Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.DownLoader.683.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.0) pis.al####.com:80
- TCP(HTTP/1.1) we####.xu####.org.cn:80
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) s####.jom####.com:80
- TCP(HTTP/1.1) 1####.43.165.214:80
- TCP(HTTP/1.1) www.e####.com.cn:80
- TCP(HTTP/1.1) 1####.31.42.175:80
- TCP(HTTP/1.1) we####.114fa####.cn:80
- TCP(HTTP/1.1) wx.u####.com:80
- TCP(HTTP/1.1) qb.w####.com:80
- TCP(HTTP/1.1) www.hu####.org:80
- TCP(HTTP/1.1) tg####.1####.cn:80
- TCP(HTTP/1.1) i.b####.com:80
- TCP(HTTP/1.1) m.c####.cn:80
- TCP(HTTP/1.1) 1####.224.218.140:8089
- TCP(HTTP/1.1) m.dac####.com:80
- TCP(HTTP/1.1) l####.189.cn:80
- TCP(HTTP/1.1) a####.yangk####.com:80
- TCP(HTTP/1.1) api.xci####.com:19999
- TCP(HTTP/1.1) a####.ikamo####.cn:80
- TCP(HTTP/1.1) w####.800.189.cn:80
- TCP(HTTP/1.1) www.s####.org:80
- TCP(HTTP/1.1) pss.al####.com:80
- TCP(HTTP/1.1) www.jd.com.####.com:80
- TCP(HTTP/1.1) rxy.bo####.com:8080
- TCP(HTTP/1.1) 59.1####.7.58:8080
- TCP(HTTP/1.1) m.sup####.cn:80
- TCP(HTTP/1.1) www.xiangch####.com:80
- TCP(HTTP/1.1) yo####.ergo-####.cn:80
- TCP(HTTP/1.1) b####.jd.com:80
- TCP(HTTP/1.1) ev####.pi####.com:80
- TCP(HTTP/1.1) m.j####.com:80
- TCP(HTTP/1.1) we####.sh####.net:80
- TCP(HTTP/1.1) da####.c####.qini####.com:80
- TCP(HTTP/1.1) m.bidce####.com.cn:80
- TCP(HTTP/1.1) n####.e####.com:80
- TCP(HTTP/1.1) po####.rifes####.com:8080
- TCP(HTTP/1.1) www.zqw####.com:80
- TCP(HTTP/1.1) s####.xianji####.com:80
- TCP(HTTP/1.1) www.o####.org:80
- TCP(HTTP/1.1) e####.f####.com:80
- TCP(HTTP/1.1) i####.g####.p####.com:80
- TCP(HTTP/1.1) hub.sinopec####.com:80
- TCP(HTTP/1.1) www.kl####.com:80
- TCP(HTTP/1.1) pus.al####.com:80
- TCP(HTTP/1.1) all.b####.cn.####.cn:80
- TCP(HTTP/1.1) skl.hell####.com:80
- TCP(HTTP/1.1) h5.5####.com:80
- TCP(HTTP/1.1) api.xianjin####.com:80
- TCP(HTTP/1.1) www.y####.com.cn:80
- TCP(HTTP/1.1) www.1010####.com:80
- TCP(HTTP/1.1) we####.f####.com:80
- TCP(HTTP/1.1) www.liyu####.com.####.com:80
- TCP(HTTP/1.1) api.zhuangd####.com:80
- TCP(HTTP/1.1) da####.zd####.com:80
- TCP(HTTP/1.1) pass####.iza####.com:80
- TCP(HTTP/1.1) ap####.g####.com:80
- TCP(HTTP/1.1) www.lxzb####.com:80
- TCP(HTTP/1.1) m####.su####.com:80
- TCP(HTTP/1.1) m.51a####.com:80
- TCP(HTTP/1.1) wap.51du####.com:80
- TCP(HTTP/1.1) www.bam####.com:80
- TCP(HTTP/1.1) www.lvba####.net:80
- TCP(HTTP/1.1) h5.ev####.com:80
- TCP(HTTP/1.1) fe####.chinalo####.com:80
- TCP(TLS/1.0) www.y####.com:443
- TCP(TLS/1.0) m.d####.360.cn:443
- TCP(TLS/1.0) m.jiedian####.com:443
- TCP(TLS/1.0) api.lewa####.com:443
- TCP(TLS/1.0) uac.1####.com:443
- TCP(TLS/1.0) m####.su####.com:443
- TCP(TLS/1.0) api.shou####.com:443
- TCP(TLS/1.0) www.renre####.com:443
- TCP(TLS/1.0) m.cre####.com:443
- TCP(TLS/1.0) trad####.jieda####.com:443
- TCP(TLS/1.0) api.fangtan####.com:443
- TCP(TLS/1.0) www.5####.cn:443
- TCP(TLS/1.0) man####.lq####.com:443
