Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.691.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) www.m####.com.####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) zhu####.cde####.com.####.com:80
- TCP(HTTP/1.1) m.m####.com:80
- TCP(HTTP/1.1) shl####.top:9999
- TCP(HTTP/1.1) me####.m####.com:80
- TCP(HTTP/1.1) me####.chin####.com:80
- TCP(HTTP/1.1) d####.cde####.com:80
- TCP(TLS/1.0) 1####.217.20.110:443
- TCP(TLS/1.0) z####.cde####.com:443
Запросы DNS:
- 24####.m####.com
- anal####.cde####.com
- d####.cde####.com
- hm.b####.com
- m.m####.com
- me####.chin####.com
- me####.m####.com
- shl####.top
- top.p####.net
- www.m####.com
- z####.cde####.com
- zhu####.cde####.com
Запросы HTTP GET:
- d####.cde####.com/bdp/get/uuid/?jsoncallback=####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&ep=####&et=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- hm.b####.com/hm.js?32e12db####
- m.m####.com/css/common/2017lanmu.css
- m.m####.com/css/swiper.min.css
- m.m####.com/favicon.ico
- m.m####.com/hushi/
- m.m####.com/images/analytics/analytics.ico?action_name=####&idsite=####&...
- m.m####.com/images/common/2017lanmu/b01.png
- m.m####.com/images/common/2017lanmu/ico01.png
- m.m####.com/images/common/2017lanmu/ico02.png
- m.m####.com/images/common/2017lanmu/ico03.png
- m.m####.com/images/common/2017lanmu/ico04.png
- m.m####.com/images/common/2017lanmu/ico05.png
- m.m####.com/images/common/2017lanmu/ico07.png
- m.m####.com/images/common/2017lanmu/ico08.png
- m.m####.com/images/common/2017lanmu/ico09.png
- m.m####.com/images/common/2017lanmu/ico11.png
- m.m####.com/images/common/2017lanmu/ico12.png
- m.m####.com/images/common/2017lanmu/ico13.png
- m.m####.com/images/common/2017lanmu/ico14.png
- m.m####.com/images/common/2017lanmu/ico15.png
- m.m####.com/images/common/2017lanmu/xian01.png
- m.m####.com/images/common/acc.png
- m.m####.com/images/common/app3.png
- m.m####.com/images/common/footer01.png
- m.m####.com/images/common/footer02.png
- m.m####.com/images/common/footer03.png
- m.m####.com/images/common/footer04.png
- m.m####.com/images/common/footer05.png
- m.m####.com/js/BrowserCheck.js
- m.m####.com/js/baidutj.js
- m.m####.com/js/common/2017lanmu-analysis.js
- m.m####.com/js/common/2017lanmu.min.js
- m.m####.com/js/common/2017main.js
- m.m####.com/js/common/2017openApp.min.js
- m.m####.com/js/flexible.js
- m.m####.com/js/jquery-2.1.3.min.js
- m.m####.com/js/require.js
- m.m####.com/js/swiper.min.js
- m.m####.com/upload/html/2017/07/my250187.png
- m.m####.com/upload/html/2018/02/li080111.png
- m.m####.com/upload/html/2018/02/li080112.jpg
- m.m####.com/upload/html/2018/02/li080113.jpg
- m.m####.com/upload/html/2018/02/li080114.jpg
- m.m####.com/upload/html/2018/02/lj090524.jpg
- m.m####.com/upload/html/2018/03/lj020033.png
- m.m####.com/upload/html/2018/03/lj020034.png
- m.m####.com/upload/html/2018/03/lj020042.png
- m.m####.com/upload/html/2018/03/lj20036.png
- m.m####.com/upload/html/2018/05/lj80025.jpg
- m.m####.com/upload/html/2018/08/lj210052.png
- me####.chin####.com/collect/js/collect/visit.js
- me####.m####.com/css/member/dialog.css
- www.m####.com.####.com/asp/wangxiao/hushi/
- www.m####.com.####.com/css/common/2017lanmu_xuanke.min.css
- www.m####.com.####.com/css/headnew2017.css?v=####
- www.m####.com.####.com/css/hushi2018/index2017.min.css?v=####
- www.m####.com.####.com/global/js/uuid.js
- www.m####.com.####.com/global/poster.js
- www.m####.com.####.com/head/head_champion_new.js
- www.m####.com.####.com/hushi/
- www.m####.com.####.com/js/analysis/analytics.js
- www.m####.com.####.com/js/browserRedirect.js
- www.m####.com.####.com/js/browserRedirectIndex.js
- www.m####.com.####.com/js/common/2017lanmu-analysis.js
- www.m####.com.####.com/js/headnew2017.min.js
- www.m####.com.####.com/js/judgeBrowers.min.js
- www.m####.com.####.com/js/med66/analytics_m_med66.js
- www.m####.com.####.com/js/require.js
- zhu####.cde####.com.####.com/js/analysis/zhuge.min.js?v=####
- zhu####.cde####.com.####.com/ng/201612/115/c/icon.jpg
- zhu####.cde####.com.####.com/ng/201612/115/c/pic0nfFLn.png
- zhu####.cde####.com.####.com/ng/201703/170/c/icon.png
- zhu####.cde####.com.####.com/ng/201703/170/c/pic0.jpg
- zhu####.cde####.com.####.com/ng/201709/446/c/icon.png
- zhu####.cde####.com.####.com/ng/201709/446/c/pic0.jpg
- zhu####.cde####.com.####.com/ng/201805/787/c/icon.png
- zhu####.cde####.com.####.com/ng/201805/787/c/pic0.jpg
- zhu####.cde####.com.####.com/upload/html/2018/05/li070016.png
- zhu####.cde####.com.####.com/upload/html/2018/05/li070017.png
- zhu####.cde####.com.####.com/upload/html/2018/05/li070018.png
- zhu####.cde####.com.####.com/upload/html/2018/05/li070019.png
Запросы HTTP POST:
- shl####.top:9999/c798b/84e4d
- shl####.top:9999/dc3/085
- shl####.top:9999/o19e/994
- shl####.top:9999/sca35af/e58ea
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jar
- /data/data/####/twsdk.db-journal
- /data/data/####/userData.xml
- /data/data/####/userDatas.xml
- /data/data/####/webview.db-journal
- /data/media/####/0693d7ebc6f61a0d8754999fff1e0019.cach
- /data/media/####/0ad4eaf8240fa99496887e2e890efd08.cach
- /data/media/####/350b40e03cfb67a68396b46ecd1d9cf2.cach
- /data/media/####/78ae0d26ca18fbc260ab5a4955fe8c73.cach
- /data/media/####/9c8c53097faf307aca9ccfdd2d1fa124.cach
- /data/media/####/c87a3194690faa66bbca5dd741dc2d81.cach
- /data/media/####/f4c080ac4f1c26613bffa98078bd42e1.cach
- /data/media/####/fdfbf9c5d0ea165aa45d60ae95bcb84a.cach
Другие:
Использует следующие алгоритмы для расшифровки данных:
- DES
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
