Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.RemoteCode.127.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) m####.lyi####.com:80
- TCP(HTTP/1.1) up####.sdk.jig####.cn:80
- TCP(HTTP/1.1) img.lyi####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) aexcep####.b####.qq.com:8012
- TCP(TLS/1.0) hs.cb####.com:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) api.s####.com:443
- TCP(TLS/1.0) api.map.b####.com:443
- TCP(TLS/1.0) o####.map.b####.com:443
- TCP(TLS/1.0) t####.j####.cn:443
- TCP(TLS/1.0) s####.j####.cn:443
- TCP(TLS/1.0) m####.lyi####.com:443
- TCP(TLS/1.0) 2####.58.212.174:443
- TCP(TLS/1.0) hs-pa####.b0.a####.com:443
- TCP(TLS/1.0) loc.map.b####.com:443
- TCP(TLS/1.0) img.lyi####.com:443
- TCP 1####.202.138.13:7006
- UDP s.j####.cn:19000
Запросы DNS:
- aexcep####.b####.qq.com
- and####.b####.qq.com
- api.map.b####.com
- api.s####.com
- hs-pa####.s####.com
- hs.cb####.com
- img.lyi####.com
- loc.map.b####.com
- log.u####.com
- m####.lyi####.com
- o####.map.b####.com
- s####.j####.cn
- s####.u####.com
- s.j####.cn
- t####.j####.cn
- up####.sdk.jig####.cn
Запросы HTTP GET:
- img.lyi####.com/attachment/ilife1688/image/20180413/3.jpg
- img.lyi####.com/attachment/ilife1688/image/20180413/6.jpg
- img.lyi####.com/attachment/ilife1688/image/20180613/2018061310112946793....
- img.lyi####.com/attachment/ilife1688/image/20180613/2018061310241533213....
- img.lyi####.com/attachment/ilife1688/image/20180621/2018062117433348216....
- img.lyi####.com/attachment/ilife1688/image/20180712/2018071216523955450....
- img.lyi####.com/attachment/ilife1688/image/20180712/2018071216530627202....
- img.lyi####.com/attachment/ilife1688/image/20180712/2018071216531841557....
- img.lyi####.com/attachment/ilife1688/image/20180712/2018071216532828029....
- img.lyi####.com/attachment/ilife1688/image/20180712/2018071216534911416....
- img.lyi####.com/attachment/ilife1688/image/20180801/2018080109460211771....
- img.lyi####.com/attachment/ilife1688/image/20180801/2018080109461873648....
- img.lyi####.com/attachment/ilife1688/image/20180801/2018080109464691064....
- img.lyi####.com/attachment/ilife1688/image/20180801/2018080109471689733....
- img.lyi####.com/attachment/ilife1688/image/20181012/2018101218140377528....
- img.lyi####.com/attachment/ilife1688/public/upload/ad/2018/03-03/56eae73...
- img.lyi####.com/attachment/image/0/2018/06/A1AIGnIZuGfNIVnnetnOet7fVQ1au...
- img.lyi####.com/attachment/image/0/2018/06/E06yzwCwr3RPergEtK0qrQWKr63z3...
- img.lyi####.com/attachment/image/0/2018/06/E7FFcCNeK4tqTEfEzFCZf4FjFNC9f...
- img.lyi####.com/attachment/image/0/2018/06/H5Qriqp75REA1bRmC1BMCMRavQ018...
- img.lyi####.com/attachment/image/0/2018/06/Hp84lY4588lL89Np8830leZ0NL4l5...
- img.lyi####.com/attachment/image/0/2018/06/KLegU5lnD7XHA8a851ZlAgeBxGbXN...
- img.lyi####.com/attachment/image/0/2018/06/NC3cHZiZr74kVvkacpZvCEA0vpRVe...
- img.lyi####.com/attachment/image/0/2018/06/Siv3WyywyMZtV5wB5oMYH3V5IKK5M...
- img.lyi####.com/attachment/image/0/2018/06/TCcfGqGzWXKQyfG263TPCW3xJ3n2N...
- img.lyi####.com/attachment/image/0/2018/06/VPME1nUO1ynN2ToOm332ep1EkBTGN...
- img.lyi####.com/attachment/image/0/2018/06/Z04DR2dQCAbDdQRaBBKrDzw8QVDbg...
- img.lyi####.com/attachment/image/0/2018/06/blMTsIFDzqLrcQGT3S7qGTI967rgC...
- img.lyi####.com/attachment/image/0/2018/06/eNF96DW524Z75rOw872329d677r99...
- img.lyi####.com/attachment/image/0/2018/06/fZ5pabTba980nB87EzN90b5se99V9...
