Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.DownLoader.860.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) sys.zhan####.com:80
- TCP(HTTP/1.1) web.st####.zhangy####.com:80
- TCP(HTTP/1.1) log.tracki####.com:80
- TCP(HTTP/1.1) ah2.zhan####.com:80
- TCP(HTTP/1.1) b####.d.ire####.com:80
- TCP(HTTP/1.1) log.ire####.com:80
- TCP(HTTP/1.1) src.r####.com:80
- TCP(HTTP/1.1) p####.zhan####.com:80
- TCP(HTTP/1.1) oth####.d.ire####.####.com:80
- TCP(HTTP/1.1) sdk.c####.com:80
- TCP(HTTP/1.1) doma####.zhangy####.com:80
- TCP(HTTP/1.1) up####.v.bs####.cn:80
- TCP(TLS/1.0) bo####.img.zhangy####.com:443
- TCP(TLS/1.0) o####.d.zhangy####.####.com:443
- TCP(TLS/1.0) av1.x####.com:443
- TCP(TLS/1.0) thi####.q####.cn:443
- TCP(TLS/1.0) an####.l####.com:443
- TCP(TLS/1.0) c####.x####.com:443
- TCP(TLS/1.0) dj.palmes####.com:443
- TCP(TLS/1.0) api.w####.com:443
- TCP(TLS/1.0) se####.d.zhangy####.####.cn:443
- TCP(TLS/1.0) sf3-ttc####.ps####.com:443
- TCP(TLS/1.0) api.up####.com:443
- TCP(TLS/1.0) web.st####.zhangy####.com:443
- TCP(TLS/1.0) seri####.d.zhangy####.com:443
- TCP(TLS/1.0) b####.d.ire####.com:443
Запросы DNS:
- ah2.zhan####.com
- an####.l####.com
- api.up####.com
- api.w####.com
- av1.x####.com
- b####.d.ire####.com
- b####.img.ire####.com
- bo####.d.ire####.com
- bo####.img.ire####.com
- bo####.img.zhangy####.com
- c####.x####.com
- c####.x####.com
- dc.l####.com
- dj.palmes####.com
- doma####.zhangy####.com
- i.ugc.co####.cn
- is.sn####.com
- log.ire####.com
- log.tracki####.com
- o####.d.zhangy####.com
- oth####.d.ire####.com
- p####.zhan####.com
- sdk.c####.com
- se####.d.zhangy####.com
- seri####.d.zhangy####.com
- sf3-ttc####.ps####.com
- src.r####.com
- sys.zhan####.com
- thi####.q####.cn
- web.st####.zhangy####.com
Запросы HTTP GET:
- ah2.zhan####.com/download_ext/dl_dyn_epub_free?pk=####&type=####&btype=#...
- b####.d.ire####.com/group7/M00/BE/3F/CmQUNFpTSgqEUxF5AAAAABuG10818383066...
- doma####.zhangy####.com/cloudconf/confs?random=####&p2=####&p3=####
- log.tracki####.com/receive/gettime
- oth####.d.ire####.####.com/group7/M00/00/E1/CmQUNFjmAHGEfY8aAAAAAPG0Et03...
- oth####.d.ire####.####.com/group7/M00/02/9F/CmQUNFjmQWaEaWPTAAAAAIjoT0s0...
- oth####.d.ire####.####.com/group7/M00/02/FE/CmQUNFjmS0iEYuE_AAAAALxr8Xo6...
- oth####.d.ire####.####.com/group7/M00/03/16/CmQUNFjmTe-EMJg-AAAAAPCPFys7...
- oth####.d.ire####.####.com/group7/M00/03/3F/CmQUNFjmUseEY1-hAAAAABUvVDU6...
- oth####.d.ire####.####.com/group7/M00/04/5C/CmQUNFjmb8mEdbg8AAAAAFjQBDg1...
- oth####.d.ire####.####.com/group7/M00/D7/7A/CmQUNFm4_Y6Efw2TAAAAANjCSbc5...
