Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.BankBot.125
- Android.DownLoader.860.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) hd.a####.com:80
- TCP(HTTP/1.1) adv.jpi####.com:80
- TCP(HTTP/1.1) gl####.w.kunl####.####.com:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(HTTP/1.1) en####.tui####.com:80
- TCP(HTTP/1.1) dc.l####.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) acti####.russi####.cn:80
- TCP(HTTP/1.1) fp-st####.b0.a####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) api.zhuishu####.com:80
- TCP(HTTP/1.1) c.no####.net:80
- TCP(HTTP/1.1) fi####.d####.com:80
- TCP(HTTP/1.1) yun.d####.com:80
- TCP(HTTP/1.1) api.51aiz####.cn:80
- TCP(HTTP/1.1) zb####.v.qin####.com:80
- TCP(HTTP/1.1) src.r####.com.####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) adv.99y####.com:80
- TCP(HTTP/1.1) yun.russi####.cn.####.com:80
- TCP(HTTP/1.1) sdk.c####.com:80
- TCP(HTTP/1.1) yun.tuis####.com:80
- TCP(HTTP/1.1) mobjump####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) cgi.con####.qq.com:80
- TCP(SSL/3.0) hunter-####.d####.com:443
- TCP(SSL/3.0) ip.goq####.com:443
- TCP(TLS/1.0) hotfix####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) an####.l####.com:443
- TCP(TLS/1.0) fp-st####.b0.a####.com:443
- TCP(TLS/1.0) ip.goq####.com:443
- TCP(TLS/1.0) s####.tc.qq.com:443
- TCP(TLS/1.0) aliyuns####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) aliyuno####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) 1####.217.17.110:443
- TCP(TLS/1.0) is.sn####.com:443
- TCP(TLS/1.0) hunter-####.d####.com:443
Запросы DNS:
- a####.exc.mob.com
- a####.u####.com
- acti####.russi####.cn
- adv-u####.t####.u####.net
- adv.99y####.com
- adv.jpi####.com
- aliyuno####.oss-cn-####.aliy####.com
- aliyuns####.oss-cn-####.aliy####.com
- an####.l####.com
- and####.b####.qq.com
- api.51aiz####.cn
- api.zhuishu####.com
- c.no####.net
- cgi.con####.qq.com
- chap####.zhuishu####.com
- dc.l####.com
- en####.tui####.com
- fi####.d####.com
- hotfix####.oss-cn-####.aliy####.com
- hunter-####.d####.com
- ip.goq####.com
- is.sn####.com
- mobjump####.oss-cn-####.aliy####.com
- pi####.qq.com
- r####.wx.qq.com
- sdk.c####.com
- src.r####.com
- st####.ton####.net
- sta####.zhuishu####.com
- yun.d####.com
- yun.d####.com.cn
- yun.russi####.cn
- yun.tuis####.com
- yun.tuit####.com
Запросы HTTP GET:
- acti####.russi####.cn/activity/getAllSkin?timestamp=####&couponSkinId=##...
- acti####.russi####.cn/activity/getReturnPage?slotId=####&id=####&login=#...
- acti####.russi####.cn/activity/index?id=####&slotId=####&login=####&appK...
- acti####.russi####.cn/common/ip
- acti####.russi####.cn/domainWhite/getAll
- acti####.russi####.cn/statistics/activityPagePerf?group_type=####&platfo...
- api.zhuishu####.com/book/recommend?gender=####
- api.zhuishu####.com/mix-atoc/55eef8b27445ad27755670b9?view=####
- cgi.con####.qq.com/qqconnectopen/openapi/policy_conf?sdkv=####&appid=###...
- en####.tui####.com/index/activity?appKey=####&adslotId=####
- fp-st####.b0.a####.com/tdu/tdu_js_file.js?partner=####&appName=####&even...
- gl####.w.kunl####.####.com/agent/http://img.1391.com/api/v1/bookcenter/c...
- gl####.w.kunl####.####.com/h5-tuia/couponPrize/lucky.png?nnn=####
- hd.a####.com/android/adv/qsz/advsdk/release/advsdk-release.enc
- hd.a####.com/android/adv/qsz/resource/ljsdk.dex
- mobjump####.oss-cn-####.aliy####.com/libs/aristotle_20191119_v50.zip
- src.r####.com.####.com/kubo/dex/luomi_9.1.24.dex
- yun.d####.com/figerprint/webfiger.cache.js?x=####
- yun.russi####.cn.####.com/h5-mami/activity/turnCircle/5.0/actBase_201809...
- yun.russi####.cn.####.com/h5-mami/h5-discern-simulator-1.0.19.min.js?t=#...
