Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.RemoteCode.907
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a.esp####.edg####.net:80
- TCP(HTTP/1.1) www.e####.com:80
- TCP(HTTP/1.1) secure-####.imrworl####.com:80
- TCP(HTTP/1.1) tr####.go.com:80
- TCP(HTTP/1.1) cd####.imrworl####.com:80
- TCP(HTTP/1.1) w88.e####.com:80
- TCP(HTTP/1.1) p####.chart####.net:80
- TCP(HTTP/1.1) espndo####.tt.om####.net:80
- TCP(HTTP/1.1) tpc.googles####.com:80
- TCP(HTTP/1.1) cdn.e####.com.####.net:80
- TCP(HTTP/1.1) sp.analy####.y####.com:80
- TCP(HTTP/1.1) b.scoreca####.com.####.net:80
- TCP(HTTP/1.1) gose####.com.edg####.net:80
- TCP(HTTP/1.1) st####.ads-twi####.com:80
- TCP(HTTP/1.1) i####.de####.net:80
- TCP(HTTP/1.1) one####.fan.api.####.com:80
- TCP(HTTP/1.1) pag####.googles####.com:80
- TCP(HTTP/1.1) cm.everest####.net:80
- TCP(HTTP/1.1) bat-bin####.a-####.a-ms####.net:80
- TCP(HTTP/1.1) t####.co:80
- TCP(HTTP/1.1) cdn.optimi####.com:80
- TCP(HTTP/1.1) e####.com:80
- TCP(HTTP/1.1) a2.esp####.edg####.net:80
- TCP(HTTP/1.1) cdn.registe####.go.####.net:80
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) s####.adobe####.com:443
- TCP(TLS/1.0) www.googlea####.com:443
- TCP(TLS/1.0) securep####.g.doublec####.net:443
- TCP(TLS/1.0) s.y####.com:443
- TCP(TLS/1.0) cdn.m####.disney####.####.net:443
- TCP(TLS/1.0) syndica####.twi####.com:443
- TCP(TLS/1.0) con####.face####.net:443
- TCP(TLS/1.0) t####.blu####.com.####.net:443
- TCP(TLS/1.0) sb.scoreca####.com.####.net:443
- TCP(TLS/1.0) 1####.217.17.142:443
- TCP(TLS/1.0) a.esp####.edg####.net:443
- TCP(TLS/1.0) 13.35.2####.103:443
- TCP(TLS/1.0) broad####.e####.com:443
- TCP(TLS/1.0) ads.twi####.com:443
- TCP(TLS/1.0) l####.optimi####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) adser####.go####.com:443
- TCP(TLS/1.0) f####.wac.1####.####.net:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) cdn.optimi####.com:443
- TCP(TLS/1.0) s####.go.com:443
- TCP(TLS/1.0) cs1-l####.8####.e####.net:443
- TCP(TLS/1.0) waws-pr####.vip.azurewe####.####.net:443
- TCP(TLS/1.0) www.face####.com:443
- TCP(TLS/1.0) cdn.registe####.go.####.net:443
- TCP(TLS/1.0) san-del####.a####.com.####.net:443
- TCP(TLS/1.0) t####.ti####.com.####.net:443
- TCP(TLS/1.0) wild####.b####.com.####.net:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) t####.co:443
- TCP(TLS/1.0) pri####.thewalt####.com:443
- TCP(TLS/1.0) cdn-pri####.thewalt####.com.####.net:443
- TCP(TLS/1.0) www.e####.com:443
Запросы DNS:
- a.esp####.com
- a1.esp####.com
- a2.esp####.com
- a3.esp####.com
- a4.esp####.com
- adser####.go####.com
- agl####.go.com
- analy####.twi####.com
- b.scoreca####.com
- bat.b####.com
- broad####.e####.com
- c.cintnet####.com
- cd####.imrworl####.com
- cdn-pri####.thewalt####.com
- cdn.e####.com
- cdn.m####.disney####.com
- cdn.optimi####.com
- cdn.registe####.go.com
- cdn.u####.go.com
- cm.everest####.net
- con####.face####.net
- dpm.de####.net
- e####.com
- entitle####.a####.a####.com
- espndo####.tt.om####.net
- f####.e####.de####.net
- f####.f####.net
- googl####.g.doublec####.net
- l####.optimi####.com
- one####.fan.api.####.com
- p####.chart####.net
- pag####.googles####.com
- plat####.twi####.com
- pri####.thewalt####.com
- s####.go.com
- s.y####.com
- sb.scoreca####.com
- se####.esp####.com
- secure####.imrworl####.com
- securep####.g.doublec####.net
- sp.a####.a####.com
- sp.analy####.y####.com
- ssl.gst####.com
- st####.ads-twi####.com
- syndica####.twi####.com
- t####.b####.com
- t####.blu####.com
- t####.co
- t####.ti####.com
- tpc.googles####.com
- tr####.e####.com
- w88.e####.com
- www.e####.com
- www.face####.com
- www.go####.com
- www.googlea####.com
- www.googlet####.com
- www.googlet####.com
- www.gst####.com
Запросы HTTP GET:
- a.esp####.edg####.net/ad/doubleclick/ads.js
- a.esp####.edg####.net/combiner/i?img=####&h=####&w=####
- a.esp####.edg####.net/combiner/i?img=####&h=####&w=####&cquality=####
- a.esp####.edg####.net/combiner/i?img=####&h=####&w=####&scale=####&cqual...
