Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.414.origin
- Android.DownLoader.455.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) o####.sjzs####.2####.com:80
- TCP(HTTP/1.1) i####.uc.cn:80
- TCP(HTTP/1.1) sjzs####.2####.com:80
- TCP(HTTP/1.1) a####.m.ta####.com:80
- TCP(HTTP/1.1) a.i####.pp.cn:80
- TCP(HTTP/1.1) et2-####.wagbr####.ali####.com:80
- TCP(HTTP/1.1) android####.2####.com:80
- TCP(HTTP/1.1) t####.uc.cn:80
- TCP(HTTP/1.1) img.u####.pp.####.cn:80
- TCP p1.jz####.com:7801
- TCP p2.jz####.com:7803
- TCP t1.jz####.com:7101
- TCP t1.jz####.com:7102
- TCP p2.jz####.com:7802
- TCP t1.jz####.com:7103
Запросы DNS:
- a####.m.ta####.com
- a.i####.pp.cn
- acti####.pp.cn
- android####.2####.com
- android####.2####.com
- android####.2####.com
- android####.2####.com
- h####.ali####.com
- i####.uc.cn
- img.u####.pp.####.cn
- o####.sjzs####.2####.com
- p1.jz####.com
- p2.jz####.com
- p3.jz####.com
- se####.m.pp.cn
- sjzs####.2####.com
- t####.uc.cn
- t1.jz####.com
- t2.jz####.com
- t3.jz####.com
Запросы HTTP GET:
- a.i####.pp.cn//fs08/2018/08/03/1/f22990fffad500225d58ea789395e281.zip
- a.i####.pp.cn/fs08/2016/09/21/0/33911d2747a8d58da89919688e2f9fb1.png
- a.i####.pp.cn/fs08/2016/09/21/1/79f2186917a8a4f1640514656c302aa1.png
- a.i####.pp.cn/fs08/2016/09/21/10/3ff066186c020b2212f55499c359b88f.png
- a.i####.pp.cn/fs08/2016/09/21/11/d04aa5754f8e76db8cb0d3654edf00b2.png
- a.i####.pp.cn/fs08/2016/09/21/8/fb2b799d5ad57111ab7c44902e098bc7.png
- a.i####.pp.cn/fs08/2018/06/25/6/458a4c70319ef1a7ca2bb06ad792f330.jpg
- a.i####.pp.cn/fs08/2018/07/09/8/6180f35c351cc7904118185cd510283d.jpg
- a.i####.pp.cn/fs08/2018/07/21/11/e0f053f47dc6ba9b61d01aba62331ebe.jpg
- a.i####.pp.cn/fs08/2018/07/21/6/85b1d34c687325c56b29ef6f27120d70.jpg
- a.i####.pp.cn/fs08/2018/07/21/6/ecbbb9ece2f95f4d9fcc235eda6fe67b.jpg
- a.i####.pp.cn/upload_files/2015/11/23/pp_lottert_159/bg-btn-account.png
- a.i####.pp.cn/upload_files/2015/11/23/pp_lottert_159/bg-rule.png
- a.i####.pp.cn/upload_files/aty_template/common/pp_logo/pp_logo.png
- a.i####.pp.cn/upload_files/aty_template/lottery/guajiang/bg_lottery_main...
- a.i####.pp.cn/upload_files/aty_template/lottery/guajiang/lottery_bg.png
- a.i####.pp.cn/upload_files/aty_template/lottery/popup/close.png
- a.i####.pp.cn/upload_files/aty_template/lottery/popup/popup_update.png
- a.i####.pp.cn/upload_files/aty_template/lottery/preview.png
- a.i####.pp.cn/upload_files/aty_template/lottery/theme1/popup_btn.png
- a.i####.pp.cn/upload_files/aty_template/lottery/theme1/popup_prize_bg.png
- a.i####.pp.cn/upload_files/aty_template/lottery/yaojiang/lottery_area_1....
- a.i####.pp.cn/upload_files/common/app-icon-default.png
- android####.2####.com/fs04/2015/08/14/4/15f7b8baf5aeecb8a77b02462872c539...
- android####.2####.com/fs08/2016/06/08/5/1_b85000ee32fae7d7627555ae2a575f...
- android####.2####.com/fs08/2017/08/01/2/115_3c6dba6438b9d150ba8464dd089a...
- android####.2####.com/fs08/2018/07/26/0/109_61768622b80aa0d68d89d63040af...
- android####.2####.com/fs08/2018/08/01/3/110_11c018bbcbcf44fa76bd46ba2ab0...
