Техническая информация
Вредоносные функции:
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.0) tcms-a####.wan####.ta####.com:443
- TCP(HTTP/1.1) haowa####.oss.aliy####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) m.d####.mob.com:80
- TCP(HTTP/1.1) d####.d####.mob.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) w####.q####.dn.####.com:80
- TCP(HTTP/1.1) c.d####.mob.com:80
- TCP(HTTP/1.1) a####.m.ta####.com:80
- TCP(HTTP/1.1) api.s####.mob.com:80
- TCP(HTTP/1.1) tcms-op####.wan####.ta####.com:80
- TCP(HTTP/1.1) s.haowa####.com:8900
- TCP(TLS/1.0) msg.umengc####.com:443
- TCP(TLS/1.0) s.haowa####.com:8008
- TCP(TLS/1.0) a####.a####.m.####.com:443
- TCP umengj####.m.ta####.com:80
- TCP zhizhi####.com:5222
- TCP 2####.204.101.107:80
- TCP ope####.m.ta####.com:443
Запросы DNS:
- _ja####._####.zhizhi####.com
- _xmpp-c####._####.zhizhi####.com
- a####.exc.mob.com
- a####.m.ta####.com
- a####.m.ta####.com
- a####.u####.com
- ag####.m.ta####.com
- api.s####.mob.com
- c.d####.mob.com
- d####.d####.mob.com
- haowa####.oss.aliy####.com
- haowa####.qin####.com
- hotp####.wan####.ta####.com
- m.d####.mob.com
- msg.umengc####.com
- s.haowa####.com
- tcms-a####.wan####.ta####.com
- tcms-op####.wan####.ta####.com
- umen####.m.ta####.com
- umengj####.m.ta####.com
- zhizhi####.com
Запросы HTTP GET:
- haowa####.oss.aliy####.com/05a782fdb8cd6755adaf07f3b2f0040d
- haowa####.oss.aliy####.com/0b0af23d2d74a530acd04c61e074ec6c
- haowa####.oss.aliy####.com/141a26ae0487f6ade6db909dd1b77bc2
- haowa####.oss.aliy####.com/14acfdbd5fd0e9c5e40918a71778d6af
- haowa####.oss.aliy####.com/2313779d1b60d704bd9dc87c7a0cf8f0
- haowa####.oss.aliy####.com/250f254fb96fe983e0d4472e99977c35
- haowa####.oss.aliy####.com/2936545ecfd59cc5fc33f8ed1cfa6417
- haowa####.oss.aliy####.com/2f62bd7ed9f68a3a421a1b28084266f0
- haowa####.oss.aliy####.com/455c26d21cfdf5167258318896285b3e
- haowa####.oss.aliy####.com/4dcba349f63aef64238daa2cfece3b04
- haowa####.oss.aliy####.com/57f75b8e64cafafce2ee7c2f17171695
- haowa####.oss.aliy####.com/5b24f7421e7b7ca55c4b53bcdb64e529
- haowa####.oss.aliy####.com/61774e10d78a12699b75c3fd4869d08e
- haowa####.oss.aliy####.com/6c0a8e5bccc10739648c8c5faa641499
- haowa####.oss.aliy####.com/6d6a4bfdd46394926a0ae40f2ee1150f
- haowa####.oss.aliy####.com/a75d8c589459b458b5a383370b6e8b34
- haowa####.oss.aliy####.com/a795a88c45d030ae767b30b6b80d65fd
- haowa####.oss.aliy####.com/a91c791ec27c8051886acea89988f843
- haowa####.oss.aliy####.com/b95c83456e211127a45621e64dfb6481
- haowa####.oss.aliy####.com/b9a70e19eb8112c9e83632d58181efb1
- haowa####.oss.aliy####.com/cf989b3bbe7227e075475d105a738a28
- haowa####.oss.aliy####.com/d189466b48f7ca394380d32fbc21a1f6
- haowa####.oss.aliy####.com/d922660b6d82eb5c924dc3e87989e93e
- haowa####.oss.aliy####.com/df122badcf4d3e782e5585684357fc7c
- haowa####.oss.aliy####.com/e64a0806b8b006f815ea63a579bd96d6
- haowa####.oss.aliy####.com/f96cd8acde67c8f766041968a1f72b92
- m.d####.mob.com/v4/cconf?appkey=####&plat=####&apppkg=####&appver=####&n...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetAppreClassInfo?jid=####
- s.haowa####.com:8900/RegisterDemo1/servlet/GetAppreciation?jid=####&acti...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetComList?noteid=####&visid=...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetInvcode?jid=####
- s.haowa####.com:8900/RegisterDemo1/servlet/GetNewsList?jid=####&newsid=#...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetNoteInfo?noteid=####&jid=#...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetRecomUser?page=####&subtyp...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetUserInfo?jid=####&vsjid=####
- s.haowa####.com:8900/RegisterDemo1/servlet/HuabarMarket?type=####&warety...
