Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.RemoteCode.41.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.d####.com:80
- TCP(HTTP/1.1) u####.a####.top:80
- TCP(HTTP/1.1) res####.a####.top:80
- TCP(HTTP/1.1) f.qia####.com:80
- TCP(HTTP/1.1) a####.w####.com:80
- TCP(HTTP/1.1) api.m2g.adoc####.com:80
- TCP(HTTP/1.1) gd.a.s####.com:80
- TCP(HTTP/1.1) h.w####.com:80
- TCP(HTTP/1.1) api.lubang####.com:80
- TCP(HTTP/1.1) kou####.a####.top:80
- TCP(HTTP/1.1) ad.qia####.com:80
- TCP(HTTP/1.1) i####.d####.cn:80
- TCP(HTTP/1.1) 58.2####.203.36:654
- TCP(HTTP/1.1) dup.baidust####.com:80
- TCP(HTTP/1.1) ip.j####.com:999
- TCP(HTTP/1.1) ip.j####.com:99
- TCP(HTTP/1.1) p####.api.adoc####.com:80
- TCP(HTTP/1.1) p####.pc####.com.cn:80
- TCP(HTTP/1.1) i####.pcon####.com.cn:80
- TCP(HTTP/1.1) api.gug####.com:8935
- TCP(HTTP/1.1) d####.cn:80
- TCP(HTTP/1.1) co####.ssp.adoc####.com:80
- TCP(HTTP/1.1) t####.a####.top:80
- TCP(HTTP/1.1) pos.b####.com:80
- TCP(HTTP/1.1) 58.2####.201.145:654
- TCP(HTTP/1.1) s.zhito####.com:88
- TCP(HTTP/1.1) 58.2####.198.157:999
- TCP(HTTP/1.1) dsp.huoli####.cn:80
- TCP(HTTP/1.1) 1####.75.90.218:80
- TCP(HTTP/1.1) s.zhito####.com:808
- TCP(HTTP/1.1) s.zhito####.com:807
- TCP(HTTP/1.1) 1####.75.92.94:80
- TCP(HTTP/1.1) api.yunco####.com:80
- TCP(HTTP/1.1) ad.w####.com:80
- TCP(HTTP/1.1) api.adoc####.com:80
- TCP(HTTP/1.1) vvv.focusd####.cn:80
- UDP(NTP) 2.and####.p####.####.org:123
- TCP(TLS/1.0) api.g####.vip:443
- TCP(TLS/1.0) p####.pc####.com.cn:443
- TCP(TLS/1.0) p####.m.jd.com:443
- TCP(TLS/1.0) mg####.pcon####.com.cn:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) t####.pc####.com.cn:443
- TCP(TLS/1.0) js.3con####.com:443
- TCP(TLS/1.0) i####.j####.com:443
- TCP(TLS/1.0) pc####.i####.com:443
- TCP(TLS/1.0) dup.baidust####.com:443
- TCP(TLS/1.0) lhyysdk####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) img.pcon####.com.####.cn:443
- TCP(TLS/1.0) wl.jd.com.####.com:443
- TCP(TLS/1.0) www.pc####.com.####.cn:443
- TCP(TLS/1.0) ec####.b####.com:443
- TCP(TLS/1.0) c####.pc####.com.cn:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) i####.d####.com:443
- TCP(TLS/1.0) pos.b####.com:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) ivy.pcon####.com.cn:443
- TCP(TLS/1.0) www.google-####.com:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) cdn.boo####.com.####.com:443
- TCP(TLS/1.0) cr.3con####.com:443
- TCP(TLS/1.0) sw3.d####.com:443
- TCP(TLS/1.0) u.j####.com:443
Запросы DNS:
- 2.and####.p####.####.org
- 611.a####.top
- a####.d####.com
- a####.w####.com
- ad.qia####.com
- ad.w####.com
- api.adoc####.com
- api.g####.vip
- api.gug####.com
- api.lubang####.com
- api.m2g.adoc####.com
- api.yunco####.com
- c####.mm####.com
- c####.pc####.com.cn
- c####.zhito####.com
- c.c####.com
- cdn.boo####.com
- co####.ssp.adoc####.com
- cr.3con####.com
- d####.cn
- dsp.huoli####.cn
- dup.baidust####.com
- ec####.b####.com
- f.qia####.com
- filt####.a####.top
- h.w####.com
- hm.b####.com
- i####.d####.cn
- i####.d####.com
- i####.pcon####.com.cn
- img.pcon####.com.cn
- ip.j####.com
- ip.zhito####.com
- ivy.pcon####.com.cn
- js.3con####.com
- kou####.a####.top
- lhyysdk####.oss-cn-####.aliy####.com
- lr.3con####.com
- m.360bu####.com
- mg####.pcon####.com.cn
- p####.api.adoc####.com
- p####.m.jd.com
- p####.pc####.com.cn
- pc####.i####.com
- pos.b####.com
- pv.s####.com
- res####.a####.top
- s.zhito####.com
- s13.c####.com
- s4.c####.com
- s5.c####.com
- sto####.360bu####.com
- sw3.d####.com
- t####.a####.top
- t####.pc####.com.cn
- u####.a####.top
- u.j####.com
- v1.c####.com
- vvv.focusd####.cn
- w####.jd.com
- w####.pc####.com.cn
- w####.pcon####.com.cn
- www.google-####.com
- www.pc####.com.cn
- www.pcon####.com.cn
- z11.c####.com
- z3.c####.com
- z6.c####.com
- z7.c####.com
- z9.c####.com
Запросы HTTP GET:
- a####.d####.com/rewrite?fromid=####
- api.adoc####.com/ssp/mgm/task?taskId=####&ip=####
- api.adoc####.com/titan/monitor/device_info
- api.m2g.adoc####.com/ssp/mgm/task?taskId=####&ip=####
- co####.ssp.adoc####.com/api/v2/SDKCommonConfig?channelCode=####&version=...
