Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Plague.1.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) st####.p####.net####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) b####.163.com:80
- TCP(HTTP/1.1) bobo-pu####.n####.127.net:80
- TCP(HTTP/1.1) m.l####.net####.com:80
- TCP(HTTP/1.1) cgi.con####.qq.com:80
- TCP(HTTP/1.1) mr.da.net####.com:80
- TCP and####.p####.126.net:6002
- TCP 42.1####.18.237:16165
Запросы DNS:
- a####.u####.com
- and####.p####.126.net
- ap.ga####.com
- ap1.ga####.com
- ap2.ga####.com
- b####.163.com
- bobo-pu####.n####.127.net
- cgi.con####.qq.com
- l####.b####.163.com
- m.l####.net####.com
- mr.da.net####.com
- pr.da.net####.com
- st####.p####.net####.com
- www.b####.com
Запросы HTTP GET:
- b####.163.com/spe-data/api/validateToken.htm?timestamp=####&token=####&r...
- bobo-pu####.n####.127.net/anchor_1435064607878_95971991.jpg
- bobo-pu####.n####.127.net/anchor_1449732309859_66913197.jpg
- bobo-pu####.n####.127.net/anchor_1455945509551_70301403.jpg
- bobo-pu####.n####.127.net/anchor_1457278935404_52738181.jpg
- bobo-pu####.n####.127.net/anchor_1458215809039_56411729.jpg
- bobo-pu####.n####.127.net/anchor_1458698163416_35678755.jpg
- bobo-pu####.n####.127.net/anchor_1459427747812_79976361.jpg
- bobo-pu####.n####.127.net/anchor_1460468543817_21541593.jpg
- bobo-pu####.n####.127.net/anchor_1461414183732_88869939.jpg
- bobo-pu####.n####.127.net/anchor_1463753196827_39947047.jpg
- bobo-pu####.n####.127.net/anchor_1466651112606_61213528.jpg
- bobo-pu####.n####.127.net/anchor_1469712138719_74400730.jpg
- bobo-pu####.n####.127.net/anchor_1471910437604_63531527.jpg
- bobo-pu####.n####.127.net/anchor_1472654311335_52977312.jpg
- bobo-pu####.n####.127.net/anchor_1472800094873_82264602.jpg
- bobo-pu####.n####.127.net/anchor_1475332657404_85080499.jpg
- bobo-pu####.n####.127.net/anchor_1475401286291_39444465.jpg
- bobo-pu####.n####.127.net/anchor_1476793455372_58076626.jpg
- bobo-pu####.n####.127.net/anchor_1477535706304_45217256.jpg
- bobo-pu####.n####.127.net/anchor_1479201480132_48256069.jpg
- bobo-pu####.n####.127.net/anchor_1481613382299_94497014.jpg
- bobo-pu####.n####.127.net/anchor_1482166225720_41623792.jpg
- bobo-pu####.n####.127.net/anchor_1482312291982_46199580.jpg
- bobo-pu####.n####.127.net/anchor_1482422149098_24599413.jpg
- bobo-pu####.n####.127.net/anchor_1483770483836_59172316.jpg
- bobo-pu####.n####.127.net/anchor_1485240989301_50185556.jpg
- bobo-pu####.n####.127.net/anchor_1485590553884_40755392.jpg
- bobo-pu####.n####.127.net/anchor_1485648763973_15223123.jpg
- bobo-pu####.n####.127.net/anchor_1487812959759_36990649.jpg
- bobo-pu####.n####.127.net/anchor_1492257082089_23357532.jpg
- bobo-pu####.n####.127.net/anchor_1492613757269_74498082.jpg
- bobo-pu####.n####.127.net/anchor_1494333482297_20320659.jpg
- bobo-pu####.n####.127.net/anchor_1494520745935_43240404.jpg
- bobo-pu####.n####.127.net/anchor_1496671946567_37507684.jpg
- bobo-pu####.n####.127.net/anchor_1498477391528_70838057.jpg
- bobo-pu####.n####.127.net/anchor_1498660884110_29636153.jpg
- bobo-pu####.n####.127.net/anchor_1503933572883_57658114.jpg
- bobo-pu####.n####.127.net/anchor_1504579384135_96211828.jpg
- bobo-pu####.n####.127.net/anchor_1504788073300_83590908.jpg
- bobo-pu####.n####.127.net/anchor_1506179299017_60022255.jpg
- bobo-pu####.n####.127.net/anchor_1511849082049_52715024.jpg
- bobo-pu####.n####.127.net/anchor_1524415641934_16037887.jpg
- bobo-pu####.n####.127.net/anchor_1546876506267_92919317.jpg
- bobo-pu####.n####.127.net/bobo_1468535858182_87929838.jpg
- bobo-pu####.n####.127.net/bobo_1473430752062_88319497.jpg
- bobo-pu####.n####.127.net/bobo_1479109957509_68401050.jpg
- bobo-pu####.n####.127.net/bobo_1487945959411_80015110.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1494068640255_96039705.jpeg
- bobo-pu####.n####.127.net/bobo_1498023848117_16084373.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1500018084966_84077320.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1500082801350_24880699.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1500644690909_91969235.png?image####&qual...
