Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.DownLoader.860.origin
Осуществляет доступ к приватному интерфейсу ITelephony.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.3k7.net:80
- TCP(HTTP/1.1) m####.cn:80
- TCP(HTTP/1.1) dc.l####.com:80
- TCP(HTTP/1.1) mv.iall####.com:80
- TCP(HTTP/1.1) api.mag####.com:80
- TCP(HTTP/1.1) pat.f####.com.####.net:80
- TCP(HTTP/1.1) img1-do####.b0.a####.com:80
- TCP(HTTP/1.1) wa####.cn:80
- TCP(HTTP/1.1) src.r####.com.####.com:80
- TCP(HTTP/1.1) weib####.g####.sina####.com:80
- TCP(HTTP/1.1) img.tai####.com:80
- TCP(HTTP/1.1) sdk.c####.com:80
- TCP(HTTP/1.1) i####.doub####.com:80
- TCP(HTTP/1.1) bb####.cn:80
- TCP(TLS/1.0) an####.l####.com:443
- TCP(TLS/1.0) m####.do####.com:443
- TCP(TLS/1.0) img1-do####.b0.a####.com:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) ali-s####.j####.cn:443
- TCP(TLS/1.0) i####.doub####.com:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) t####.j####.cn:443
- TCP(TLS/1.0) videoti####.gslawye####.com:443
- TCP(TLS/1.0) s####.j####.cn:443
- UDP s.j####.cn:19000
- TCP 1####.230.236.34:7001
- UDP easytom####.com:19000
Запросы DNS:
- a####.3k7.net
- ali-s####.j####.cn
- an####.l####.com
- api.mag####.com
- bb####.cn
- c.c####.com
- dc.l####.com
- easytom####.com
- i####.doub####.com
- i####.doub####.com
- img.tai####.com
- m####.cn
- m####.do####.com
- mv.iall####.com
- pat.f####.com
- plb####.u####.com
- qp.yunanfu####.com
- s####.j####.cn
- s.j####.cn
- s96.c####.com
- sdk.c####.com
- sis.j####.io
- src.r####.com
- t####.j####.cn
- u####.u####.com
- videoti####.gslawye####.com
- wa####.cn
- ww1.sin####.cn
- z2.c####.com
Запросы HTTP GET:
- a####.3k7.net/jx/ag.php?url=####
- api.mag####.com/api/app/member/ver2/user/login/2/286?time=####&model=###...
- api.mag####.com/api/app/video/ver2/video/queryClassifyList/2/286?time=##...
- api.mag####.com/api/app/video/ver2/video/queryVideoInfoPage/2/286?pageSi...
- bb####.cn/?qsse=####&distributor=####
- bb####.cn/activity1/main1/
- bb####.cn/assets/25717f98/css/font-awesome.min.css
- bb####.cn/assets/25717f98/fonts/fontawesome-webfont.ttf?v=####
- bb####.cn/assets/47067ce2/css/bootstrap.css
- bb####.cn/assets/47067ce2/js/bootstrap.js
- bb####.cn/assets/49e999d0/css/common.css?v=####
- bb####.cn/assets/49e999d0/css/index.css
- bb####.cn/assets/49e999d0/images/bg_head_01.png
- bb####.cn/assets/49e999d0/images/bg_head_03.png
- bb####.cn/assets/49e999d0/images/bg_head_05.png
- bb####.cn/assets/49e999d0/images/bg_index_more.png
- bb####.cn/assets/49e999d0/images/cartton_place_holder.png
- bb####.cn/assets/49e999d0/images/footer_icon_1_c.png
- bb####.cn/assets/49e999d0/images/footer_icon_2_n.png
- bb####.cn/assets/49e999d0/images/footer_icon_3_n.png?v=####
- bb####.cn/assets/49e999d0/images/footer_icon_4_n.png?v=####
- bb####.cn/assets/49e999d0/images/footer_icon_5_n.png?v=####
- bb####.cn/assets/49e999d0/images/head_line.gif
- bb####.cn/assets/49e999d0/images/icon_06.png
- bb####.cn/assets/49e999d0/images/icon_h2_1.png
- bb####.cn/assets/49e999d0/images/icon_h2_3.png
- bb####.cn/assets/49e999d0/images/top_logo_1.png
- bb####.cn/assets/49e999d0/images/top_logo_2.png
- bb####.cn/assets/49e999d0/images/top_logo_3.png
- bb####.cn/assets/49e999d0/images/top_logo_4.png
- bb####.cn/assets/49e999d0/js/distribution.js
