Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.DownLoader.864.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 1####.24.75.75:80
- TCP(HTTP/1.1) gamean####.cdn.bc####.####.com:80
- TCP(TLS/1.0) h####.b####.com:443
- TCP(TLS/1.0) xx####.cdn.bc####.####.com:443
Запросы DNS:
- gamean####.cdn.bc####.com
- h####.b####.com
- xx####.cdn.bc####.com
Запросы HTTP GET:
- gamean####.cdn.bc####.####.com/Lutube/1-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/10-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/11-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/12-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/14-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/2-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/3-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/31-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/32-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/33-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/34-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/35-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/4-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/5-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/51-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/52-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/54-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/55-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/56-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/57-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/58-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/6-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/7-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/8-1.jpg
- gamean####.cdn.bc####.####.com/Lutube/9-1.jpg
- gamean####.cdn.bc####.####.com/photo/108.png
- gamean####.cdn.bc####.####.com/photo/111.png
- gamean####.cdn.bc####.####.com/photo/123.png
- gamean####.cdn.bc####.####.com/photo/127.png
- gamean####.cdn.bc####.####.com/photo/134.png
- gamean####.cdn.bc####.####.com/photo/178.png
- gamean####.cdn.bc####.####.com/photo/179.png
- gamean####.cdn.bc####.####.com/photo/181.png
- gamean####.cdn.bc####.####.com/photo/188.png
- gamean####.cdn.bc####.####.com/photo/194.png
- gamean####.cdn.bc####.####.com/photo/198.png
- gamean####.cdn.bc####.####.com/photo/20.png
- gamean####.cdn.bc####.####.com/photo/203.png
- gamean####.cdn.bc####.####.com/photo/210.png
- gamean####.cdn.bc####.####.com/photo/212.png
- gamean####.cdn.bc####.####.com/photo/221.png
- gamean####.cdn.bc####.####.com/photo/222.png
- gamean####.cdn.bc####.####.com/photo/230.png
- gamean####.cdn.bc####.####.com/photo/233.png
- gamean####.cdn.bc####.####.com/photo/241.png
- gamean####.cdn.bc####.####.com/photo/248.png
- gamean####.cdn.bc####.####.com/photo/25.png
- gamean####.cdn.bc####.####.com/photo/250.png
- gamean####.cdn.bc####.####.com/photo/267.png
- gamean####.cdn.bc####.####.com/photo/288.png
- gamean####.cdn.bc####.####.com/photo/289.png
- gamean####.cdn.bc####.####.com/photo/293.png
- gamean####.cdn.bc####.####.com/photo/33.png
- gamean####.cdn.bc####.####.com/photo/36.png
- gamean####.cdn.bc####.####.com/photo/37.png
- gamean####.cdn.bc####.####.com/photo/39.png
- gamean####.cdn.bc####.####.com/photo/42.png
- gamean####.cdn.bc####.####.com/photo/57.png
- gamean####.cdn.bc####.####.com/photo/71.png
- gamean####.cdn.bc####.####.com/photo/73.png
- gamean####.cdn.bc####.####.com/photo/76.png
- gamean####.cdn.bc####.####.com/photo/95.png
- gamean####.cdn.bc####.####.com/photo/96.png
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/0593e046252261b31378e88f0205429e70257fb455c9975....0.tmp
- /data/data/####/08f4af50ed996cf75dbe1d10bdb7a23e.0.tmp
- /data/data/####/08f4af50ed996cf75dbe1d10bdb7a23e.1.tmp
- /data/data/####/1c52d052971ffac07e8ba304afeef527.0.tmp
- /data/data/####/1c52d052971ffac07e8ba304afeef527.1.tmp
