Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Spy.2442
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.b####.qq.com:8012
- TCP(HTTP/1.1) et2-na6####.wagbr####.ali####.####.com:80
- TCP(HTTP/1.1) l####.cc:80
- TCP(HTTP/1.1) hbk.shu####.cn:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) dsp.b####.s####.com:80
- TCP(HTTP/1.1) api.katou####.com:80
- TCP(HTTP/1.1) amdc####.m.ta####.com:80
- TCP(HTTP/1.1) gl####.w.kunl####.####.com:80
- TCP(HTTP/1.1) a####.b####.qq.com:8011
- TCP(HTTP/1.1) www.a.sh####.com:80
- TCP(HTTP/1.1) w####.sprit####.cn.####.com:80
- TCP(TLS/1.0) 2####.107.1.97:443
- TCP(TLS/1.0) dai.shu####.cn:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) dcc.shu####.cn:443
- TCP(TLS/1.0) api.shu####.cn:443
- TCP(TLS/1.0) daa.shu####.cn:443
- TCP(TLS/1.0) msg.umengc####.com:443
- TCP zb-cent####.m.ta####.com:443
Запросы DNS:
- a####.b####.qq.com
- a####.man.aliy####.com
- aexcep####.b####.qq.com
- amdc####.m.ta####.com
- and####.b####.qq.com
- api.katou####.com
- api.shu####.cn
- d####.shu####.cn
- daa.shu####.cn
- dai.shu####.cn
- dcc.shu####.cn
- dsp.b####.s####.com
- hbk.shu####.cn
- l####.cc
- log.u####.com
- msg.umengc####.com
- plb####.u####.com
- st####.1####.com
- u####.u####.com
- umen####.m.ta####.com
- w####.sprit####.cn
- www.b####.com
Запросы HTTP GET:
- et2-na6####.wagbr####.ali####.####.com/bar/get/5b73e7a7b27b0a610800010d/...
- gl####.w.kunl####.####.com/lw/img/2018/10/17/c9b4e8bcce79e5a77337d6cbd17...
- gl####.w.kunl####.####.com/qupost/image/sp/2018/10/17/2470582eb9f90a88da...
- gl####.w.kunl####.####.com/qupost/image/sp/2018/10/17/2dc886fbbca2c24b24...
- gl####.w.kunl####.####.com/qupost/image/sp/2018/10/17/9fa830949b0158c36f...
- gl####.w.kunl####.####.com/qupost/image/sp/2018/10/17/a821522d4131a08936...
- gl####.w.kunl####.####.com/qupost/image/sp/2018/10/17/ed75e1258595eec52d...
- gl####.w.kunl####.####.com/qupost/image/sp/2018/10/17/ff134f20674ebd93b0...
- l####.cc/i/sdk/is_gal?imei_md5=####&os=####&p_chklst_version=####&retry_...
- w####.sprit####.cn.####.com/picture/2019/0424/2ba59eea669f11e9acd5842b2b...
- w####.sprit####.cn.####.com/picture/2019/0424/5cc05209aee36_wpd.jpg
- w####.sprit####.cn.####.com/picture/2019/0425/5cc1d4844c8b2_wpd.jpg
- w####.sprit####.cn.####.com/picture/2019/0425/5cc1d5cb4fdd8_wpd.jpg
- w####.sprit####.cn.####.com/picture/2019/0425/f1358a54-6702-11e9-9ada-d4...
- www.a.sh####.com/
Запросы HTTP POST:
- a####.b####.qq.com:8011/rqd/async
- a####.b####.qq.com:8012/rqd/async
- amdc####.m.ta####.com/amdc/mobileDispatch?appkey=####&deviceId=####&plat...
