.com/pv.gif?t?=1510835247762546_800_600?r?=http://m.sohu.com/...
- gdv.a.s####.com/pv.gif?t?=1510835262965375_800_600?r?=http://m.sohu.com/...
- gdv.a.s####.com/pv.gif?t?=1510835265052775_800_600?r?=http://m.sohu.com/...
- gdv.a.s####.com/pv.gif?t?=1510835267531772_800_600?r?=http://m.sohu.com/...
- gdv.a.s####.com/pv.gif?t?=1510835268351500_800_600?r?=http://m.sohu.com/...
- gdv.a.s####.com/static/ui-open/3.1/js/open.min.js
- gdv.a.s####.com/suv/?t?=1510835236014618_800_600?r?=?url?=http://m.sohu....
- gs.a.s####.com/
- gs.a.s####.com/a/224261124_120802?_f=####
- gs.a.s####.com/a/224409768_120802
- gs.a.s####.com/ch/43
- gs.a.s####.com/ch/43/1456
- gs.a.s####.com/m/player.css
- gs.a.s####.com/m/player/inc-all.js
- gs.a.s####.com/media/120802
- gs.a.s####.com/public-api/articles/pv?articleIds=####&callback=####&_=####
- gs.a.s####.com/public-api/authors/pv?authorIds=####&callback=####&_=####
- gs.a.s####.com/public-api/frag/bussiness_touch_index?callback=####&_=####
- gs.a.s####.com/pv.js?_t=####
- gs.a.s####.com/relevanceNews?articleId=####&channelId=####&title=####&au...
- im####.s####.com.####.com/bill/r2018/0227/ChAKr1qUu0qAF_0JAACu4kKNJrY235...
- im####.s####.com.####.com/bill/s2016/jscript/lib/sjs/matrix/ad/tf.js
- im####.s####.com.####.com/bill/s2017/front/middle/final-new-1221.min.js
- im####.s####.com.####.com/bill/s2017/materials/jd/0921/3272.html?clkm=//...
- im####.s####.com.####.com/saf/a2017/1216/ChAKr1o0lNeAefojAAA3VBbZ6qY9972...
- im####.s####.com.####.com/saf/a2018/0202/ChAKr1p0LPeAagIgAAC7RxLtnP83356...
- im####.s####.com.####.com/saf/a2018/0208/ChAKr1p73PWAeZLhAAAyBW57Nto4922...
- im####.s####.com.####.com/saf/a2018/0208/ChAKr1p73QuAaVEqAAAsNxvFHkA3032...
- im####.s####.com.####.com/saf/a2018/0222/ChAKr1qOac2ALNsSAAA61R2oifk5946...
- im####.s####.com.####.com/saf/a2018/0223/ChAKr1qPjaWAKHqQAAAxa1K7jgQ5962...
- im####.s####.com.####.com/saf/a2018/0226/ChAKr1qTX4GAEPDdAACF0ipEVb81694...
- im####.s####.com.####.com/saf/a2018/0226/ChAKr1qTlu-ASsPqAAAz0yHPjdE1542...
- im####.s####.com.####.com/web/static/images/pic/preload.png
- n.dingd####.com:8066/c/1510835234180
- pmptrac####.gen####.net/sohu/win?&bidid=####&win=####&display####&_time_...
- usa.gd.a.####.com/cEVPwd/?itemspaceid=####&adps=####&apt=####&turn=####&...
- usa.gd.a.####.com/cNIfrd/?callback=####&itemspaceid=####&adps=####&apt=#...
- usa.gd.a.####.com/cWtZGd/?callback=####&itemspaceid=####&adps=####&apt=#...
- usa.gd.a.####.com/chCRkd/?itemspaceid=####&adps=####&apt=####&turn=####&...
- usa.gd.a.####.com/ciBjEd/?callback=####&itemspaceid=####&adps=####&apt=#...
- usa.gd.a.####.com/cnJud/?callback=####&itemspaceid=####&adps=####&apt=##...