- bb####.cn/assets/49e999d0/js/theme.js
- bb####.cn/assets/612fd1c7/yii.js
- bb####.cn/assets/e6f03b2a/jquery.js
- bb####.cn/css/main.css
- bb####.cn/img/ranking.png
- bb####.cn/img/recommend.png
- bb####.cn/img/savings.png
- bb####.cn/img/vip.png
- bb####.cn/js/common.js
- bb####.cn/js/config.js?1####
- bb####.cn/js/phone.js
- bb####.cn/plugins/baiduTemplate.js
- bb####.cn/plugins/bootstrap/bootstrap.hover.dropdown.js
- bb####.cn/plugins/bootstrap/bootstrap.hover.tab.js
- bb####.cn/plugins/jquery/jquery.cookie.js
- bb####.cn/plugins/jquery/jquery.hotkeys.js
- bb####.cn/plugins/jquery/jquery.image.js
- bb####.cn/plugins/jquery/jquery.lazyload.min.js
- bb####.cn/plugins/toastr/toastr.min.css
- bb####.cn/plugins/toastr/toastr.min.js
- i####.doub####.com/view/photo/l/public/p2545212145.jpg
- i####.doub####.com/view/photo/s_ratio_poster/public/p2275471226.jpg
- i####.doub####.com/view/photo/s_ratio_poster/public/p2405823742.jpg
- i####.doub####.com/view/photo/s_ratio_poster/public/p2533370401.jpg
- img.tai####.com/slide/2018-09-08/5b93872069edc.jpg
- img.tai####.com/slide/2018-09-08/5b938a9040ad8.jpg
- img1-do####.b0.a####.com/view/photo/l/public/p2533944918.jpg
- m####.cn/images/block/201902/1550760080wyW99RTiYxk2nzG2.jpg
- m####.cn/images/block/201902/1550760768pELNWCOLdCQhOMc1.jpg
- m####.cn/images/block/201902/1550761806SjcCHHnKC6SEuQXe.jpg
- m####.cn/images/block/201902/1550763964yotUNFEGvrfJQFYs.jpg
- m####.cn/images/block/201903/1552916005IAA99V23DDMYT7-3.jpg
- m####.cn/images/cover/201812/1544345531o2Kcf5spdXImi1iC.jpg
- m####.cn/images/cover/201812/15443487139Znp-00I9jvDzbXH.jpg
- m####.cn/images/cover/201901/15469428936sFohrhdTn-AXSN2.jpg
- m####.cn/images/cover/201901/1547387491StOQTT-DV2bX5FPw.jpg
- m####.cn/images/cover/201902/1550761233MAGMaCdd8lPmcskO.jpg
- m####.cn/images/cover/201902/1550761563M-Piv-elbQISgLDw.jpg
- m####.cn/images/cover/201902/1550762497wIK856ROGTM0ZHKE.jpg
- m####.cn/images/cover/201902/1550762588wV3305BPOwWgCJ-Q.jpg
- m####.cn/images/cover/201902/1550770375JLbMBSD6iVOD8Yqc.jpg
- m####.cn/images/cover/201902/1550770965BxhzV4_8K5jqB5oZ.jpg
- m####.cn/images/cover/201902/1550773979-K3-LgZDj8iNsHDa.jpg
- m####.cn/images/cover/201902/1550774414kuxpxfC7fPLmcgzq.jpg
- m####.cn/images/cover/201903/1551931870sfrG5kpo0jF2C12N.jpg
- m####.cn/images/cover/201903/1552294853hGIa0Co82DuY1TQQ.jpg
- m####.cn/images/cover/201903/1552294930ukwKXorcE_ymyXTL.jpg
- m####.cn/images/cover/201903/155229546642XIdwdeXMBnObQh.jpg
- m####.cn/images/cover/201903/1552719563nTI6J3zJx3CuEG70.jpg
- m####.cn/images/default/avatar.png
- mv.iall####.com/mahua/img/20190124/52/744b0a79254e5a3221d9b4b984b311.jpg
- mv.iall####.com/mahua/m_img/m_20180718_734/m_20180718_734.jpg
- mv.iall####.com/mahua/m_img/m_20180720_773/m_20180720_773.jpg
- mv.iall####.com/mahua/m_img/m_20180731_1006/m_20180731_1006.jpg
- mv.iall####.com/mahua/m_img/m_20180814_1232/m_20180814_1232.jpg
- mv.iall####.com/mahua/m_img/m_20180820_1471/m_20180820_1471.jpg
- mv.iall####.com/mahua/m_img/m_20180904_2012/m_20180904_2012.jpg
- mv.iall####.com/mahua/m_img/m_20181011_3685/m_20181011_3685.jpg
- mv.iall####.com/mahua/m_img/m_20181031_4769/m_20181031_4769.jpg
- mv.iall####.com/mahua/m_img/m_20181225_7363/m_20181225_7363.jpg
- pat.f####.com.####.net/uploads/picture/2016/01/09/1547029630.jpg
