Android.Triada.720

Техническая информация

Вредоносные функции:

Загружает на исполнение код следующих детектируемых угроз:

Adware.Egame.1
Android.Triada.248.origin
Android.Triada.373.origin

Сетевая активность:

Подключается к:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) sd####.cm####.com:80
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) 1####.159.18.80:8000
TCP(HTTP/1.1) 2####.86.5.167:14840
TCP(HTTP/1.1) wap.cm####.com:7758
TCP(HTTP/1.1) app####.m####.cn:8080
TCP(HTTP/1.1) and####.b####.qq.com:80
TCP(HTTP/1.1) s####.cdn.cmv####.cn:8080
TCP(HTTP/1.1) sdk.cm####.com:80
TCP(HTTP/1.1) drm.cm####.com:80
TCP(HTTP/1.1) 2####.111.8.140:8080
TCP(HTTP/1.1) int.d####.s####.####.cn:80
TCP(TLS/1.0) bj####.ads.oppomo####.com:443
TCP(TLS/1.0) u####.ads.oppomo####.com:443

Запросы DNS:

a####.u####.com
and####.b####.qq.com
app####.m####.cn
bj####.ads.oppomo####.com
drm.cm####.com
int.d####.s####.####.cn
s####.cmv####.cn
sd####.cm####.com
sdk.cm####.com
u####.ads.oppomo####.com
wap.cm####.com

Запросы HTTP GET:

drm.cm####.com/egsb/game/getclientProvince?tel=####&iccid=####&imsi=####
drm.cm####.com/egsb/startup/queryConfiguration?channelId=####&contentId=...
drm.cm####.com/egsb/verification/checkSDKModuleUpdate?sdkVersion=####&co...
s####.cdn.cmv####.cn:8080/MiguPay.SO30.Lib_052215_6EC0554B95153E04937EFB...
s####.cdn.cmv####.cn:8080/MiguPay.Sdk30.Lib_12003051_0D2430D03AC65FD8AFA...
sdk.cm####.com/download//encryptVersion/2018020110000014_201802011439320...
sdk.cm####.com/download//moduleVersion/marketing_109_20171020181419961.jar
sdk.cm####.com/download//moduleVersion/marketing_110_20171208111959003.jar

Запросы HTTP POST:

a####.u####.com/app_logs
and####.b####.qq.com/rqd/async
app####.m####.cn:8080/migusdk/tl/tcttl
app####.m####.cn:8080/migusdk/verification/checkSdkUpdate
drm.cm####.com/egsb/dataPlan/privateSwith
drm.cm####.com/egsb/desktopShortcut/queryAll
drm.cm####.com/egsb/discount/getPreQueryResult
drm.cm####.com/egsb/game/getPaymentCapability
drm.cm####.com/egsb/gshare/switches
drm.cm####.com/egsb/message/queryPushMessages
drm.cm####.com/egsb/otherPay/querySMSInterceptorConf
drm.cm####.com/egsb/publicService/getServerTime
drm.cm####.com/egsb/recommendGame/getAdvertisementList
drm.cm####.com/egsb/thirdPay/queryThirdPayInfo
drm.cm####.com/egsb/verification/checkEncryptUpdate
drm.cm####.com/egsb/verification/getUpdateUrl
int.d####.s####.####.cn/iplookup/iplookup.php
sd####.cm####.com/behaviorLogging/eventLogging/accept?
wap.cm####.com:7758/normandie/QueryConfigPolicy

Изменения в файловой системе:

Создает следующие файлы:

