Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.DownLoader.859.origin
Осуществляет доступ к приватному интерфейсу ITelephony.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) panrisc####.uich####.y####.net:80
- TCP(HTTP/1.1) u####.umengc####.com:80
- TCP(HTTP/1.1) 2####.195.1.254:8080
- TCP(HTTP/1.1) c.d####.mob.com:80
- TCP(HTTP/1.1) tinyali####.c####.l####.####.com:80
- TCP(HTTP/1.1) api.s####.mob.com:80
- TCP(HTTP/1.1) na61-####.wagbr####.ali####.####.com:80
- TCP(HTTP/1.1) ada####.m.ta####.com:80
- TCP(HTTP/1.1) a####.ums.mob.com:80
- TCP(HTTP/1.1) hk.wagbr####.non####.####.com:80
- TCP(HTTP/1.1) d####.d####.mob.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) uich####.com:80
- TCP(HTTP/1.1) a####.cms.mob.com:80
- TCP(HTTP/1.1) ad####.m.ta####.com:80
- TCP(HTTP/1.1) wp.uich####.com:80
- TCP(HTTP/1.1) m.d####.mob.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) msg.umengc####.com:80
- TCP(HTTP/1.1) qp.yunanfu####.com.####.com:80
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) a####.m.ta####.com:80
- TCP(HTTP/1.1) sdk.c####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) 1####.205.203.102:8010
- TCP(HTTP/1.1) api.m.ta####.com:80
- TCP(TLS/1.0) s####.g.doublec####.net:443
- TCP(TLS/1.0) api.9i####.com.####.com:443
- TCP(TLS/1.0) mi.g####.qq.com:443
- TCP(TLS/1.0) stc.x####.us:443
- TCP(TLS/1.0) sd.x####.us.####.com:443
- TCP(TLS/1.0) v2.g####.qq.com:443
- TCP(TLS/1.0) s####.tc.qq.com:443
- TCP(TLS/1.0) www.google-####.com:443
- TCP(TLS/1.0) a.x####.us:443
- TCP(TLS/1.0) img.x####.us.####.com:443
- TCP(TLS/1.0) v.g####.qq.com:443
- TCP(TLS/1.0) v.x####.us:443
- TCP(TLS/1.0) p####.tc.qq.com:443
Запросы DNS:
- a####.cms.mob.com
- a####.exc.mob.com
- a####.m.ta####.com
- a####.u####.com
- a####.ums.mob.com
- a.x####.us
- ad####.m.ta####.com
- ada####.m.ta####.com
- api####.a####.com
- api.9i####.com
- api.s####.mob.com
- c.d####.mob.com
- d####.d####.mob.com
- fb.u####.com
- i.g####.qq.com
- im####.9l####.com
- img.x####.us
- int.d####.s####.####.cn
- m.d####.mob.com
- mi.g####.qq.com
- msg.umengc####.com
- oc.u####.com
- p####.g####.cn
- p####.ugd####.com
- q####.qq.com
- qp.yunanfu####.com
- qzones####.g####.cn
- r####.wx.qq.com
- res####.a####.com
- s####.g.doublec####.net
- sd.x####.us
- sdk.c####.com
- stc.x####.us
- u####.umengc####.com
- u####.umengc####.com
- uich####.com
- v.g####.qq.com
- v.x####.us
- v2.g####.qq.com
- wb.110.ta####.com
- wp.uich####.com
- www.google-####.com
- www.uich####.com
- y####.al####.com
Запросы HTTP GET:
- a####.m.ta####.com/rest/abtest?ak=####&av=####&c=####&v=####&s=####&d=##...
- ad####.m.ta####.com/rest/gc2?ak=####&av=####&c=####&d=####&sv=####&t=###...
- api.m.ta####.com/activeip/?appkey=####&ttid=####&deviceId=####&imei=####...
- api.m.ta####.com/spdyip/?appkey=####&ttid=####&deviceId=####&imei=####&n...
- m.d####.mob.com/v4/cconf?appkey=####&plat=####&apppkg=####&appver=####&n...
- panrisc####.uich####.y####.net/bossLocker-store/search/hottest.json
- panrisc####.uich####.y####.net/ums3-client2/app/dd/client.json
- panrisc####.uich####.y####.net/ums3-client2/files/0122b0783b574c089ac22b...
- panrisc####.uich####.y####.net/ums3-client2/files/15843d71d6be410c8c022c...
- panrisc####.uich####.y####.net/ums3-client2/files/247491aef9d6489196a024...