- pat.f####.com.####.net/uploads/picture/2016/03/16/1552702890.gif
- src.r####.com.####.com/kubo/dex/back.png
- src.r####.com.####.com/kubo/dex/luomi_9.1.24.dex
- src.r####.com.####.com/kubo/img/web_close.png
- wa####.cn/public/wap/images/arrow_right.png
- wa####.cn/public/wap/images/live_weixin.png
- weib####.g####.sina####.com/large/683cb5a1ly1fw941yr8ltj20ku0a076d.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1fw94icg6onj20st0dugor.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1fw94nmjbbgj20r80d2q5p.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1fz5e11lxkjj20k60bck4c.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1fz5ebsd9wej20qo0a2af8.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1fzl13lbclnj20q60cidhy.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1g05x7amjxyj20m80dcjsw.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1g0qksvvusjj20m80zkdjs.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1g0qojtftnyj21pc0yigsl.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1g0qok1w0jdj20eg085756.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1g0qok5nd74j20fa0710tc.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1g0qoko8vbqj20b906cq3c.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1g101nq6fb1j20ve0exq7u.jpg
- weib####.g####.sina####.com/large/683cb5a1ly1g102tegbw7j20ee08cglx.jpg
Запросы HTTP POST:
- a####.3k7.net/
- a####.3k7.net/?service=####&id=####
- dc.l####.com/adLogs/adLog
- dc.l####.com/hLogs/saveHeartbeatLog
- dc.l####.com/startLog/startLog
- dc.l####.com/wLog/wLog
- sdk.c####.com/getsiteapi.php
- sdk.c####.com/sdkallapi.php
- sdk.c####.com/sdkapi.php
- sdk.c####.com/sdkreapi.php
- sdk.c####.com/versiontapi.php?v=####&type=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/02004552f073f2b232a54242cc146141cfde2e08156a9ba....0.tmp
- /data/data/####/08104cf5-8240-4cc3-9c18-877e45c4bf2d
- /data/data/####/081d6b323fcc59fe28afe90a160d180798c1fc4ce3d1e58....0.tmp
- /data/data/####/106980982c6ac89f7239e931643daa3c9e0b74e7b2fdab9....0.tmp
- /data/data/####/15231674-2fe8-4c12-8ade-d7a7f9de1212
- /data/data/####/187e1c9b0a324b76a97ff7dc479752c3dad1c395c41ef35....0.tmp
- /data/data/####/21095cb7f836b440a7d77cac0d9e082bb455fe7d6ede07f....0.tmp
- /data/data/####/21fbdd5e6aa937a0acd1c6971f4c27acdf72b9d26eae29f....0.tmp
- /data/data/####/316a66814575f177c000a787bff37e667e5a8f63be9d7b3....0.tmp
- /data/data/####/37eaef6017382cc7c2df786124c72a8cc020e0a71516d01....0.tmp
- /data/data/####/3bb8ac800b575e8cffcfacf59e7664c2ee5a0d398c0c41c....0.tmp
- /data/data/####/4134d407199ce5f5d2fe260ff9f27334f76978f3a0a97d1....0.tmp
- /data/data/####/455cd75e96c50fd4d89d07fae7df1b5edb031bda8f53a50....0.tmp
- /data/data/####/4ea7b32902f37e657c4c9cf8113f65e565ba514acfbf4ac....0.tmp
- /data/data/####/4fcc5e9413c222684fec9421d09a503ab9743bbb8c1f23b....0.tmp
- /data/data/####/533d1153dff4b1dad85980374f0f920c70efd4f5d328b67....0.tmp
- /data/data/####/592meiju_data.xml
- /data/data/####/5d3903001c92ae55d6caa56165471afa79564b1b258c553....0.tmp
- /data/data/####/6146266b-fd36-44f4-83bf-bb8e84e84178
- /data/data/####/61dcffdd-977d-4a69-87d9-d422c91a7206
- /data/data/####/6d3b53812165abc1f94fd704ff01bfad90384c2ff68a4d9....0.tmp
- /data/data/####/79c9e81aacb61f801c88320c7b5f064142ae74566d29bfb....0.tmp