<Package Folder>/2068.dex
<Package Folder>/2231.dex
<Package Folder>/2380.dex
<Package Folder>/app_cache/Iwnb.dex
<Package Folder>/cache/####/marketing_109.dex
<Package Folder>/cache/2068.dex (deleted)
<Package Folder>/cache/2231.dex (deleted)
<Package Folder>/databases/MiguSdkDb-journal
<Package Folder>/databases/bugly_db_legu-journal
<Package Folder>/databases/cc.db
<Package Folder>/databases/cc.db-journal
<Package Folder>/databases/ua.db
<Package Folder>/databases/ua.db-journal
<Package Folder>/databases/webview.db-journal
<Package Folder>/files/####/SD2h4HuhG2owfl18.dex
<Package Folder>/files/####/SD2h4HuhG2owfl18.zip
<Package Folder>/files/####/Se5_EdhFCmRxcOGm3tZONw==
<Package Folder>/files/####/_yTApX8OwfEsdqMUdaUQ1Q==
<Package Folder>/files/####/activity_main.xml
<Package Folder>/files/####/adapter_demo_layout.xml
<Package Folder>/files/####/exchangeIdentity.json
<Package Folder>/files/####/g_color.xml
<Package Folder>/files/####/g_strings.xml
<Package Folder>/files/####/g_strings_gamepad.xml
<Package Folder>/files/####/g_strings_leaderboard.xml
<Package Folder>/files/####/g_styles.xml
<Package Folder>/files/####/game_arrow_big.png
<Package Folder>/files/####/game_arrow_little.png
<Package Folder>/files/####/game_arrow_text.png
<Package Folder>/files/####/game_businesscard.png
<Package Folder>/files/####/game_check_success.png
<Package Folder>/files/####/game_checkbox_mark.png
<Package Folder>/files/####/game_contacts.png
<Package Folder>/files/####/game_failure.png
<Package Folder>/files/####/game_grey_logo.png
<Package Folder>/files/####/game_loading.png
<Package Folder>/files/####/game_logo.png
<Package Folder>/files/####/game_network.png
<Package Folder>/files/####/game_people.png
<Package Folder>/files/####/game_piccode_refresh_touched.png
<Package Folder>/files/####/game_save.png
<Package Folder>/files/####/game_show_pwd.png
<Package Folder>/files/####/game_start_logo.png
<Package Folder>/files/####/game_success.png
<Package Folder>/files/####/gray.png
<Package Folder>/files/####/icon_about.png
<Package Folder>/files/####/icon_annoucement_close.png
<Package Folder>/files/####/icon_back.png
<Package Folder>/files/####/icon_bind_email.png
<Package Folder>/files/####/icon_bind_tel.png
<Package Folder>/files/####/icon_businesscard.png
<Package Folder>/files/####/icon_center_about.png
<Package Folder>/files/####/icon_center_arrow.png
<Package Folder>/files/####/icon_center_look.png
<Package Folder>/files/####/icon_center_save.png
<Package Folder>/files/####/icon_check_failure.png
<Package Folder>/files/####/icon_checkbox.png
<Package Folder>/files/####/icon_close.png
<Package Folder>/files/####/icon_common_problem.png
<Package Folder>/files/####/icon_compact_close.png
<Package Folder>/files/####/icon_discount_icon.png
<Package Folder>/files/####/icon_edit_del.png
<Package Folder>/files/####/icon_email_icon.png
<Package Folder>/files/####/icon_extend.png
<Package Folder>/files/####/icon_firends_circle.png
<Package Folder>/files/####/icon_full_arrow_down.png
<Package Folder>/files/####/icon_full_arrow_up.png
<Package Folder>/files/####/icon_grey_contacts.png
<Package Folder>/files/####/icon_head.png
<Package Folder>/files/####/icon_hide_pwd.png
<Package Folder>/files/####/icon_magnet_draghide.png
<Package Folder>/files/####/icon_magnet_gameshare.png
<Package Folder>/files/####/icon_magnet_help.png
<Package Folder>/files/####/icon_magnet_onlineservice.png
<Package Folder>/files/####/icon_magnet_startlogin.png
<Package Folder>/files/####/icon_magnet_welfare.png
<Package Folder>/files/####/icon_notification.png
<Package Folder>/files/####/icon_online_service.png
<Package Folder>/files/####/icon_people.png
<Package Folder>/files/####/icon_personal_bg.png
<Package Folder>/files/####/icon_personal_bg_l.png
<Package Folder>/files/####/icon_piccode.png
<Package Folder>/files/####/icon_piccode_refresh.png
<Package Folder>/files/####/icon_qq.png
<Package Folder>/files/####/icon_recommend_flow_one.png
<Package Folder>/files/####/icon_recommend_flow_third.png
<Package Folder>/files/####/icon_recommend_flow_two.png
<Package Folder>/files/####/icon_recommend_hall.png
<Package Folder>/files/####/icon_rightextend.png
<Package Folder>/files/####/icon_security_setting.png
<Package Folder>/files/####/icon_service_tel.png
<Package Folder>/files/####/icon_share_game.png
<Package Folder>/files/####/icon_shrink.png
<Package Folder>/files/####/icon_sina.png
<Package Folder>/files/####/icon_sms.png
<Package Folder>/files/####/icon_tel.png
<Package Folder>/files/####/icon_transaction_detail.png
<Package Folder>/files/####/icon_upgrade_pass.png
<Package Folder>/files/####/icon_wechat.png
