Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Triada.440.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) z####.heyc####.net:80
- TCP(HTTP/1.1) e####.hz####.cn:80
- TCP(HTTP/1.1) www.y####.cn:80
- TCP(HTTP/1.1) 7k####.46####.com:20351
- TCP(HTTP/1.1) www.zga####.cn:8080
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) cgi.con####.qq.com:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(HTTP/1.1) al####.y####.cn:80
- TCP(TLS/1.0) waws-pr####.vip.azurewe####.####.net:443
Запросы DNS:
- 7k####.46####.com
- al####.y####.cn
- and####.b####.qq.com
- cgi.con####.qq.com
- code####.azurewe####.net
- e####.hz####.cn
- mt####.go####.com
- pi####.qq.com
- www.y####.cn
- www.zga####.cn
- z####.heyc####.net
Запросы HTTP GET:
- al####.y####.cn/author_cover/224a19226a36a6a852a26242184ff0f8.jpg_s80png
- al####.y####.cn/author_cover/6407be0e54fb2d6464ca24d4f8fcc687.jpg_s80png
- al####.y####.cn/author_cover/729323cbb4c35702034acb27115f5dd1.gif_s80png
- al####.y####.cn/author_cover/9923e20f5f94274ae67b7215ffba263b.jpg_s80png
- al####.y####.cn/author_cover/a346a25e8b76c7cae3b2bcd8ea470799.png_s80png
- al####.y####.cn/author_cover/b287fe4d26145ccd5bdac67a5238e4be.jpg_s80png
- al####.y####.cn/author_cover/d89323597e62d9e5a56249c9c20d7aa4.jpg_s80png
- al####.y####.cn/banner/1286d354f0f63035130ad3812d29856a.jpg_mbanner
- al####.y####.cn/banner/680660f145cda1a210fcf603cb09f75e.jpg_mbanner
- al####.y####.cn/banner/79482ad0554203a078c3b35752e08c00.jpg_mbanner
- al####.y####.cn/banner/7ff19a65ad8056abf0aae42ac8878b11.jpg_mbanner
- al####.y####.cn/banner/b79bfe9d53e325ad644daf4f4e67ce93.jpg_mbanner
- al####.y####.cn/banner/bd3b3697d8e8be01ecf9a454b88053db.jpg_mbanner
- al####.y####.cn/cover/07fb300aaa82f02230d6b60548846837.jpg_mbanner
- al####.y####.cn/cover/0ab1ab1350f5e0f94c5c2e226a757ee7.png_w680
- al####.y####.cn/cover/0d44db6979c30fce1000136272f71bd2.jpg_w680
- al####.y####.cn/cover/0e1994a41b5ef09683d1c16eda87a693.jpg_w360png
- al####.y####.cn/cover/1202e569a7dd406182446c35d5e66d01.jpg_w680
- al####.y####.cn/cover/1fc09d8a37066977b2d902491bff6700.jpg_mbanner
- al####.y####.cn/cover/21a8b011f02bff753401722d9abcb1a4.jpg_w680
- al####.y####.cn/cover/240a16d366b5221e7868ea926e810c87.jpg_mbanner
- al####.y####.cn/cover/30fa04d3dfc6f506e185efcd03856d97.jpg_w360png
- al####.y####.cn/cover/39fd10214087e2d0e40276d952611ca6.jpg_w680
- al####.y####.cn/cover/4347bfa44cda2168ef692cd508fa160c.jpg_w680
- al####.y####.cn/cover/475cefd735eaa19aeb2222558508fbcf.jpg_w360png
- al####.y####.cn/cover/65a844686d05a05bff0cac9d9926ad76.jpg_mbanner
- al####.y####.cn/cover/65f1006f49b27b81dd7cc1914f10a1b9.jpg_w360png
- al####.y####.cn/cover/65f1006f49b27b81dd7cc1914f10a1b9.jpg_w680
- al####.y####.cn/cover/73e015016bc8240848d0635f749c4942.jpg_w680
- al####.y####.cn/cover/7d08662524e7f390b65f5a26bcea6bae.jpg_w680
- al####.y####.cn/cover/8c24fb7f157e4450578172650628b55c.jpg_mbanner
- al####.y####.cn/cover/982053cb8c2dd16d1c935bca6f301b4e.jpg_mbanner
- al####.y####.cn/cover/a9c08cb0af4e40b6059131be603e71bb.png_w680
- al####.y####.cn/cover/c44204c4e0f9e560848b8d3196eff0c3.jpg_w680
- al####.y####.cn/cover/c988b59f69fce8959c6a1127d5421cf3.jpg_mbanner
- al####.y####.cn/cover/cdd86db83354dd78641efe24192a6d8d.jpg_w680
- al####.y####.cn/cover/d7094568ae06fcc471770b57648c6a9a.jpg_mbanner