- TCP(TLS/1.0) pl####.zho####.com:443
- TCP(TLS/1.0) h5.q####.qq.com:443
- TCP(TLS/1.0) www.zzf####.com:443
- TCP(TLS/1.0) cc####.cib.com.cn:8010
- TCP(TLS/1.0) bbc.zhongtu####.com:443
- TCP(TLS/1.0) pin####.qq.com:443
- TCP(TLS/1.0) dl.dxzj####.com:443
- TCP(TLS/1.0) epass####.didi####.com.cn:443
- TCP(TLS/1.0) acco####.c####.com.####.net:443
- TCP(TLS/1.0) ap####.g####.com:443
- TCP(TLS/1.0) re####.hu####.qq.com:443
- TCP(TLS/1.0) s####.we####.com:443
- TCP(TLS/1.0) j####.wola####.com:443
- TCP(TLS/1.0) www.p####.com:443
- TCP(TLS/1.0) www.nu####.cn:443
- TCP(TLS/1.0) wap.51du####.com:443
- TCP(TLS/1.0) m####.2d####.com:443
- TCP(TLS/1.0) uss.leno####.com:443
- TCP(TLS/1.0) m.360ha####.com:443
- TCP(TLS/1.0) s####.tc.qq.com:443
- TCP(TLS/1.0) wx.s####.com.cn:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) l####.lon####.com.####.com:443
- TCP(TLS/1.0) pns.al####.com:443
- TCP(TLS/1.0) wap.kaisu####.net:443
- TCP(TLS/1.0) www.q####.com:443
- TCP(TLS/1.0) p####.tc.qq.com:443
- TCP(TLS/1.0) wx.nic####.com:443
- TCP(TLS/1.0) apf####.z####.com:443
- TCP(TLS/1.0) www.wans####.com:443
- TCP(TLS/1.0) j.api.auto####.####.cn:443
- TCP(TLS/1.0) m.feibo####.com:443
- TCP(TLS/1.0) l####.4####.top:443
- TCP(TLS/1.0) 8.gd1####.cn:443
- TCP(TLS/1.0) m.5####.com.cn:443
- TCP(TLS/1.0) app.99bic####.com:443
- TCP(TLS/1.0) api.tea####.com:443
- TCP(TLS/1.0) ws####.su####.com:443
- TCP(TLS/1.0) app####.charger####.com:443
- TCP(TLS/1.0) m.bidce####.com.cn:443
- UDP 1####.168.103.254:4466
Запросы DNS:
- 8.gd1####.cn
- a####.ikamo####.cn
- a####.w####.cn
- a####.yangk####.com
- acco####.c####.com
- ap####.g####.com
- apf####.z####.com
- api.fangtan####.com
- api.lewa####.com
- api.pass####.p####.com
- api.s####.b####.com
- api.shou####.com
- api.tea####.com
- api.xci####.com
- api.xianjin####.com
- api.zhuangd####.com
- app####.charger####.com
- app.99bic####.com
- app.b####.cn
- app.cas####.cn
- b####.jd.com
- bbc.zhongtu####.com
- cc####.cib.com.cn
- cdn.app.ne####.top
- cdn.img.p####.top
- da####.zd####.com
- dl.dxzj####.com
- e####.f####.com
- epass####.didi####.com.cn
- ev####.pi####.com
- fe####.chinalo####.com
- h5.5####.com
- h5.ev####.com
- h5.q####.qq.com
- hm.b####.com
- hub.sinopec####.com
- i.b####.com
- i.p####.com
- img.we####.com
- j####.wola####.com
- j.api.auto####.####.cn
- l####.189.cn
- l####.4####.top
- l####.dain####.cn
- l####.f####.cn
- l####.lon####.com
- m####.2d####.com
- m####.su####.com
- m.360ha####.com
- m.5####.com.cn
- m.51a####.com
- m.bidce####.com.cn
- m.c####.cn
- m.cre####.com
- m.d####.360.cn
- m.dac####.com
- m.enjoy####.cn
- m.feibo####.com
- m.h####.com
- m.j####.com
- m.j####.com
- m.jiedian####.com
- m.sup####.cn
- man####.lq####.com
- n####.e####.com
- p####.zhanz####.b####.com
- pass####.1####.cn
- pass####.bank####.com
- pass####.iza####.com
- paypass####.su####.com
- pi####.qq.com
- pin####.qq.com
- pis.al####.com
- pl####.zho####.com
