Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.192.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) m####.qy.net:80
- TCP(HTTP/1.1) box.jom####.com:80
- TCP(HTTP/1.1) www.a.sh####.com:80
- TCP(HTTP/1.1) t7z.c####.i####.com:80
- TCP(HTTP/1.1) fc####.b####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) i####.i####.com:80
- TCP(HTTP/1.1) secu####.i####.com:80
- TCP(HTTP/1.1) iqiy####.com.edg####.net:80
- TCP(HTTP/1.1) t####.jom####.com:80
- TCP(HTTP/1.1) ch####.jom####.com:80
- TCP(HTTP/1.1) w####.pcon####.com.cn:80
- TCP(HTTP/1.1) d####.b####.com:80
- TCP(HTTP/1.1) b.scoreca####.com.####.net:80
- TCP(HTTP/1.1) wap.n.sh####.com:80
- TCP(HTTP/1.1) mipc####.jom####.com:80
- TCP(HTTP/1.1) 1####.232.231.93:80
- TCP(HTTP/1.1) ssls####.jom####.com:80
- TCP(HTTP/1.1) c####.m.i####.com:80
- TCP(HTTP/1.1) i####.com.edg####.net:80
- TCP(TLS/1.0) m####.qy.net:443
- TCP(TLS/1.0) c####.i####.com:443
- TCP(TLS/1.0) c####.b####.com:443
- TCP(TLS/1.0) t####.jom####.com:443
- TCP(TLS/1.0) secu####.i####.com:443
- TCP(TLS/1.0) www.a.sh####.com:443
- TCP(TLS/1.0) mipc####.jom####.com:443
- TCP(TLS/1.0) i####.b####.com:443
- TCP(TLS/1.0) d####.b####.com:443
- TCP(TLS/1.0) cambria####.cdn.bc####.####.com:443
Запросы DNS:
- b.scoreca####.com
- c####.b####.com
- c####.baidu####.cn
- c####.i####.com
- c####.m.i####.com
- c.mi####.com
- cambria####.cdn.bc####.com
- cg.0####.com
- cg.m####.com
- d####.b####.com
- fc####.b####.com
- g####.bdst####.com
- hm.b####.com
- i####.i####.com
- m####.qy.net
- m.b####.com
- m.i####.com
- m.iqiy####.com
- mip-rui####.mi####.com
- mipc####.bdst####.com
- p####.iqiy####.com
- p####.iqiy####.com
- pub.m.i####.com
- s.bdst####.com
- secu####.i####.com
- sp1.b####.com
- st####.i####.com
- statics####.i####.com
- t10.b####.com
- t11.b####.com
- t12.b####.com
- t7z.c####.i####.com
- t8.b####.com
- t9.b####.com
- w####.pcon####.com.cn
- w####.qy.net
- www.iqiy####.com
- zh####.b####.com
Запросы HTTP GET:
- b.scoreca####.com.####.net/beacon.js
- box.jom####.com/common/openjs/openBox.js?_v=####
- box.jom####.com/it/u=1886309944,1451944498&fm=58
- box.jom####.com/it/u=1896311174,798654439&fm=58
- box.jom####.com/it/u=1969291302,3436839348&fm=58
- box.jom####.com/it/u=2071741171,1169508723&fm=58
- box.jom####.com/it/u=2989590044,1184865074&fm=58
- box.jom####.com/it/u=3025731618,1555699111&fm=58
- box.jom####.com/it/u=3458634310,2539167038&fm=58
- box.jom####.com/it/u=3713429897,4169243263&fm=58
- box.jom####.com/it/u=375489876,2639580422&fm=58
- box.jom####.com/it/u=3856078779,2060907481&fm=58
- box.jom####.com/it/u=4016486117,3508225515&fm=58
- box.jom####.com/it/u=4023672138,3742263748&fm=58
- box.jom####.com/it/u=4218045044,1692329411&fm=58
- c####.m.i####.com/jp/tmts/3667653009/7e3796c4bc9bd2753efda49471786f60/?u...
- ch####.jom####.com/it/u=341949464,3402234316&fm=190&app=57&size=r3,2&n=0...
- ch####.jom####.com/it/u=50952364,1895238756&fm=190&app=7&size=r3,2&n=0&g...