- oth####.d.ire####.####.com/group7/M00/FE/58/CmQUNFjjGpyEVqfaAAAAAIBhl0I4...
- oth####.d.ire####.####.com/group8/M00/19/ED/wKgHil2oCeWEMuKCAAAAACoPoeo2...
- p####.zhan####.com/cocoon/alias/gen?zyeid=####&usr=####&rgt=####&p1=####...
- src.r####.com/kubo/dex/luomi_9.1.29.dex
- up####.v.bs####.cn/group61/M00/30/22/CmQUOF2N3CiEP5ZmAAAAAKLKrKM67889299...
- up####.v.bs####.cn/group61/M00/30/26/CmQUOV2N3A2EFcU_AAAAAAmjpwU27022404...
- up####.v.bs####.cn/group61/M00/30/DC/CmQUOF2QIgSEIMhBAAAAAOFeIFc50784183...
- up####.v.bs####.cn/group61/M00/30/DF/CmQUOV2QIheEcCuiAAAAAAmjpwU42336841...
- web.st####.zhangy####.com/group61/M00/13/E8/CmQUOF1bkfyEKrgaAAAAAMI53Kc1...
- web.st####.zhangy####.com/group61/M00/21/F8/CmQUOV1x1yyEf710AAAAABe7Q4g0...
- web.st####.zhangy####.com/group61/M00/30/22/CmQUOF2N2z-ERtk2AAAAAC8vjdU6...
- web.st####.zhangy####.com/group61/M00/30/25/CmQUOV2N2lWEZIppAAAAAEy5oHY6...
- web.st####.zhangy####.com/group61/M00/30/26/CmQUOV2N2_CELUAZAAAAAOFeIFc6...
- web.st####.zhangy####.com/group61/M00/30/26/CmQUOV2N2yeEbSRxAAAAAPtilsQ2...
- web.st####.zhangy####.com/group61/M00/30/D0/CmQUOV2QFBOEcBG4AAAAAAMcoHA6...
- web.st####.zhangy####.com/group61/M00/30/DC/CmQUOF2QIieEPaMSAAAAAKLKrKM3...
- web.st####.zhangy####.com/group61/M00/30/DF/CmQUOV2QIeOEDXsyAAAAAPtilsQ4...
- web.st####.zhangy####.com/group61/M00/30/DF/CmQUOV2QIfSEbREZAAAAAC8vjdU3...
- web.st####.zhangy####.com/group61/M00/39/F9/CmQUOF2kGliEGfg2AAAAANo85as7...
- web.st####.zhangy####.com/group61/M00/3A/00/CmQUOV2kGpyEdJ5zAAAAAMjn0i06...
- web.st####.zhangy####.com/group61/M00/3F/55/CmQUOV2xKhyEUyh-AAAAAJNy15s8...
- web.st####.zhangy####.com/group61/M00/FF/17/CmQUOF06pQyEYcJHAAAAAGquExA9...
Запросы HTTP POST:
- ah2.zhan####.com/zyapi/bookstore/ad/boot
- log.ire####.com/log-agent/log
- log.ire####.com/log-agent/rlog
- log.tracki####.com/receive/tkio/install
- log.tracki####.com/receive/tkio/startup
- sdk.c####.com/versiontapi.php?v=####&type=####
- sys.zhan####.com/message/taskConfigure?package=####&zyeid=####&usr=####&...
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-5998622401067643521
- /data/data/####/0
- /data/data/####/1021689741840853517
- /data/data/####/1572113688080_2222
- /data/data/####/1572113688214.apk
- /data/data/####/1572113688240_2222
- /data/data/####/1572113688696_2222
- /data/data/####/1572113689446_2222
- /data/data/####/1572113690545_2326
- /data/data/####/1572113691888_2326
- /data/data/####/1572113692171_2326
- /data/data/####/1572113692260.apk
- /data/data/####/1572113692364_2222
- /data/data/####/1572113693134_2326
- /data/data/####/1572113693343_2222
- /data/data/####/1572113693573_2222
- /data/data/####/1572113694109_2222
- /data/data/####/1572113694691.apk
- /data/data/####/1572113695893.apk
- /data/data/####/1572113696969.apk
- /data/data/####/1572113696994.apk
- /data/data/####/1572113719890_2222
- /data/data/####/1572113720516_2222
- /data/data/####/1572113731190_2222
- /data/data/####/1572113731336_2222
- /data/data/####/1572113731503_2222
- /data/data/####/1572113752942_2222
- /data/data/####/Alvin2.xml
- /data/data/####/Archimedes_p1
- /data/data/####/Archimedes_p2
- /data/data/####/Archimedes_p3
- /data/data/####/Archimedes_p4
- /data/data/####/Archimedes_p5
- /data/data/####/ContextData.xml
- /data/data/####/GeneralSetting.xml
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/Reyun.db
- /data/data/####/Reyun.db-journal
- /data/data/####/TBFileDownload-journal
- /data/data/####/TDCloudSettingsConfig50E9251AE9D74852BE9061C7154394DD.xml
- /data/data/####/TD_app_pefercen_profile.xml
- /data/data/####/TDpref_cloudcontrol1.xml
- /data/data/####/TDpref_longtime.xml
- /data/data/####/TDpref_longtime0.xml
- /data/data/####/TDpref_shorttime.xml
- /data/data/####/TDpref_shorttime0.xml
- /data/data/####/ax_c.xml
- /data/data/####/com.chaozh.iReader.dj-1.apk.classes-1830078600.zip
- /data/data/####/com.chaozh.iReader.dj-1.apk.classes-2041632102.zip
- /data/data/####/com.chaozh.iReader.dj-1.apk.classes2.zip
- /data/data/####/com.chaozh.iReader.dj-1.apk.classes3.zip
- /data/data/####/com.zhangyue.iReader.SharedPreferences.temp.xml
- /data/data/####/com.zhangyue.iReader.SharedPreferences.xml
- /data/data/####/com.zhangyue.iReader.SharedPreferences.xml.bak
- /data/data/####/com.zhangyue.iReader.SharedPreferences.xml.bak (deleted)
- /data/data/####/com.zhangyue.iReader.bookstore.SP.xml
- /data/data/####/com.zhangyue.module.ad.xml
- /data/data/####/downloader.db-journal
- /data/data/####/experience.db-journal
- /data/data/####/gg.dex
- /data/data/####/guide.db
- /data/data/####/iReader.db-journal
- /data/data/####/info.txt
- /data/data/####/installedlist.plugin
- /data/data/####/iv
- /data/data/####/mc182.dex
- /data/data/####/mc_cache.xml
- /data/data/####/multidex.version.xml
- /data/data/####/pathinfo
- /data/data/####/pluginwebdiff_djbookdetail.tmp
- /data/data/####/pluginwebdiff_djbookstore.tmp
- /data/data/####/pluginwebdiff_djcommon
- /data/data/####/pluginwebdiff_djcommon.diff.tmp
- /data/data/####/pluginwebdiff_djconfig
- /data/data/####/pluginwebdiff_djconfig.diff.tmp
- /data/data/####/pluginwebdiff_djmine
- /data/data/####/pluginwebdiff_djmine.diff.tmp
- /data/data/####/salt
- /data/data/####/schedule
- /data/data/####/sp_push_time.xml
- /data/data/####/task.db-journal
- /data/data/####/tdid.xml
- /data/data/####/theme_bg1.xml
- /data/data/####/theme_bg2.xml
- /data/data/####/theme_bg3.xml
- /data/data/####/theme_bg5.xml
- /data/data/####/theme_bg_huyan.xml
- /data/data/####/theme_bg_yejian6.xml
- /data/data/####/theme_bg_yejian7.xml
- /data/data/####/theme_bg_yejian8.xml
- /data/data/####/theme_bg_yejian9.xml
- /data/data/####/theme_layout_manhua.xml
- /data/data/####/theme_layout_pad70.xml
- /data/data/####/theme_layout_pad70_chuban.xml
- /data/data/####/theme_layout_pad70_qingsuan.xml
- /data/data/####/theme_layout_pad70_wangwen.xml
- /data/data/####/theme_pager.xml
- /data/data/####/theme_user.xml
- /data/data/####/tracking_device_id_cache.xml
- /data/data/####/tracking_install.xml
- /data/data/####/tracking_interval.xml
- /data/data/####/tt_sdk_settings.xml
- /data/data/####/ttopenadsdk.xml
- /data/data/####/ttopensdk.db-journal
- /data/data/####/uparpu.db-journal
- /data/data/####/uparpu_agent_log
- /data/data/####/uparpu_sdk.xml
- /data/data/####/webview.db-journal
- /data/media/####/-1040484843.0.tmp
- /data/media/####/-1225687568.0.tmp
- /data/media/####/-558320990.0.tmp
- /data/media/####/-631110677.0.tmp
- /data/media/####/-776265040.0.tmp
- /data/media/####/.DS_Store
- /data/media/####/.nomedia
- /data/media/####/.yunba_device_id
- /data/media/####/03a86c8298b3084d0adf202c58c5e9f326e9194d6fbd89....0.tmp
- /data/media/####/08b4bb603502dd01e9c55def47cba95311645b8ca3a496....0.tmp
- /data/media/####/0d369625866da28d46a8c3834c0157b489c036d8c3db8c....0.tmp
- /data/media/####/0f503fbf209e144973112afd459bd348f29f1b02d424fb....0.tmp
- /data/media/####/1.zyesnext
- /data/media/####/10c6b56376167ba58aad1690f7948ae4a3614eea713262....0.tmp
- /data/media/####/1122321729
- /data/media/####/11280223.ix.tmp
- /data/media/####/11280520.ix
- /data/media/####/11283808.ix
- /data/media/####/11284828.ix
- /data/media/####/11285947.ix.tmp
- /data/media/####/11286811.ix.tmp
- /data/media/####/11287293.ix.tmp
- /data/media/####/11289215.ix.tmp
- /data/media/####/11289540.ix
- /data/media/####/11291310.ix
- /data/media/####/11297144.ix.tmp
- /data/media/####/11297854.ix.tmp
- /data/media/####/11543741.ix.tmp
- /data/media/####/11591784.ix.tmp
- /data/media/####/1283012fd41084d599f467e9d7963f31467f8e254ca60c....0.tmp
- /data/media/####/12fc2c9e2c70cdb7b0543e0423bfb5c31c7ff74582bc35....0.tmp
- /data/media/####/1406bb355ab95f7114516f9ef8aedb1451309f8be1580c....0.tmp
- /data/media/####/176896830.0.tmp
- /data/media/####/1948796308
- /data/media/####/1b98bdbd9ac9bf057617dd06d5ad1acff2e0074a18277e....0.tmp
- /data/media/####/2.zyesnext
- /data/media/####/2022752108.0.tmp
- /data/media/####/2337af8ed5b4a400f3ebade3f942a16bfc277c170f5696....0.tmp
- /data/media/####/276c3ba20016e9821bdc5eef3cdfa3232f9d19af9642bb....0.tmp
- /data/media/####/3.zyesnext
- /data/media/####/308923774.0.tmp
- /data/media/####/386951b6b855236ad25db9fbec853ecd.tmp
- /data/media/####/400994489.0.tmp
- /data/media/####/466a922c02b50e5872e456fdda69d21152e61fb7f61264....0.tmp
- /data/media/####/4f766cf8dc038f8b65cbdfa07a76de4e60ce16391e3ef1....0.tmp
- /data/media/####/5756863d98bc6c26c638a1a32d2f96b2d2251ec9f2aa33....0.tmp
- /data/media/####/5f761202959fb923264f85eb8951b6c4c0c130b6eec548....0.tmp
- /data/media/####/657eb18f9212ff927c65af32d8735eb7i2314388293&124012_0
- /data/media/####/657eb18f9212ff927c65af32d8735eb7i2314388293&124012_1
- /data/media/####/657eb18f9212ff927c65af32d8735eb7i2314388293&124012_11
- /data/media/####/657eb18f9212ff927c65af32d8735eb7i2314388293&124012_13
- /data/media/####/657eb18f9212ff927c65af32d8735eb7i2314388293&124012_20
- /data/media/####/657eb18f9212ff927c65af32d8735eb7i2314388293&124012_26
- /data/media/####/657eb18f9212ff927c65af32d8735eb7i2314388293&124012_27
- /data/media/####/657eb18f9212ff927c65af32d8735eb7i2314388293&124012_6
- /data/media/####/657eb18f9212ff927c65af32d8735eb7i2314388293&124012_8
- /data/media/####/657eb18f9212ff927c65af32d8735eb7i2314388293&124012_9
- /data/media/####/67c01adaeddce165e1e0641ef1d3fa31747722f6bf2056....0.tmp
- /data/media/####/687378379.0.tmp
- /data/media/####/7b3d1a2e738c4bbb92e9cabac697842accfbc3f86724d9....0.tmp
- /data/media/####/7ed79103d6614b153e8d003bba639bfb0011caf1ee61c6....0.tmp
- /data/media/####/814745cd148de543b190929017fc1d20707d58e845d2a0....0.tmp
- /data/media/####/862611071.0.tmp
- /data/media/####/86e9f5f12cdadb954a3b7df67e8a298543932978fc2105....0.tmp
- /data/media/####/9af8409ff799b054db6996ac7796b84e91d5b1dee38804....0.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/a7e95e7f1d102d9df38d77af8940969d7c33d67ac9e19b....0.tmp
- /data/media/####/ac541fa49e6c8a3f0f14ff6e5fc9c0579a795dc7ab2cbf....0.tmp
- /data/media/####/appCache_a6dc49d.zip.tmp
- /data/media/####/b14bbef1865400fbc677ad566ffa7914716885e4ffb7be....0.tmp
- /data/media/####/b4086d96e073e98a4cfdff4336b1d532e5da0edbac0769....0.tmp
- /data/media/####/bookfeed.png
- /data/media/####/c-1.zycp.tmp
- /data/media/####/c-2.zycp.tmp
- /data/media/####/c-3.zycp.tmp
- /data/media/####/c45edac25e341728e1baa9f62135785c4ace49961b50b7....0.tmp
- /data/media/####/c4959df480e72a40723a06235dab0fe2db3d1e0f8af5fc....0.tmp
- /data/media/####/cad3045803119acdd2554eb9884409e0.tmp
- /data/media/####/chap_vote_after_1x
- /data/media/####/chap_vote_after_2x
- /data/media/####/chap_vote_after_3x
- /data/media/####/chap_vote_before_1x
- /data/media/####/chap_vote_before_2x
- /data/media/####/chap_vote_before_3x
- /data/media/####/chapvote.db-journal
- /data/media/####/copyright.xhtml
- /data/media/####/discount.png
- /data/media/####/discount_v.png
- /data/media/####/e718874dbd34c64543769413bcb1d9a2b84c127eff2a92....0.tmp
- /data/media/####/ec761ae1893f72f03256a697fdaa1fdb0c119d26d86f8e....0.tmp
- /data/media/####/ee6e177fa7250fdc10c4eaa8a7090a9ad322865d17cfb5....0.tmp
- /data/media/####/f59bfc99628f1a88b0fc9b71ede0da098aae9654d9a574....0.tmp
- /data/media/####/fb388ba379cf836ddc5b63d60ee86c898f0bfec9118a8b....0.tmp
- /data/media/####/ff1fdd55df3a1b528cb188260fdb99b890f519625e23e4....0.tmp
- /data/media/####/ft_channel_channel_45e37f9.js
- /data/media/####/ft_channel_static_css_c_58f8bbc.css
- /data/media/####/ft_channel_static_css_second_2b1be85.css
- /data/media/####/ft_common_android_down_9781c21.js
- /data/media/####/ft_common_c_c708117.css
- /data/media/####/ft_common_static_js_zybridge_android_d3b3106.js
- /data/media/####/ft_common_static_js_zybridge_ios_3191181.js
- /data/media/####/ft_common_uu_638b01b.js
- /data/media/####/ft_common_zepto_5b96d2c.js
- /data/media/####/ft_sign_static_css_sign_a2804e3.css
- /data/media/####/ft_task_static_css_android_task_1f5e5ab.css
- /data/media/####/ft_task_static_css_android_v3_base_24095ce.css
- /data/media/####/ft_task_static_css_iphone_task_bbc2d8f.css
- /data/media/####/ft_task_static_css_iphone_v3_base_208f0aa.css
- /data/media/####/guide.gd
- /data/media/####/ic_ad_left.png
- /data/media/####/ic_ad_right.png
- /data/media/####/ic_ad_skip.png
- /data/media/####/idea.db-journal
- /data/media/####/ireader2.db
- /data/media/####/journal.tmp
- /data/media/####/mob_analysis.sjbd
- /data/media/####/mob_analysis_479387f7-f70d-4da8-a4a5-1df034af3666.iz
- /data/media/####/mob_analysis_50659cbc-699c-4272-921c-973aa8b7d3cd.iz
- /data/media/####/mob_analysis_6d92ad6c-cb08-4f14-9303-f610aa9f36e3.iz
- /data/media/####/order.xhtml
- /data/media/####/order_btn_bg.png
- /data/media/####/order_btn_bg_v.png
- /data/media/####/order_content.xhtml
- /data/media/####/order_h.xhtml
- /data/media/####/order_v_h.xhtml
- /data/media/####/public-0.zyres.tmp
- /data/media/####/public-1.zyres
- /data/media/####/temp_pkg_info.json
- /data/media/####/totalbookdown.xhtml
- /data/media/####/totalbookdown_bg.jpg
- /data/media/####/totalbookdown_button.png
- /data/media/####/《一品嫡女》.zyepub.tmp
- /data/media/####/《下堂王妃逆袭记》.zyepub.tmp
- /data/media/####/《剩女快穿33次》.jpg
- /data/media/####/《剩女快穿33次》.zyepub
- /data/media/####/《姐姐是演技派》.jpg
- /data/media/####/《姐姐是演技派》.zyepub
- /data/media/####/《娇妻高高在上》.zyepub.tmp
- /data/media/####/《总裁爹地宠上天》.zyepub.tmp
- /data/media/####/《独宠媚色皇妃》.jpg
- /data/media/####/《独宠媚色皇妃》.zyepub
- /data/media/####/《独家蜜婚:陆少的心尖宠妻》.zyepub.tmp
- /data/media/####/《神医废柴妃》.zyepub.tmp
- /data/media/####/《绝世兵锋》.jpg
- /data/media/####/《绝世兵锋》.zyepub
- /data/media/####/《老公宠妻太甜蜜》.zyepub.tmp
- /data/media/####/《超级纨绔系统》.jpg
- /data/media/####/《超级纨绔系统》.zyepub
- /data/media/####/《邪帝缠宠:神医九小姐》.zyepub.tmp
- /data/media/####/《重生毒妃狠绝色》.zyepub.tmp
Другие:
Запускает следующие shell-скрипты:
- getprop
- getprop ro.build.version.emui
- getprop ro.config.hw_notch_size
- getprop ro.flyme.published
- getprop ro.letv.release.version
- getprop ro.miui.notch
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
Загружает динамические библиотеки:
- UiControl
- patchMerge
- tingReader
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию о настроках APN.
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