- /data/data/####/83b3564668732f073ddd003cd35465c2f569a61950c8578....0.tmp
- /data/data/####/8724e5f7-d4cd-418d-8e7e-84dc8f62abc2
- /data/data/####/8d7092bef59176c8030fc9890e22d9b82ca313ed059fbcf....0.tmp
- /data/data/####/8ff6a1e715d6bb3d68f23176f3464a2b22c1613f5397213....0.tmp
- /data/data/####/9391a2a8a1aedbe25d3f9774e7616f199f78c80a76c7b31....0.tmp
- /data/data/####/94463900053a0a8bf3b83b2839f3b818aba00ff560465e5....0.tmp
- /data/data/####/98bb7766593622456d5a2cb5e3af812b221597aee39768a....0.tmp
- /data/data/####/98d5cbd72b3d17b9abb518c509af26e5b5605abf2571f9e....0.tmp
- /data/data/####/99854b3d1b01865f1c16e15d4ac160927f24123581d9e96....0.tmp
- /data/data/####/JPushSA_Config.xml
- /data/data/####/MultiDex.lock
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/a5708075bbfb37a945835519e3e94ee59adea25b48f088b....0.tmp
- /data/data/####/appPackageNames_v2
- /data/data/####/ax_c.xml
- /data/data/####/bd954e38437e27730b02c022d2fda766db8bc73603da187....0.tmp
- /data/data/####/c2b3135a6fd004a5cb8b3057e65fa938a309c46ac77d3f1....0.tmp
- /data/data/####/c603d0bbd8ff65a3bb0a4e19e9d1c8d4a5489293c90500b....0.tmp
- /data/data/####/c6c8c2ba22cbdf1c2714fa037b590fca47f89ff446e0f9f....0.tmp
- /data/data/####/caa8a773dfa15380b85902cd135cdc8608d7f24810875a3....0.tmp
- /data/data/####/ce222207a198a9073ef29a2eb835741c22bf8dc02944e4e....0.tmp
- /data/data/####/ce32a80c3929403144150d0ef69a0f85b5228cccb3c07c4....0.tmp
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.android.user.profile.xml.bak (deleted)
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTUyOTI5NDgzNTY1;
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/e29a5fc04cd9562c31f310e97506a0b6e8d865fdc019dd0....0.tmp
- /data/data/####/ea45f388096d997ad34a1b26a0d005df74ac09e089d9932....0.tmp
- /data/data/####/ec5eb91ac19f34d580c9b076c92845e1895aa2753b0d814....0.tmp
- /data/data/####/ef42ba28a731f9fa0288b05920d5d64c7668e5a195fdf2f....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/ff414a22f1563045697e0b04a14fd53bc3c50abb5f60cee....0.tmp
- /data/data/####/gg.dex
- /data/data/####/i==1.2.0&&5.0.12_1552929483608_envelope.log
- /data/data/####/index
- /data/data/####/info.xml
- /data/data/####/journal.tmp
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_stat_cache.json
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_uncaughtexception_file
- /data/data/####/libexec.so
- /data/data/####/log-manager.xml
- /data/data/####/mc177.dex
- /data/data/####/mc_cache.xml
- /data/data/####/meijuniaoV2.db-journal
- /data/data/####/multidex.version.xml
- /data/data/####/pushcore_umeng_common_config.xml
- /data/data/####/t==8.0.0&&5.0.12_1552929484675_envelope.log
- /data/data/####/tmp-com.meiju592.app-1.apk.classes-1926217518.zip
- /data/data/####/tmp-com.meiju592.app-1.apk.classes883442590.zip
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.nomedia
- /data/media/####/.push_deviceid
- /data/media/####/.umm.dat
- /data/media/####/7bd70717d290135b6a650889b7ec2d89.jpg
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- getprop ro.product.cpu.abi
- ls /
- ls /sys/class/thermal
- ps
- sh -c cat /proc/2282/wchan
- sh -c cat /proc/2325/wchan
Загружает динамические библиотеки:
- jcore125
- libexec
- native-signtools
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