- s.haowa####.com:8900/RegisterDemo1/servlet/SyncSp?jid=####
- s.haowa####.com:8900/RegisterDemo1/servlet/UpLoadUmToken?jid=####&passwd...
- tcms-a####.wan####.ta####.com:443/imlogingw/tcp60login?devid=####&ver=####
- tcms-op####.wan####.ta####.com/getapprule?appkey=####&appId=####
- w####.q####.dn.####.com/00522ded7110061af0ed943baff9a039
- w####.q####.dn.####.com/1b9dae476c81d19256699c664547d159
- w####.q####.dn.####.com/2018-03-17-21-43-07cnavd2fm-0.png
- w####.q####.dn.####.com/2018-03-21-00-24-5229g1uk8p-0.png
- w####.q####.dn.####.com/2018-03-28-18-40-11325a1hnw-0.png
- w####.q####.dn.####.com/2018-04-02-18-22-54o3xm7o5o-0.png
- w####.q####.dn.####.com/2018-04-02-20-47-03pdt3mwom-0.png
- w####.q####.dn.####.com/3a7d3e42447ce365fcd06fa0a317e147
- w####.q####.dn.####.com/3bc39e607e5c3e5e9884957674d04690
- w####.q####.dn.####.com/3e8119482822230c9b88b34c2bab2213
- w####.q####.dn.####.com/403f2a7e22b4208c888bbeafa3cc2b1e
- w####.q####.dn.####.com/412240e262357972b2c36bd468d7aa13
- w####.q####.dn.####.com/4918b5208c6a92492b3f589a2ce78b78
- w####.q####.dn.####.com/4a719f5b182395d90af9ce2eb571e4a0
- w####.q####.dn.####.com/4c54d5bdc602bfcdad37f7b6685065e1
- w####.q####.dn.####.com/5059458ca6e04473b0842e703609222b
- w####.q####.dn.####.com/57b04359fff19755e6d3354ed7712423
- w####.q####.dn.####.com/58089e31c090a413928eeab1e8efd6b0
- w####.q####.dn.####.com/67924a35e0584abed318c1b647e3c8af
- w####.q####.dn.####.com/80cd15493cd6a3ed3056bb98967b1cbc
- w####.q####.dn.####.com/928df2946582c6db70ef4b26393f7919
- w####.q####.dn.####.com/932553cc7bdb8d8753547feca1d96140
- w####.q####.dn.####.com/97c3c018c8e3d8a768b2618634e424c6
- w####.q####.dn.####.com/b6c25d84ee6d2bd1cd7b797a3047cc86
- w####.q####.dn.####.com/d6adf95f5f8c6582e3c784cc4132931a
- w####.q####.dn.####.com/dac5298eab34d9b9d6dce47838184677
- w####.q####.dn.####.com/db0d18bd2f2d50b65bb4f87573b91a16
- w####.q####.dn.####.com/dfcdbc27f0e46f4d027620bc46008709
- w####.q####.dn.####.com/ed72401e5b1e0ddf45d3bd9bdc84765f
- w####.q####.dn.####.com/f5992663ee0b8ac12985611fbd84dcf7
Запросы HTTP POST:
- a####.exc.mob.com/errconf
- a####.m.ta####.com/rest/gc?dd=####&nsgs=####&ak=####&av=####&c=####&v=##...
- a####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=####&...