- d####.b####.com/x.gif?he=[mag####&prot_ver=####&app_id=####&rnd=####&log...
- d####.b####.com/x.js?si=####&dm=####
- fc####.b####.com/w.gif?baiduid=####&query=####&queryUtf8=####&searchid=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&ep=####&et=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- hm.b####.com/hm.js?5df871a####
- i####.com.edg####.net/channel_list.html
- i####.com.edg####.net/css/2018090317/h5-comment-aura2.css
- i####.com.edg####.net/css/2018092517/h5-play-aura.css
- i####.com.edg####.net/css/2018102411/h5-aura.css
- i####.com.edg####.net/dianshiju/
- i####.com.edg####.net/ext/common/auraIcon20180622/iconfont.ttf
- i####.com.edg####.net/js/common/7d183edd03bc4414b315e8964fb41826.js
- i####.com.edg####.net/js/common/ares4-h5.min.js
- i####.com.edg####.net/js/html5/js/lib/clipboard.min.js
- i####.com.edg####.net/js/html5/js/lib/lib.2.0.8.min.js?sea1.2.####
- i####.com.edg####.net/js/html5/js/lib/qoe.3.0.3.min.js?v=####
- i####.com.edg####.net/js/html5/js/page/channelList/59f6cd4ad7!app.js
- i####.com.edg####.net/js/html5/js/page/newChannel/83569f0a57!app.js
- i####.com.edg####.net/js/html5/js/page/playSingle/75766f479c!app.js
- i####.com.edg####.net/w_19rs33efwd.html
- i####.i####.com/irt?_iwt_t=####&_iwt_id=####&_iwt_UA=####&r=####
- iqiy####.com.edg####.net/common/20171106/ac/1b/vip_100000_v_601_0_60.png
- iqiy####.com.edg####.net/common/20180322/b78ffa490af04be394dc908de16f1e3...
- iqiy####.com.edg####.net/common/20180509/70ea099b771d43189d4cf0d7ffd7a16...
- iqiy####.com.edg####.net/common/20180509/9c64fce5ad2940d289c84c5586085b0...
- iqiy####.com.edg####.net/common/20180510/d9bd60258fac424a8aa71068559efeb...
- iqiy####.com.edg####.net/common/20180627/reliao_1530091658440.png
- iqiy####.com.edg####.net/common/fix/h5-aura/channel-list-20180119.png
- iqiy####.com.edg####.net/common/fix/h5-aura/foot.png
- iqiy####.com.edg####.net/common/fix/h5-aura/imgLogo-b.png
- iqiy####.com.edg####.net/common/fix/h5-aura/imgLogo-s.png
- iqiy####.com.edg####.net/common/fix/h5-aura/iqiyi-logo.png
- iqiy####.com.edg####.net/common/fix/h5-aura/menu-more-icon.png
- iqiy####.com.edg####.net/common/fix/h5-aura/nav-linebg.png
- iqiy####.com.edg####.net/common/fix/h5-aura/picicon-bg-20180918.png
- iqiy####.com.edg####.net/common/fix/h5-aura/playPage-icon-20180920.png
- iqiy####.com.edg####.net/common/fix/h5-aura/player-bg.png
- iqiy####.com.edg####.net/common/fix/h5-aura/player-default-logo.png
- iqiy####.com.edg####.net/common/fix/h5-aura/tab-navbg-20171011.png
- iqiy####.com.edg####.net/common/fix/h5-v3/am-update-icon.png
- iqiy####.com.edg####.net/common/fix/h5-v3/horizontal-img-220-124.jpg
- iqiy####.com.edg####.net/common/fix/h5-v3/iqy-linklogo.png
- iqiy####.com.edg####.net/common/fix/h5-v3/player-tip-bg.jpg
- iqiy####.com.edg####.net/common/lego/20181029/47ed1bf96a104274b96d0c6efb...
- iqiy####.com.edg####.net/image/20181015/6a/c1/a_100035270_m_601_m12_195_...
- iqiy####.com.edg####.net/image/20181016/2c/be/a_100098518_m_601_m14_195_...
- iqiy####.com.edg####.net/image/20181019/54/2d/a_100194844_m_601_m4_195_2...
- iqiy####.com.edg####.net/image/20181030/3f/3f/a_100204163_m_601_m4_195_2...
