Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Dowgin.14.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 61.1####.36.100:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) hi.fi.ah####.com:80
- TCP(HTTP/1.1) v2.dwst####.com:80
- TCP(HTTP/1.1) api.tui####.b####.com:80
- TCP(HTTP/1.1) m1.dwst####.com:80
- TCP(HTTP/1.1) v3.dwst####.com:80
- TCP(HTTP/1.1) wup.z####.com:80
- TCP(HTTP/1.1) m2.dwst####.com:80
- TCP(HTTP/1.1) bi2.du####.com:80
- TCP 2####.108.23.105:5287
Запросы DNS:
- a####.u####.com
- api.tui####.b####.com
- bi2.du####.com
- hi.fi.ah####.com
- m1.dwst####.com
- m2.dwst####.com
- sa.tui####.b####.com
- v2.dwst####.com
- v3.dwst####.com
- wup.z####.com
- www.b####.com
Запросы HTTP GET:
- bi2.du####.com/apiBiList_cate_new.php?os=####&page=####&version=####&sma...
- bi2.du####.com/apiBiList_cate_new.php?type=####&os=####&page=####&versio...
- bi2.du####.com/apiMain_new.php?os=####&version=####
- bi2.du####.com/hot_search.php?os=####&funcName=####&version=####
- bi2.du####.com/upgrade/version_bi_new.php?isAutoRequest=####&os=####&ver...
- hi.fi.ah####.com/k6
- m1.dwst####.com/huodong/shouji3/201603/031/58/x5a72631576dbab6aff210da27...
- m1.dwst####.com/huodong/shouji3/201608/178/89/xa93ac2d8c3de1ee6575f70cb6...
- m1.dwst####.com/huodong/shouji3/201608/350/31/x7ae41647f5ea2e5ff4399ab43...
- m1.dwst####.com/huodong/shouji3/201608/490/55/x328fc4e15455d01d165cf66b3...
- m1.dwst####.com/huodong/shouji3/201608/961/56/x08bb33444e99b5b907f0d7ecd...
- m2.dwst####.com/bi_material/20160624/1accd9ff0b2a3e6d52e1dfe95ef7633f146...
- m2.dwst####.com/bi_material/20160701/9d8fe2ca788736fb6d3c7f76eaa5cf95146...
- m2.dwst####.com/bi_material/20160714/1537e231606255037c21156de70722a4146...
- m2.dwst####.com/bi_material/20160715/e720bab8f5b882d672f183898882ac5d146...
- m2.dwst####.com/bi_material/20161108/84f27d009fa704894fd1cf5d79340de1147...
- m2.dwst####.com/bi_material/20161108/f506885619871679b520d454c3b688a2147...
- m2.dwst####.com/bi_material/20161110/4cc1c23d50ecb0551ee88a99a3725a02147...
- m2.dwst####.com/bi_material/201706/05/5e2082b2f09f5121b5eebd25522aef9014...
- m2.dwst####.com/bi_material/201706/09/b20595e42a1e0b6e6fc9637a9727845e14...
- m2.dwst####.com/huodong/shouji3/201603/297/22/x635c072b252ce83442bb3523e...
- m2.dwst####.com/huodong/shouji3/201604/061/44/xf302f90f80be4d5e245097ba8...
- m2.dwst####.com/huodong/shouji3/201604/072/77/x4600d5f81c49fc04e7d417791...
- m2.dwst####.com/huodong/shouji3/201604/254/70/x5da8c3293f655e90a82dc99a8...
- m2.dwst####.com/huodong/shouji3/201604/258/85/x179f11be94b82a2274307d972...
- m2.dwst####.com/huodong/shouji3/201604/273/58/x770002d7c4fea7c1ce37d8d23...
- m2.dwst####.com/huodong/shouji3/201604/296/37/x11dab8feeb98bb141b4d4d4d6...
- m2.dwst####.com/huodong/shouji3/201604/335/47/xc22229fa5156c46ecb65bdf37...
- m2.dwst####.com/huodong/shouji3/201604/338/30/x38518afecfd6ee2be1cd1af08...
- m2.dwst####.com/huodong/shouji3/201604/345/14/x279c704e99cc35c94aa9ca00b...
- m2.dwst####.com/huodong/shouji3/201604/539/87/x1f69e267d26782e74dbf7220c...