- /data/data/####/1e3939a466f5e7cc480a7987891b3d37.0.tmp
- /data/data/####/1e3939a466f5e7cc480a7987891b3d37.1.tmp
- /data/data/####/1f2e1ca03e138bb76f1a61833142df4d.0.tmp
- /data/data/####/1f2e1ca03e138bb76f1a61833142df4d.1.tmp
- /data/data/####/2054295005a1c8e3529f04118381b7f2.0.tmp
- /data/data/####/2054295005a1c8e3529f04118381b7f2.1.tmp
- /data/data/####/2338d042eb8e64de38d4aa9a61217db0.0.tmp
- /data/data/####/2338d042eb8e64de38d4aa9a61217db0.1.tmp
- /data/data/####/2395733ad3cecdd716d9a917b937d4b5be53ce7753b0021....0.tmp
- /data/data/####/2429e8b7101d42a0e4bd24345e3b560d.0.tmp
- /data/data/####/2429e8b7101d42a0e4bd24345e3b560d.1.tmp
- /data/data/####/2686a0d7a1b76d9b88030bb4d5a57164.0.tmp
- /data/data/####/2686a0d7a1b76d9b88030bb4d5a57164.1.tmp
- /data/data/####/2a29404ee1fdc9f432b742c9eecece8b.0.tmp
- /data/data/####/2a29404ee1fdc9f432b742c9eecece8b.1.tmp
- /data/data/####/2c2e3e2b1f7e23f222cb2c83866ec0b4.0.tmp
- /data/data/####/2c2e3e2b1f7e23f222cb2c83866ec0b4.1.tmp
- /data/data/####/2d8b90459556bd80d489901d29ddc07e.0.tmp
- /data/data/####/2d8b90459556bd80d489901d29ddc07e.1.tmp
- /data/data/####/312bad76baf964eced3c53c0bbcc1147.0.tmp
- /data/data/####/312bad76baf964eced3c53c0bbcc1147.1.tmp
- /data/data/####/3551a4f52a4afb91f84f782fa1a9315c.0.tmp
- /data/data/####/3551a4f52a4afb91f84f782fa1a9315c.1.tmp
- /data/data/####/36b528b6c79731ef1321a18158d68795.0.tmp
- /data/data/####/36b528b6c79731ef1321a18158d68795.1.tmp
- /data/data/####/38425bf2aba0e71f356fae624c989a81.0.tmp
- /data/data/####/38425bf2aba0e71f356fae624c989a81.1.tmp
- /data/data/####/3967b9d91a9c23f6b857c2d96d89f8b0.0.tmp
- /data/data/####/3967b9d91a9c23f6b857c2d96d89f8b0.1.tmp
- /data/data/####/3aa0f95dfbcdaa68c2c28194e4511957581092d484bc32a....0.tmp
- /data/data/####/3e2dfadfedd9edcfe4ac2403ce27c0fef6ce4a0c8d8bb9b....0.tmp
- /data/data/####/40fdcd9331540e017f0e6a4c9bf5ac82.0.tmp
- /data/data/####/40fdcd9331540e017f0e6a4c9bf5ac82.1.tmp
- /data/data/####/416be489239e85119af352dbe3b87a5c1af09dd94edd082....0.tmp
- /data/data/####/41c64069b2b851872806ca5317c44bded46eb20d4b9788e....0.tmp
- /data/data/####/449b41a340cb3e9365c8f398852caff91c4e6f56b1b7fed....0.tmp
- /data/data/####/4518654c1fbd6b9a4011ad1c14f8aafb.0.tmp
- /data/data/####/4518654c1fbd6b9a4011ad1c14f8aafb.1.tmp
- /data/data/####/4fbb2d3cf2b316d58750645a1c006232ce3a3efaf18a3aa....0.tmp
- /data/data/####/50d345a6155ce67fb5b29d68e2ac9b1009450da2290a883....0.tmp
- /data/data/####/580eb0bfc209023ec640bef263b84fec.0.tmp
- /data/data/####/580eb0bfc209023ec640bef263b84fec.1.tmp
- /data/data/####/5e9122cf511906c0f03cb7b6941ad8da.0.tmp
- /data/data/####/5e9122cf511906c0f03cb7b6941ad8da.1.tmp
- /data/data/####/69e83ebbfc61476a44c7ef2cf897713638de7ce140a96cf....0.tmp
- /data/data/####/6a4f0b72d7fbecb89b3c6cd59bb7b464.0.tmp
- /data/data/####/6a4f0b72d7fbecb89b3c6cd59bb7b464.1.tmp
- /data/data/####/6a59a0526f0efa4f4a55628fa01dc2a2.0.tmp
- /data/data/####/6a59a0526f0efa4f4a55628fa01dc2a2.1.tmp
- /data/data/####/8abb40bfe40acbe3f25e269c798ff79d18c03435fcb68c0....0.tmp
- /data/data/####/8d54d12378726717a74cfff1c66f3019.0.tmp
- /data/data/####/8d54d12378726717a74cfff1c66f3019.1.tmp
- /data/data/####/916c56ad82d66c798d815c8eb24d71c040c72650817450e....0.tmp
- /data/data/####/9635e5908858e8171e9c872245b2c565.0.tmp
- /data/data/####/9635e5908858e8171e9c872245b2c565.1.tmp
- /data/data/####/971904bb1ebb46b1aefb52274757ff48.0.tmp
- /data/data/####/971904bb1ebb46b1aefb52274757ff48.1.tmp
- /data/data/####/97d0393f72c5be94614f4a980b05de3778a993d5875c7fa....0.tmp
- /data/data/####/9ec24eb7bcff1f4f35e36f5e4e8c94ba.0.tmp
- /data/data/####/9ec24eb7bcff1f4f35e36f5e4e8c94ba.1.tmp
- /data/data/####/PrefFirst.xml
- /data/data/####/User_Id.xml
- /data/data/####/User_Name.xml
- /data/data/####/__Baidu_Stat_SDK_SendRem.xml
- /data/data/####/__local_ap_info_cache.json
- /data/data/####/__local_last_session.json