- iqiy####.com.edg####.net/image/20181030/5c/88/a_100119712_m_601_m14_195_...
- iqiy####.com.edg####.net/image/20181030/77/3a/a_100138755_m_601_m15_480_...
- iqiy####.com.edg####.net/u6/image/20150428/ed/30/uv_4003063666_m_601_m0_...
- m####.qy.net/b?t=####&bstp=####&pf=####&p=####&p1=####&u=####&pu=####&bl...
- m####.qy.net/cp2.gif?p=####&rd=####&rc=####&t=####&e=####&y=####&u=####&...
- m####.qy.net/cp2.gif?p=####&t=####&lc=####&e=####&y=####&u=####&av=####&...
- m####.qy.net/cp2.gif?p=####&t=####&rc=####&rd=####&ai=####&e=####&y=####...
- m####.qy.net/jpb.gif?rdm=####&qtcurl=####&rfr=####&flshuid=####&lrfr=###...
- m####.qy.net/tmpstats.gif?type=####&des=####&mse=####&p2p=####&p=####
- m####.qy.net/v5/mbd/qos_http?total_tm=####&dns_tm=####&tcpconn_tm=####&r...
- m####.qy.net/vodpb.gif?rec=####&mse=####&url=####&fetch=####&rtc=####&ws...
- mipc####.jom####.com/static/az.gif?_=####
- mipc####.jom####.com/static/prefetch.html
- secu####.i####.com/api/getNewAdInfo?pageName=####&appNum=####&key=####&v...
- secu####.i####.com/common/jssdk/iqiyiJsBridge-v2-min.js
- ssls####.jom####.com/5foUcz3n1MgCo2Kml5_Y_D3/graph/static/resource/sdk/m...
- ssls####.jom####.com/5foUcz3n1MgCo2Kml5_Y_D3/graph/static/resource/sdk/v...
- t####.jom####.com/static/az.gif?_=####
- t####.jom####.com/timg?wisealaddin&size=f200_133&quality=100&sec=1540917...
- t7z.c####.i####.com/show2?e=AF48R####&h=####&a=####&u=####&p=####&s=####...
- t7z.c####.i####.com/track2?w=####&dts=####&nr=####&c=####&f=####&g=####&...
- wap.n.sh####.com/s?word=####
- www.a.sh####.com/5b1ZeDe5KgQFm2e88IuM_a/wbcj.gif?pid=####&lid=####&ts=##...
- www.a.sh####.com/5b1ZeDe5KgQFm2e88IuM_a/wbcj.gif?pid=####&ts=####&lid=##...
- www.a.sh####.com/error
- www.a.sh####.com/error.jsp?traceid=####
- www.a.sh####.com/his?callback=####&type=####&ishome=####&islogin=####&pi...
- www.a.sh####.com/rec?platform=####&ms=####&lsAble=####&rset=####&word=##...
- www.a.sh####.com/s?word=####
- www.a.sh####.com/s?word=####&rq=####&sa=####&rsf=####&pqid=####&rqid=###...
- www.a.sh####.com/se/static/ala_atom/app/recommend_list/bundle_826806a.js
- www.a.sh####.com/se/static/ala_atom/app/www_video_normal/bundle_39c2c90.js
- www.a.sh####.com/se/static/amd_modules/@baidu/atom-web-runtime_30eca1a.js
- www.a.sh####.com/se/static/amd_modules/@baidu/better-scroll/better-scrol...
- www.a.sh####.com/se/static/amd_modules/@baidu/better-scroll_3ccd1d2.js
- www.a.sh####.com/se/static/amd_modules/@baidu/jssdk/index_26b9d34.js
- www.a.sh####.com/se/static/amd_modules/@baidu/jssdk_b621e68.js
- www.a.sh####.com/se/static/amd_modules/@baidu/web-animations-js/web-anim...
