Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Dowgin.15.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) wx.q####.cn:80
- TCP(HTTP/1.1) hi.fi.ah####.com:80
- TCP(HTTP/1.1) tinyq####.ove####.b0.####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) api.h####.koudaib####.com:80
- TCP(HTTP/1.1) loc.map.b####.com:80
- TCP(HTTP/1.1) a####.b####.qq.com:8011
- TCP(TLS/1.0) i####.doub####.com:443
- TCP(TLS/1.0) regi####.xm####.xi####.com:443
Запросы DNS:
- a####.b####.qq.com
- a####.u####.com
- and####.b####.qq.com
- api.h####.koudaib####.com
- h####.h####.koudaib####.com
- hi.fi.ah####.com
- i####.doub####.com
- loc.map.b####.com
- q.q####.cn
- regi####.xm####.xi####.com
- res.h####.koudaib####.com
- wx.q####.cn
Запросы HTTP GET:
- api.h####.koudaib####.com/api/common/aver?version=####&channel=####&ts=#...
- api.h####.koudaib####.com/api/common/configs
- api.h####.koudaib####.com/api/search/configs
- api.h####.koudaib####.com/api/series/comments?sid=####&offset=####&count...
- api.h####.koudaib####.com/api/series/detailV3?sid=####
- api.h####.koudaib####.com/api/series/indexV2?offset=####&count=####
- api.h####.koudaib####.com/api/series/itemRefV3?pid=####
- api.h####.koudaib####.com/bbs/api/forum/posts?tid=####&page=####
- api.h####.koudaib####.com/bbs/api/forum/seriesTopics?sid=####&page=####
- api.h####.koudaib####.com/bbs/api/forum/topicInfo?tid=####
- hi.fi.ah####.com/l5
- tinyq####.ove####.b0.####.com/base_a_fbe5a77e71b223e35b60de4c4d52d370
- tinyq####.ove####.b0.####.com/bd_a_v1
- tinyq####.ove####.b0.####.com/hj_res/Fg1va-RL1MSvn68EwnMuEUfLaEMx.jpg?im...
- tinyq####.ove####.b0.####.com/hj_res/Fk2BP5EGzFDswZ0KbCLrFV2zvoY4.jpg?im...
- tinyq####.ove####.b0.####.com/hj_res/FlvQoYQ_INM0z0CUnzIlmmqlmypx.jpg?im...
- tinyq####.ove####.b0.####.com/hj_res/FnOh5ENwgXmXRT0P5q8_4_pOBSxk.jpg?im...
- tinyq####.ove####.b0.####.com/hj_res/FnZwRQvARrOg0jBds-uTggNWjpdK.jpg?im...
- tinyq####.ove####.b0.####.com/hj_res/FnvrIWVThxvCAb0Kul_DjsK9Coq2.jpg?im...
- tinyq####.ove####.b0.####.com/hj_res/FoRatxXoe7r9SouhT0_yOtrIx0CR.jpg?im...
- tinyq####.ove####.b0.####.com/hj_res/FopRlrRSpJS2pyhq6R5rq_Mju_u0.jpg?im...
- tinyq####.ove####.b0.####.com/hj_res/FtTruQfkNCgvARKLWdcuimXrWfPa.jpg?im...
- tinyq####.ove####.b0.####.com/qq_a_a69d0bd9609d7f9d8af716e2e4882d62
- tinyq####.ove####.b0.####.com/search_a_n_v1.js
- tinyq####.ove####.b0.####.com/yk_a_ae1dc0922b9db842062515acdd8a6b8c
- wx.q####.cn/mmopen/dua973Eyo6Dbf7iaVk24eYcJ4LFUFDn9j4buxo8icBwqDrJTNs9t9...
- wx.q####.cn/mmopen/ruZeDohm8l0mA4f6micNJiaL4DxIh3ppsm5mnBiaxdwFibky92zoq...
Запросы HTTP POST:
- a####.b####.qq.com:8011/rqd/async
- a####.u####.com/app_logs
- and####.b####.qq.com/rqd/async
- loc.map.b####.com/offline_loc
- loc.map.b####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/-1118661919-726006901
- <Package Folder>/cache/####/-11186619191759761614
- <Package Folder>/cache/####/-149953331-301421719
- <Package Folder>/cache/####/-494099951-1166297729
- <Package Folder>/cache/####/-494099951-1436793880
- <Package Folder>/cache/####/-49409995111890136
- <Package Folder>/cache/####/-9529348381814199803
- <Package Folder>/cache/####/1938720450-1187504448
- <Package Folder>/cache/####/3336504431953378779
- <Package Folder>/cache/####/410804788-1433676193
- <Package Folder>/cache/####/844535757-1609282166
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/index
- <Package Folder>/databases/bugly_db_-journal
- <Package Folder>/databases/hanjudb.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/firll.dat
- <Package Folder>/files/####/ofl.config
- <Package Folder>/files/####/ofl_location.db
- <Package Folder>/files/####/ofl_location.db-journal
- <Package Folder>/files/####/ofl_statistics.db
- <Package Folder>/files/####/ofl_statistics.db-journal
- <Package Folder>/files/.imprint
- <Package Folder>/files/3290457c.jar
- <Package Folder>/files/libcuid.so
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/security_info
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/9e984.xml
- <Package Folder>/shared_prefs/hanju_app_prefer.xml
- <Package Folder>/shared_prefs/mipush.xml
- <Package Folder>/shared_prefs/mipush_extra.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/034a46edc4bb5b3870f8c9ead92eb9c6fd6564a7....0.tmp