- android####.2####.com/fs08/2018/08/01/8/109_c19c02e871e64c1d5f2060e4ee60...
- android####.2####.com/fs08/2018/08/06/7/110_f3a5eff8abe93f9d1e0cc116c014...
- android####.2####.com/fs08/2018/08/06/8/110_236a5905389a033eaab61341873c...
- android####.2####.com/fs08/2018/08/08/1/c0486cfb4c21c35de36703735dfa81a2...
- android####.2####.com/fs08/2018/08/08/11/41c55c08a25cef40c697137b6769606...
- android####.2####.com/fs08/2018/08/08/3/b6730f41d1fba3180113f43bb13bff41...
- android####.2####.com/fs08/2018/08/08/6/d54fb12e5c7b5875dc196c3ad6f1b6b3...
- android####.2####.com/fs08/2018/08/08/6/dfbbc0668d196bb1b8d746cd8e56abe0...
- android####.2####.com/fs08/2018/08/08/9/80cfe5149edd39c2e8fbb058e4bd327c...
- android####.2####.com/fs08/2018/08/09/8/110_8329ba4d50a84b3f2cf5a46e1e32...
- i####.uc.cn/s/uae/g/2u/operation/tpl4/single_app_list/1/my_lottery_bg.png
- img.u####.pp.####.cn/upload_files/2015/11/24/common/btn-colse.jpg
- img.u####.pp.####.cn/upload_files/2015/11/24/common/btn-down-warp.png
- img.u####.pp.####.cn/upload_files/2015/11/24/common/pic-guide.png
- o####.sjzs####.2####.com/api/proxyNew?urlKey=####&specialId=####&osVersi...
- o####.sjzs####.2####.com/api/proxyNew?urlKey=op.lucky.roll&refUrl=http:/...
- o####.sjzs####.2####.com/lucky/op.lucky.activity?activityId=837&refUrl=h...
- o####.sjzs####.2####.com/lucky/op.lucky.getAppState?activityId=837&appId...
- o####.sjzs####.2####.com/lucky/op.lucky.userInfo?activityId=837&userIdTy...
- o####.sjzs####.2####.com/public/css/operation_activity/tpl4/index.css?ec...
- o####.sjzs####.2####.com/public/img/activity/lottery_mask.png
- o####.sjzs####.2####.com/public/js/operation_activity/chunk/4.chunk.js?e...
- o####.sjzs####.2####.com/public/js/operation_activity/common/common.js?e...
- o####.sjzs####.2####.com/public/js/operation_activity/tpl4/index.js?ec9c...
- o####.sjzs####.2####.com/template/4/index.html?ch_src=####&ch=####&speci...
- sjzs####.2####.com/relay/download/plugin?url=ito####
- t####.uc.cn/collect?appid=277c899c7008&app_key=qsc25ygshaq5p76j<=ppweb...
- t####.uc.cn/collect?appid=29d38cf5412c&app_key=qsc25ygshaq5p76j<=fact-...
Запросы HTTP POST:
- a####.m.ta####.com/rest/gc?ak=####&av=####&c=####&v=####&s=####&d=####&s...
- a####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=####&...
- et2-####.wagbr####.ali####.com/utdid_pp_helper/get_aid/?auth[token]=####...
- o####.sjzs####.2####.com/api/combine
- o####.sjzs####.2####.com/api/log.upload
- o####.sjzs####.2####.com/api/logmd.upload
- o####.sjzs####.2####.com/api/resource.app.checkUpdateV1
- sjzs####.2####.com/api/client.plugin.sync
- sjzs####.2####.com/api/combine
- sjzs####.2####.com/api/log.getSecurityId
- sjzs####.2####.com/api/log.setPromoter
- sjzs####.2####.com/api/log.upload
- sjzs####.2####.com/api/op.ad.getAds
- sjzs####.2####.com/api/op.ad.getAdses
- sjzs####.2####.com/api/op.config.getSplashScreenConfig
- sjzs####.2####.com/api/op.config.list
- sjzs####.2####.com/api/op.rec.app.getHotApps
- sjzs####.2####.com/api/op.task.list
- sjzs####.2####.com/api/resource.app.checkUpdateV1
- sjzs####.2####.com/api/resource.gift.getInstalledGift
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/0356507059351895.db-journal
- /data/data/####/15338143549401.jar
- /data/data/####/15338144122121.jar
- /data/data/####/15338144134371.jar
- /data/data/####/15339931510681.jar
- /data/data/####/Alvin2.xml
- /data/data/####/AppStore.xml
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/ContextData.xml