- al####.y####.cn/news/40ccd5effef98391ebb73a16914dd67c.jpg_w180png
- al####.y####.cn/news/454abe097ed1d795f5ff692277b9d7de.jpg_w180png
- al####.y####.cn/news/83dfe4ccc4257b0fa8d4a2fda5eaed87.jpg_w180png
- al####.y####.cn/news/8582b9cb2648a287fd3edc856d081017.jpg_w180png
- al####.y####.cn/news/adf420b65e4b9044e422daa9280caecf.jpg_w180png
- al####.y####.cn/news/fd47d6b5b84af1f4fed1b47b68dba477.jpg_w180png
- al####.y####.cn/open_screen/774187555c6035ffa325bfe7a6321dec.jpg_mw680
- al####.y####.cn/static/dist/images/author.png
- al####.y####.cn/tags_cover/0f7343440f63bc8e68370abf50b457d3.jpg_wh180png
- al####.y####.cn/tags_cover/59ad62fbb7a315c56e80214ff78d1e8e.jpg_wh180png
- al####.y####.cn/tags_cover/706f29e591955eb088ec7cc68468cc88.jpg_wh180png
- al####.y####.cn/tags_cover/709fadde7a39d04c71ff1be24cb30c2b.jpg_wh180png
- al####.y####.cn/tags_cover/ab8c0f39f0a51c5432703def09565781.jpg_wh180png
- al####.y####.cn/tags_cover/d352801fd9413d5926dbc9616d747355.jpg_wh180png
- al####.y####.cn/topic_cover/1a29b7686345ea7fc53576c87eda3503.jpg_w360png
- al####.y####.cn/topic_cover/1a29b7686345ea7fc53576c87eda3503.jpg_wh180png
- al####.y####.cn/topic_cover/25607aabdf093b9262616df3f91b5104.jpg_w360png
- al####.y####.cn/topic_cover/25607aabdf093b9262616df3f91b5104.jpg_wh180png
- al####.y####.cn/topic_cover/4785b9cba4cdf66cae064d2712240a47.jpg_w360png
- al####.y####.cn/topic_cover/4785b9cba4cdf66cae064d2712240a47.jpg_wh180png
- al####.y####.cn/topic_cover/665fa9837294db87cb4d3a432cca6e52.jpg_w360png
- al####.y####.cn/topic_cover/665fa9837294db87cb4d3a432cca6e52.jpg_wh180png
- al####.y####.cn/topic_cover/7444ce9be9d4eb5bb92c072f56cd3f5d.jpg_w360png
- al####.y####.cn/topic_cover/77f35bd5cee476964a7dbc36295a0a3a.jpg_w360png
- al####.y####.cn/topic_cover/77f35bd5cee476964a7dbc36295a0a3a.jpg_wh180png
- al####.y####.cn/topic_cover/7a79f357cf2304f43d86275d89d1853e.jpg_w360png
- al####.y####.cn/topic_cover/7a79f357cf2304f43d86275d89d1853e.jpg_wh180png
- al####.y####.cn/topic_cover/8868be7fe7dc121953d5845474824b4d.jpg_w360png
- al####.y####.cn/topic_cover/8868be7fe7dc121953d5845474824b4d.jpg_wh180png
- al####.y####.cn/topic_cover/9abe72694b1586071128044c3e9e623e.jpeg_w360png
- al####.y####.cn/topic_cover/9abe72694b1586071128044c3e9e623e.jpeg_wh180png
- al####.y####.cn/topic_cover/ac79e72acfbb9e0853ae1da04f90f36a.jpg_w360png
- al####.y####.cn/topic_cover/ac79e72acfbb9e0853ae1da04f90f36a.jpg_wh180png
- al####.y####.cn/topic_cover/d3f8d73041499ef43d5e23f78a0e79a4.jpg_w360png
- al####.y####.cn/topic_cover/d8ccbb7a56d998672a648d28bf4411c2.jpg_w360png
- al####.y####.cn/topic_cover/e132e1af7a6a93a231de653fe3c6f5c3.jpg_w360png
- al####.y####.cn/topic_cover/e132e1af7a6a93a231de653fe3c6f5c3.jpg_wh180png
- al####.y####.cn/topic_cover/e17c9f06e6b6d24a44d58ca608434a33.jpg_w360png
- al####.y####.cn/topic_cover/e17c9f06e6b6d24a44d58ca608434a33.jpg_wh180png
- al####.y####.cn/topic_cover/f06f52f6e2921fd6fc9e41a3e9618873.jpg_w360png
- al####.y####.cn/topic_cover/f06f52f6e2921fd6fc9e41a3e9618873.jpg_wh180png
- al####.y####.cn/topic_cover/fcd7227628d7f3d6f5fe437f1743d3a5.jpg_w360png
- al####.y####.cn/topic_cover/fcd7227628d7f3d6f5fe437f1743d3a5.jpg_wh180png
- cgi.con####.qq.com/qqconnectopen/openapi/policy_conf?sdkv=####&appid=###...