- panrisc####.uich####.y####.net/ums3-client2/files/6462239fed694b199f5054...
- panrisc####.uich####.y####.net/ums3-client2/files/759e932d413d4b058988c1...
- panrisc####.uich####.y####.net/ums3-client2/files/77d8cae08df940909feb63...
- panrisc####.uich####.y####.net/ums3-client2/files/7b890b87bfa046b1b064cf...
- panrisc####.uich####.y####.net/ums3-client2/files/7f64d4b5ca174e79be16ba...
- panrisc####.uich####.y####.net/ums3-client2/files/899614748a5c448099fbcf...
- panrisc####.uich####.y####.net/ums3-client2/files/b0627830ef9942ff9798c2...
- panrisc####.uich####.y####.net/ums3-client2/files/c41cdc55f0264d85b788fc...
- panrisc####.uich####.y####.net/ums3-client2/files/c5bf38ad76c24426846449...
- panrisc####.uich####.y####.net/ums3-client2/files/ca4bf2fff3e440eebf78e5...
- panrisc####.uich####.y####.net/ums3-client2/files/category/d381bb1ccbf94...
- panrisc####.uich####.y####.net/ums3-client2/files/d6235562272644fbbcd265...
- panrisc####.uich####.y####.net/ums3-client2/files/e113258c5f824b07a37ef8...
- panrisc####.uich####.y####.net/ums3-client2/files/ed75ad5917254dbea0045f...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/10137350054444597...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/21089882969233506...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/23831066418926174...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/29452130409558015...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/30888982924344538...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/32717377501961228...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/34527741890932570...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/40778664880023162...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/51111910181111163...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/55686499395089346...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/56489150471498391...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/63819865320294163...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/65300322259543887...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/71263751957241897...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/77229195250564727...
- panrisc####.uich####.y####.net/ums3-client2/files/poll/82583522876872410...
- panrisc####.uich####.y####.net/ums3-client3/app/f/topic.json
- panrisc####.uich####.y####.net/ums3-client3/app/home_1.json
- panrisc####.uich####.y####.net/ums3-client3/app/m/hottest/p1/o2.json
- panrisc####.uich####.y####.net/ums3-client3/app/newest/p1/o1.json
- panrisc####.uich####.y####.net/ums3-client3/app/sphome.json
- panrisc####.uich####.y####.net/ums3-client3/home/getHPFeatured.json
- qp.yunanfu####.com.####.com/kubo/
- qp.yunanfu####.com.####.com/kubo/dex/luomi10.27.dex
- qp.yunanfu####.com.####.com/kubo/hongbao/hb6/chaishenye_1.png
- qp.yunanfu####.com.####.com/kubo/hongbao/hb6/chaishenye_2.png
- qp.yunanfu####.com.####.com/kubo/hongbao/hb7/hongbao1.png
- qp.yunanfu####.com.####.com/kubo/hongbao/hb7/hongbao2.png
- qp.yunanfu####.com.####.com/kubo/hongbao/hb8/hongbao1.png
- qp.yunanfu####.com.####.com/kubo/hongbao/hb8/hongbao2.png
- qp.yunanfu####.com.####.com/kubo/hongbao/hb8/hongbao3.png
- qp.yunanfu####.com.####.com/kubo/hongbao/hb8/hongbao4.png
- tinyali####.c####.l####.####.com/image/201903/21/06eef1e8d38856c422ef48f...
- tinyali####.c####.l####.####.com/image/201903/21/223f27379aced33238817fe...
- tinyali####.c####.l####.####.com/image/201903/21/3594bd69f3cd43dd37e06b2...
- tinyali####.c####.l####.####.com/image/201903/21/b554a91a8800545d3e0605f...
- tinyali####.c####.l####.####.com/image/201903/21/df25df25636b4c66e4d144a...
- tinyali####.c####.l####.####.com/image/201903/21/ee4992ba77a20d08ead2e3f...
- u####.umengc####.com/rest/api3.do?t=####&deviceId=####&imei=####&appKey=...
- u####.umengc####.com/rest/api3.do?ttid=####&t=####&deviceId=####&imei=##...
- u####.umengc####.com/rest/api3.do?ttid=####&t=####&imei=####&appKey=####...
