Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.396.origin
- Android.DownLoader.576.origin
- Android.DownLoader.675.origin
- Android.DownLoader.698.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) o####.sjzs####.2####.com:80
- TCP(HTTP/1.1) a.i####.pp.cn:80
- TCP(HTTP/1.1) a####.m.ta####.com:80
- TCP(HTTP/1.1) android####.2####.com:80
- TCP(HTTP/1.1) sjzs####.2####.com:80
- TCP(HTTP/1.1) h####.ali####.com:80
- TCP(TLS/1.0) 1####.217.17.46:443
- TCP s1.u####.com:7701
- TCP k1.yo####.com:7501
- TCP k2.yo####.com:7502
- TCP k2.yo####.com:7503
- TCP p3.i####.com:7803
- TCP s3.u####.com:7703
- TCP s1.u####.com:7801
- TCP s1.u####.com:7702
- TCP s1.u####.com:7802
Запросы DNS:
- a####.m.ta####.com
- a.i####.pp.cn
- android####.2####.com
- android####.2####.com
- android####.2####.com
- h####.ali####.com
- k1.yo####.com
- k2.yo####.com
- k3.yo####.com
- o####.sjzs####.2####.com
- p1.i####.com
- p2.i####.com
- p3.i####.com
- s1.u####.com
- s2.u####.com
- s3.u####.com
- sjzs####.2####.com
Запросы HTTP GET:
- a.i####.pp.cn/fs08/2016/09/21/0/33911d2747a8d58da89919688e2f9fb1.png
- a.i####.pp.cn/fs08/2016/09/21/1/79f2186917a8a4f1640514656c302aa1.png
- a.i####.pp.cn/fs08/2016/09/21/10/3ff066186c020b2212f55499c359b88f.png
- a.i####.pp.cn/fs08/2016/09/21/11/d04aa5754f8e76db8cb0d3654edf00b2.png
- a.i####.pp.cn/fs08/2016/09/21/8/fb2b799d5ad57111ab7c44902e098bc7.png
- a.i####.pp.cn/fs08/2018/05/02/3/94be361aa562febca469b0f57bfbc3b4.jpg
- a.i####.pp.cn/fs08/2018/05/02/5/2f28b330ed061f705b9999d8659e0192.jpg
- a.i####.pp.cn/fs08/2018/05/02/6/44844f219bba2844abcb8411503f1bd1.jpeg
- a.i####.pp.cn/fs08/2018/05/02/6/4d01f8f161e0414fdef0e9bd0795807a.jpg
- android####.2####.com//fs08/2018/04/13/10/110_5eee6c78c24026cdc246f3197c...
- android####.2####.com//fs08/2018/04/13/4/110_21cd368e6d35069dfda07c73b5b...
- android####.2####.com//fs08/2018/04/13/5/110_e05b0d3128f7ad2d186991a0e45...
- android####.2####.com//fs08/2018/04/13/8/110_94ecd51282fcae94fa976d2f3c1...
- android####.2####.com/fs04/2015/08/14/4/15f7b8baf5aeecb8a77b02462872c539...
- android####.2####.com/fs08/2016/06/06/0/1_a664ab5a12b2f07952ca9835f77347...
- android####.2####.com/fs08/2016/06/07/4/1_e68da416952088725a9bc14673241c...
- android####.2####.com/fs08/2016/06/07/5/1_17f473e074578260d0d7b6db4b269e...
- android####.2####.com/fs08/2016/06/08/5/1_b85000ee32fae7d7627555ae2a575f...
- android####.2####.com/fs08/2016/06/09/4/1_21c91c73aef69d16b34ac7e49c8d64...
- android####.2####.com/fs08/2017/04/19/1/106_6cb2cd7558513cacf6041477a2d2...
- android####.2####.com/fs08/2017/07/04/2/110_4e7af64010e33c94f91fae9f73b0...
- android####.2####.com/fs08/2017/08/01/2/115_3c6dba6438b9d150ba8464dd089a...
- android####.2####.com/fs08/2017/08/11/10/2_df4546def9b01aeed81de3815959b...
- android####.2####.com/fs08/2017/10/09/1/110_40ff77a971b1a0155f91381a17d2...
- android####.2####.com/fs08/2018/01/17/7/110_8285bd261606a3ca21e7350764d3...
- android####.2####.com/fs08/2018/04/11/10/110_79b3b9cbad52b3b5cbdcd8a6fc8...
- android####.2####.com/fs08/2018/04/13/0/110_c235f26a5b97595716412e4bc672...
- android####.2####.com/fs08/2018/04/25/0/110_f7c2719355abf275528a975398a4...
- android####.2####.com/fs08/2018/04/25/3/110_85b2a1dfc209dee3fcef4826afff...