- a####.u####.com/app_logs
- api.s####.mob.com/conf5
- api.s####.mob.com/conn
- api.s####.mob.com/log4
- api.s####.mob.com/snsconf
- c.d####.mob.com/v3/cdata
- d####.d####.mob.com/dgen
- d####.d####.mob.com/dinfo
- d####.d####.mob.com/dsign
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-r92M_fi5KQIqStFqmznJ3IpmW4.657571986.tmp
- /data/data/####/-v7AOZe8o4plHV53v1G6bTgp_j8.-2023088643.tmp
- /data/data/####/.duid
- /data/data/####/.imprint
- /data/data/####/.lock
- /data/data/####/.mrecord
- /data/data/####/.mrlock
- /data/data/####/.statistics
- /data/data/####/.vpl_lock
- /data/data/####/1d2b904cbeadfb72ed9546111a231c85.0
- /data/data/####/1yNFlwYDA-xHdM2kZHughsMXdZ8.1157847580.tmp
- /data/data/####/24c110e1f76093b35c3c2df1927aab79.0
- /data/data/####/3aA_6CmTT6w4bDo9mcNyqkPy9b0.97403259.tmp
- /data/data/####/4204fbd1b719d3fefcbafa8736959d27-journal
- /data/data/####/50xTjmgOpoCaKW08ck7RvTMIPjA.-1027136586.tmp
- /data/data/####/5RGVrPrzYNYoPD6YjpqpbQYywsc.1602754357.tmp
- /data/data/####/7kYtr9bJN3JcYzl9AhlSHoOkCVk.516266454.tmp
- /data/data/####/7weAFJ25FpuMtCDOoPwX6QKW6QY.-1837515714.tmp
- /data/data/####/807OBh_sIXXIRSiBPaRoRamouak.21907201.tmp
- /data/data/####/8PNHUHvpapFlGi1D4uYkBNVGVsY.-1144389440.tmp
- /data/data/####/8QXKAKyYo4QfhwJq0crP5XfxMs4.1327642499.tmp
- /data/data/####/8Ze5TD4TweUuCLXcmrbCdTlYLiw.544628888.tmp
- /data/data/####/ACCS_BINDumeng;52a0242156240b5b4a0104f9.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/BaB4ST7Q762WsCejODVerfIuw7Q.-1579693916.tmp
- /data/data/####/BepKfjX5BDBzrXCurKWL-jQ6VSs.645773593.tmp
- /data/data/####/ContextData.xml
- /data/data/####/DaemonServer
- /data/data/####/FumZkCqQIlA06BN1OQBMAOZzya0.-395256487.tmp
- /data/data/####/G74tXbcFenEyiWNzBsmPxYgZl4Q.499246923.tmp
- /data/data/####/H7zVnX3YAdEP0ZW5m0n5E9bgx5o.-1293721097.tmp
- /data/data/####/IvmVrCEMvRq63gy6f-TsvDsgah0.-787046489.tmp
- /data/data/####/KeyStore.bks
- /data/data/####/L6H7tWO6n1EhqfPO0O1tQTJwhT8.375622921.tmp
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/NNTS0XesLSoruo-gI0Rt4uLx90s.1676308343.tmp
- /data/data/####/Nd688u_NRaRpQ5xXLxQuFsS25qI.-385499465.tmp
- /data/data/####/ORca5pZEGaD5mmQpGa4ahlIEdCQ.-869968631.tmp
- /data/data/####/PeIRrGJ5hp6hNcnFGpS3_F8ZO5k.1886397346.tmp
- /data/data/####/PoKOdyDPiB1D_A_jqdXegPzkCQY.-1534954149.tmp
- /data/data/####/QtKiox-_hbhKQA4NMSakZ_4Kfv4.-1839145234.tmp
- /data/data/####/T6x2HdNr7ZGiHX2tqtPwEfgUpfM.-364010916.tmp
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/UTCommon.xml
- /data/data/####/UTMCConf-818791854.xml
- /data/data/####/UTMCLog-818791854.xml
- /data/data/####/XKSKHWeLTbKkD2W5768E8bUc8ts.-240088285.tmp
- /data/data/####/XVf2_jPOV7vkvw-vasCaczd1Jyw.391064638.tmp
- /data/data/####/YTivTK5vGyxkCGH2t8urfsHhiNw.-1813820879.tmp
- /data/data/####/ZEhbw3g99WgDEFE-Wh9cUB1v39s.-1189295349.tmp
- /data/data/####/ZPZbdNWo_N3tdS5VEHC0_vj7QBM.282731536.tmp
- /data/data/####/_bBLBV1Ke6rmy9jdS7PdT9CnxTw.1369223101.tmp
- /data/data/####/accs.db-journal
- /data/data/####/agoo.pid
- /data/data/####/bUfCg807JY8s0PZfW-m0wAvLSEE.-952118280.tmp
- /data/data/####/bvPwtytFistcOc0COIsV0n5xlxQ.537192499.tmp
- /data/data/####/bxHjUPFuWgO9GkAP9BnMLwrbxiE.429605574.tmp
- /data/data/####/c3A_CRbWGgOXbbrqPczIUGxqRhs.-1241417133.tmp
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/channel_pre.xml
- /data/data/####/cn_feng_skin_pref.xml