- bobo-pu####.n####.127.net/bobo_1500895463308_71380040.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1500897063738_50551274.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1500905750709_40929067.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1502121580643_42257293.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1503056609511_90334524.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1506938207669_15527048.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1507459265050_82439703.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1514808218068_80780220.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1514944519881_55676412.jpeg
- bobo-pu####.n####.127.net/bobo_1521646884081_30339070.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1528615406873_41691691.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1528806516920_96958034.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1531244011837_53847100.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1531315269441_98009396.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1531810638411_73947437.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1535036031610_69480990.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1543853650092_11700341.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1544173696072_48238452.jpg?image####&qual...
- bobo-pu####.n####.127.net/bobo_1547011357797_76461835.jpg?image####&qual...
- cgi.con####.qq.com/qqconnectopen/openapi/policy_conf?sdkv=####&appid=###...
- m.l####.net####.com/api/accessToken?type=####
- m.l####.net####.com/chat/message/count.htm?userId=####&token=####&random...
- m.l####.net####.com/loginserver/distribute.do?data=####
- m.l####.net####.com/spe-data/api/anchor_online_count.htm
- m.l####.net####.com/spe-data/api/appRecommendUtil/getRandomRecommendMess...
- m.l####.net####.com/spe-data/api/appRecommendUtil/getRecommendGiftList.h...
- m.l####.net####.com/spe-data/api/appRecommendUtil/getRecommendSendGiftDe...
- m.l####.net####.com/spe-data/api/banner.htm
- m.l####.net####.com/spe-data/api/common-config/get.htm?key=####
- m.l####.net####.com/spe-data/api/index/2.5/anchorList.htm?pageNo=####&pa...
- m.l####.net####.com/spe-data/api/index/2.5/tab_list.htm
- m.l####.net####.com/spe-data/api/punchedCard/getSignSwitchPunchCardValue...
- m.l####.net####.com/spe-data/api/room/getAnchorAndRoomInfo.htm?roomId=####
- m.l####.net####.com/spe-data/api/skin/getPics.htm?source=####&module=####
- m.l####.net####.com/spe-data/api/switch/getStatus.htm?codes=####
- m.l####.net####.com/spe-data/api/timer_game/get_timer.htm?userId=####
- m.l####.net####.com/special/boboandroidyeseversion
- m.l####.net####.com/special/boboandroidyeseversion/
- st####.p####.net####.com/dns/publicIps?domain=####
- st####.p####.net####.com/receiver/?action=####&data=NN####
Запросы HTTP POST:
- a####.u####.com/app_logs
- b####.163.com/logic/data/log/openApp.htm
- cgi.con####.qq.com/qqconnectutil/sdk
- mr.da.net####.com/receiver
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/NELoginConfig.xml
- /data/data/####/NetEasePushService.xml
- /data/data/####/classes.dex (deleted)
- /data/data/####/classes.jar
- /data/data/####/com.tencent.open.config.json.1102364892
- /data/data/####/com.yese.xiaognwoqptiewt_preferences.xml
- /data/data/####/dblew-journal
- /data/data/####/exchangeIdentity.json
- /data/data/####/location.db
- /data/data/####/location_zh_hant.db
- /data/data/####/mobidroid.sqlite-journal
- /data/data/####/tencent_analysis.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/vshow.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromium.db-journal (deleted)
