Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.127.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) po.funs####.com:80
- TCP(HTTP/1.1) i####.funs####.com:80
- TCP(HTTP/1.1) fun.adx.adma####.####.cn:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) m.i####.com:80
- TCP(HTTP/1.1) funshio####.cn.miao####.com:80
- TCP(HTTP/1.1) up####.v.qin####.com:80
- TCP(HTTP/1.1) mc.funs####.com:80
- TCP(HTTP/1.1) s####.funs####.net:80
- TCP a.p####.funs####.com:80
Запросы DNS:
- a.p####.funs####.com
- aa0.pub.funs####.com
- and####.b####.qq.com
- c####.funs####.com
- fun.adx.adma####.####.cn
- funshio####.cn.miao####.com
- i####.funs####.com
- i####.funs####.com
- i####.funs####.com
- icon####.p####.funs####.com
- img.funs####.com
- m.i####.com
- mc.funs####.com
- pam.funs####.com
- po.funs####.com
- pst.funs####.com
- pub.funs####.com
- s####.funs####.net
- up####.funs####.com
Запросы HTTP GET:
- fun.adx.adma####.####.cn/madv?tid=####&imei=####&adrid=####&mac=####&med...
- funshio####.cn.miao####.com/x/gif?m2=####&m6a=####&ns=####
- i####.funs####.com/sdw?oid=####&w=####&h=####
- m.i####.com/cfg/appkey-77971174c3591e16
- mc.funs####.com/interface/config?client=####&file=####&fmt=####&ver=####
- mc.funs####.com/interface/deliver?ap=####&deliver_ver=####&uid=####&isvi...
- mc.funs####.com/interface/deliver?deliver_ver=####&ap=####&uid=####&isvi...
- mc.funs####.com/interface/materials?ap=####&client=####&uid=####&isvip=#...
- po.funs####.com/aggregate/apad/apad.lua?c9187de####
- po.funs####.com/fpupdate/INI/config_update_funplayer.txt
- po.funs####.com/interface/?object_id=####&v=####&id=####&uid=####&os_ver...
- po.funs####.com/v5/config/cache?cl=####&ve=####
- po.funs####.com/v5/config/general?cl=####&ve=####
- po.funs####.com/v5/config/init?cl=####&ve=####&mac=####&uc=####&apptype=...
- po.funs####.com/v5/config/log?cl=####&ve=####&mac=####&uc=####&apptype=#...
- po.funs####.com/v6/aggregate/init?cl=####&ve=####&mac=####&uc=####&si=##...
- po.funs####.com/v7/config/channel?cl=####&ve=####&mac=####&uc=####&si=##...
- po.funs####.com/v7/config/homepage?cl=####&ve=####&mac=####&uc=####&si=#...
- po.funs####.com/v7/config/personal?fudid=####&pg=####&sz=####&cl=####&ve...
- s####.funs####.net/ecom-ad/app_adaxp?dev=####&ver=####&fudid=####&sid=##...
- s####.funs####.net/ecom-ad/app_mzipdx?dev=####&ver=####&fudid=####&sid=#...
- s####.funs####.net/ecom_mobile/bootstrap?dev=####&ver=####&fudid=####&si...
- s####.funs####.net/ecom_mobile/fplay?dev=####&ver=####&fudid=####&sid=##...
- s####.funs####.net/ecom_mobile/servicehb?dev=####&ver=####&fudid=####&si...