- img.lyi####.com/attachment/image/0/2018/06/jtdo44EDA4tu8tzcUidEvO4O4TZ2m...
- img.lyi####.com/attachment/image/0/2018/06/nhZeP8Tx18E3XFL183nP2e3knk0Z3...
- img.lyi####.com/attachment/image/0/2018/06/o4Z4k1EWaKiI7InrAmiZ9eFR9NIV9...
- img.lyi####.com/attachment/image/0/2018/06/t688wWON35olSn2n3tOHH70wN2nW5...
- img.lyi####.com/attachment/image/0/2018/06/wPsdIP1bBz1d6wcrCE6pAsaenMzP1...
- img.lyi####.com/attachment/image/0/2018/06/xRmhxZNMwmNs74R47yp4Qm9R4h4wR...
- img.lyi####.com/attachment/image/0/2018/09/AGcJLzzcfD6WwL7CFp7GwrCGf6Zc4...
- img.lyi####.com/attachment/image/0/2018/09/JrT8CR9n2JgsRATJg1CA9jHGm9CRz...
- img.lyi####.com/attachment/image/0/2018/09/L09IT1yZNzggG0IR0tt5k0gRIP90W...
- img.lyi####.com/attachment/image/0/2018/09/RqL4inQz4c0jI12Vl7v4Jw4JZn10v...
- img.lyi####.com/attachment/image/0/2018/09/TfvmvI748ZmczfM57I5511511N785...
- img.lyi####.com/attachment/image/0/2018/09/TwcBx2zuWV5T21hqTA26b2LZZcLA3...
- img.lyi####.com/attachment/image/0/2018/09/fKk5t5K4TTeZt3TI0bg0FsV3QG5iG...
- img.lyi####.com/attachment/image/0/2018/09/gOOM887Mx2uII53Tu857ZE88a2mU2...
- img.lyi####.com/attachment/image/0/2018/09/nU2yDdmGn0UN6FLDc6LD21dMYoDo0...
- img.lyi####.com/attachment/image/0/2018/09/rrp1Lpz127PwWYNRsCoovP2CN1RcP...
- img.lyi####.com/attachment/image/0/2018/09/vaxCtlwi5Lw1p1CV0S1z1TssW1iQq...
- img.lyi####.com/upload/ad/180829/20576_1.jpg
- img.lyi####.com/upload/ad/180903/mrhh.jpg
- img.lyi####.com/upload/ad/180903/zwcg.jpg
- m####.lyi####.com/index.php?m=####&androidversion=####&c=####&a=####&pag...
- m####.lyi####.com/index.php?m=####&androidversion=####&c=####&a=####&ver...
- m####.lyi####.com/index.php?m=####&c=####&a=####&width=####&height=####&...
- m####.lyi####.com/public/upload/head_pic/20180820/2723889c569af720d40157...
- m####.lyi####.com/public/upload/store/1/seller//bec8a399c49cfe156fad3f81...
Запросы HTTP POST:
- aexcep####.b####.qq.com:8012/rqd/async
- and####.b####.qq.com/rqd/async
- m####.lyi####.com/index.php?m=####&androidversion=####&c=####&a=####
- m####.lyi####.com/index.php?m=####&c=####&a=####
- up####.sdk.jig####.cn/v1/push/sdk/postlist
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/1539440417915.log
- /data/data/####/1794b89f-08a6-4a6f-b0ac-669aa25414cc
- /data/data/####/17bb5cbed571d9f66a54af3e3c35489f4a9adbe3685ebb6....0.tmp
- /data/data/####/1da1e33b9ca5131aec969a15283e0d2bdb1897a129f7d4d....0.tmp
- /data/data/####/1ee83ee42af6eecbc0549e5837af63d5def3bfbac54ec8b....0.tmp
- /data/data/####/225ddcbd83b29be769179b098ac3b39d44074740b2c4a77....0.tmp
- /data/data/####/30afdddeb8ba767490c3fa5eddc7b3961b0b4d4b91360c7....0.tmp
- /data/data/####/335c1837-eebd-4041-a188-9a995ce769f6
- /data/data/####/3b98fcfe-ac3b-4832-b10d-cf69d234714a
- /data/data/####/3f645972cb9925a1996b95ad56d23845b1833a2b08262c2....0.tmp
- /data/data/####/4009cf4a60d2183de4aaa64da46b7c0351237b8fca73ef8....0.tmp
- /data/data/####/4d7eb47d-cdfd-4832-b6f0-1c39bda96d2b
- /data/data/####/684ec457531d8710aec90dc1ad8638199a19110d4ed692f....0.tmp
- /data/data/####/6c2abcc9bab713c7220fa9f0c558778d32f6fe8c9435854....0.tmp
- /data/data/####/7c252d9d-879a-4a66-be9a-17e653eda544
- /data/data/####/88e2745fc1c61fb242feee45b97a55e62e7367196cfe839....0.tmp
- /data/data/####/918ae55be6335921655da77e5e1b1069e4759310e8661f9....0.tmp
- /data/data/####/97f390bb42351d426710165210766433bb2f0b54d4aaac6....0.tmp
- /data/data/####/9eab8cbbd035b8c306f5d29d33e0e8f7ab7287147f154c2....0.tmp