- yun.russi####.cn.####.com/h5-mami/insurance/taobao/clipboard.min.js
- yun.russi####.cn.####.com/mami-media/img/12hvqip0j7.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/1as65nrdw0.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/1n1fz4ba7p.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/2d8ooehycw.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/aauhm5yr1r.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/ajj8qizyko.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/j0lueut1rx.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/kbv48gn7wh.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/kpt1wo69ih.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/qux0vjbqaq.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/vlsy7wxx50.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/wl2tljln4l.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/xhuejr13m8.jpg?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/yvk33lntl5.png?x-oss-process=####
- yun.russi####.cn.####.com/newactivity/assets/actBase.89cb4bfd.js
- yun.russi####.cn.####.com/newactivity/assets/actBase.e3ec4c0b.css
- yun.russi####.cn.####.com/newactivity/assets/actCommon.87b11218.css
- yun.russi####.cn.####.com/newactivity/assets/actCommon.d43ff6ce.js
- yun.russi####.cn.####.com/newactivity/assets/gyroscope.90b7461a.js
- yun.russi####.cn.####.com/newactivity/assets/pluginActCommon.d4420345.js
- yun.russi####.cn.####.com/newactivity/assets/touchs.3bae3309.js
- yun.russi####.cn.####.com/newactivity/assets/turnCircle-1.0.5953b65b.css
- yun.russi####.cn.####.com/newactivity/assets/turnCircle-1.0.dc01d5a8.js?...
- yun.tuis####.com/h5-mami/activity/components/incentive/gift.png?x-oss-pr...
- yun.tuis####.com/h5-mami/activity/hand.png
- yun.tuis####.com/h5-mami/couponPrize/1.22.8/bg-back.png
- yun.tuis####.com/h5-mami/couponPrize/1.22.8/bg-front.png
- yun.tuis####.com/h5-mami/couponPrize/1.22.8/button.png
- yun.tuis####.com/h5-mami/couponPrize/1.22.8/index_201806221917.css
- yun.tuis####.com/h5-mami/couponPrize/1.22.8/index_201806221917.js
- yun.tuis####.com/h5-mami/couponPrize/1.22.8/mao.png
- yun.tuis####.com/h5-mami/couponPrize/1.22.8/redpacks.png
- yun.tuis####.com/h5-mami/couponPrize/1.22/bg-back-green.png
- yun.tuis####.com/h5-mami/couponPrize/1.22/bg-front-green.png
- yun.tuis####.com/h5-mami/couponPrize/1.22/bg-front-low.png
- yun.tuis####.com/h5-mami/couponPrize/1.22/body-green.png
- yun.tuis####.com/h5-mami/couponPrize/1.22/body.png
- yun.tuis####.com/h5-mami/couponPrize/1.22/win-tip.png
- yun.tuis####.com/h5-mami/couponPrize/3.8/halo2.png
- yun.tuis####.com/h5-mami/couponPrize/close.png
- yun.tuis####.com/h5/activity/turntable_circle/images/radius-1.png
- yun.tuis####.com/h5/activity/turntable_circle/images/radius-2.png
- yun.tuis####.com/h5/activity/turntable_circle/images/rule.png?x-oss-proc...
- yun.tuis####.com/h5/showCouponPrize/4.0.0/assets/light.png
- yun.tuis####.com/newactivity/assets/encourageIcon.792d512b.css
- yun.tuis####.com/newactivity/assets/encourageIcon.a1c34420.js
- yun.tuis####.com/newactivity/assets/encourageLayer.09421f78.css
- yun.tuis####.com/newactivity/assets/encourageLayer.ac5e8fd2.js
- yun.tuis####.com/newactivity/assets/showThanks.18de8f8a.css
- yun.tuis####.com/newactivity/assets/showThanks.baa45fac.js
- yun.tuis####.com/tuia/hunter/2.3.0/hunter.js
- zb####.v.qin####.com/chapter/http://book.my716.com/getBooks.aspx?method=...
Запросы HTTP POST:
- a####.exc.mob.com/errconf
- a####.u####.com/app_logs
- acti####.russi####.cn/activity/getLimitTimes
- acti####.russi####.cn/pluginTools/responsiveIndex
- acti####.russi####.cn/pluginTools/timingIndex
- acti####.russi####.cn/statistics/activityPagePerf?type=####&skinName=###...