- m2.dwst####.com/huodong/shouji3/201605/199/37/xb6ca7fefd99879a618b73a642...
- m2.dwst####.com/huodong/shouji3/201605/256/25/xeeeefbe60c6fe841fe85897c2...
- m2.dwst####.com/huodong/shouji3/201605/718/62/x2d1ba820510f706bac764f6ee...
- m2.dwst####.com/huodong/shouji3/201605/830/31/x9f02b2253548e8d424e75fb7e...
- m2.dwst####.com/huodong/shouji3/201803/023/06/79753f5fcc3de49213b8211a6c...
- m2.dwst####.com/huodong/shouji3/201803/023/28/4c183902dbc6dcafc247f983ef...
- m2.dwst####.com/huodong/shouji3/201803/027/19/6f409135e15334700eb083e226...
- m2.dwst####.com/huodong/shouji3/201803/027/66/2dd6a9cd776011297f5b1fa8cf...
- m2.dwst####.com/huodong/shouji3/201803/029/50/d81d268df778f4bd8509824f84...
- m2.dwst####.com/huodong/shouji3/201803/030/77/2fbd0991f74d5f1e4baf19f7e5...
- m2.dwst####.com/huodong/shouji3/201803/030/92/9db25e097bf1385e6369a0e48c...
- m2.dwst####.com/huodong/shouji3/201805/391/76/6c0e6466e176d40b393679ff37...
- m2.dwst####.com/huodong/shouji3/201805/731/67/3d57ae354bf76cac22257d2f50...
- m2.dwst####.com/picmbox/ZBT/source_img/20160307/QZJD_1.png
- m2.dwst####.com/picmbox/ZBT/source_img/20160317/XXCF_1.jpg
- v2.dwst####.com/bi/201712/08/3da024903e4d2a5af04e79647a640000.jpg?w=####...
- v2.dwst####.com/bi/201801/30/3da0248d31e86f5a9f5858c959c90000.jpg?w=####...
- v3.dwst####.com/bi/201804/26/3ad7a920a548e15ae75f761177110000.jpg?w=####...
- v3.dwst####.com/bi/201805/03/3ad7a92068b8ea5ae85fecc4edc40000.jpg?w=####...
- v3.dwst####.com/bi/201805/07/3ad7a920f80af05ae25f309531950000.jpg?w=####...
- v3.dwst####.com/bi/201805/08/3ad7a920078ef15ae75fa8faa9fa0000.jpg?w=####...
- v3.dwst####.com/bi/201805/08/3ad7a920b89bf15ae65fb024b1240000.jpg?w=####...
- v3.dwst####.com/bi/201805/14/3ad7a920591ef95ae75f4a184b180000.jpg?w=####...
Запросы HTTP POST:
- a####.u####.com/app_logs
- api.tui####.b####.com/rest/2.0/channel/3994159455821646740
- api.tui####.b####.com/rest/2.0/channel/channel
- bi2.du####.com/
- wup.z####.com/
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/3418514c.jar
- /data/data/####/bi_preference.xml
- /data/data/####/bindcache.xml
- /data/data/####/com.funsoft.kutu.push_sync.xml
- /data/data/####/com.funsoft.kutu.self_push_sync.xml
- /data/data/####/d4199.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/funbox_db_cache.db-journal
- /data/data/####/pst.xml
- /data/data/####/pushstat_4.6.2.db
- /data/data/####/pushstat_4.6.2.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/zb_user.xml
- /data/media/####/.cuid
- /data/media/####/4e4r0oRhpRzRNiGy3yvTGXsVdKo.1275657759.tmp
- /data/media/####/566e1iHtjcItGFZOr0WUL_LMgxc.101850115.tmp
- /data/media/####/6amML6eAmRpDxXtBSQBzYGSh8Js.-925733808.tmp
- /data/media/####/87YM6VseoF-Wj946eaRJKekY8AM.-383226151.tmp