- /data/data/####/9f7610d386ff3b2166eea9c44da075f2d9ed351227f8939....0.tmp
- /data/data/####/CookiePrefsFile.xml
- /data/data/####/JPushSA_Config.xml
- /data/data/####/OZIASmJ2kVdRkQZnKTbz0F3yHJM.-1592031073.tmp
- /data/data/####/SaGYySHQlqWlLuW5wfbbaw84Kkg.1468909105.tmp
- /data/data/####/VeAyYV6UhhIqV7R7Od7Abb18tDo.-1318950750.tmp
- /data/data/####/WtYrP3MkkLF09kCDQ7KtYUeYZps.-391580097.tmp
- /data/data/####/XfV1a757liGvQRNapyeHuw5enQo.1632761129.tmp
- /data/data/####/a14052d402b2522a40e066b85fd63d9cd4a700d1f8a87d1....0.tmp
- /data/data/####/appPackageNames_v2
- /data/data/####/asfDDeKgu66WhGfolt8evc7OGsE.-186574540.tmp
- /data/data/####/authStatus_com.greenLeafShop.mall;remote.xml
- /data/data/####/bugly_db_legu-journal
- /data/data/####/cf68468c1b7909e7c0e9ac202c64b4ba3333dd0333a1f68....0.tmp
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/dRTNeudWXHSpiZtqVhHsnpdk3Ok.-1320879315.tmp
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/dc8b857d-dce1-4d2f-8c16-fe765936a1aa
- /data/data/####/ee24917ffea92cebcdfd80f6ce1b9df39e4c49419586d2b....0.tmp
- /data/data/####/f9f38125-4d1a-4a58-91f9-cf01e2968878
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/f_00001f
- /data/data/####/f_000020
- /data/data/####/f_000021
- /data/data/####/f_000022
- /data/data/####/feb7aadfe42b9bc1bd16382db2f989b26c8f6baf4ce7016....0.tmp
- /data/data/####/firll.dat
- /data/data/####/gal.db
- /data/data/####/gal.db-journal
- /data/data/####/hst.db
- /data/data/####/hst.db-journal
- /data/data/####/index
- /data/data/####/jb_sp.xml
- /data/data/####/journal.tmp
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_stat_cache.json
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_statistics.db
- /data/data/####/jpush_statistics.db-journal
- /data/data/####/jpush_statistics.db-shm (deleted)
- /data/data/####/jpush_statistics.db-wal
- /data/data/####/libcuid.so
- /data/data/####/libnfix.so
- /data/data/####/libshella-2.9.0.2.so
- /data/data/####/libufix.so
- /data/data/####/libweexjsb.so
- /data/data/####/local_crash_lock
- /data/data/####/mix.dex
- /data/data/####/multidex.version.xml
- /data/data/####/native_record_lock
- /data/data/####/ofl.config
- /data/data/####/ofl_location.db
- /data/data/####/ofl_location.db-journal
- /data/data/####/ofl_statistics.db
- /data/data/####/ofl_statistics.db-journal
- /data/data/####/security_info
- /data/data/####/sobot_chat_20181013_log.txt
- /data/data/####/sobot_config.xml
- /data/data/####/sp.txt
- /data/data/####/tpshop.xml
- /data/data/####/umeng_socialize.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.cuid
- /data/media/####/.cuid2
- /data/media/####/.push_deviceid
- /data/media/####/conlts.dat
- /data/media/####/ls.db
- /data/media/####/ls.db-journal
- /data/media/####/phone_uuid.tmp
- /data/media/####/yoh.dat
- /data/media/####/yol.dat
- /data/media/####/yom.dat
Другие:
Запускает следующие shell-скрипты:
- /data/app-lib/<Package>-1/libweexjsb.so 58 0
- /data/app-lib/<Package>-1/libweexjsb.so 61 0
- /data/app-lib/<Package>-1/libweexjsb.so 63 0
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.9.0.2.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
- ps
Загружает динамические библиотеки:
- Bugly
- bitmaps
- jcore123
- libnfix
- libshella-2.9.0.2
- libufix
- locSDK7a
- memchunk
- nfix
- pl_droidsonroids_gif
- ufix
- weexjsc
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-ECB-NoPadding
- AES-GCM-NoPadding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