- /data/data/####/E_ID356507059351895.db-journal
- /data/data/####/OfJbkLdFbPOMbGyP.xml
- /data/data/####/UTMCBase.xml
- /data/data/####/UTMCConf1527958813.xml
- /data/data/####/UTMCLog1527958813.xml
- /data/data/####/WebViewSettings.xml
- /data/data/####/a
- /data/data/####/app_setting_prefs.xml
- /data/data/####/busybox
- /data/data/####/config_1.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/db_downloader-journal
- /data/data/####/downloader_pref.xml
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/fappInfo_f_356507059351895.xml
- /data/data/####/fconf_f_356507059351895.xml
- /data/data/####/ftrategy_f_356507059351895.xml
- /data/data/####/i.xml
- /data/data/####/i_fionf_pre356507059351895.xml
- /data/data/####/i_fionf_pre356507059351895.xml.bak
- /data/data/####/index
- /data/data/####/plugin_info
- /data/data/####/pp.plugin.floatwindow_internal.apk
- /data/data/####/pp.plugin.lucky.apk
- /data/data/####/pp.plugin.lucky.apk_1.1_3.apk.tp
- /data/data/####/pp_db_2-journal
- /data/data/####/pp_http_db-journal
- /data/data/####/release.ini
- /data/data/####/share_data.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/0c7674766274e849760a59220631b68d.t
- /data/media/####/1.n
- /data/media/####/12fcbe9b8f8645bf0d33fa775e3d34e4.n
- /data/media/####/19a8a162cdebd380e4717bd1540036db.t
- /data/media/####/2.n
- /data/media/####/296347717314c2c0132a162d61227a30.0
- /data/media/####/3.n
- /data/media/####/4.n
- /data/media/####/4fa991656319224d51e72fd246739435.t
- /data/media/####/5.n
- /data/media/####/6.n
- /data/media/####/782ed721fd1c9ee0898727fa110d8f35.0
- /data/media/####/865b7036c03e1f32e7563be8a622e5f1.0
- /data/media/####/8d80b71637b7b25351e3ef65cfd854b6.0
- /data/media/####/9cf0bb5c74bf63f4b9ae9da1dd80334c.0
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/ba223d84a81478fa01915f9c4d2e2627.0
- /data/media/####/c8e4d47529bf6fdb044c1366a29bd4dd.0
- /data/media/####/da055e13f213e760bf7437aa0022e950.0
- /data/media/####/deca8169b5be3db793a0f585927fec7a.t
- /data/media/####/ee58bf75b1de6cf558e698af08c2526f.t
- /data/media/####/f22990fffad500225d58ea789395e281.zip.tp
- /data/media/####/gifnoc.ini
- /data/media/####/journal.1
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/amodel/a com.android.browser/com.android.browser.BrowserActivity 0 <Package Folder>/amodel <Package Folder> http://sjzs-api.25pp.com/api/uninstall?content=aW1laT0zNTY1MDcwNTkzNTE4OTVgbW9kZWw9R1QtSTgxOTBgdWlkPWQwODBkM2EzN2IwYmU3YmM3YzE1YzBhNWFjNzZiYzY0YHV1aWQ9ZGVmYXVsdGByb209MThgdmVyPTYuMS4zYGNoPVBNXzMxYGFjdGlvbj11bmluc3RhbGxgcHJvZHVjdGlkPTIwMDFgcmVzb2x1dGlvbj02MDAqNzUyYGluc3RhbGx0aW1lPTIwMTgtMDgtMTEgMTM6MTI6Mjc= null
- chmod 755 <Package Folder>/files/busybox
- chmod 775 <Package Folder>/amodel/a
- grep <Package Folder>/amodel/a
- sh
- sh <Package Folder>/amodel/a com.android.browser/com.android.browser.BrowserActivity 0 <Package Folder>/amodel <Package Folder> http://sjzs-api.25pp.com/api/uninstall?content=aW1laT0zNTY1MDcwNTkzNTE4OTVgbW9kZWw9R1QtSTgxOTBgdWlkPWQwODBkM2EzN2IwYmU3YmM3YzE1YzBhNWFjNzZiYzY0YHV1aWQ9ZGVmYXVsdGByb209MThgdmVyPTYuMS4zYGNoPVBNXzMxYGFjdGlvbj11bmluc3RhbGxgcHJvZHVjdGlkPTIwMDFgcmVzb2x1dGlvbj02MDAqNzUyYGluc3RhbGx0aW1lPTIwMTgtMDgtMTEgMTM6MTI6Mjc= null
Загружает динамические библиотеки:
- pppmtools
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- DES
Может автоматически отправлять СМС-сообщения.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