- /data/media/####/A4RSSYIrex-IPg7yXCf1WJ4lPL4.-84080963.tmp
- /data/media/####/AOUIjRpiW7Xq0ML1kmtASHa13no.-1370748672.tmp
- /data/media/####/DpwM6Vqq0V558VMa0dMpYehXfxs.52352468.tmp
- /data/media/####/JjJJsAcwu82dOMMeJVqCaEIqvOc.-892623520.tmp
- /data/media/####/JxvptsI2c9vj6ZuUUdiJ6ya81vo.1376848698.tmp
- /data/media/####/L3batMbQq5CX7AdTC79gZmoxAtU.-2055624927.tmp
- /data/media/####/Lzk69duqVtNhwWXY_eceO3qKo98.131046948.tmp
- /data/media/####/ML3REGh87bkyIyUFw6hTNsoGaDo.-2088883654.tmp
- /data/media/####/MPYXVu10Xqj-KmNh_7TFqBccl1I.1673365682.tmp
- /data/media/####/OfFKbY-1O9L8z-VGZ7hcxU_rqcM.1265747276.tmp
- /data/media/####/Om0jfG_CEE-MLMhpoLOFBh8g-dg.349321479.tmp
- /data/media/####/P2uLTcK9V8hDmCTgcWkfPsHfj50.1146940191.tmp
- /data/media/####/QlnW5qI5wixQD404q41TyTCgADg.-1787275651.tmp
- /data/media/####/RxKsK5WA9OtbkqWjWlX18TpEJLE.-758964339.tmp
- /data/media/####/SK5yGLXwUP9zFVIUiLcDPPz5wrI.-982747992.tmp
- /data/media/####/VIk42PtTQaDHsjX228GY1RLF-Yk.1004030609.tmp
- /data/media/####/VKvQu6S8OK2jf1OTPC_HDxv2wQQ.748932921.tmp
- /data/media/####/XfxS4qVofo36dFkE6iiH8xUiETw.-1519135180.tmp
- /data/media/####/aJ1gH-cCx_rVUxOYv-heLC-B1XU.-1727723954.tmp
- /data/media/####/ajAIcQgvLPen36ahgj6GkXuuja4.-1370186854.tmp
- /data/media/####/apps
- /data/media/####/bYass2y8KLRaXzSNlcoFBdoE_0I.1578686400.tmp
- /data/media/####/c6-sUSk3G9vArBvTU9Ahw5Fpg4c.821074475.tmp
- /data/media/####/cygkOKBkfHma785uOULT5JKppII.230938658.tmp
- /data/media/####/dAO9lilMYJoFTBXpuAW-pkeiadY.-94837300.tmp
- /data/media/####/e2DmlcQE780vFWt8aMJ6xo7Mj3M.638352211.tmp
- /data/media/####/eB69Tv_8gGKA3eAEXXTNzjtt3PM.-1990642535.tmp
- /data/media/####/eEUW5QCbD_Bp00SYcbtErIOOodY.-865139966.tmp
- /data/media/####/epPObNfrilbv98DfQ4cB3UxF8ss.1120036452.tmp
- /data/media/####/erf7KLghOO5ISic6SzzzfPGlO8s.355909957.tmp
- /data/media/####/fUe3a0ETsMCudWtUTQ5B7ye6CGw.-1273695605.tmp
- /data/media/####/fs62VJx-TBGYYsXoBDtWvW8OqpE.1247282956.tmp
- /data/media/####/hIcTgCKQH2PRzblZJEe6PfOpdFU.-182707985.tmp
- /data/media/####/k9KPaSbRq3N7j7t1-e9VJHYU97E.-522803103.tmp
- /data/media/####/o4vxIVemhqaK0GlPf96BOjACmc0.-1125133004.tmp
- /data/media/####/obZsYw3Zs-wfanRxHeK27ZBbICc.311649615.tmp
- /data/media/####/qCnEd0N6V9EKwlfvNwgOfBzEALk.-2106773007.tmp
- /data/media/####/t5ZMdvlQXa8fei7SLhG9F1O1gtM.-874500640.tmp
- /data/media/####/t5pZCfm2TAOq-djiXPnT1OxF7BA.54188129.tmp
- /data/media/####/tWG4ing5lKG8kkaUMnm9bounNow.1486083813.tmp
- /data/media/####/t_C8Hh_Kl8y3TX9snXRx7V58_qU.-208176111.tmp
Другие:
Загружает динамические библиотеки:
- bdpush_V2_5
- bitmaps
- memchunk
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- DES
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- DES
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