- <SD-Card>/Android/####/0f759ba1ccd075b6008ee1de01720f26118fbed3....0.tmp
- <SD-Card>/Android/####/111daad1af2a3f2cbf1f23e704e5eec22f81db03....0.tmp
- <SD-Card>/Android/####/13032d1202d241f733bfbba11a94f1cf805b07c8....0.tmp
- <SD-Card>/Android/####/13a847e8bf3768f6fccaef6dcb7e03ada17803e2....0.tmp
- <SD-Card>/Android/####/19035042c836bf6d32741cdca78feca04024046a....0.tmp
- <SD-Card>/Android/####/1acf7b4501ccec6979cdb9ff0eadd459cddad4ce....0.tmp
- <SD-Card>/Android/####/2716c78ca9d8ce3ac504b307426aa236816d1cd3....0.tmp
- <SD-Card>/Android/####/2774a0f299684607eae0a999a2acfb3a69a3c684....0.tmp
- <SD-Card>/Android/####/2eb5d2543b5e1f85c6f22b721aa3012856b5acdd....0.tmp
- <SD-Card>/Android/####/33313c4482f79c6aff5fe627eae08cd226c76bdc....0.tmp
- <SD-Card>/Android/####/35cff064e0030ac72acf671d0c72cbe46a83f9e1....0.tmp
- <SD-Card>/Android/####/3c0cddd1317938a63eb25d24a8c914e0ff695daf....0.tmp
- <SD-Card>/Android/####/41b42ed54f604ccd61e56df962eca811accdf3a1....0.tmp
- <SD-Card>/Android/####/4260979ea796a5bb1d4a0b343387c7277192cfef....0.tmp
- <SD-Card>/Android/####/4b2c833f981e4cdf4d0403ad9115eac0408e291b....0.tmp
- <SD-Card>/Android/####/50e9a1215cfbc1a9c6b12f1d4f9532ead81ab505....0.tmp
- <SD-Card>/Android/####/683db89467214a4b1a3ca9883723285bcf40df7f....0.tmp
- <SD-Card>/Android/####/6871466b2f1765a3215263f0a65342d63c0c9e1f....0.tmp
- <SD-Card>/Android/####/71cf2d3b17c1f567f0c0c19199086df07d80166c....0.tmp
- <SD-Card>/Android/####/7d268f1fca0d5361d917d69cab0dcafb56b80fdc....0.tmp
- <SD-Card>/Android/####/806bcae66af7642edff760849a6de4a946288f75....0.tmp
- <SD-Card>/Android/####/a0a9f112a10ee05bed0dabcc6be458320528d2f5....0.tmp
- <SD-Card>/Android/####/a29a9b47aca6e7e6b7ca597c94c7685a73cb5013....0.tmp
- <SD-Card>/Android/####/baaa73608f68bf4928da626bfe75dbdabf905068....0.tmp
- <SD-Card>/Android/####/be40d286169bc577f6fa195eb982bfebc636ae18....0.tmp
- <SD-Card>/Android/####/be6676070164f034898f582e68c3965a36ad73bb....0.tmp
- <SD-Card>/Android/####/cd206efb35442e3343b8b03e216850b24a5b642c....0.tmp
- <SD-Card>/Android/####/d7ca1d7cc8f2c8bddcc13d0afb7f52638a99a7bf....0.tmp
- <SD-Card>/Android/####/dd18efff5b091c09d7132d82604d84bc1e9e59d4....0.tmp
- <SD-Card>/Android/####/de3ddfc40803d94064ec111a9452bb496720baee....0.tmp
- <SD-Card>/Android/####/e026903c80ecaa654d112a2c1d12ebc55726d1c1....0.tmp
- <SD-Card>/Android/####/f7aa2b3301f95773a5f3850fb60f51db36024a5b....0.tmp
- <SD-Card>/Android/####/journal
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/Android/####/log.lock
- <SD-Card>/Android/####/log1.txt
- <SD-Card>/Tencent/####/com.tencent.mobileqq_connectSdk.17.11.16.11.log
- <SD-Card>/backups/####/.cuid
- <SD-Card>/backups/####/.cuid2
- <SD-Card>/baidu/####/conlts.dat
- <SD-Card>/baidu/####/ller.dat
- <SD-Card>/baidu/####/ls.db
- <SD-Card>/baidu/####/ls.db-journal
- <SD-Card>/baidu/####/yoh.dat
- <SD-Card>/baidu/####/yol.dat
- <SD-Card>/baidu/####/yom.dat
- <SD-Card>/hanju/####/24c4b4cada2ab4bb020208832bca1c96.js_temp
- <SD-Card>/hanju/####/666e5d5c241067f94c3486ed77537a0a.js_temp
- <SD-Card>/hanju/####/c842503a8125b0bbe0c7ef8641e5931d.js_temp
- <SD-Card>/hanju/####/d54ba221b0ca9f5057ac0ea1bff938aa.js_temp
- <SD-Card>/hanju/####/search_a_n_v1.js_temp
- <SD-Card>/hanju/.nomedia
- <SD-Card>/test.0
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop androVM.vbox_dpi
- /system/bin/sh -c getprop gsm.sim.state
- /system/bin/sh -c getprop gsm.sim.state2
- /system/bin/sh -c getprop qemu.sf.fake_camera
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.debuggable
- /system/bin/sh -c getprop ro.genymotion.version
- /system/bin/sh -c getprop ro.secure
- /system/bin/sh -c type su
- getprop androVM.vbox_dpi
- getprop gsm.sim.state
- getprop gsm.sim.state2
- getprop qemu.sf.fake_camera
- getprop ro.board.platform
- getprop ro.debuggable
- getprop ro.genymotion.version
- getprop ro.secure
Загружает динамические библиотеки:
- Bugly
- locSDK6a
- ndkbitmap
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-GCM-NoPadding
- DES
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- AES-GCM-NoPadding
- DES
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