- a.esp####.edg####.net/combiner/i?img=####&transparent=####&w=####&h=####
- a.esp####.edg####.net/combiner/i?img=####&w=####&h=####
- a.esp####.edg####.net/combiner/i?img=####&w=####&h=####&scale=####&cqual...
- a.esp####.edg####.net/combiner/i?img=####&w=####&h=####&transparent=####
- a.esp####.edg####.net/combiner/i?img=/i/teamlogos/leagues/500/mlb.png?w=...
- a.esp####.edg####.net/combiner/i?img=/i/teamlogos/leagues/500/nba.png?w=...
- a.esp####.edg####.net/combiner/i?img=/i/teamlogos/leagues/500/nfl.png?w=...
- a.esp####.edg####.net/combiner/i?img=/i/teamlogos/leagues/500/nhl.png?w=...
- a.esp####.edg####.net/favicon.ico
- a.esp####.edg####.net/js/omniture/tracking.js
- a.esp####.edg####.net/media/motion/2018/1105/dm_181105_COM_espnW_Notre_D...
- a.esp####.edg####.net/media/motion/2018/1105/dm_181105_mma_elbowknockout...
- a.esp####.edg####.net/media/motion/2018/1105/dm_181105_nba_get_up_stephe...
- a.esp####.edg####.net/photo/2018/0401/r350271_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/0915/r431653_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1101/r457468_1296x518_5-2.jpg
- a.esp####.edg####.net/photo/2018/1102/r458006_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1103/r458265_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1103/r458503_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1103/r458540_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1104/r458895_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1104/r458919_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1104/r458989_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1104/r459014_1296x518_5-2.jpg
- a.esp####.edg####.net/photo/2018/1104/r459069_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1104/r459083_1296x518_5-2.jpg
- a.esp####.edg####.net/photo/2018/1104/r459094_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1104/r459130_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1105/r458463_2_1296x518_5-2.jpg
- a.esp####.edg####.net/photo/2018/1105/r459341_1296x729_16-9.jpg
- a.esp####.edg####.net/photo/2018/1105/r459381_1140x641_16-9.jpg
- a.esp####.edg####.net/photo/2018/1105/r459389_1296x729_16-9.jpg
- a.esp####.edg####.net/prod/scripts/analytics/at.r2.js
- a.esp####.edg####.net/prod/scripts/prebid1.15.0.js
- a.esp####.edg####.net/redesign/0.419.7/css/one-feed-refresh.css
- a.esp####.edg####.net/redesign/0.419.7/css/page.css
- a.esp####.edg####.net/redesign/0.419.7/css/shell-mobile.css
- a.esp####.edg####.net/redesign/0.419.7/js/espn-analytics.js
- a.esp####.edg####.net/redesign/0.419.7/js/espn-critical-mobile.js
- a.esp####.edg####.net/redesign/0.419.7/js/espn-defer-low.js
- a.esp####.edg####.net/redesign/0.419.7/js/espn-defer-mobile.js
- a.esp####.edg####.net/redesign/0.419.7/js/personalized-one-feed.min.js
- a.esp####.edg####.net/redesign/0.419.7/node_modules/espn-lazysizes/lazys...
