Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.1.origin
- Android.Xiny.231.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) r1.b####.co:80
- TCP(HTTP/1.1) statis####.gioneem####.net:80
- TCP(HTTP/1.1) co####.a####.a####.####.com:80
- TCP(HTTP/1.1) ali.f####.cdn.####.com:80
- TCP(HTTP/1.1) nwallpa####.gioneem####.net:80
- TCP(HTTP/1.1) busi####.yiqiclo####.com:9090
- TCP(HTTP/1.1) ea.sno####.1####.com:18088
- TCP(HTTP/1.1) en.sno####.1####.com:8088
- TCP(TLS/1.0) d####.fl####.com:443
- TCP(TLS/1.0) api-####.coo####.org:443
Запросы DNS:
- ali.f####.cdn.####.com
- api-####.coo####.org
- asse####.gioneem####.net
- busi####.yiqiclo####.com
- co####.in####.com
- d####.fl####.com
- dv2####.yiqi####.com
- ea.sno####.1####.com
- en.sno####.1####.com
- nwallpa####.gioneem####.net
- r1.b####.co
- r1.s####.co
- r1.x####.co
- statis####.gioneem####.net
Запросы HTTP GET:
- ali.f####.cdn.####.com/2018/02/28/182023699.zip
- nwallpa####.gioneem####.net/attachs/theme/livepaper/201604/grwm110759/3....
- nwallpa####.gioneem####.net/attachs/theme/livepaper/201604/hdsy110848/3....
- nwallpa####.gioneem####.net/attachs/theme/livepaper/201604/r2s0110837/3....
- nwallpa####.gioneem####.net/attachs/theme/livepaper/201606/9mgj163633/3....
- nwallpa####.gioneem####.net/attachs/theme/livepaper/201606/qg8k163505/3....
- nwallpa####.gioneem####.net/attachs/theme/livepaper/201606/wls9163357/3....
- nwallpa####.gioneem####.net/attachs/theme/subjectImage/201701/58734f7640...
- nwallpa####.gioneem####.net/attachs/theme/subjectImage/201702/58aa96cf67...
- nwallpa####.gioneem####.net/attachs/theme/subjectImage/201705/59117fc3e7...
- nwallpa####.gioneem####.net/attachs/theme/typeImage/201606/2syy112758/2s...
- nwallpa####.gioneem####.net/attachs/theme/typeImage/201606/5gp8112846/5g...
- nwallpa####.gioneem####.net/attachs/theme/typeImage/201606/jwca112824/jw...
- nwallpa####.gioneem####.net/attachs/theme/typeImage/201606/nnof145925/nn...
- nwallpa####.gioneem####.net/attachs/theme/typeImage/201606/vakd112738/va...
- nwallpa####.gioneem####.net/attachs/theme/typeImage/201610/6vty115022/6v...
- nwallpa####.gioneem####.net/attachs/theme/typeImage/201610/8b6t111202/8b...
- nwallpa####.gioneem####.net/attachs/theme/typeImage/201610/xa6w111648/xa...
- nwallpa####.gioneem####.net/attachs/theme/wallpaper/hd/2016/05/2rfsqll55...
- nwallpa####.gioneem####.net/attachs/theme/wallpaper/hd/2016/10/gm2kecn1h...
- nwallpa####.gioneem####.net/attachs/theme/wallpaper/hd/2017/02/qhrir8ke3...
- nwallpa####.gioneem####.net/attachs/theme/wallpaper/hd/2017/04/435c1qn56...
- nwallpa####.gioneem####.net/attachs/theme/wallpaper/hd/2017/06/8ioagorjl...
- nwallpa####.gioneem####.net/attachs/theme/wallpaper/hd/2017/06/njgqt3emr...
- nwallpa####.gioneem####.net/wallpaper/Belleslettres?networktype=####&ver...
- nwallpa####.gioneem####.net/wallpaper/Clientconf?networktype=####&server...
- nwallpa####.gioneem####.net/wallpaper/getfeedback?networktype=####&versi...
- nwallpa####.gioneem####.net/wallpaper/upgrade?networktype=####&server_la...
- nwallpa####.gioneem####.net/wallpapercomposite/home415?pageno=####&netwo...
- nwallpa####.gioneem####.net/wallpaperdynamic/list?pageno=####&networktyp...
- nwallpa####.gioneem####.net/wallpaperhome/category408?pageno=####&networ...