- www.a.sh####.com/se/static/amd_modules/@baidu/web-animations-js_8257915.js
- www.a.sh####.com/se/static/atom/search-ui/v2/core_0604eef.js
- www.a.sh####.com/se/static/atom/search-ui/v2/enhance_583a15c.js
- www.a.sh####.com/se/static/font/pmd/cicon_931bd66.ttf
- www.a.sh####.com/se/static/img/iphone/input_bearicon.png
- www.a.sh####.com/se/static/img/iphone/logo.png
- www.a.sh####.com/se/static/img/iphone/tab_loading__bg_logo_small.png
- www.a.sh####.com/se/static/js/bundles/ala-util_e35a0fc.js
- www.a.sh####.com/se/static/js/bundles/atom_0ec8a79.js
- www.a.sh####.com/se/static/js/dep/fingerprint2.min_c6eb516.js
- www.a.sh####.com/se/static/js/fusion/b-popup/b-popup_3e28331.js
- www.a.sh####.com/se/static/js/fusion/b-scroll/b-scroll_e0b3634.js
- www.a.sh####.com/se/static/js/fusion/b-scroll/bdscroll_3c59879.js
- www.a.sh####.com/se/static/js/fusion/b-scroll/scroll_1b8ba32.js
- www.a.sh####.com/se/static/js/fusion/b-share/b-share_4aecd60.js
- www.a.sh####.com/se/static/js/fusion/b-toast/b-toast_89597a6.js
- www.a.sh####.com/se/static/js/fusion/deps/aio_34bb973.js
- www.a.sh####.com/se/static/js/fusion/deps/detect_59e6096.js
- www.a.sh####.com/se/static/js/log/exp_db2b53e.js
- www.a.sh####.com/se/static/js/log/taiji_behavior_84e8fa7.js
- www.a.sh####.com/se/static/js/log/taiji_device_e2f4d3c.js
- www.a.sh####.com/se/static/js/modules/advanced_filter/advanced_filter_b0...
- www.a.sh####.com/se/static/js/modules/baiduappFixedButton_4edbe08.js
- www.a.sh####.com/se/static/js/modules/device_data_dep/h5_support_info_4f...
- www.a.sh####.com/se/static/js/modules/device_data_dep/murmur3_e901bf7.js
- www.a.sh####.com/se/static/js/modules/device_data_dep/support_fonts_ac84...
- www.a.sh####.com/se/static/js/modules/device_data_dep/zoom_info_abaf8bb.js
- www.a.sh####.com/se/static/js/modules/safariicon/safariicon_d1dec0d.js
- www.a.sh####.com/se/static/js/modules/vsl/vslNewUtil_9b32cc9.js
- www.a.sh####.com/se/static/js/modules/vsl/vslUtil_2dbd992.js
- www.a.sh####.com/se/static/wiseatom/feedback/pack_2cd71f9.js
- www.a.sh####.com/se/static/wiseatom/pagenav/pack_fa78789.js
- www.a.sh####.com/se/static/wiseatom/relative/pack_fda783c.js
- www.a.sh####.com/static/search/clear.png
- www.a.sh####.com/static/search/image_default.png
- www.a.sh####.com/static/search/sug_logo.png
- www.a.sh####.com/static/searchbox/openjs/share.js?v=####
- www.a.sh####.com/static/tj.gif?time=####
- www.a.sh####.com/su?pre=####&p=####&ie=####&json=####&from=####&sugsid=#...
- www.a.sh####.com/tc?tcreq4log=####&clk_type=####&vit=####&l=####&baiduid...
- www.a.sh####.com/tc?tcreq4log=####&ssid=####&from=####&bd_page_type=####...
Запросы HTTP POST:
- w####.pcon####.com.cn/ip.jsp?qq-pf-to=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/037a0530-40dd-4bcb-84c9-a818dfb633e8
- /data/data/####/Downloado
- /data/data/####/Downloado-journal
- /data/data/####/c
- /data/data/####/c.jar
- /data/data/####/configo.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/eca.db-journal
- /data/data/####/eck.xml
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/f_00001f
- /data/data/####/f_000020
- /data/data/####/f_000021
- /data/data/####/f_000022
- /data/data/####/f_000023
- /data/data/####/f_000024
- /data/data/####/index
- /data/data/####/t
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/com.solar.rain.jcoz.dex
- /data/media/####/dizigui.db
- /data/media/####/id
- /data/media/####/logo.png
Другие:
Загружает динамические библиотеки:
- 037a0530-40dd-4bcb-84c9-a818dfb633e8
Использует следующие алгоритмы для шифрования данных:
- DES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CFB-NoPadding
- DES-CBC-PKCS5Padding
- DESede-CBC-PKCS7Padding
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
