Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Moplus.1
Осуществляет доступ к приватному интерфейсу ITelephony.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) www.aut####.ca####.com:80
- TCP(HTTP/1.1) x.aut####.ca####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) wap.n.sh####.com:80
- TCP(HTTP/1.1) s####.m.auto####.####.cn:80
- TCP(HTTP/1.1) app.s####.auto####.####.cn:80
- TCP(HTTP/1.1) al.auto####.com.cn:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) api.appj####.com:80
- TCP(HTTP/1.1) ba####.qich####.com:80
- TCP(TLS/1.0) c####.aut####.cn.####.com:443
- TCP(TLS/1.0) x.aut####.ca####.com:443
- TCP(TLS/1.0) sett####.crashly####.com:443
- TCP(TLS/1.0) ope####.b####.com:443
- TCP sdk.o####.t####.####.com:5224
- TCP c####.g####.ig####.com:5226
Запросы DNS:
- a####.u####.com
- al.auto####.com.cn
- api.appj####.com
- app.s####.auto####.####.cn
- au.u####.co
- au.u####.com
- ba####.qich####.com
- bao####.aut####.cn
- c####.aut####.cn
- c####.aut####.cn
- c####.g####.ig####.com
- fi####.auto####.com.cn
- loc.map.b####.com
- m.b####.com
- mt####.go####.com
- ope####.b####.com
- s####.m.auto####.####.cn
- s.aut####.cn
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sett####.crashly####.com
- w####.aut####.cn
- x.aut####.cn
Запросы HTTP GET:
- al.auto####.com.cn/pv_count.php?SiteId=####&CategoryId=####&SubCategoryI...
- ba####.qich####.com/priceapi3.9.2/services/appStart/get?app=####&pm=####...
- ba####.qich####.com/priceapi3.9.2/services/cars/brands?ts=####&app=####&...
- ba####.qich####.com/priceapi3.9.2/services/focuspictures/get?version=####
- ba####.qich####.com/priceapi3.9.2/services/seriesprice/get?brandid=####&...
- ba####.qich####.com/priceapi3.9.2/services/seriessummary/get?seriesid=##...
- ba####.qich####.com/priceapi3.9.2/services/user/getseriesspec?userID=###...
- s####.m.auto####.####.cn/
- s####.m.auto####.####.cn/enroll/100212
- www.aut####.ca####.com/zx/newspic/2015/6/9/2015060910543572144.jpg
- www.aut####.ca####.com/zx/newspic/2015/6/9/2015060910560353093.jpg
- x.aut####.ca####.com/app/image/brands/1.png
- x.aut####.ca####.com/app/image/brands/12.png
- x.aut####.ca####.com/app/image/brands/14.png
- x.aut####.ca####.com/app/image/brands/221.png
- x.aut####.ca####.com/app/image/brands/3.png
- x.aut####.ca####.com/app/image/brands/33.png
- x.aut####.ca####.com/app/image/brands/35.png
- x.aut####.ca####.com/app/image/brands/38.png?r=####
- x.aut####.ca####.com/app/image/brands/62.png
- x.aut####.ca####.com/app/image/brands/71.png
- x.aut####.ca####.com/app/image/brands/76.png
- x.aut####.ca####.com/app/image/brands/8.png
- x.aut####.ca####.com/app/image/price/240x160_2871_1433753654000.png
- x.aut####.ca####.com/app/image/price/240x160_3068_1433753654000.png
- x.aut####.ca####.com/app/image/price/240x160_834_1433753654000.png
- x.aut####.ca####.com/bi/dealer/ah_dealer_es.20170306.min.js?v=####
- x.aut####.ca####.com/bi/dealer/ahas_auto.20170112.min.js?d=####
- x.aut####.ca####.com/bi/dealer/ahas_body.min.js?v=####
- x.aut####.ca####.com/bi/dealer/ahas_head.min.js?v=####
- x.aut####.ca####.com/bj/2015052513/1175436162_1432531433950.jpg
- x.aut####.ca####.com/dealer/dealerUI/vueComponent/ah-car/index-1.2.4.js
- x.aut####.ca####.com/dealer/dealerUI/vueComponent/ah-city/index-1.2.4.js
- x.aut####.ca####.com/dealer/dealerUI/vueComponent/ah-toast/index-1.2.2.js
- x.aut####.ca####.com/dealer/dealerUI/vueComponent/vue.min.js
- x.aut####.ca####.com/dealer/m/publicjs/formmisplacefixall_wx_v2.js
- x.aut####.ca####.com/dealertuancdn/tuan/common/app/pv-common.js?v=####
- x.aut####.ca####.com/dealertuancdn/tuan/common/app/pv.min.js?v=####
- x.aut####.ca####.com/dealertuancdn/tuan/common/create-order-facade-v2018...