- android####.2####.com/fs08/2018/04/26/6/110_81d0fbbfe8c32494991d829f53e0...
- android####.2####.com/fs08/2018/04/26/6/110_a74da36fb12c89b2b16974c99557...
- android####.2####.com/fs08/2018/04/27/3/109_83293b0a433471dca789dd086b1b...
- android####.2####.com/fs08/2018/04/27/6/109_8f6f5c1821cb3541d78032d4b0c1...
- android####.2####.com/fs08/2018/05/02/6/110_5a9cd7a300dff5ac24b59bcb3c19...
- android####.2####.com/fs08/2018/05/02/8/110_864fe4a9915542110e7416eb9189...
- android####.2####.com/fs08/2018/05/03/10/110_70d0b922fc746c8aff90aae5efd...
- o####.sjzs####.2####.com/api/sm/appsugs?t=####&fr=####&q=####
- o####.sjzs####.2####.com/api/sm/recs?ua=####&vid=####&q=####&caller=####...
- o####.sjzs####.2####.com/relay/download/plugin?url=ito####
Запросы HTTP POST:
- a####.m.ta####.com/rest/gc?ak=####&av=####&c=####&v=####&s=####&d=####&s...
- a####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=####&...
- h####.ali####.com/utdid_pp_helper/get_aid/?auth[token]=####&type=####&id...
- o####.sjzs####.2####.com/api/behavior.score.getScore
- o####.sjzs####.2####.com/api/combine
- o####.sjzs####.2####.com/api/log.upload
- o####.sjzs####.2####.com/api/logmd.upload
- o####.sjzs####.2####.com/api/op.activiy.simpleActiviy.getByAppId
- o####.sjzs####.2####.com/api/op.ad.getAds
- o####.sjzs####.2####.com/api/op.config.getSplashScreenConfig
- o####.sjzs####.2####.com/api/op.config.list
- o####.sjzs####.2####.com/api/op.task.list
- o####.sjzs####.2####.com/api/resource.gift.getInstalledGift
- o####.sjzs####.2####.com/api/search.hotword.getListV1
- sjzs####.2####.com/api/client.plugin.sync
- sjzs####.2####.com/api/combine
- sjzs####.2####.com/api/log.getSecurityId
- sjzs####.2####.com/api/log.setPromoter
- sjzs####.2####.com/api/log.upload
- sjzs####.2####.com/api/op.ad.getAdses
- sjzs####.2####.com/api/op.rec.app.getHotApps
- sjzs####.2####.com/api/resource.app.checkUpdateV1
- sjzs####.2####.com/api/search.hotword.getListV1
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/Alvin2.xml
- /data/data/####/AppStore.xml
- /data/data/####/ContextData.xml
- /data/data/####/OfJbkLdFbPOMbGyP.xml
- /data/data/####/UTMCBase.xml
- /data/data/####/UTMCConf-713044748.xml
- /data/data/####/UTMCLog-713044748.xml
- /data/data/####/a
- /data/data/####/app_setting_prefs.xml
- /data/data/####/busybox
- /data/data/####/config_1.xml
- /data/data/####/db_downloader-journal
- /data/data/####/downloader_pref.xml
- /data/data/####/fcut_appInfo_pre.xml
- /data/data/####/fcut_appInfo_pre.xml.bak
- /data/data/####/fcut_conf_pre.xml
- /data/data/####/fcut_conf_pre.xml.bak
- /data/data/####/fcut_trategy_pre.xml
- /data/data/####/plugin_info
- /data/data/####/po_download.db-journal
- /data/data/####/pp.plugin.floatwindow_internal.apk
- /data/data/####/pp.plugin.lucky.apk
- /data/data/####/pp.plugin.lucky.apk_1.1_3.apk.tp
- /data/data/####/pp_db_2-journal
- /data/data/####/pp_http_db-journal
- /data/data/####/qui_download.db-journal
- /data/data/####/release.ini
- /data/data/####/share_data.xml
- /data/data/####/ybappInfo_pre.xml
- /data/data/####/ybconf_pre.xml
- /data/data/####/yo_fconf_pre.xml
- /data/data/####/yoappInfo_pre.xml
- /data/data/####/yoconf_pre.xml
- /data/data/####/yop_download.db-journal
- /data/data/####/yotrategy_pre.xml
- /data/media/####/03bf567758927c56856032ff21cba52f.0
- /data/media/####/053ce70650d0297602bc7f0d7060d25b.0