- e####.hz####.cn/op/wwdkthqihbvh965
- www.y####.cn/app/find/get_finds
- www.y####.cn/app/home/get_home_docs_by_page?page=####
- www.y####.cn/app/news/get_news_by_page?tab_id=####&page=####
Запросы HTTP POST:
- 7k####.46####.com:20351/dsd/
- and####.b####.qq.com/rqd/async
- pi####.qq.com/mstat/report
- www.y####.cn/app/home/init?v=####
- www.zga####.cn:8080/sdk/reportUuAdAppInstall
- www.zga####.cn:8080/sdk/requestUuAdStatus
- z####.heyc####.net/getlist
- z####.heyc####.net/xlogin
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/0124bcedeac7e2a0b908280ff63d99e367e6967ca396193....0.tmp
- /data/data/####/0435e4d456242b04c74d1b7d1e3da49eb7851dd65f75449....0.tmp
- /data/data/####/0BEE572CEEA232710D01589064229940.xml
- /data/data/####/0d99b1daf360d94e71b55fda5c62ab501e06da25b355b9d....0.tmp
- /data/data/####/0e391ff1e6db5d195ece4b0ab1454f7af0402e19f60ce34....0.tmp
- /data/data/####/10cb753b9aafe1ed85ed05a9c8c3689544b176cd710cbe5....0.tmp
- /data/data/####/1a23e216b5262446b90bb7b3459d530e402ae82b687b3a7....0.tmp
- /data/data/####/237dae956b3e7a15df85a543cf7c57fff5f75c2bc1a1c96....0.tmp
- /data/data/####/249b6096422f9685c08142083e20a70a7fc2b69b4bf7432....0.tmp
- /data/data/####/26af63b008f695d109d8de4d7fd5e1eeb3c579870a2799d....0.tmp
- /data/data/####/2823eb9d5d20de12bf52db68f2f1cd3e3787a9aee3064f7....0.tmp
- /data/data/####/29efaef3c194d2e75b889ee72abbd5403c14e7ef03f3a9c....0.tmp
- /data/data/####/4c0c73f03a10564bc7c1ea3984b913d329b2a29206ed0e6....0.tmp
- /data/data/####/5a2492f8037fd8b76c695a6154e03c161c87012f75008b8....0.tmp
- /data/data/####/5d030939935276ea2472daef278102682d8b1ec9dcacf1b....0.tmp
- /data/data/####/5e97f738996f259f0289566d7a374fb47f2e697f1a03f35....0.tmp
- /data/data/####/6576e099c62304207492727a91c650ea74a321c5b0a0cb9....0.tmp
- /data/data/####/6908bff40eb72d9332260a678ede58d844c7e381dccdbe9....0.tmp
- /data/data/####/6af779c5a1d4f1ba608b57bef4fad1ee55c2a3c9d92d1ac....0.tmp
- /data/data/####/6d3046d639d0734011f8a1f53a2ed79fb92d83a11072610....0.tmp
- /data/data/####/73fa1cc311e03ba1436c93ba5489c9f32aca9d50a290926....0.tmp
- /data/data/####/7fc48052d38cb5ff5caf618b52f192256a022ffc8a82f88....0.tmp
- /data/data/####/836f75efffcf36c1142720c29a5ac18ddb66070acdba206....0.tmp
- /data/data/####/889d5a3c0f6fe18c8bfeddae1db6074b6b2551b76b09efe....0.tmp
- /data/data/####/8c8702324d2c629006e92d14f3bc4582db615032cfc6ed4....0.tmp
- /data/data/####/9631fdc25e1fee4f9a932c95c34e5a0e56282845b95463a....0.tmp
- /data/data/####/9M0DKKwn9D7W65UdvVz39xsjuI4.-806554896.tmp
- /data/data/####/CodePush.xml
- /data/data/####/HwRmhUqh3DG0SGME62poO0GSGS0.-36217261.tmp
- /data/data/####/JZmqRf1Dd4IyeGCjcIblhx2G3Aw.-825551793.tmp
- /data/data/####/MultiDex.lock
- /data/data/####/RKStorage-journal
- /data/data/####/VixVUoyWvJnnz84LRY15w18m3FE.1024533474.tmp
- /data/data/####/a25d37e34a794042a7df153330940c06289e1a18c56cce2....0.tmp
- /data/data/####/a263f09799e4162a5ce659d8e6a60b37c836c371cc87262....0.tmp