<Package Folder>/files/####/icon_window.png
<Package Folder>/files/####/layout_main.xml
<Package Folder>/files/####/libmiguED.so
<Package Folder>/files/####/main.xml
<Package Folder>/files/####/main_menu_item.xml
<Package Folder>/files/####/messageapp.xml
<Package Folder>/files/####/notification_message_icon.xml
<Package Folder>/files/####/notification_message_pic.xml
<Package Folder>/files/####/opening_sound.mp3
<Package Folder>/files/####/pay_icon_0.png
<Package Folder>/files/####/pay_icon_1.png
<Package Folder>/files/####/pay_icon_2.png
<Package Folder>/files/####/pay_icon_3.png
<Package Folder>/files/####/pay_icon_4.png
<Package Folder>/files/####/pay_icon_5.png
<Package Folder>/files/####/pay_icon_payment.png
<Package Folder>/files/####/pay_icon_phonenumber.png
<Package Folder>/files/####/pay_icon_telpoint.png
<Package Folder>/files/####/plus_businesscard.png
<Package Folder>/files/####/plus_check_success.png
<Package Folder>/files/####/plus_checkbox_mark.png
<Package Folder>/files/####/plus_contacts.png
<Package Folder>/files/####/plus_failure.png
<Package Folder>/files/####/plus_grey_logo.png
<Package Folder>/files/####/plus_loading.png
<Package Folder>/files/####/plus_logo.png
<Package Folder>/files/####/plus_network.png
<Package Folder>/files/####/plus_people.png
<Package Folder>/files/####/plus_piccode_refesh_touched.png
<Package Folder>/files/####/plus_save.png
<Package Folder>/files/####/plus_show_pwd.png
<Package Folder>/files/####/plus_start_logo.png
<Package Folder>/files/####/plus_success.png
<Package Folder>/files/####/qgHoH7C4rAenJDdhBmBSaA==.new
<Package Folder>/files/####/qraHWzdXXCzpltmkTmE1GQ==.new
<Package Folder>/files/####/shortcut_desktop_icon.png
<Package Folder>/files/####/tbijvg_f.dex
<Package Folder>/files/####/tbijvg_f.zip
<Package Folder>/files/####/yv4vHkv52gsW7nQf
<Package Folder>/files/.imprint
<Package Folder>/files/ED.ini
<Package Folder>/files/Iwnb
<Package Folder>/files/Iwnb.jar
<Package Folder>/files/MiguPay.Sdk30.Lib_12003049_2b7f405527637...02.cod
<Package Folder>/files/MiguPay.Sdk30.Lib_12003049_2b7f405527637...02.dat
<Package Folder>/files/MiguPay.Sdk30.Lib_12003051_6820f27d8eae4...02.cod
<Package Folder>/files/MiguPay.Sdk30.Lib_12003051_6820f27d8eae4...02.dat
<Package Folder>/files/MiguPay.Sdk30.Res_00026009_B23E4BF74564F...02.zip
<Package Folder>/files/deviceId2
<Package Folder>/files/exid.dat
<Package Folder>/files/libmgRun_05.22.09_01.so
<Package Folder>/files/libmgRun_05.22.15_01.so
<Package Folder>/files/local_crash_lock
<Package Folder>/files/mgAS.dat
<Package Folder>/files/mgSS.dat
<Package Folder>/files/mgid.dat
<Package Folder>/files/native_record_lock
<Package Folder>/files/playerData
<Package Folder>/files/rdata_commfxxyzgamewppgamehlqsgdzznearme...er.new
<Package Folder>/files/sdk_prefs
<Package Folder>/files/security_info
<Package Folder>/files/umeng_it.cache
<Package Folder>/mix.dex
<Package Folder>/shared_prefs/<System Property>miguSdk12345.xml
<Package Folder>/shared_prefs/Alvin2.xml
<Package Folder>/shared_prefs/CitiGame.ini.xml
<Package Folder>/shared_prefs/ContextData.xml
<Package Folder>/shared_prefs/gamedata.xml
<Package Folder>/shared_prefs/miguGameBillingRequestMonitor.xml
<Package Folder>/shared_prefs/savefile.xml
<Package Folder>/shared_prefs/share.xml
<Package Folder>/shared_prefs/umeng_general_config.xml
<Package Folder>/tx_shell/libnfix.so
<Package Folder>/tx_shell/libshella-2.10.7.1.so
<Package Folder>/tx_shell/libufix.so
<Package Folder>/update/MiguPay.Sdk30.Lib_12003051_6820f27d8eae...02.cod
<Package Folder>/update/MiguPay.Sdk30.Lib_12003051_6820f27d8eae...02.dat
<Package Folder>/update/libmgRun_05.22.15_01.so
<Package Folder>/update/mgSS.dat
<SD-Card>/.DataStorage/ContextData.xml
<SD-Card>/.UTSystemConfig/####/Alvin2.xml
<SD-Card>/.mcs/mcs_msg.ini
<SD-Card>/Android/####/sysid.dat
<SD-Card>/Download/####/MiguPay.SO30.Lib_052215_6EC0554B95153E0...02.zip
<SD-Card>/Download/####/MiguPay.Sdk30.Lib_12003051_0D2430D03AC6...02.zip
<SD-Card>/Download/####/MiguPay.Sdk30.Lib_12003051_6820f27d8eae...02.cod
<SD-Card>/Download/####/MiguPay.Sdk30.Lib_12003051_6820f27d8eae...02.dat
<SD-Card>/Download/####/MiguPay.Sdk30.Res_00026009_B23E4BF74564...02.zip
<SD-Card>/Download/####/ShareData.txt
<SD-Card>/Download/####/deviceId
<SD-Card>/Download/####/deviceId2
<SD-Card>/Download/####/libmgRun_05.22.15_01.so
<SD-Card>/Download/####/sdk_prefs.txt
<SD-Card>/cmgame/####/marketing_109.jar
<SD-Card>/cmgame/####/marketing_111.jar
<SD-Card>/cmgame/####/pushDB.txt
<SD-Card>/cmgame/####/pushTime.txt
<SD-Card>/cmgame/####/pushTotal.txt
<SD-Card>/migu/####/crypto.js
<SD-Card>/migu/####/crypto.zip