- /data/data/####/com.haowan.huabar-1.apk.classes-666334594.zip
- /data/data/####/com.haowan.huabar_2045
- /data/data/####/com.haowan.huabar_TcmsService_2103
- /data/data/####/com.haowan.huabar_preferences.xml
- /data/data/####/com.haowan.huabar_preferences.xml (deleted)
- /data/data/####/ed2U-tyXyagCM33xbLpFDhYBOj0.-114876479.tmp
- /data/data/####/eudemon
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/fslZ61FptCVaPj4i-yduI8KOj40.958412361.tmp
- /data/data/####/gUGyv6_L4GKccV6H_z7H3N8lP2Q.1615015704.tmp
- /data/data/####/gX7fvFHUGe2jnugn8Llj1fgAa98.-1340870055.tmp
- /data/data/####/gZRyOzLjTLVWy3i6PG5wustRRZk.1228458847.tmp
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/lDA9yLkew7ELQ0qo42epYz_-0dc.-786934212.tmp
- /data/data/####/logdb.db
- /data/data/####/logdb.db-journal
- /data/data/####/meRjMCGs6hHOZTtMVOoHEWff2Lw.-1791079140.tmp
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/mob_commons_1
- /data/data/####/mob_sdk_exception_1
- /data/data/####/multidex.version.xml
- /data/data/####/oetMDKOK1-9rO7kYCuDoH1wGTxw.336080845.tmp
- /data/data/####/paintgame.db
- /data/data/####/paintgame.db-journal
- /data/data/####/phJVm6kqjemc1l0XfuCgQlC0J0o.-65928410.tmp
- /data/data/####/share_sdk_1
- /data/data/####/sharesdk.db-journal
- /data/data/####/sp.lock
- /data/data/####/tcms_setting_sp.xml
- /data/data/####/tz2g7tWrCYnDOpwBiGpKi8DA9N4.1556470407.tmp
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/data/####/wiZonORma0aMS2UJALpzxkWuI14.1574074433.tmp
- /data/data/####/xJr-PliiG5tU71SCTjCXfiEaJ3U.-844096924.tmp
- /data/data/####/ywAccount.xml
- /data/data/####/ywPrefsTools.xml
- /data/data/####/zElgAT-H3L52bBERDG75OJyjkWY.62746735.tmp
- /data/data/####/zxu3znWtavy65ni2wu4rMJwzKOo.7424065.tmp
- /data/media/####/.al
- /data/media/####/.artc_lock
- /data/media/####/.bar
- /data/media/####/.dh-journal
- /data/media/####/.dhlock
- /data/media/####/.di
- /data/media/####/.dic_lock
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.lecd
- /data/media/####/.lesd_lock
- /data/media/####/.nomedia
- /data/media/####/.nulal
- /data/media/####/.nulplt
- /data/media/####/.pkg_lock
- /data/media/####/.plst
- /data/media/####/.rc_lock
- /data/media/####/.serveruuid
- /data/media/####/.slw
- /data/media/####/1522766401737.db
- /data/media/####/1522766412172.db
- /data/media/####/1522766431270.db
- /data/media/####/1e677c6bcfe54402af8178a023e0ed9c
- /data/media/####/2_20180403_r
- /data/media/####/6c709c11d2d46a7b
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/alsn20170807.db
- /data/media/####/alsn20170807.db-journal
- /data/media/####/dd7893586a493dc3
- /data/media/####/deviceToken
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:52a0242156240b5b4a0104f9","utdid":"WsOSQNx7WS8DAGdzx1EBeQ3m","sdkVersion":"220"} -I agoodm.m.taobao.com -O 80 -T -Z
- app_process /system/bin com.android.commands.pm.Pm list packages
- cat /proc/cpuinfo | grep Serial
- chmod 500 <Package Folder>/files/DaemonServer
- getprop
- getprop ro.product.cpu.abi
- grep -E -v root|shell|system
- ls -l /system/xbin/su
- pm list packages
- sh
- top -d 0 -n 1
Загружает динамические библиотеки:
- fb_jpegturbo
- imagepipeline
- inet.2.0
- securitysdk-3.1
- tnet-3.1
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- RSA-ECB-PKCS1Padding
- RSA-NONE-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- AES-ECB-PKCS5Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