- a.esp####.edg####.net/redesign/assets/img/icons/shim2.gif
- a.esp####.edg####.net/redesign/assets/img/logos/espn-404@2x.png
- a.esp####.edg####.net/redesign/assets/img/logos/espnplus/ePlus2.svg
- a.esp####.edg####.net/redesign/assets/img/logos/logo-espn-82x20.png
- a.esp####.edg####.net/wireless/mw5/r1/images/bookmark-icons-v2/espn-icon...
- a2.esp####.edg####.net/combiner/i?img=####
- a2.esp####.edg####.net/combiner/i?img=####&h=####&w=####
- a2.esp####.edg####.net/combiner/i?img=####&w=####&h=####&scale=####&cqua...
- a2.esp####.edg####.net/fonts/1.0.56/ESPNIcons/ESPNIcons.ttf
- a2.esp####.edg####.net/fonts/1.0.63/ESPNIcons/ESPNIcons.ttf
- b.scoreca####.com.####.net/b2?c1=####&c2=####&ns__t=####&ns_c=####&cv=##...
- b.scoreca####.com.####.net/b?c1=####&c2=####&ns__t=####&ns_c=####&cv=###...
- bat-bin####.a-####.a-ms####.net/action/0?ti=####&Ver=####&mid=####&pi=##...
- bat-bin####.a-####.a-ms####.net/bat.js
- cd####.imrworl####.com/conf/P07264C85-15CD-4A80-8E56-B5BFA6D93296.js
- cd####.imrworl####.com/novms/html/ls.html
- cd####.imrworl####.com/novms/js/2/configs/glcfg510.js
- cd####.imrworl####.com/novms/js/2/ggcmb510.js
- cd####.imrworl####.com/novms/js/2/nlsSDK600.bundle.min.js
- cdn.e####.com.####.net/core/api/v0/nav/index?&device=####&country=####&l...
- cdn.e####.com.####.net/core/format/modules/head/i18n?edition-host=####&l...
- cdn.optimi####.com/js/310987714.js
- cdn.registe####.go.####.net/denied/unid.denied.js
- cdn.registe####.go.####.net/js/unid.min.js
- cm.everest####.net/cm/dd?d_uuid=####
- e####.com/
- espndo####.tt.om####.net/m2/espndotcom/mbox/json?mbox=####&mboxSession=#...
- gose####.com.edg####.net/stat/cto-espn.js
- i####.de####.net/ibs:dpid=411&dpuuid=W_CtGAAADGJI-Tx0
- i####.de####.net/id?d_visid_ver=####&d_fieldgroup=####&d_rtbd=####&d_ver...
- one####.fan.api.####.com/apis/v3/cached/contentEngine/oneFeed/frontpage?...
- p####.chart####.net/ping?h=####&p=####&u=####&d=####&g=####&g0=####&g1=#...
- pag####.googles####.com/pagead/osd.js
- secure-####.imrworl####.com/cgi-bin/gn?prd=####&c9=####&c13=####&session...
- sp.analy####.y####.com/sp.pl?a=####&jsonp=####&d=####&n=####&.yp=####&f=...
- st####.ads-twi####.com/uwt.js
- t####.co/i/adsct?p_id=####&p_user_id=####&txn_id=####&events=####&tw_sal...
- tpc.googles####.com/safeframe/1-0-30/html/container.html
- tr####.go.com/capmon/GetDE?set=####¶m=####¶m=####¶m=####&par...
- w88.e####.com/b/ss/wdgespcom,wdgespge/1/JS-2.8.2/s72979515988845?AQB=###...
- w88.e####.com/id?d_visid_ver=####&d_fieldgroup=####&mcorgid=####&mid=###...
- www.e####.com/
- www.e####.com/core/l?a=####&t=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.edata
- /data/data/####/classes.dex
- /data/data/####/classes.dex (deleted)
- /data/data/####/classes.dve
- /data/data/####/classes.jar
- /data/data/####/com.SecShell.tmp2283
- /data/data/####/com.SecShell.tmp2310
- /data/data/####/com.SecShell.tmp2336
- /data/data/####/com.SecShell.tmp2570
- /data/data/####/com.SecShell.tmp2599
Другие:
Загружает динамические библиотеки:
- SecShell
Использует специальную библиотеку для скрытия исполняемого байткода.