- nwallpa####.gioneem####.net/wallpaperhome/startup?pageno=####&networktyp...
- nwallpa####.gioneem####.net/wallpaperreplace/hdlist?pageno=####&networkt...
- nwallpa####.gioneem####.net/wallpaperreplace/moodlist?pageno=####&networ...
- nwallpa####.gioneem####.net/wallpaperreplace/newspiclist?pageno=####&net...
- nwallpa####.gioneem####.net/wallpaperupdate/number?pageno=####&networkty...
- r1.b####.co/c/d_ab
- r1.b####.co/de
- r1.b####.co/v1/c/sf
- statis####.gioneem####.net/?BI_PARAMS=####
- statis####.gioneem####.net/amigopaperstatistics/Active?imei=####&channel...
- statis####.gioneem####.net/amigopaperstatistics/Guide?imei=####&channel=...
- statis####.gioneem####.net/amigopaperstatistics/Home?imei=####&channel=#...
- statis####.gioneem####.net/amigopaperstatistics/Welcome?imei=####&channe...
Запросы HTTP POST:
- busi####.yiqiclo####.com:9090/cloudfont/fontverifyquery
- busi####.yiqiclo####.com:9090/cloudfont/fontverifyqueryuseractionstat
- co####.a####.a####.####.com/config-server/v1/config/secure.cfg
- ea.sno####.1####.com:18088/ping
- ea.sno####.1####.com:18088/sdk/api/msg/error
- ea.sno####.1####.com:18088/sdk/api/regclient
- en.sno####.1####.com:8088/sdk/api/ad/hull_v2
- en.sno####.1####.com:8088/sdk/api/log/record
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/28C947A96E7BA72B9CD82682FEF88691
- <Package Folder>/cache/####/2FEC0515A1888665F69943E8C6E4D567
- <Package Folder>/cache/####/369569834134E35A3087CCB6CAF7856B
- <Package Folder>/cache/####/3F40F06A7CCD26B334128068EA2B456B
- <Package Folder>/cache/####/408D5BD0E5CD4132F0C1591DA7C9B449
- <Package Folder>/cache/####/40CE32D682211F19ED6D5C17912AD3FA
- <Package Folder>/cache/####/423CDF4FA60F222B34CC1C0DC3E14E0D
- <Package Folder>/cache/####/4864D436C28A00E4960058725FBF5448
- <Package Folder>/cache/####/6117A8F429B353F1C1E2AE1C3915627B
- <Package Folder>/cache/####/73A919568A6A8B299B11F8B161136F88
- <Package Folder>/cache/####/792D3EEA3C6ACFED6D44D704F82779CA
- <Package Folder>/cache/####/8DE75680360F33EEA05413A71B477228
- <Package Folder>/cache/####/9538043CEC457A16C9F1EBE543883400
- <Package Folder>/cache/####/962FCB46E62FE397F4DEC4BC678ECF69
- <Package Folder>/cache/####/9DF67CA13457FB7A203E2B6643132FD1
- <Package Folder>/cache/####/BED31929B07046531CDA7CE56AFE1379
- <Package Folder>/cache/####/C252C303F46C7078714621F9C0C6CB6D
- <Package Folder>/cache/####/C3D77D8F6D80E21060898C628092AADD
- <Package Folder>/cache/####/DD385AD3920B55D8926BD9F40E5ADFFB
- <Package Folder>/cache/####/installationId
- <Package Folder>/databases/com.im_5.3.1.db
- <Package Folder>/databases/com.im_5.3.1.db-journal
- <Package Folder>/databases/db_snowfox.db
- <Package Folder>/databases/db_snowfox.db-journal
- <Package Folder>/databases/snowfoxad_msg.db
- <Package Folder>/databases/snowfoxad_msg.db-journal
- <Package Folder>/databases/statistics.db-journal
- <Package Folder>/databases/wallpaper.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/aybsng
- <Package Folder>/files/####/qvqtqk
- <Package Folder>/files/####/sf_file_provider.dat
- <Package Folder>/files/.YFlurrySenderIndex.info.AnalyticsData_S...HY_216
- <Package Folder>/files/.YFlurrySenderIndex.info.AnalyticsMain
- <Package Folder>/files/.yflurrydatasenderblock.f07942a9-c6a7-4d...612264
- <Package Folder>/files/.yflurryreport.-24fdb7128c8fe88c