- x.aut####.ca####.com/dealertuancdn/tuan/common/gt.js?v=####
- x.aut####.ca####.com/dealertuancdn/tuan/common/smscode-validate-facade-v...
- x.aut####.ca####.com/dealertuancdn/tuan/common/tuan-subject24-stat.min.j...
- x.aut####.ca####.com/dealertuancdn/tuan/m/static/js/vue/plugin/scrolling...
- x.aut####.ca####.com/dealertuancdn/tuan/m/static/js/vue/plugin/vue-lock-...
- x.aut####.ca####.com/dealertuancdn/tuan/m/static/seriesdetail/css/newtua...
- x.aut####.ca####.com/dealertuancdn/tuan/m/static/seriesdetail/img/price-...
- x.aut####.ca####.com/dealertuancdn/tuan/spa/static/css/app.afefc7c55bd27...
- x.aut####.ca####.com/dealertuancdn/tuan/spa/static/js/0.298dbed6ddda7aa4...
- x.aut####.ca####.com/dealertuancdn/tuan/spa/static/js/2.226a75615727a6d1...
- x.aut####.ca####.com/dealertuancdn/tuan/spa/static/js/app.a8a72273af1baf...
- x.aut####.ca####.com/dealertuancdn/tuan/spa/static/js/manifest.cdec29f7c...
- x.aut####.ca####.com/dealertuancdn/tuan/spa/static/js/vendor.b3cdbf3befc...
- x.aut####.ca####.com/mass/zepto-1.2.min.js
Запросы HTTP POST:
- a####.u####.com/app_logs
- api.appj####.com/appjiagu
- app.s####.auto####.####.cn/pv_activity.php
- app.s####.auto####.####.cn/pv_clientdata.php
- app.s####.auto####.####.cn/pv_event.php
- app.s####.auto####.####.cn/pv_upload.php
- ba####.qich####.com/priceapi3.9.2/services/push/reg
- ba####.qich####.com/priceapi3.9.2/services/user/setfavcity
- sdk.o####.p####.####.com/api.php?action=####&format=####
- sdk.o####.p####.####.com/api.php?action=####&session_last=####&format=##...
- wap.n.sh####.com/xcloudboss?r=####&pkgname=####&ver=####&pu=####
- wap.n.sh####.com/xcloudboss?r=####&type=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/5C5B6F290362-0001-08EC-7FC63C771D67BeginSession.cls_temp
- /data/data/####/5C5B6F290362-0001-08EC-7FC63C771D67SessionApp.cls_temp
- /data/data/####/5C5B6F290362-0001-08EC-7FC63C771D67SessionDevice.cls_temp
- /data/data/####/5C5B6F290362-0001-08EC-7FC63C771D67SessionOS.cls_temp
- /data/data/####/5C5B6F290362-0001-08EC-7FC63C771D67SessionUser.cls_temp
- /data/data/####/5C5B6F2B00A3-0002-08EC-7FC63C771D67BeginSession.cls_temp
- /data/data/####/5C5B6F2B00A3-0002-08EC-7FC63C771D67SessionApp.cls_temp
- /data/data/####/5C5B6F2B00A3-0002-08EC-7FC63C771D67SessionDevice.cls_temp
- /data/data/####/5C5B6F2B00A3-0002-08EC-7FC63C771D67SessionOS.cls_temp
- /data/data/####/5C5B6F2B00A3-0002-08EC-7FC63C771D67SessionUser.cls_temp
- /data/data/####/5C5B6F2B01D8-0001-0912-7FC63C771D67BeginSession.cls_temp
- /data/data/####/5C5B6F2B01D8-0001-0912-7FC63C771D67SessionApp.cls_temp
- /data/data/####/5C5B6F2B01D8-0001-0912-7FC63C771D67SessionDevice.cls_temp
- /data/data/####/5C5B6F2B01D8-0001-0912-7FC63C771D67SessionOS.cls_temp
- /data/data/####/5C5B6F2B01D8-0001-0912-7FC63C771D67SessionUser.cls_temp
- /data/data/####/5C5B6F2F00B2-0001-0945-7FC63C771D67BeginSession.cls_temp
- /data/data/####/5C5B6F2F00B2-0001-0945-7FC63C771D67SessionApp.cls_temp
- /data/data/####/5C5B6F2F00B2-0001-0945-7FC63C771D67SessionDevice.cls_temp
- /data/data/####/5C5B6F2F00B2-0001-0945-7FC63C771D67SessionOS.cls_temp
- /data/data/####/5C5B6F2F00B2-0001-0945-7FC63C771D67SessionUser.cls_temp
- /data/data/####/5C5B6F32017E-0001-09A0-7FC63C771D67BeginSession.cls_temp