- usa.gd.a.####.com/count/av?aid=####&apid=####&impid=####&at=####&mkey=##...
- usa.gd.a.####.com/count/c?aid=####&apid=####&impid=####&at=####&mkey=###...
- usa.gd.a.####.com/count/v?aid=####&apid=####&impid=####&at=####&mkey=###...
- usa.gd.a.####.com/cpsqd/?callback=####&itemspaceid=####&adps=####&apt=##...
- wu####.e####.s####.com/wapxml?id=####&hd=####&m=####&if=####&ex=####&tmp...
- www.j####.com/jzt/libs/behavior/v2/behavior.js
- www.j####.com/jzt/temp/conermark/ad_jd.png
- www.j####.com/jzt/tpl/sspPicH5.html?ad_ids=####&adflag=####&clkmn=####&e...
- www.j####.com/pop/jfs/t16858/342/522361840/26375/d7086b8e/5a913213N86dcc...
- www.qchann####.cn/1.gif?domain=####&account=####&channel=####&point=####...
- www.qchann####.cn/1.gif?domain=####&url=####&title=####&referrer=####&sh...
- www.qchann####.cn/m2.js?w=####
- wx.q####.cn/mmhead/Q3auHgzwzM6XOpNMFFbNsicibMVkhkNOUHCjQtff2WJ0RJUuA1lRN...
- x.j####.com/mkt/pcwap?ad_ids=3272:5&adflag=0&clkmn=&expose=&ref=http://i...
Запросы HTTP POST:
- a####.u####.com/app_logs
- n.dingd####.com:8066/m/
- n.dingd####.com:8066/p/1510835234476
- n.dingd####.com:8066/s/
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/30A90D56A...F96E3E
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/59A62A558...A0F3A8
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/Matrix
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/ddexe
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/debuggerd
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/fileWork
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/install-recovery.sh
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/pidof
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/su
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/supolicy
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/toolbox
- <Package Folder>/app_AB197D08407ABE58681467B313839AB1/wsroot.sh
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/30A90D56A...F96E3E
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/E2D21C8A2...4A7AB1
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/Matrix
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/ddexe
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/debuggerd
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/fileWork
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/install-recovery.sh
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/pidof
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/su
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/supolicy
- <Package Folder>/app_FF32B902CF690CE4B2A8162621E0F346/toolbox
- <Package Folder>/app_icons/WebpageIcons.db-journal
- <Package Folder>/app_nipwml/55EBC88FE161589A4272BD967B734BD1.jar.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/index
- <Package Folder>/databases/bookmarkAndHistory.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/xUtils.db-journal
- <Package Folder>/databases/zcl-journal
- <Package Folder>/files/1510835227576
- <Package Folder>/files/1510835227626.jar
- <Package Folder>/files/mobclick_agent_cached_<Package>
- <Package Folder>/files/wxdjrg
- <Package Folder>/shared_prefs/SDK.xml
- <Package Folder>/shared_prefs/mobclick_agent_header_<Package>.xml
- <Package Folder>/shared_prefs/mobclick_agent_state_<Package>.xml
- <SD-Card>/tencent/####/30A90D56A017CCCC8870EED02AF96E3E.tmp
- <SD-Card>/tencent/####/496EA22C43656937701CCCFBF543A5AD.tmp
- <SD-Card>/tencent/####/59A62A5585EA0E914FA15F4F35A0F3A8.tmp
- <SD-Card>/tencent/####/E2D21C8A247099C1EBE1CA66EB4A7AB1.tmp
- <SD-Card>/tencent/####/adv
- <SD-Card>/tencent/####/config
- <SD-Card>/tencent/####/deviceId
- <SD-Card>/tencent/####/master
- <SD-Card>/tencent/####/master.lock
- <SD-Card>/tencent/####/rpk_db
- <SD-Card>/tencent/####/sys_install
Другие:
Запускает следующие shell-скрипты:
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox wsroot.sh
- sh
Использует следующие алгоритмы для шифрования данных:
- DES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- DES-CBC-PKCS5Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