- uich####.com/huodong/cpmad1.txt
- wp.uich####.com/wp-content/uploads/2018/07/11.jpg
- wp.uich####.com/wp-content/uploads/2018/07/share.jpg
Запросы HTTP POST:
- a####.cms.mob.com/v2/cms/conf
- a####.cms.mob.com/v2/q/cms_article
- a####.cms.mob.com/v2/q/cms_category
- a####.exc.mob.com/errconf
- a####.m.ta####.com/rest/gc?ak=####&av=####&c=####&v=####&s=####&d=####&s...
- a####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=####&...
- a####.u####.com/app_logs
- a####.ums.mob.com/conf
- a####.ums.mob.com/log
- ada####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=###...
- api.s####.mob.com/conn
- api.s####.mob.com/snsconf
- c.d####.mob.com/v3/cdata
- d####.d####.mob.com/dinfo
- d####.d####.mob.com/dsign
- hk.wagbr####.non####.####.com/saveWb.json
- msg.umengc####.com/v2/alias
- msg.umengc####.com/v2/register
- na61-####.wagbr####.ali####.####.com/api/update.do
- oc.u####.com/v2/check_config_update
- oc.u####.com/v2/get_update_time
- panrisc####.uich####.y####.net/boss-locker/account/tpadbyttsp/handy-regi...
- res####.a####.com/v3/config/resource?
- res####.a####.com/v3/log/init
- sdk.c####.com/versiontapi.php?v=####&type=####
- uich####.com/ums3-log/client/activate
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-12152784381298636903
- /data/data/####/.duid
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.lock
- /data/data/####/.mrecord
- /data/data/####/.mrlock
- /data/data/####/.statistics
- /data/data/####/.vpl_lock
- /data/data/####/03352564ed01ef5e04070e52394e198cd085eb2ff48b003....0.tmp
- /data/data/####/04c7b7e870589f9054b9d4b8cf2b9b74b837b3b02654fa8....0.tmp
- /data/data/####/0a231bd8575dcf72.txt
- /data/data/####/10d1ca6ba8ba160c0be5e03e7f620b570e78675a9afcba7....0.tmp
- /data/data/####/13274c9d35156fba8514ee8dace5e397f1b2d0014ff4656....0.tmp
- /data/data/####/1329658566-262281881
- /data/data/####/13471438681210318931
- /data/data/####/1347143868381056044
- /data/data/####/1391264828-1465091291
- /data/data/####/1391264828-406419408
- /data/data/####/1391264828278474917
- /data/data/####/179536817-215948065
- /data/data/####/1d77ea041509fe06.lock
- /data/data/####/2071898235406109560
- /data/data/####/21c22f492aba3de8.lock
- /data/data/####/40e8ced2686b50500ec479f3ebfa462c8cb57ea3cb422a9....0.tmp
- /data/data/####/4af49e14451afa816b0e700d8d71dd7c71a577f381162e0....0.tmp
- /data/data/####/5fe3b9f3a1fb31a41329548dc9ae990d3a2addbaf073255....0.tmp
- /data/data/####/63d376d4cae19a78c25c09f529ea734613b9133b35a228a....0.tmp
- /data/data/####/650f0d5ec1a52f3a22db9603fc7b19938e68cd3049259f4....0.tmp
- /data/data/####/65108f1d951a7b4482f7c91da1db694db82f5fefd410e45....0.tmp
- /data/data/####/736192913-1383803219
- /data/data/####/8ea9d2b3be708ebc55cd431e93c4ba7c3d3b1043c9071e3....0.tmp
- /data/data/####/8ef9c457b3bbb403.lock
- /data/data/####/901900c989b08bccff66573370a3444101c002c2ad9e4a6....0.tmp
- /data/data/####/930a31b34bd52c08.lock
- /data/data/####/952bfbb05be1aa1abfc9ed8e7af25ea3d6a4948b04995e2....0.tmp
- /data/data/####/981074197-1022491187
- /data/data/####/9d44a621b3c6208697f4c3c058a361fff97fd7ee3687b29....0.tmp
- /data/data/####/AGOO_CONNECT.xml
- /data/data/####/AGOO_HOST.xml
- /data/data/####/Alvin2.xml
- /data/data/####/AppStore.xml
- /data/data/####/ContextData.xml
- /data/data/####/DaemonServer
- /data/data/####/DownloadTaskStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/PhoneUtil.xml
- /data/data/####/SGMANAGER_DATA2.tmp
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/UTCommon.xml
- /data/data/####/UTMCBase.xml
- /data/data/####/UTMCConf352142815.xml
- /data/data/####/UTMCLog352142815.xml
- /data/data/####/a745ccca173bc458c567acfbd80ecc5fd1955a6589200f6....0.tmp
- /data/data/####/ac27e2039a5086a65fef3c36e4f3e6076dddc2d9faf48d7....0.tmp
- /data/data/####/agoo.pid
- /data/data/####/ap.Lock