- /data/data/####/5C5B6F32017E-0001-09A0-7FC63C771D67SessionApp.cls_temp
- /data/data/####/5C5B6F32017E-0001-09A0-7FC63C771D67SessionDevice.cls_temp
- /data/data/####/5C5B6F32017E-0001-09A0-7FC63C771D67SessionOS.cls_temp
- /data/data/####/UMS_CarCar_pv.xml
- /data/data/####/UMS_Device_ID.xml
- /data/data/####/UMS_Online_Setting.xml
- /data/data/####/UMS_SeriesDrawerSeriesDrawer_pv.xml
- /data/data/####/UMS_Session_ID.xml
- /data/data/####/UMS_Session_ID_Save_Time.xml
- /data/data/####/WebViewSettings.xml
- /data/data/####/ah_price.db-journal
- /data/data/####/ahprice.xml
- /data/data/####/ahpriceconfig.xml
- /data/data/####/com.crashlytics.android.internal.D.xml
- /data/data/####/com.crashlytics.prefs.xml
- /data/data/####/com.crashlytics.settings.json
- /data/data/####/com.cubic.choosecar.push_sync.xml
- /data/data/####/com.cubic.choosecar_preferences.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/firll.dat
- /data/data/####/gxdbapp.db-journal
- /data/data/####/gxsdkdb.db
- /data/data/####/gxsdkdb.db-journal
- /data/data/####/index
- /data/data/####/initialization_marker
- /data/data/####/jiagu.lock
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_cached_com.cubic.choosecar56
- /data/data/####/mobclick_agent_online_setting_com.cubic.choosecar.xml
- /data/data/####/moplus_psetting.xml
- /data/data/####/moplus_server_config.db-journal
- /data/data/####/offinfo.dat
- /data/data/####/pst.xml
- /data/data/####/sa_d1a88d90-1866-4446-ac9c-67a053fd85f8_1549496106427.tap
- /data/data/####/session_analytics.tap
- /data/data/####/session_analytics.tap.tmp
- /data/data/####/stop.lock
- /data/data/####/tj.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/-1168033122.tmp
- /data/media/####/-1380273991.tmp
- /data/media/####/-1384891596.tmp
- /data/media/####/-1412597226.tmp
- /data/media/####/-143348022.tmp
- /data/media/####/-1495714116.tmp
- /data/media/####/-1497561158.tmp
- /data/media/####/-1553895939.tmp
- /data/media/####/-1555742981.tmp
- /data/media/####/-1605132774.tmp
- /data/media/####/-166428355.tmp
- /data/media/####/-1817062243.tmp
- /data/media/####/-1842899955.tmp
- /data/media/####/-2058283793.tmp
- /data/media/####/-3114864.tmp
- /data/media/####/-418365748.tmp
- /data/media/####/-770467573.tmp
- /data/media/####/-95081875.tmp
- /data/media/####/.cuid
- /data/media/####/1034731685.tmp
- /data/media/####/1035086409.tmp
- /data/media/####/1246763830.tmp
- /data/media/####/1415728305.tmp
- /data/media/####/774320432.tmp
- /data/media/####/781042925.tmp
- /data/media/####/782889967.tmp
- /data/media/####/787507572.tmp
- /data/media/####/896516625.tmp
- /data/media/####/app.db
- /data/media/####/autoshare.sub.data
- /data/media/####/com.cubic.choosecar.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/imsi.db
- /data/media/####/ls.db
- /data/media/####/ls.db-journal
- /data/media/####/mobclick_agent_cached_com.cubic.choosecar
- /data/media/####/yoh.dat
- /data/media/####/yol.dat
- /data/media/####/yom.dat
Другие:
Загружает динамические библиотеки:
- BaiduMapSDK_v2_4_1
- bspatch
- encrypt
- jiagu
- libjiagu
- locSDK5
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS7Padding
- RSA-ECB-PKCS1Padding
- desede-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
Получает информацию об отправленых/принятых SMS.