- /data/data/####/__local_stat_cache.json
- /data/data/####/__send_data_1555340855478
- /data/data/####/a3b515d0ed77d345ceb72b07cabd97f73d7bc6e2ae1da61....0.tmp
- /data/data/####/a5104e8b38e53dc2207cee717c945715.0.tmp
- /data/data/####/a5104e8b38e53dc2207cee717c945715.1.tmp
- /data/data/####/aa3a68623e3e7c5ecf7d0afddeed4151.0.tmp
- /data/data/####/aa3a68623e3e7c5ecf7d0afddeed4151.1.tmp
- /data/data/####/ab98bd835309d3ca969e577764ec1f893c6edb7f8bfcca2....0.tmp
- /data/data/####/adInfo.xml
- /data/data/####/af4eb324227cd99270123b6c96ee2c8c.0.tmp
- /data/data/####/af4eb324227cd99270123b6c96ee2c8c.1.tmp
- /data/data/####/afe2cc5ea2f738edcb7f1b6734fb4218.0.tmp
- /data/data/####/afe2cc5ea2f738edcb7f1b6734fb4218.1.tmp
- /data/data/####/b17c9b1382a882d8af60ee0a19dc49a6.0.tmp
- /data/data/####/b17c9b1382a882d8af60ee0a19dc49a6.1.tmp
- /data/data/####/b27d90401be4de4b9088246285afb0bd.0.tmp
- /data/data/####/b27d90401be4de4b9088246285afb0bd.1.tmp
- /data/data/####/b45f727b37cce77f5eb4355e4d8421eb.0.tmp
- /data/data/####/b45f727b37cce77f5eb4355e4d8421eb.1.tmp
- /data/data/####/b7d4937a98286f0708da238dbe1b4205.0.tmp
- /data/data/####/b7d4937a98286f0708da238dbe1b4205.1.tmp
- /data/data/####/b88dfc2b5eeb2955976b697ff365d8c4.0.tmp
- /data/data/####/b88dfc2b5eeb2955976b697ff365d8c4.1.tmp
- /data/data/####/baidu_mtj_sdk_record.xml
- /data/data/####/baidu_mtj_sdk_record.xml.bak
- /data/data/####/bba10d0967255499246dc1188a340c72.0.tmp
- /data/data/####/bba10d0967255499246dc1188a340c72.1.tmp
- /data/data/####/bc957c3090f6122f2e8d0ec3ddcd9820.0.tmp
- /data/data/####/bc957c3090f6122f2e8d0ec3ddcd9820.1.tmp
- /data/data/####/c37812f087da1b0c77f800d0d0e4fe908cc5de83677c951....0.tmp
- /data/data/####/cc8547a8ccc2919fb3365f33c0df4285.0.tmp
- /data/data/####/cc8547a8ccc2919fb3365f33c0df4285.1.tmp
- /data/data/####/classes.dex
- /data/data/####/classes.dve
- /data/data/####/classes.jar
- /data/data/####/com.SecShell.tmp2270
- /data/data/####/com.SecShell.tmp2302
- /data/data/####/d35121a30be7cdd845e949bc76d27b91.0.tmp
- /data/data/####/d35121a30be7cdd845e949bc76d27b91.1.tmp
- /data/data/####/d3546fe0289cdc94cab9f2eff42ef157ebfaddc45af45c0....0.tmp
- /data/data/####/d75adf21f4405fb5076076b2c8277f59.0.tmp
- /data/data/####/d75adf21f4405fb5076076b2c8277f59.1.tmp
- /data/data/####/d79bd6ab8d68ab57757f5449a17852a7.0.tmp
- /data/data/####/d79bd6ab8d68ab57757f5449a17852a7.1.tmp
- /data/data/####/d8fe91830d8f25e0aaab64f96d0c779c.0.tmp
- /data/data/####/d8fe91830d8f25e0aaab64f96d0c779c.1.tmp
- /data/data/####/db_point_nice-journal
- /data/data/####/dc2840347e0c4956bae1e9126fa2ffddee5ec19da0d9910....0.tmp
- /data/data/####/dd6ccd7bf88bef4db840b7842dd6479d86507ea8827f15e....0.tmp
- /data/data/####/e354e7b5dc92565f202943ae52f6fc23.0.tmp
- /data/data/####/e354e7b5dc92565f202943ae52f6fc23.1.tmp
- /data/data/####/e5465afce2d7e20ad1450c47b4e8435a.0.tmp
- /data/data/####/e5465afce2d7e20ad1450c47b4e8435a.1.tmp
- /data/data/####/ee83fb0e229c948ded42747a509784b8.0.tmp
- /data/data/####/ee83fb0e229c948ded42747a509784b8.1.tmp
- /data/data/####/f3e5ea48fbc788f24ece015711d321c38cd5a180fe402bc....0.tmp
- /data/data/####/filesstring.xml
- /data/data/####/journal.tmp
- /data/data/####/libcuid.so
- /data/data/####/tab_index0.xml
- /data/data/####/tab_index1.xml
- /data/data/####/tab_index2.xml
- /data/data/####/zhkj.db
- /data/data/####/zhkj.db-journal
- /data/media/####/.confd
- /data/media/####/.confd-journal
- /data/media/####/.cuid
- /data/media/####/.cuid2
- /data/media/####/.timestamp
Другие:
Запускает следующие shell-скрипты:
- getprop ro.build.display.id
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.miui.ui.version.name
- getprop ro.smartisan.version
- getprop ro.vivo.os.version
Загружает динамические библиотеки:
- SecShell
- crash_analysis
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Получает информацию о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