- /data/data/####/a33748203830c387a49971978bde4439b0ed6cd8d1d5788....0.tmp
- /data/data/####/a8e0edd316af78cf3175589fadef1ee1939863052f95e82....0.tmp
- /data/data/####/b0ac09b8bc8e278b4460798b1ae5b1c906bdb6bf9b4b5f6....0.tmp
- /data/data/####/bugly_db_legu-journal
- /data/data/####/ca04013501fd8e57970989b159821b9bee9af31bf150d39....0.tmp
- /data/data/####/cc8da2d7e2021233eebb9b5878f41d7b5f0ec6ce3e2ff1b....0.tmp
- /data/data/####/ccf95b3a78b32edb8831a4fd90a87806a2646652890428b....0.tmp
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/com.biujia.biusuqi_preferences.xml
- /data/data/####/com.tencent.open.config.json.1106928426
- /data/data/####/config.xml
- /data/data/####/d05acee30ec9e6ba6a91bf24d9048f5ab3122227ec7b3e7....0.tmp
- /data/data/####/dpi
- /data/data/####/dso_deps
- /data/data/####/dso_lock
- /data/data/####/dso_manifest
- /data/data/####/dso_state
- /data/data/####/e8f8d05d0597bb01974f9dcfaf856d2bf30fb31b6a532c5....0.tmp
- /data/data/####/eZw9ZpF4xCdqtkZrMaM4FU89SbE.2016959409.tmp
- /data/data/####/eaca6a7f140e05171974533d3ddb5b49781d12052a0520c....0.tmp
- /data/data/####/ed1a4f1f7d369fcd0fb9813086595e46f1b6e60a2db464c....0.tmp
- /data/data/####/hid.db
- /data/data/####/journal.tmp
- /data/data/####/jpush_uncaughtexception_file
- /data/data/####/libnfix.so
- /data/data/####/libshella-2.9.0.2.so
- /data/data/####/libufix.so
- /data/data/####/local_crash_lock
- /data/data/####/mix.dex
- /data/data/####/multidex.version.xml
- /data/data/####/native_record_lock
- /data/data/####/rE_l3VxgRV55AN6ekG3ADVLWDYg.1635838748.tmp
- /data/data/####/security_info
- /data/data/####/tencent_analysis.db-journal
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal (deleted)
- /data/media/####/.nid
- /data/media/####/.nomedia
- /data/media/####/.uucrrux
- /data/media/####/72B14E1B9053D48FCCFBE2A8AB1922E2.temp
- /data/media/####/72B14E1B9053D48FCCFBE2A8AB1922E2.zip
- /data/media/####/com.tencent.mobileqq_connectSdk.18.11.15.01.log
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/sh
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- cat /sys/class/android_usb/android0/idProduct
- cat /sys/class/android_usb/android0/idVendor
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.9.0.2.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
- ls -l /dev
- ls -l /dev/block
- ls -l /dev/block/vold
- ls -l /dev/bus
- ls -l /dev/bus/usb
- ls -l /dev/bus/usb/001
- ls -l /dev/com.android.settings.daemon
- ls -l /dev/cpuctl
- ls -l /dev/cpuctl/apps
- ls -l /dev/cpuctl/apps/bg_non_interactive
- ls -l /dev/graphics
- ls -l /dev/input
- ls -l /dev/log
- ls -l /dev/pts
- ls -l /dev/snd
- ls -l /dev/socket
- ps
Загружает динамические библиотеки:
- Bugly
- MtaNativeCrash
- jcore123
- libfb
- libimagepipeline
- libnfix
- libreactnativejni
- libshella-2.9.0.2
- libufix
- libyoga
- nfix
- ufix
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-GCM-NoPadding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