- pns.al####.com
- po####.rifes####.com
- proxy####.aliv####.com
- pss.al####.com
- pus.al####.com
- qb.w####.com
- qzones####.g####.cn
- re####.hu####.qq.com
- reg.su####.com
- rxy.bo####.com
- s####.we####.com
- s####.xianji####.com
- skl.hell####.com
- tg####.1####.cn
- trad####.jieda####.com
- uac.1####.com
- uss.leno####.com
- w####.800.189.cn
- w####.gd11####.cn
- w####.jd.com
- wap.51du####.com
- wap.kaisu####.net
- we####.114fa####.cn
- we####.f####.com
- we####.sh####.net
- we####.xingyun####.net
- we####.xu####.org.cn
- wob####.1####.com
- www.1010####.com
- www.5####.cn
- www.bam####.com
- www.e####.com.cn
- www.hu####.org
- www.kl####.com
- www.liyu####.com
- www.lvba####.net
- www.lxzb####.com
- www.nu####.cn
- www.o####.org
- www.p####.com
- www.q####.com
- www.renre####.com
- www.s####.org
- www.wans####.com
- www.xiangch####.com
- www.y####.com
- www.y####.com.cn
- www.zqw####.com
- www.zzf####.com
- wx.nic####.com
- wx.s####.com.cn
- wx.u####.com
- yo####.ergo-####.cn
Запросы HTTP GET:
- a####.ikamo####.cn/hotelfinder/HotelFinder.php|||uid=0&type=send_verify_...
- a####.yangk####.com/mobile/code/request?pdduid=####
- all.b####.cn.####.cn/pk/GetCode.ashx?mobile=####&&action=####
- ap####.g####.com/404.htm
- ap####.g####.com/Webank/getVerifyCode|||phone=9/
- api.xci####.com:19999/customer/customer/sendVcodeMsg.json|||operationTyp...
- api.xianjin####.com/user/reg-get-code|||source=21&phone=9
- api.zhuangd####.com/api/sendSms?phone=####&ver=####&via=####
- b####.jd.com/H5Promote.json/?functionId=####&body=####&platCode=####&dev...
- da####.c####.qini####.com/upload/201809/25/img/20180925182241271.png
- da####.zd####.com/daogou/webService?mobile=####&methodName=####&type=####
- e####.f####.com/hibox/weixin/getVerifyCode?mobilePhone=####&verifyCodeTy...
- ev####.pi####.com/api/getValidCode?userId=####&appId=####&subsys=####&ca...
- fe####.chinalo####.com/feidandriver/visit/driver/verifyMobile.do?phone=#...
- h5.5####.com/Service/AppData.ashx?action=####&tell=####&type=####
- h5.ev####.com/evcardregister/index.php/home/registervo/sendsms.html|||mo...
- hub.sinopec####.com/sms/createSMS|||phone=9&tempCode=wechat_zc
- i####.g####.p####.com/2015usercenter/api/sendphonecode/?phoneNum=####&ty...
- i####.g####.p####.com/api/phonecode/?from=####&version=####&format=####&...
- i.b####.com/register/sendMobileCode?traceID=####&systemID=####¶ms=####
- l####.189.cn/web/login/ajax|||m=sendrandompwd&account=9&uType=201&pid=18
- m####.su####.com/epwm/message/sendRegistValidateCode.htm|||tel=9
- m.51a####.com/msv2/sms/send?callback=####&mobile=####&type=####&_=####
- m.bidce####.com.cn/JsonHandler/QuickRegisterValidateCode.aspx?mobiles=##...
- m.c####.cn/nopage/404/?aspxerr####
- m.c####.cn/person/reg/getcode2/|||tel=9
- m.dac####.com/sendSmsVerifyCodes?mobile=####&random=####&_=####
- m.j####.com/?err=####
- m.j####.com/mobileauth/getcode?validatecode=####&type=####&mobile=####&_...