- adv.99y####.com/adv/dayActive
- adv.99y####.com/adv/getTask
- adv.99y####.com/adv/pluginFeedback
- adv.99y####.com/adv/pluginReq
- adv.99y####.com/adv/taskFedback
- adv.jpi####.com/adv/pluginReq
- and####.b####.qq.com/rqd/async?aid=####
- api.51aiz####.cn/api/cmcc/activetoday
- api.51aiz####.cn/api/cmcc/check?sdk=####&app=####
- api.51aiz####.cn/api/cmcc/config?sdk=####&app=####
- api.51aiz####.cn/api/cmcc/register?sdk=####&app=####
- c.no####.net/e/a/t
- dc.l####.com/adLogs/adLog
- dc.l####.com/hLogs/saveHeartbeatLog
- dc.l####.com/startLog/startLog
- dc.l####.com/wLog/wLog
- fi####.d####.com/fingerprint/UVCount
- fi####.d####.com/fingerprint/userFind
- pi####.qq.com/mstat/report
- sdk.c####.com/versiontapi.php?v=####&type=####
Запросы HTTP OPTIONS:
- fi####.d####.com/fingerprint/UVCount
- fi####.d####.com/fingerprint/userFind
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/._MIME.MF
- /data/data/####/.duid
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.lock
- /data/data/####/.vpl_lock
- /data/data/####/1002
- /data/data/####/1004
- /data/data/####/61561a876896a2a77dd8fe35b4403c0b.db
- /data/data/####/75e6dbe2f26ce903d5507769b82e7a59f813bbdecc519a8....0.tmp
- /data/data/####/99fa89db37b9859fdb387aa6b1199ad2.db
- /data/data/####/9c3d140d5d1dd05fa78c6bea638152b0fe736a29a7a7602....0.tmp
- /data/data/####/CachedGeoposition.db
- /data/data/####/CachedGeoposition.db-journal
- /data/data/####/EjHxTEyytr.jar
- /data/data/####/JSON.xml
- /data/data/####/MIME.MF
- /data/data/####/Ql9mrNl.jar
- /data/data/####/RKnxuJHqsN.jar
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/a5bb8a5fa8d5fd2f3683fae6cb07615031911a2f58605c5....0.tmp
- /data/data/####/ax_c.xml
- /data/data/####/b1176c73c3ea877dce91ab3569bebf4d4e36b59846e6b38....0.tmp
- /data/data/####/b19288e.dex
- /data/data/####/b8881e73f05504043fc6a898e9a60e350d139a03f703029....0.tmp
- /data/data/####/bugly_db_-journal
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cmcc.xml
- /data/data/####/com.tencent.open.config.json.1106413839
- /data/data/####/com.zhangchen.reader.BETA_VALUES.xml
- /data/data/####/com.zhangchen.reader_preference.xml
- /data/data/####/com.zhangchen.reader_preferences.xml
- /data/data/####/crashrecord.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/domain_1
- /data/data/####/downloader.db-journal
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f1457f082411ff8cda8638ce1809c3c06bc84547a3f70e8....0.tmp
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/gg.dex
- /data/data/####/index
- /data/data/####/journal.tmp
- /data/data/####/libjiagu886892094.so
- /data/data/####/local_crash_lock
- /data/data/####/mc177.dex
- /data/data/####/mc_cache.xml
- /data/data/####/mob_commons_1
- /data/data/####/mob_sdk_exception_1
- /data/data/####/native_record_lock
- /data/data/####/security_info
- /data/data/####/temp_file
- /data/data/####/temp_file (deleted)
- /data/data/####/tencent_analysis.db-journal
- /data/data/####/tt_sdk_settings.xml
- /data/data/####/ttopenadsdk.xml
- /data/data/####/ttopensdk.db-journal
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/x9.so
- /data/media/####/-1515527597
- /data/media/####/-1741312354
- /data/media/####/-943431157
- /data/media/####/.artc_lock
- /data/media/####/.di
- /data/media/####/.dic_lock
- /data/media/####/.du_lock
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.gm_lock
- /data/media/####/.im_lock
- /data/media/####/.lesd_lock
- /data/media/####/.mn_-1464060969
- /data/media/####/.nomedia
- /data/media/####/.pkg_lock
- /data/media/####/.pkgs_lock
- /data/media/####/.rc_lock
- /data/media/####/.slw
- /data/media/####/.ss_lock
- /data/media/####/.wkl
- /data/media/####/1.txt
- /data/media/####/2.txt
- /data/media/####/3.txt
- /data/media/####/4.txt
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/sh -c getprop
- cat /sys/class/net/wlan0/address
- chmod 0755 <Package Folder>/app_ht_sdk/check/MIME.MF
- chmod 0755 <Package Folder>/app_ht_sdk/check/__MACOSX/._MIME.MF
- chmod 0755 <Package Folder>/app_ht_sdk/check/x9.so
- getprop
- getprop ro.build.version.emui
- getprop ro.letv.release.version
- getprop ro.vivo.os.build.display.id
Загружает динамические библиотеки:
- Bugly
- MtaNativeCrash
- libjiagu886892094
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- DES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-NoPadding
- AES-ECB-PKCS5Padding
- AES-GCM-NoPadding
- ARCFOUR
- DES
- DES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
