Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 15543584907: <SMS Content>
Скрывает свою иконку с экрана устройства.
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) s.jia####.com:80
- TCP(HTTP/1.1) www.ta####.com:80
- TCP(HTTP/1.1) st####.xqy.cc:80
- TCP(HTTP/1.1) www.555555####.com:80
- TCP(HTTP/1.1) www.7####.com:8888
- TCP(HTTP/1.1) m.ta####.com:80
- TCP(HTTP/1.1) www.94####.com:80
- TCP(HTTP/1.1) www.678####.com:80
- TCP(HTTP/1.1) qq.cdn-dns####.com:1818
- TCP(HTTP/1.1) cou####.5####.com:80
- TCP(TLS/1.0) m.ta####.com:443
- TCP(TLS/1.0) ti####.c####.l####.####.com:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) c.c####.com:443
Запросы DNS:
- 9####.cn
- X####
- c####.mm####.com
- c.c####.com
- cou####.5####.com
- cou####.5####.com
- m.ta####.com
- qq.cdn-dns####.com
- qr.x####.cc
- s.jia####.com
- s4.c####.com
- st####.xqy.cc
- www.111111####.com
- www.555555####.com
- www.678####.com
- www.7####.com
- www.94####.com
- www.ta####.com
- z11.c####.com
Запросы HTTP GET:
- cou####.5####.com/click.aspx?id=####&logo=####
- cou####.5####.com/sa.htm?id=####&refe=####&location=####&color=####&reso...
- m.ta####.com/?sprefer=####
- qq.cdn-dns####.com:1818/20180118/BZYDiw7i/1.jpg
- qq.cdn-dns####.com:1818/20180129/1mfRV1XC/1.jpg
- qq.cdn-dns####.com:1818/20180129/8aNrtsGR/1.jpg
- qq.cdn-dns####.com:1818/20180129/H5WeQ1lJ/1.jpg
- qq.cdn-dns####.com:1818/20180129/JfzGvio8/1.jpg
- qq.cdn-dns####.com:1818/20180129/Vr4pdbvZ/1.jpg
- qq.cdn-dns####.com:1818/20180129/gwLML3gH/1.jpg
- qq.cdn-dns####.com:1818/20180129/pc0HWNbk/1.jpg
- qq.cdn-dns####.com:1818/20180303/CckkLZOg/1.jpg
- qq.cdn-dns####.com:1818/20180303/DNSO4QCZ/1.jpg
- qq.cdn-dns####.com:1818/20180303/LwT4xM3F/1.jpg
- qq.cdn-dns####.com:1818/20180303/Q7E3QMLb/1.jpg
- qq.cdn-dns####.com:1818/20180303/oWGFo4Ra/1.jpg
- qq.cdn-dns####.com:1818/20180303/yJU64ZFr/1.jpg
- qq.cdn-dns####.com:1818/20180305/1u99DJf3/1.jpg
- qq.cdn-dns####.com:1818/20180305/359qoPuZ/1.jpg
- qq.cdn-dns####.com:1818/20180305/4u5kwXs9/1.jpg
- qq.cdn-dns####.com:1818/20180305/56EVsk5J/1.jpg
- qq.cdn-dns####.com:1818/20180305/5HRGzLLe/1.jpg
- qq.cdn-dns####.com:1818/20180305/6YYlfjHT/1.jpg
- qq.cdn-dns####.com:1818/20180305/DVHew5Ep/1.jpg
- qq.cdn-dns####.com:1818/20180305/EWVtLjwF/1.jpg
- qq.cdn-dns####.com:1818/20180305/FtlWZDTO/1.jpg
- qq.cdn-dns####.com:1818/20180305/GzxorArk/1.jpg
- qq.cdn-dns####.com:1818/20180305/PPaYfEqO/1.jpg
- qq.cdn-dns####.com:1818/20180305/Px0maSKy/1.jpg
- qq.cdn-dns####.com:1818/20180305/X7d8T2x5/1.jpg
- qq.cdn-dns####.com:1818/20180305/XToAhWaf/1.jpg
- qq.cdn-dns####.com:1818/20180305/a7Mllwn8/1.jpg
- qq.cdn-dns####.com:1818/20180305/afIeQApU/1.jpg
- qq.cdn-dns####.com:1818/20180305/cmlSkV7p/1.jpg
- qq.cdn-dns####.com:1818/20180305/gFwUFiJG/1.jpg
- qq.cdn-dns####.com:1818/20180305/gd64lHne/1.jpg
- qq.cdn-dns####.com:1818/20180305/iXqa9gur/1.jpg
- qq.cdn-dns####.com:1818/20180305/kzGXDHBH/1.jpg
- qq.cdn-dns####.com:1818/20180305/m4t6wQP7/1.jpg
- qq.cdn-dns####.com:1818/20180305/mBWXxk1G/1.jpg
- qq.cdn-dns####.com:1818/20180305/rO5JkAd1/1.jpg
- qq.cdn-dns####.com:1818/20180305/rXr7aImZ/1.jpg
- qq.cdn-dns####.com:1818/20180305/rejJnHBY/1.jpg
- qq.cdn-dns####.com:1818/20180305/w3qxr2uG/1.jpg
- qq.cdn-dns####.com:1818/20180305/wfA6V6Iy/1.jpg