- m.sup####.cn/wap/api/otp/sendLoginVcode?_pt=####&mobile=####
- n####.e####.com/h5/sms/send_sms.html?mobile=####&yzm=####&template=####&...
- pass####.iza####.com/comm/sendSmsVerifyCode.do|||mobile=9&imgVerifyVal=&...
- po####.rifes####.com:8080/PortalServer-App/new/aaa_usr_usr005?ptype=####...
- pus.al####.com/kernal/sdkcontrol/vod_android-mobile_x86_9.1.1.1220.jpg
- qb.w####.com/credit/web/credit-user/reg-get-code?clientType=####&appVers...
- rxy.bo####.com:8080/boya-access/api/v1/mobile/sendSms|||transBody={"phon...
- s####.jom####.com/push.js
- s####.jom####.com/s.gif?l=/www.husini.org/sms/index.php?hm=####&ok=####
- s####.xianji####.com/credit-user/reg-get-code?clientType=####&appVersion...
- skl.hell####.com/EnjoyMobileCRM/Card/GetVeryCode|||sPhoneNo=9&sMsgType=会...
- tg####.1####.cn/user/login/get_code|||mobile=9
- ti####.c####.l####.####.com/swenjian/fiv
- w####.800.189.cn/error_page/errorPage.html
- w####.800.189.cn/wxpublic/openId/getSmsCode.do|||phoneId=9&openId=oRcCet...
- wap.51du####.com/ddlc/Verify|||phone=9&type=type_sign_up
- we####.114fa####.cn/family-services-114-wechat/login/sms|||mobile=9
- we####.f####.com/h5/park/sendVerifiCode?phone=####
- we####.sh####.net/wechatshop/sendCode.html?mobile=####&_=####
- we####.xu####.org.cn/wxserver/wx/verifycode|||mobile=9&mode=0&t=15151203...
- www.1010####.com/do/common/sendSmsCommon|||mobile=9&businessFlag=WXHD
- www.bam####.com/m/uc/send_sms|||phone=9
- www.e####.com.cn/wap/personelCenter/mobileAndEmail/validateCode|||entryI...
- www.hu####.org/sms/css.css
- www.hu####.org/sms/index.php?hm=####&ok=####
- www.jd.com.####.com/?l=####&err=####
- www.kl####.com/include/getmobilecode.html|||mobile=9&name=%u6797%u534E&s...
- www.liyu####.com.####.com/favicon.ico
- www.liyu####.com.####.com/h5/sqbspread?appId=####&sqbkl=####
- www.lvba####.net/api/common/sms|||mobile=9&tempid=d5bac713-f09b-4d2e-8aa...
- www.lxzb####.com/auth/smscode.ashx?action=####&aid=####&mb=####&t=####
- www.o####.org/api/home/verify/index|||param_a=register&phone=9
- www.s####.org/volunteer/app/sendSMS?telNo=####
- www.xiangch####.com/wecat/ajax.aspx?action=####&mobile=####
- www.y####.com.cn/InterfaceOperater/NoCookieIndex|||interfaceurl=/system/...
- www.zqw####.com/wap/send_code.html|||telephone=9&signKey=
- wx.u####.com/wxAdmin/add_message?mobile=####
- yo####.ergo-####.cn/sms|||mobile=9
Запросы HTTP POST:
- pis.al####.com/p/pcdn/i.php?v=####
- pss.al####.com/iku/log/acc
- pss.al####.com/iku/log/acc?ver=####&flag=####&t=####&mytype=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/70d477e3-3fce-402c-8eca-29339f99ccf4
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/ApplicationCache.db-journal (deleted)
- /data/data/####/FayActivity.xml
- /data/data/####/KboService.jar
- /data/data/####/alldown.xml
- /data/data/####/bb0566ca-228c-40bc-8a59-5098973bbb61.jar
- /data/data/####/bzwn.db-journal
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/ebn.xml
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/http_www.husini.org_0.localstorage-journal
- /data/data/####/https_share.weiyun.com_0.localstorage-journal
- /data/data/####/index
- /data/data/####/libpcdn_acc.zip
- /data/data/####/libpcdn_acc_new.so
- /data/data/####/pcdnconfigs.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.nomedia
- /data/media/####/c4229935f64f5
- /data/media/####/im316.tmp
- /data/media/####/myself.dat
Другие:
Загружает динамические библиотеки:
- libpcdn_acc
- luajava
- pcdn_acc
- ygsiyu
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