- <Package Folder>/files/<Package>.zip
- <Package Folder>/files/<Package>.zip (deleted)
- <Package Folder>/files/coolook_bk.db
- <Package Folder>/files/coolook_bk.db-journal
- <Package Folder>/files/dat.dat
- <Package Folder>/files/lib_v22h1.dat
- <Package Folder>/files/libtencentloc.so
- <Package Folder>/files/mesosphere_v22h1.jar
- <Package Folder>/files/snowfox_mid_v22h1.so
- <Package Folder>/files/snowfox_sdk_so-v22h1.jar
- <Package Folder>/files/snowfox_v22h1.jar
- <Package Folder>/files/snowfox_v22h1.so
- <Package Folder>/servi
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Access_Preferences.xml
- <Package Folder>/shared_prefs/FLURRY_SHARED_PREFERENCES.xml
- <Package Folder>/shared_prefs/LocationSDK.xml
- <Package Folder>/shared_prefs/bi_static_share_data.xml
- <Package Folder>/shared_prefs/com.im.keyValueStore.aes_key_store.xml
- <Package Folder>/shared_prefs/com.im.keyValueStore.config_store.xml
- <Package Folder>/shared_prefs/com.im.keyValueStore.sdk_version_store.xml
- <Package Folder>/shared_prefs/com.im.keyValueStore.uid_store.xml
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/coolook_sdk.xml
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/snowfoxprf.xml
- <Package Folder>/shared_prefs/sp_cache.xml
- <Package Folder>/shared_prefs/sp_cache.xml (deleted)
- <Package Folder>/shared_prefs/sp_cache.xml.bak
- <Package Folder>/shared_prefs/youju_device_pre.xml
- <Package Folder>/shared_prefs/youju_device_pre.xml (deleted)
- <Package Folder>/shared_prefs/youju_sdk_pre.xml
- <SD-Card>/AmigoPaper/####/-1192127375.tmp
- <SD-Card>/AmigoPaper/####/-1253139301.tmp
- <SD-Card>/AmigoPaper/####/-1353433138.tmp
- <SD-Card>/AmigoPaper/####/-1376297043.tmp
- <SD-Card>/AmigoPaper/####/-138376773.tmp
- <SD-Card>/AmigoPaper/####/-1407920877.tmp
- <SD-Card>/AmigoPaper/####/-1722609374.tmp
- <SD-Card>/AmigoPaper/####/-175168062.tmp
- <SD-Card>/AmigoPaper/####/-1801153906.tmp
- <SD-Card>/AmigoPaper/####/-1892687319.tmp
- <SD-Card>/AmigoPaper/####/-1958845893.tmp
- <SD-Card>/AmigoPaper/####/-2025284493.tmp
- <SD-Card>/AmigoPaper/####/-352444980.tmp
- <SD-Card>/AmigoPaper/####/-628113598.tmp
- <SD-Card>/AmigoPaper/####/-777653149.tmp
- <SD-Card>/AmigoPaper/####/-931633687.tmp
- <SD-Card>/AmigoPaper/####/-945830394.tmp
- <SD-Card>/AmigoPaper/####/.nomedia
- <SD-Card>/AmigoPaper/####/1523202800.tmp
- <SD-Card>/AmigoPaper/####/156675194.tmp
- <SD-Card>/AmigoPaper/####/1642171099.tmp
- <SD-Card>/AmigoPaper/####/1645327439.tmp
- <SD-Card>/AmigoPaper/####/313505691.tmp
- <SD-Card>/AmigoPaper/####/508489985.tmp
- <SD-Card>/AmigoPaper/####/583736354.tmp
- <SD-Card>/AmigoPaper/####/619454187.tmp
- <SD-Card>/AmigoPaper/####/648948925.tmp
- <SD-Card>/AmigoPaper/####/info.txt
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/dev_526b9763.txt
- <SD-Card>/Android/####/imei.txt
- <SD-Card>/Android/####/pid
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- app_process /system/bin com.android.commands.am.Am startservice --user 0 -n <Package>/com.coolook.backupr.init.CkBackupService
- chmod 777 <Package Folder>/servi
- dd if <Package Folder>/lib/libservi.so of <Package Folder>/servi
- sh
Загружает динамические библиотеки:
- qvqtqk
- servi
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-nopadding
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