- qq.cdn-dns####.com:1818/20180305/xnFQX6Zn/1.jpg
- qq.cdn-dns####.com:1818/20180305/ze1Wgiw1/1.jpg
- s.jia####.com/qrcode.php?url=####
- st####.xqy.cc/download/logo/86b67e95-14b0-4ca3-a5f4-6f1a7b877fac.png
- st####.xqy.cc/qr/https://9dun.cn/p/RmY86.png?w=####
- ti####.c####.l####.####.com/app/8YNd
- www.555555####.com/
- www.555555####.com/imge/kt.png
- www.555555####.com/template/538porn/ads/all-top.js
- www.555555####.com/template/538porn/ads/d3.js
- www.555555####.com/template/538porn/ads/ddd.js
- www.555555####.com/template/538porn/ads/qun.js
- www.555555####.com/template/538porn/ads/tbwz.js
- www.555555####.com/template/538porn/ads/tj.js
- www.555555####.com/template/538porn/images/css/bootstrap.min.css
- www.555555####.com/template/538porn/images/css/color.css
- www.555555####.com/template/538porn/images/css/style.min.css
- www.555555####.com/template/538porn/images/css/swiper.min.css
- www.555555####.com/template/538porn/images/font/iconfont.css
- www.555555####.com/template/538porn/images/font/iconfont.ttf?t=####
- www.555555####.com/template/538porn/images/jquery/1.11.3/jquery.min.js
- www.555555####.com/template/538porn/images/js/LazyLoad.js
- www.555555####.com/template/538porn/images/js/bootstrap.min.js
- www.555555####.com/template/538porn/images/js/function.js
- www.555555####.com/template/538porn/images/js/history.js
- www.555555####.com/template/538porn/images/js/swiper.min.js
- www.555555####.com/template/538porn/images/logo.png
- www.555555####.com/template/538porn/images/logo_min.png
- www.555555####.com/template/538porn/images/play.png
- www.555555####.com/vodtypehtml/2.html
- www.555555####.com/vodtypehtml/favicon.ico
- www.678####.com/678be/20180220.gif
- www.678####.com/678be/7916.gif
- www.678####.com/678be/CollectionAPP.js
- www.678####.com/678be/app.jpg
- www.678####.com/678be/js2.gif
- www.678####.com/678be/jy.gif
- www.678####.com/678be/uds24com.gif
- www.678####.com/678be/wz2.gif
- www.678####.com/678be/xl1.gif
- www.678####.com/678be/xl8808.gif
- www.678####.com/678be/xl8809.gif
- www.678####.com/678be/xpj1.gif
- www.678####.com/goog/3691123.gif
- www.678####.com/goog/3792211.gif
- www.678####.com/goog/5456.gif
- www.678####.com/goog/56333.gif
- www.678####.com/goog/68684.gif
- www.678####.com/goog/79333.gif
- www.678####.com/goog/cld8808.gif
- www.678####.com/goog/cld8809.gif
- www.678####.com/goog/pj36.gif
- www.678####.com/goog/pkcp.gif
- www.678####.com/goog/waiwei.gif
- www.678####.com/goog/wangyi.gif
- www.678####.com/goog/xingguang.gif
- www.678####.com/goog/xl8808.gif
- www.678####.com/goog/xl8809.gif
- www.678####.com/goog/zhibo.gif
- www.678####.com/goog/zzyyzzyy.gif
- www.7####.com:8888/?a=####
- www.94####.com/
- www.ta####.com/
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_cache/ApplicationCache.db-journal
- <Package Folder>/cache/####/WebpageIcons.db-journal
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/index
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/libexec.so
- <SD-Card>/baidu/.cuid
- <SD-Card>/smGPSdw.txt
Другие:
Запускает следующие shell-скрипты:
- getprop ro.product.cpu.abi
Загружает динамические библиотеки:
- libexec
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
Парсит информацию из смс сообщений.
Осуществляет доступ к информации об отправленых/принятых смс.