- up####.v.qin####.com/sdw?oid=####&w=####&h=####
Запросы HTTP POST:
- and####.b####.qq.com/rqd/async
- m.i####.com/rec/se?_iwt_t=####&sv=####
- mc.funs####.com/interface/mc?mcid=####
- po.funs####.com/v2/app/register
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_lib/####/libBugly.so
- <Package Folder>/app_lib/####/libMMANDKSignature.so
- <Package Folder>/app_lib/####/libfsp2p.so
- <Package Folder>/app_lib/####/libfsplayer_arm.so
- <Package Folder>/app_lib/####/libfsplayer_armv7neon.so
- <Package Folder>/app_lib/####/libluajava.so
- <Package Folder>/app_lib/####/libmresearch.so
- <Package Folder>/app_lib/####/libshella-2.10.6.0.so
- <Package Folder>/app_lib/####/libshellx-2.10.6.0.so
- <Package Folder>/app_lib/####/libsuperapp_base.so
- <Package Folder>/app_lib/####/libsuperapp_ex.so
- <Package Folder>/app_lib/####/libweibosdkcore.so
- <Package Folder>/databases/_ire-journal
- <Package Folder>/databases/bugly_db_legu-journal
- <Package Folder>/databases/funshion.db-journal
- <Package Folder>/databases/utsdk-journal
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/native_record_lock
- <Package Folder>/files/security_info
- <Package Folder>/mix.dex
- <Package Folder>/shared_prefs/MATSharedPreferences.xml
- <Package Folder>/shared_prefs/cn.com.mma.mobile.tracking.other.xml
- <Package Folder>/shared_prefs/fudid.xml
- <Package Folder>/shared_prefs/funshion.xml
- <Package Folder>/shared_prefs/funshion.xml.bak
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/preference_aggregate.xml
- <Package Folder>/tx_shell/libnfix.so
- <Package Folder>/tx_shell/libshella-2.10.6.0.so
- <Package Folder>/tx_shell/libufix.so
- <SD-Card>/.fudid
- <SD-Card>/funshion/####/1a812fa45faa5f227738cfd6a543a0faad6b930a.cache
- <SD-Card>/funshion/####/1jignf3386pfnlxo6ccszql23.0.tmp
- <SD-Card>/funshion/####/1jvnr7mgkf5o4o9sttqqve87e.0.tmp
- <SD-Card>/funshion/####/1p0xosmqw8342os2u9nkxjohc.0.tmp
- <SD-Card>/funshion/####/2lh2c9mgsoikon3vskv9ywlfv.0.tmp
- <SD-Card>/funshion/####/2pyxudd7o9wrl53xr4246tb1.0.tmp
- <SD-Card>/funshion/####/2zh6dnjazeolvyykgu9xfrn07.0.tmp
- <SD-Card>/funshion/####/39dk41l8ud594z7ggbym2zxyd.0.tmp
- <SD-Card>/funshion/####/3ilc7gx0inyjq8fg781qa0r2a.0.tmp
- <SD-Card>/funshion/####/4beaaeef8f9363a13e907bb18fece469685a1766.cache
- <SD-Card>/funshion/####/4jjan83dk0nuy2h4huv2ay1kx.0.tmp
- <SD-Card>/funshion/####/56pf67eso9s8xdfwcc1x822wp.0.tmp
- <SD-Card>/funshion/####/59lb7j91sewo77jl76r1d5gbd.0.tmp
- <SD-Card>/funshion/####/5g4m35uyn8dlxlevaok0420su.0.tmp
- <SD-Card>/funshion/####/5mindfxtnl94khwxvreys9xah.0.tmp
- <SD-Card>/funshion/####/5pkez7gupyw8jt8zefoqczbvb.0.tmp
- <SD-Card>/funshion/####/60f3tf0pvsocp3eul61n4o1wz.0.tmp
- <SD-Card>/funshion/####/6cb391yr9s3aaex4zl32i8idv.0.tmp
- <SD-Card>/funshion/####/6iwwaufedn2lp0w96cfwsgni1.0.tmp
- <SD-Card>/funshion/####/6m99xj4kxl88jfxna6f28og7b.0.tmp
- <SD-Card>/funshion/####/6pylvd98bh12q4krbsjang79o.0.tmp
- <SD-Card>/funshion/####/6tkdbz0myl1qvu0991wtg870l.0.tmp
- <SD-Card>/funshion/####/7cpx7w9i095finp6yp3245zdx.0.tmp
- <SD-Card>/funshion/####/7ec84e1b222b88bd6b09524f629ee5dffc2a3ad6.cache
- <SD-Card>/funshion/####/7f5lqmog3zzv93qwpvkzyw9ra.0.tmp
- <SD-Card>/funshion/####/8414f4685b1e719530fe3cf6967ee0f2ef0c4a35.cache
- <SD-Card>/funshion/####/ac14cc0dec597a2c73cbee695cc9e9e9898b7720.cache
- <SD-Card>/funshion/####/c9187def2e7a5d4cf44f8fd5e0568cc7
- <SD-Card>/funshion/####/cache.rules.tmp
- <SD-Card>/funshion/####/config.ini.tmp
- <SD-Card>/funshion/####/funshion.ini
- <SD-Card>/funshion/####/funshion_apad_2.2.0.5_afaf7dfd447e_20171116.log
- <SD-Card>/funshion/####/i2xqbv2giadjz8e9zjq4eh8r.0.tmp
- <SD-Card>/funshion/####/journal.tmp
- <SD-Card>/funshion/####/p2p_config.ini
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.10.6.0.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
Загружает динамические библиотеки:
- Bugly
- fsp2p
- libfsp2p
- libnfix
- libshella-2.10.6.0
- libufix
- mresearch
- nfix
- ufix
Использует следующие алгоритмы для шифрования данных:
- AES-GCM-NoPadding
- DES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-GCM-NoPadding
- DES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