- /data/media/####/12fcbe9b8f8645bf0d33fa775e3d34e4.0
- /data/media/####/1310f9db59a10f892e3548359ef16f97.t
- /data/media/####/1525370383538u.jar
- /data/media/####/1525370384023q.jar
- /data/media/####/1525370384237u.jar
- /data/media/####/1525370388401b.jar
- /data/media/####/15b3efde871274aae03d6e9e92660348.0
- /data/media/####/1779c30b24d11fea754e25c3a87b7a1d.0
- /data/media/####/255d70aa8390e9830641e0265dbb9962.0
- /data/media/####/296347717314c2c0132a162d61227a30.0
- /data/media/####/492c19ea949589d53bae921b1b749383.t
- /data/media/####/51c533f31fdf06e6c94aede33bd3bf8e.0
- /data/media/####/5a099234b243ee9936b67d33db442d80.0
- /data/media/####/5a99f890e623ba48dcc077dba6ead200.t
- /data/media/####/6ea9bab096ce2b7c72e8f805e0e5aa1b.0
- /data/media/####/782ed721fd1c9ee0898727fa110d8f35.0
- /data/media/####/8906dc1b96f487c6069965f2523ae3dd.0
- /data/media/####/8ad7cee8cf70fd57fd733084179e8886.0
- /data/media/####/8d80b71637b7b25351e3ef65cfd854b6.0
- /data/media/####/9188a74510f9e5e723e9569ad7f43ad7.0
- /data/media/####/91c381a5985539b8b869d8a27a225915.0
- /data/media/####/95209088d2db7b80f74708fab01e1bde.0
- /data/media/####/96b42270ece95ed840195db49cc594c7.t
- /data/media/####/982befb8a89227fb98a5dba22f87e8d5.0
- /data/media/####/9cf0bb5c74bf63f4b9ae9da1dd80334c.0
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/a02f4bad026396e576d74c2721d1810b.0
- /data/media/####/ab5d2e3741ac1602c776657dd8b773d7.t
- /data/media/####/ad38cf8946da2209c8076d31cf0c8afc.0
- /data/media/####/ba223d84a81478fa01915f9c4d2e2627.0
- /data/media/####/bb1711fdf666d2360d9ffa5174ed2d04.0
- /data/media/####/c644239db457f6fea49a8e92362b20ce.0
- /data/media/####/c8e4d47529bf6fdb044c1366a29bd4dd.0
- /data/media/####/c9153a0de497d1b7a4d5ae959ecf5fc4.0
- /data/media/####/cba03a90a95a98e1e5431d771794556e.0
- /data/media/####/d5c98db23e09ce487a21c8d727596343.0
- /data/media/####/db3cb156cbaf74f60891f46f96e59e10.0
- /data/media/####/e271ab14b8cb7558c7ff3878733a1434.t
- /data/media/####/eb16c666f7d8f55acbbe35e8e8f5b7ad.0
- /data/media/####/f7c0917f1646edf2d72d16c2373280f2.0
- /data/media/####/gifnoc.ini
- /data/media/####/journal.1
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/amodel/a com.android.browser/com.android.browser.BrowserActivity 0 <Package Folder>/amodel <Package Folder> http://sjzs-api.25pp.com/api/uninstall?content=aW1laT0zNTY1MDcwNTkzNTE4OTVgbW9kZWw9R1QtSTgxOTBgdWlkPWQwODBkM2EzN2IwYmU3YmM3YzE1YzBhNWFjNzZiYzY0YHV1aWQ9ZGVmYXVsdGByb209MThgdmVyPTkuMjEuNGBjaD1QTV8zMWBhY3Rpb249dW5pbnN0YWxsYHByb2R1Y3RpZD0yMDAxYHJlc29sdXRpb249NjAwKjc1MmBpbnN0YWxsdGltZT0yMDE4LTA1LTAzIDE3OjU5OjM3 null
- chmod 755 <Package Folder>/files/busybox
- chmod 775 <Package Folder>/amodel/a
- grep <Package Folder>/amodel/a
- sh
- sh <Package Folder>/amodel/a com.android.browser/com.android.browser.BrowserActivity 0 <Package Folder>/amodel <Package Folder> http://sjzs-api.25pp.com/api/uninstall?content=aW1laT0zNTY1MDcwNTkzNTE4OTVgbW9kZWw9R1QtSTgxOTBgdWlkPWQwODBkM2EzN2IwYmU3YmM3YzE1YzBhNWFjNzZiYzY0YHV1aWQ9ZGVmYXVsdGByb209MThgdmVyPTkuMjEuNGBjaD1QTV8zMWBhY3Rpb249dW5pbnN0YWxsYHByb2R1Y3RpZD0yMDAxYHJlc29sdXRpb249NjAwKjc1MmBpbnN0YWxsdGltZT0yMDE4LTA1LTAzIDE3OjU5OjM3 null
Загружает динамические библиотеки:
- pppmtools
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
Может автоматически отправлять СМС-сообщения.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