- and####.b####.qq.com/rqd/async
- api.katou####.com/config/appConfig
- api.katou####.com/config/upgrade/check
- api.katou####.com/news/channel/getList
- api.katou####.com/news/getList
- api.katou####.com/task/treasureBox/getExpireTime
- api.katou####.com/video/channel/getList
- api.katou####.com/video/getList
- dsp.b####.s####.com/ldsbid?dspsrc=####
- hbk.shu####.cn/report?v=####&c=####&e=####&t=####
- l####.cc/i/sdk/install
- l####.cc/i/sdk/open
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/20b7b7bf2699b2cad960388fd220bedfdd29e7b20949dc4....0.tmp
- /data/data/####/79b7edb2625923bcc89336b068cf52706f5f0ea548d6bf8....0.tmp
- /data/data/####/80b1d39ae5bce4bea6bb0526c274c0ad219d1c476c6511a....0.tmp
- /data/data/####/ACCS_BINDumeng;5b73e7a7b27b0a610800010d.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/LKME_Server_Request_Queue.xml
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/MultiDex.lock
- /data/data/####/a==7.5.3&&1.1.3_1556238679694_envelope.log
- /data/data/####/accs.db-journal
- /data/data/####/bc32ae91220144d9431a8f253a6433861488791e9614aaa....0.tmp
- /data/data/####/bugly_db_legu-journal
- /data/data/####/c91b3e275c700290e331d45418f00fa47c0744e7c80b239....0.tmp
- /data/data/####/com.news.tutoutiao_dna.xml
- /data/data/####/com.news.tutoutiao_preferences.xml
- /data/data/####/com.news.tutoutiao_prefs.xml
- /data/data/####/d5ff2575315f903c1983d257a998dcba68bfc5aba361414...00dc.0
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4Njc4NTY1;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4Njg3MTUz;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4Njk0MTg1;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzA4MjI3;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzAxMjQz;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzE0NDM0;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzE2Njgw;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzE4NDY1;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzEwNDAz;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzEyMjE5;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzI0MjQ2;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzI2MDU5;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzIxOTUx;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzM0MTcy;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzM2MjYy;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzM4NDM5;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzMwMjEy;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzMyMzM5;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzQ3NDU5;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjM4NzQwMzE2;
- /data/data/####/dW1weF9wdXNoX3JlZ2lzdGVyXzE1NTYyMzg2ODIxODM=;
- /data/data/####/du.lock
- /data/data/####/e77d8ef2d5045eb4a8b23fcdb2cd87259a76d94df15b037....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/httpdns_config_cache.xml
- /data/data/####/httpdns_config_cache.xml.bak (deleted)
- /data/data/####/i==1.2.0&&1.1.3_1556238678683_envelope.log
- /data/data/####/i==1.2.0&&1.1.3_1556238687216_envelope.log
- /data/data/####/i==1.2.0&&1.1.3_1556238694228_envelope.log
- /data/data/####/i==1.2.0&&1.1.3_1556238701262_envelope.log
- /data/data/####/i==1.2.0&&1.1.3_1556238708257_envelope.log
- /data/data/####/info.xml
- /data/data/####/journal.tmp
- /data/data/####/libnfix.so
- /data/data/####/libshella-2.9.0.2.so
- /data/data/####/libufix.so
- /data/data/####/linkedme_referral_shared_pref.xml
- /data/data/####/linkedme_referral_shared_pref.xml.bak
- /data/data/####/linkedme_referral_shared_pref.xml.bak (deleted)
- /data/data/####/local_crash_lock
- /data/data/####/mix.dex
- /data/data/####/multidex.version.xml
- /data/data/####/myNewsHeadLine-db-journal
- /data/data/####/native_record_lock
- /data/data/####/security_info
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_message_state.xml
- /data/data/####/umeng_socialize.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromium.db-journal (deleted)
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/media/####/..ccdid
- /data/media/####/..ccvid
- /data/media/####/..cvtid
- /data/media/####/._android.dat
- /data/media/####/._system.dat
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.ccdid
- /data/media/####/.ccvid
- /data/media/####/.cvtid
- /data/media/####/.duid
- /data/media/####/.lm_device_id
- /data/media/####/.nomedia
- /data/media/####/.umm.dat
- /data/media/####/17987f03672042e781a148ced32f3331
- /data/media/####/527091c2bd67412a8e4329863bd32692
- /data/media/####/7133988eaf15477198bd63a443cee6be
- /data/media/####/97b87a49b6534e3aa2a9bf2166f48c97
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/_android.dat
- /data/media/####/_system.dat
- /data/media/####/a4a840564c704168a5a64001cefcf595
- /data/media/####/a7c7eb41c1b445e5875b8ee556774862
- /data/media/####/b109b67b0d9a4ed39b3e12a3a97d3cc6
- /data/media/####/crash2019-04-26 00;31;18.trace
- /data/media/####/crash2019-04-26 00;31;26.trace
- /data/media/####/crash2019-04-26 00;31;34.trace
- /data/media/####/crash2019-04-26 00;31;41.trace
- /data/media/####/crash2019-04-26 00;31;47.trace
- /data/media/####/crash2019-04-26 00;31;50.trace
- /data/media/####/crash2019-04-26 00;31;52.trace
- /data/media/####/crash2019-04-26 00;31;54.trace
- /data/media/####/crash2019-04-26 00;31;56.trace
- /data/media/####/crash2019-04-26 00;31;58.trace
- /data/media/####/crash2019-04-26 00;32;01.trace
- /data/media/####/crash2019-04-26 00;32;04.trace
- /data/media/####/crash2019-04-26 00;32;05.trace
- /data/media/####/crash2019-04-26 00;32;09.trace
- /data/media/####/crash2019-04-26 00;32;12.trace
- /data/media/####/crash2019-04-26 00;32;13.trace
- /data/media/####/crash2019-04-26 00;32;16.trace
- /data/media/####/crash2019-04-26 00;32;18.trace
- /data/media/####/crash2019-04-26 00;32;20.trace
- /data/media/####/crash2019-04-26 00;32;27.trace
- /data/media/####/db34ab33969a484885b7df795aa76537
- /data/media/####/deviceToken
- /data/media/####/duid
- /data/media/####/sysid.dat
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.9.0.2.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- date
- df
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- id
- ip link
- logcat -d -v threadtime
- ls /dev/socket
- ls /sys/class/thermal
- ls /system/fonts
- mkdir -p <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/
- ps
- service call iphonesubinfo 1
- sh -c cat /proc/meminfo
- sh -c cat /sys/class/net/eth0/address
- sh -c cd /proc/;cat cpuinfo
- sh -c cd /proc/net/ && cat arp
- sh -c cd /proc/self/;cat status
- sh -c echo MjRDNjhCRjJGRTcwRDZBMjdBMzM2RjUwMjIwRjNFRTRjOGZ2NXhDVjUrMllMaEtrSGRjWjQ2NGp3aGlwbGFNMTV4R3gydjFBVUIxUXMzVUNHMGN5OC9qNFJUK3E5N0xkbGYxdkF6WE5udSsxTDV0MnF6dSt5QnphWHRvODdJUmNxTjAvenE2bDBMeWpza3Zva0Z1UnFxMTdOMW9iWWFSZlArVkZJOE5oS0MvUmcvaWVtYkFyVG1jQlRJZWlJSGlJb3NNaDhZNFNRdFlVUGhBM2pFb3V4TEpJeHozSDdPN25wdEhrRTNqYXVMS1NndFlWY3Y4NXljSzE4YU5IaS9zSHBvWnF4S2FEMWgxVXRjd01wSmlFWlZRaHcvcnM5bmp4SUQvNEpCekE2SHJPS0syK2ljQXBpejJwUWc5Y09Pd3ovWWk2YXFoY3Q4NnJwb0g3Tk4vbTZqYjQzcTZvZ3pzK1lPQ2JRY1ZQRkd4NG1EdGZTKzJVbDYwTzRURlJNdWd5azVjSG43UnVjZ1VnOHM1RStxWUM1eEQ2YUdrZUNFc29vOHAzajNjbjJSWT0= > <SD-Card>/../../../../../..<SD-Card>/..ccdid
- sh -c echo MjRDNjhCRjJGRTcwRDZBMjdBMzM2RjUwMjIwRjNFRTRjOGZ2NXhDVjUrMllMaEtrSGRjWjQ2NGp3aGlwbGFNMTV4R3gydjFBVUIxUXMzVUNHMGN5OC9qNFJUK3E5N0xkbGYxdkF6WE5udSsxTDV0MnF6dSt5QnphWHRvODdJUmNxTjAvenE2bDBMeWpza3Zva0Z1UnFxMTdOMW9iWWFSZlArVkZJOE5oS0MvUmcvaWVtYkFyVG1jQlRJZWlJSGlJb3NNaDhZNFNRdFlVUGhBM2pFb3V4TEpJeHozSDdPN25wdEhrRTNqYXVMS1NndFlWY3Y4NXljSzE4YU5IaS9zSHBvWnF4S2FEMWgxVXRjd01wSmlFWlZRaHcvcnM5bmp4SUQvNEpCekE2SHJPS0syK2ljQXBpejJwUWc5Y09Pd3ovWWk2YXFoY3Q4NnJwb0g3Tk4vbTZqYjQzcTZvZ3pzK1lPQ2JRY1ZQRkd4NG1EdGZTKzJVbDYwTzRURlJNdWd5azVjSG43UnVjZ1VnOHM1RStxWUM1eEQ2YUdrZUNFc29vOHAzajNjbjJSWT0= > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/.ccdid
- sh -c echo MkZFODQyMUNCMDBBRUUxMzAyMjU3MTcyNEY5MzA2OTZFRDY1NDQ6RUMxNTQxOjJCNkU0Rg== > <SD-Card>/../../../../../..<SD-Card>/._android.dat
- sh -c echo MkZFODQyMUNCMDBBRUUxMzAyMjU3MTcyNEY5MzA2OTZFRDY1NDQ6RUMxNTQxOjJCNkU0Rg== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_android.dat
- sh -c echo NkRGMTFDMTFGMTFBODA1M0MwMjQ1QTZCQTVDNkU4MzIyMDE4MDIwOTAwMDM= > <SD-Card>/../../../../../..<SD-Card>/..ccvid
- sh -c echo NkRGMTFDMTFGMTFBODA1M0MwMjQ1QTZCQTVDNkU4MzIyMDE4MDIwOTAwMDM= > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/.ccvid
- sh -c echo NkUzODdCOTI3RUFGN0ExQTUxODFFMUEwODc4NkY4N0IxNTU2MjM4Njkx > <SD-Card>/../../../../../..<SD-Card>/..cvtid
- sh -c echo NkUzODdCOTI3RUFGN0ExQTUxODFFMUEwODc4NkY4N0IxNTU2MjM4Njkx > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/.cvtid
- sh -c echo QjU4NUVFQTBCMEQ3MkI1Mzg5QjM5ODQ1MzQ1NUNFMDMzQzdBQjU6ODg2Qzc4OjI3RERDMw== > <SD-Card>/../../../../../..<SD-Card>/._system.dat
- sh -c echo QjU4NUVFQTBCMEQ3MkI1Mzg5QjM5ODQ1MzQ1NUNFMDMzQzdBQjU6ODg2Qzc4OjI3RERDMw== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_system.dat
- sh -c echo RkVENzdCRjI4REE5RUZFRDREOTQ4REM2OUU3RkI5Q0ZlYzZhOGY1ZmVkZGQ0MDczODliOTlmNjc3NWI0NTdmaQo= > <SD-Card>/../../../../../..<SD-Card>/.duid
- sh -c echo RkVENzdCRjI4REE5RUZFRDREOTQ4REM2OUU3RkI5Q0ZlYzZhOGY1ZmVkZGQ0MDczODliOTlmNjc3NWI0NTdmaQo= > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/duid
Загружает динамические библиотеки:
- Bugly
- du
- libnfix
- libshella-2.9.0.2
- libufix
- nfix
- tnet-3.1
- ufix
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-GCM-NoPadding
- RSA
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-GCM-NoPadding
- desede-CBC-NoPadding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