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/media/####/.mid.txt
- /data/media/####/.nomedia
- /data/media/####/12vwakns2br7rtm3z0jdcb31d0.tmp
- /data/media/####/15yh2kz4aj5g882desaw5yohc0.tmp
- /data/media/####/16d8dwspkk7hb2htoan4s3m670.tmp
- /data/media/####/1askms2bh7aqllrivv55brxir0.tmp
- /data/media/####/1e3n8eeadoi8y8u1xk30rihph0.tmp
- /data/media/####/1k03q2cco2h6xvze0thhhpyq30.tmp
- /data/media/####/1k4i644a0l1vco2sms0kge97x0.tmp
- /data/media/####/1rlitl81g4b5zezptj8nabe9m0.tmp
- /data/media/####/1whms6wxs0tivk7qvfki7eicy0.tmp
- /data/media/####/20glq2fhzw35l8j1xwqcblxd40.tmp
- /data/media/####/23tgi8ufs6wmg8vm8yy1b9dn90.tmp
- /data/media/####/25b4dqaztjghj3wzi8avg80xs0.tmp
- /data/media/####/2igxnbckd0kvcdfvu0qyen5ji0.tmp
- /data/media/####/2p87hng8d1fjq255ukt90be530.tmp
- /data/media/####/2sn4t0u5wdegrjokpcyhb9jxa0.tmp
- /data/media/####/2wkmpufgm7mja4nx25kc59xfj0.tmp
- /data/media/####/33816i1f4y7wfx4nl42nifwl50.tmp
- /data/media/####/39vz4ckcom8vp13uo07os0mk40.tmp
- /data/media/####/3azxte01o2m4ku99986h0izi30.tmp
- /data/media/####/3ba1ozejdnszld7k24a4f0qss0.tmp
- /data/media/####/3cbzhyyhmspfpl9oiwvge1viq0.tmp
- /data/media/####/3en3uokirkbi1tbk43pzy3sto0.tmp
- /data/media/####/3fg62415h3zapbq64ugwrfbvh0.tmp
- /data/media/####/3fx5e2p0of4wbhztvmiahasxx0.tmp
- /data/media/####/3hwbr2nmy4pevxbf5q21xxz610.tmp
- /data/media/####/3hytzjtok3lhwvc5eer02s4b50.tmp
- /data/media/####/3ifeloa33xxz3gxx1vucsh14s0.tmp
- /data/media/####/3lm9fwo7ofm0sllkxduzibe8b0.tmp
- /data/media/####/3lyga3ax49yo54ay3euex28zz0.tmp
- /data/media/####/3u5sq1allfyu5dkz9im6tbm570.tmp
- /data/media/####/3vury73xjdu3e5ho5p0ik3ndc0.tmp
- /data/media/####/3ziqvz6tctsbqrtxme3spczxs0.tmp
- /data/media/####/3zjao5vuvv1xpdjk07ktz76gg0.tmp
- /data/media/####/4gvydvhfxhp3g02repr7kyqy10.tmp
- /data/media/####/4jjc6mf26mzy9pt3vwtfelj270.tmp
- /data/media/####/4juhh2pqws9wyet4e1og0jh240.tmp
- /data/media/####/4sh5guj1di0lf582i1grfus330.tmp
- /data/media/####/4zyrpnizs635wssi3nnvegoa80.tmp
- /data/media/####/58e1b9vhujdqvpx7u7ewzvdpe0.tmp
- /data/media/####/59yupi9me7dzne5l9idzumjkg0.tmp
- /data/media/####/5ahbh6ya1on5d1nv7grd3kqhu0.tmp
- /data/media/####/5albrgiwmwjy5g2fvflyr78jx0.tmp
- /data/media/####/5bgankg5foggbzra56sxw2gz0.tmp
- /data/media/####/5j59onrgzx1l8v6apnbgi0c0u0.tmp
- /data/media/####/5l0g99mabldmq70zxy35w8gco0.tmp
- /data/media/####/5pgccy2sv96f2hms6uztu6vnw0.tmp
- /data/media/####/63ifcqjvp2him0tpqgut4tep40.tmp
- /data/media/####/65rr0pehl5c7wrlj70kcvitrk0.tmp
- /data/media/####/6gtfgemjjcynjxj9varav6snq0.tmp
- /data/media/####/6l76mgrp51gvthp7x614cg3iw0.tmp
- /data/media/####/6mx54zqbnvta4717bnvtdgt9p0.tmp
- /data/media/####/6ulnvavlc09qe47i8wmcuzay30.tmp
- /data/media/####/6vi1w4maz05xknujdq9szogj90.tmp
- /data/media/####/6w7nr1co4xv48l1mnxaxrwbcu0.tmp
- /data/media/####/74t7ctlq9slvswt1ibhs4gkh00.tmp
- /data/media/####/7iffjpkvcw86jynj2llq9pp830.tmp
- /data/media/####/bG9jYWxfaXAuZGF0
- /data/media/####/cmVnaXN0ZXJfZG9tYWluLmRhdA==
- /data/media/####/eipanxwmb4ldt63wyx2bnbr00.tmp
- /data/media/####/f1vrsn7ldz9um7pn757wkhn60.tmp
- /data/media/####/journal.tmp
- /data/media/####/prj47nw9gwwpcrm3hzpi10o70.tmp
- /data/media/####/u5mbfnp9o9rdtbqmdrovtzwh0.tmp
- /data/media/####/w8adejmbe2qrgfd9dylxfzhm0.tmp
- /data/media/####/ye971gu8so5yjnv1h5zslhx0.tmp
- /data/media/####/zhf262ai2gsdjnod3peigmjh0.tmp
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
Загружает динамические библиотеки:
- MtaNativeCrash
- nelogin
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- DES-ECB-PKCS5Padding
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