Другие:

Запускает следующие shell-скрипты:

/system/bin/sh -c getprop ro.aa.romver
/system/bin/sh -c getprop ro.board.platform
/system/bin/sh -c getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.build.rom.id
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.version.emui
/system/bin/sh -c getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.lenovo.series
/system/bin/sh -c getprop ro.lewa.version
/system/bin/sh -c getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.vivo.os.build.display.id
/system/bin/sh -c type su
chmod 700 <Package Folder>/tx_shell/libnfix.so
chmod 700 <Package Folder>/tx_shell/libshella-2.10.7.1.so
chmod 700 <Package Folder>/tx_shell/libufix.so
getprop ro.aa.romver
getprop ro.board.platform
getprop ro.build.fingerprint
getprop ro.build.nubia.rom.name
getprop ro.build.rom.id
getprop ro.build.tyd.kbstyle_version
getprop ro.build.version.emui
getprop ro.build.version.opporom
getprop ro.gn.gnromvernumber
getprop ro.lenovo.series
getprop ro.lewa.version
getprop ro.meizu.product.model
getprop ro.miui.ui.version.name
getprop ro.vivo.os.build.display.id
getprop ro.yunos.version
logcat -d -v threadtime

Загружает динамические библиотеки:

Bugly
libmiguED
libnfix
libshella-2.10.7.1
libufix
megjb
nfix
ufix

Использует следующие алгоритмы для шифрования данных:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
AES-GCM-NoPadding
DES-ECB-PKCS5Padding
RSA-ECB-PKCS1Padding

Использует следующие алгоритмы для расшифровки данных:

AES-CBC-PKCS5Padding
AES-GCM-NoPadding
DES-CBC-PKCS5Padding
DES-ECB-PKCS5Padding
RSA-ECB-PKCS1Padding

Использует специальную библиотеку для скрытия исполняемого байткода.

Осуществляет доступ к информации о геолокации.

Осуществляет доступ к информации о сети.

Осуществляет доступ к информации о телефоне (номер, imei и тд.).

Осуществляет доступ к информации об установленных приложениях.

Добавляет задания в системный планировщик.

Отрисовывает собственные окна поверх других приложений.

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней