Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.RemoteCode.127.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.b####.qq.com:8012
- TCP(HTTP/1.1) do####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) imgpac####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) a####.b####.qq.com:8011
- TCP(HTTP/1.1) sy####.do####.cn:80
- TCP(TLS/1.0) api.s####.com:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) 1####.217.19.206:443
- TCP(TLS/1.0) s####.j####.cn:443
- UDP s.j####.cn:19000
- TCP 43.2####.88.91:7000
Запросы DNS:
- a####.b####.qq.com
- aexcep####.b####.qq.com
- and####.b####.qq.com
- api.s####.com
- do####.oss-cn-####.aliy####.com
- imgpac####.oss-cn-####.aliy####.com
- log.u####.com
- mt####.go####.com
- plb####.u####.com
- s####.j####.cn
- s####.u####.com
- s.j####.cn
- sis.j####.io
- sy####.do####.cn
- u####.u####.com
- up####.sdk.jig####.cn
Запросы HTTP GET:
- do####.oss-cn-####.aliy####.com/app_img/index_pro.png
- do####.oss-cn-####.aliy####.com/app_img/me_index/index_vip.png
- do####.oss-cn-####.aliy####.com/cms/2018/11/c461542013733554.png
- do####.oss-cn-####.aliy####.com/cms/2018/11/c461542013776601.png
- do####.oss-cn-####.aliy####.com/cms/2018/11/c471542013652386.png
- do####.oss-cn-####.aliy####.com/cms/2018/11/c491542013750166.png
- do####.oss-cn-####.aliy####.com/cms/2018/11/c501542013763347.png
- do####.oss-cn-####.aliy####.com/cms/2018/11/c601542013832785.png
- do####.oss-cn-####.aliy####.com/cms/2018/11/c721542013801375.png
- do####.oss-cn-####.aliy####.com/cms/2018/11/c971542013788403.png
- do####.oss-cn-####.aliy####.com/cms/2019/2/c661550746297591.jpg
- do####.oss-cn-####.aliy####.com/cms/2019/3/c121553566583773.jpg
- do####.oss-cn-####.aliy####.com/cms/2019/3/c131552360153952.jpg
- do####.oss-cn-####.aliy####.com/cms/2019/3/c181551956019050.jpg
- do####.oss-cn-####.aliy####.com/cms/2019/3/c201552191036225.png
- do####.oss-cn-####.aliy####.com/cms/2019/3/c221552360137330.jpg
- do####.oss-cn-####.aliy####.com/cms/2019/3/c271552191202578.png
- do####.oss-cn-####.aliy####.com/cms/2019/3/c441551955710481.png
- do####.oss-cn-####.aliy####.com/cms/2019/3/c461552191137310.png
- do####.oss-cn-####.aliy####.com/cms/2019/3/c491552191167104.png
- do####.oss-cn-####.aliy####.com/cms/2019/3/c541552191057487.png
- do####.oss-cn-####.aliy####.com/cms/2019/3/c541552360177508.jpg
- do####.oss-cn-####.aliy####.com/cms/2019/3/c681552191046516.png
- do####.oss-cn-####.aliy####.com/cms/2019/3/c691552644151643.png
- do####.oss-cn-####.aliy####.com/cms/2019/3/c761551955695282.png
- do####.oss-cn-####.aliy####.com/cms/2019/3/c901552360119166.jpg
- do####.oss-cn-####.aliy####.com/cms/2019/4/c231555986237943.jpg
- do####.oss-cn-####.aliy####.com/cms/2019/4/c941555984732609.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/3/c121521105444651.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/3/c201521193976699.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/3/c301520490803329.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/3/c351521105743184.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/3/c511521191866606.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/3/c571520490636455.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/3/c691521105485339.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/8/c701534471929521.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/9/c111537506560413.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/9/c141538103886657.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/9/c151538299867878.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/9/c501537506267383.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/9/c501538104538188.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/9/c561537495788264.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/9/c821538111162222.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/9/c871537507916468.jpg
- imgpac####.oss-cn-####.aliy####.com/cms/2018/9/c971537495756168.jpg
Запросы HTTP POST:
- a####.b####.qq.com:8011/rqd/async
- a####.b####.qq.com:8012/rqd/async
- and####.b####.qq.com/rqd/async
- and####.b####.qq.com/rqd/async?aid=####
- sy####.do####.cn/api/index/category_list
- sy####.do####.cn/api/index/category_list_2
- sy####.do####.cn/api/index/index
- sy####.do####.cn/api/index/index_detail
- sy####.do####.cn/api/index/search_key
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/05a07da9f8bc1fd3541707b1962b63d5d5b2c6f78ca1a1c....0.tmp
- /data/data/####/1004
- /data/data/####/13807c81c1964006522ef352e598c50ea090c8710ebc81a....0.tmp
- /data/data/####/1556293777091.log
- /data/data/####/19a670246f46fbbf0f0fce9213ea2df3904e7072011bec7....0.tmp
- /data/data/####/1cc3e8c02159858edeeded16857bffa068241966471330b....0.tmp
- /data/data/####/287034d6619e995af440cdb783586dcd983105bb32f5fc4....0.tmp
- /data/data/####/2bb87a1e83933ac668c46ac705a70f92e741a2765b58780....0.tmp
- /data/data/####/2ddb830827a2a813d46946b0395151b84f9ab583fd67f8d....0.tmp
- /data/data/####/2e897ea0bd756cab35e0cf258c0e8a4aac0c58668e4e04d....0.tmp
- /data/data/####/30d8f5b76be93742f30347dcc086ea4e663fc9aa98122e2....0.tmp
- /data/data/####/378c206d05c62563c26b07327fdbf5c7e9454abf83b6788....0.tmp
- /data/data/####/384f021688d761a41ec0ecc0474c1adbf8fdc565097d88d....0.tmp
- /data/data/####/3e8e1b3022922cb88dd2cb93690863eca85b69c74387371....0.tmp
- /data/data/####/50d7764c3433cdbd2b11399c30c498ddf34c5ab0f079ca7....0.tmp
- /data/data/####/5c38544c620c38a650defe49e4cab336291307e118e9ab2....0.tmp
- /data/data/####/5d4706b80094f97543c5a1afac36addaf65bf2fcb755473....0.tmp
- /data/data/####/5f859b40cd99aafbe1b9aa5bf2a1007ddd12a1e8adebe1e....0.tmp
- /data/data/####/602e76289ddc88f8c7dec4c6973c94717f040993c79d330....0.tmp
- /data/data/####/6190c802e3ac9cd06c69b4f3ed44176b2051e9a48b1786d....0.tmp
- /data/data/####/648436d714e6c4e1a65222bd2a4c29f1195c947bad2fbf1....0.tmp
- /data/data/####/64a1b25d8f8ea8884ae0bc09f75097a11960f64c65f756b....0.tmp
- /data/data/####/6733cec1d741cf5a84cfca304944e424a4f2d2ac3f7c94e....0.tmp
- /data/data/####/901386cef3548abee391d11f1cda4862368a3d744fa2283....0.tmp
- /data/data/####/9350c6a0c7b23d6369f8aa2bf21d5b15e9e829da439d259....0.tmp
- /data/data/####/999577426ad6ba16dee2217bc6ea1a74f04923183723105....0.tmp
- /data/data/####/9dab61a36daf8d991c6fae488100dd444d6d391d4178400....0.tmp
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/JPushSA_Config.xml
- /data/data/####/MultiDex.lock
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/a8a5da43088f91081047db5ab732e350311f870b7253e0d....0.tmp
- /data/data/####/aea8de58251d694577b7d92f30299245612365988a1e74a....0.tmp
- /data/data/####/appPackageNames_v2
- /data/data/####/b41ca663f24ec7122ca76f9b6be84470f02d2ac5233fb9f....0.tmp
- /data/data/####/b535896632f2f81bd3e376048d55cb00b6dd0962dc9134d....0.tmp
- /data/data/####/b6655c6db58f5b2a26ab2609fd8c932565528da0fe47c78....0.tmp
- /data/data/####/b8e33c97878c852a17db3db17bf4f2745104b381c4dc812....0.tmp
- /data/data/####/bugly_db_-journal
- /data/data/####/bugly_db_legu-journal
- /data/data/####/c7dacd73ae61d5dbfee5c3224a3cb224c6aae46a1763acc....0.tmp
- /data/data/####/cb27a7332735837c1d12ac33d95ed7d6f4272187d3cd1b8....0.tmp
- /data/data/####/cd0ac8141bd68083c9c802d113749da4ef35738f2956703....0.tmp
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/com.dora.syj.xml
- /data/data/####/crashrecord.xml
- /data/data/####/d373668fab2a99949cbdc5161653f17122e416e29e7db33....0.tmp
- /data/data/####/d7730fcb19cc82c2e1dd2a81701bd4dcfa710b95dc7bf97....0.tmp
- /data/data/####/d8e581771acf883f81a9f616faa4f0e1f7f13b59f3bb1cb....0.tmp
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU2MjkzNzc0MzAy;
- /data/data/####/dbe63fc06dd15a6f9ca76902c7653c7a7914fdb0a303c88....0.tmp
- /data/data/####/ded59e22dd3596a0b2d42dfbb23b662d384ab9a841cb78e....0.tmp
- /data/data/####/e52abc1a76f7def30614960e517095c611f252871adadb4....0.tmp
- /data/data/####/e721f815070ce71a3f7bbfb4fdd30000eb439e2aeaed034....0.tmp
- /data/data/####/ea250fb72a7eefff807bdc789cd8a2afa407810d3cf00ad....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f303acc343f8e78d94c9088e4b59f816046a86d5b9ea3a6....0.tmp
- /data/data/####/f99b16288fd12173ec7274e53f3d565de6667fa65041b49....0.tmp
- /data/data/####/i==1.2.0&&1.4.6_1556293774625_envelope.log
- /data/data/####/info.xml
- /data/data/####/journal.tmp
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_local_notification.db
- /data/data/####/jpush_local_notification.db-journal
- /data/data/####/jpush_local_notification.db-wal
- /data/data/####/jpush_stat_cache.json
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_statistics.db
- /data/data/####/jpush_statistics.db-journal
- /data/data/####/jpush_statistics.db-shm (deleted)
- /data/data/####/jpush_statistics.db-wal
- /data/data/####/libshella-2.9.1.2.so
- /data/data/####/libufix.so
- /data/data/####/local_crash_lock
- /data/data/####/mix.dex
- /data/data/####/multidex.version.xml
- /data/data/####/native_record_lock
- /data/data/####/pushcore_umeng_common_config.xml
- /data/data/####/security_info
- /data/data/####/sobot_chat_20190426_log.txt
- /data/data/####/sobot_config.xml
- /data/data/####/t==8.0.0&&1.4.6_1556293776531_envelope.log
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/data/####/wakeup_cache.json
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.push_deviceid
- /data/media/####/.umm.dat
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/sh -c getprop
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.9.1.2.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
- ls /
- ls /sys/class/thermal
Загружает динамические библиотеки:
- Bugly
- jcore119
- libnfix
- libshella-2.9.1.2
- libufix
- nfix
- ufix
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- AES-GCM-NoPadding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