- /data/data/####/bf063435829050fc9483d3199735de2b94007bf8d9b6413....0.tmp
- /data/data/####/c9045d12e5edfbb2469b97bcef291d44c7154971b4d6bf5....0.tmp
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cmssdk_1
- /data/data/####/com.change.unlock_preferences.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/db_jone-journal
- /data/data/####/dcSharedPreferences.dat.xml
- /data/data/####/dianrui_cache.xml
- /data/data/####/e97141f127fd4d5434d1fbe26de51bb2d8b08230aa6b62c....0.tmp
- /data/data/####/ed1f5e140beb341cd7fbbcfec65961c33907d5f0fde25b1....0.tmp
- /data/data/####/evernote_jobs.db-journal
- /data/data/####/evernote_jobs.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f3e848623bb500cd8c0dc9aecb767925d18fd16739d2191....0.tmp
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/fb_audio_switch.xml
- /data/data/####/feedback_push.xml
- /data/data/####/index
- /data/data/####/journal.tmp
- /data/data/####/last_known_location.xml
- /data/data/####/libjiagu-1716457141.so
- /data/data/####/libsgmainso-5.1.81.so.tmp
- /data/data/####/lock.lock
- /data/data/####/luomi77.dex
- /data/data/####/luomi_cache.xml
- /data/data/####/mob_commons_1
- /data/data/####/mob_sdk_exception_1
- /data/data/####/multidex.version.xml
- /data/data/####/onlineconfig_agent_online_setting_com.change.unlock.xml
- /data/data/####/s_update.xml
- /data/data/####/share_sdk_1
- /data/data/####/sp.lock
- /data/data/####/sp_content_provider.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_feedback_conversations.xml
- /data/data/####/umeng_feedback_user_info.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_message_state.xml
- /data/data/####/umssdk_1
- /data/data/####/ut.db
- /data/data/####/ut.db-journal
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.al
- /data/media/####/.artc_lock
- /data/media/####/.dh-journal
- /data/media/####/.dhlock
- /data/media/####/.di
- /data/media/####/.dic_lock
- /data/media/####/.digap
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.lecd
- /data/media/####/.lesd_lock
- /data/media/####/.mcli
- /data/media/####/.mn_-1464060969
- /data/media/####/.nomedia
- /data/media/####/.nulal
- /data/media/####/.nulplt
- /data/media/####/.pkg_lock
- /data/media/####/.plst
- /data/media/####/.rc_lock
- /data/media/####/.slw
- /data/media/####/6c709c11d2d46a7b
- /data/media/####/8b8a016b2c95bf4314ed38a3de7f711e
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/c46d8469aefa35e14c0dd1c0efed2677
- /data/media/####/chaishenye_1.png
- /data/media/####/chaishenye_2.png
- /data/media/####/dd7893586a493dc3
- /data/media/####/fm.txt
- /data/media/####/hid.dat
- /data/media/####/hongbao1.png
- /data/media/####/hongbao2.png
- /data/media/####/hongbao3.png
- /data/media/####/hongbao4.png
- /data/media/####/journal.tmp
- /data/media/####/log_bosslocker_2019-03-23.txt
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -a <Package>.intent.action.COCKROACH --es cockroach cockroach-PPreotect --es pack <Package> --user 0 -f <Package Folder> -t 60 -c agoo.pid -P <Package Folder> -K 9527 -U tb_android_daemon_1.1.0 -L http://100.69.168.33/agoo/report -D {"package":"<Package>","appKey":"umeng:52a5846456240bff1a04aee0","utdid":"XJZT/JPaKu0DAGdzx1HKcdIS","sdkVersion":"20150423"} -I 100.69.168.33 -O 80 -T -Z
- app_process /system/bin com.android.commands.pm.Pm list packages
- cat /sys/class/net/wlan0/address
- chmod 500 <Package Folder>/files/DaemonServer
- grep -E -v root|shell|system
- pm list packages
- sh
- top -d 0 -n 1
Загружает динамические библиотеки:
- libjiagu-1716457141
- sgmainso-5.1
- tnet-2.0
- un7z
- ut_c_api
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-ECB-ZeroBytePadding
- DESede
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- DESede
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию о настроках APN.
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