- co####.ssp.adoc####.com/api/v2/mgmConfig?channelCode=####&version=####
- co####.ssp.adoc####.com/api/v2/mgmWebviewRatioConfig?channelCode=####&ve...
- d####.cn/aawc.html
- d####.cn/aawm.html
- d####.cn/baiduwm.html
- d####.cn/bbwc.html
- d####.cn/bbwm.html
- d####.cn/fenpei.html?c####
- d####.cn/xincan.html?4####
- d####.cn/yhyd.html
- dsp.huoli####.cn/fenpei.html?3####
- dsp.huoli####.cn/web/app.html
- dsp.huoli####.cn/web/wap.html
- dsp.huoli####.cn/xincan.html?3####
- dsp.huoli####.cn/xincan.html?4####
- dup.baidust####.com/js/os.js
- f.qia####.com/e/20191108171457b_600017_v61.enc
- gd.a.s####.com/cityjson?ie=####
- i####.d####.cn/goldcool.php?id=####
- i####.pcon####.com.cn/blank.gif
- ip.j####.com:99/IP/Index/geturls
- ip.j####.com:99/Public/Access/js/modules/common.js
- ip.j####.com:99/Public/Access/js/modules/creifr.js
- ip.j####.com:99/ip/index.html
- ip.j####.com:999/wap/index.php?0####
- kou####.a####.top/kouling.json
- p####.api.adoc####.com/ip
- p####.pc####.com.cn/cars/image/1471508-1-sg9488-o1.html?ad=####
- pos.b####.com/bctm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/bctm?psi=1fe629bab3d4cee20ea84826b57cf9a9&di=6669420&dri=0...
- pos.b####.com/bfp/snippetcacher.php?dpv=####&di=####
- pos.b####.com/fcdm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/fcdm?psi=b2d63b4c5d96995e6432b8087a1a537a&di=6669420&dri=0...
- pos.b####.com/fcqm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/fcqm?psi=c86038f29276a2fd8314ef0c870c22dc&di=6669420&dri=0...
- pos.b####.com/gcsm?conwid=234&conhei=60&rtbid=3033352&rdid=13147349&dc=2...
- pos.b####.com/gcsm?psi=7e668a47efe2b08d4851592e9bb1f061&di=5897808&dri=0...
- pos.b####.com/gcwm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/gcwm?psi=c00a6720bc37287bf925aa6d16c35357&di=6669420&dri=0...
- pos.b####.com/hcim?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/hcim?psi=6be00a309381a8e4d0e300809f717059&di=6669420&dri=0...
- pos.b####.com/hcvm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/hcvm?psi=ab261cb5e1e687122577f735b8200282&di=6669420&dri=0...
- pos.b####.com/jclm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/jclm?psi=88589af16984f7a2b6b7c5edd21da073&di=6669420&dri=0...
- pos.b####.com/lccm?psi=####&di=####&dri=####&dis=####&dai=####&ps=####&e...
- pos.b####.com/mcsm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/mcsm?psi=0cf8240483ffe68dd09f338c32b56d62&di=6669420&dri=0...
- pos.b####.com/mcym?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/mcym?psi=a7e0fc8cb318217ea29593292f5f0a41&di=6669420&dri=0...
- pos.b####.com/ncqm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/ncqm?psi=748f56dd7ed7cf7d66b7c507cc7d763f&di=6669420&dri=0...
- pos.b####.com/ocum?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/ocum?psi=adc96ebd1985ab37d3765de41c3f9697&di=6669420&dri=0...
- pos.b####.com/ocxm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/ocxm?psi=2bcb22d936831a0c821db09d1637e1a2&di=6669420&dri=0...
- pos.b####.com/pcrm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/pcrm?psi=7f87d6488e859f152d1c5d22c30a7984&di=6669420&dri=0...
- pos.b####.com/pcum?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/pcum?psi=5eeff04eb11d5402eea8b828160df6d2&di=6669420&dri=0...
- pos.b####.com/scnm?psi=687ebdcdf828be0ad06ccfde492659a8&di=6611856&dri=0...
- pos.b####.com/scqm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/scqm?psi=05ee6384575ce8ddfc2ed5586021c61d&di=6669420&dri=0...
- pos.b####.com/tckm?conwid=234&conhei=60&rtbid=3033352&rdid=13147349&dc=2...
- pos.b####.com/tckm?psi=30cabed5e6440c4f7194aa278c6d472d&di=5897808&dri=0...
- pos.b####.com/tcpm?conwid=234&conhei=60&rtbid=3184800&rdid=13808384&dc=2...
- pos.b####.com/tcpm?psi=8d5b5d1148ec89310c17446ad39ad522&di=6669420&dri=0...
- pos.b####.com/xcbm?conwid=####&conhei=####&rtbid=####&rdid=####&dc=####&...
- pos.b####.com/xcbm?psi=####&di=####&dri=####&dis=####&dai=####&ps=####&e...
- pos.b####.com/xclm?psi=d6e17cf9fcee23e48b32f129febbd639&di=6688728&dri=0...
- res####.a####.top/LHYY.png
- res####.a####.top/filter_control_611.json
- res####.a####.top/sdk16.png
- res####.a####.top/sdk17.png
- res####.a####.top/sdk18.png
- res####.a####.top/sdk5_2.png
- res####.a####.top/sdk7.png
- s.zhito####.com:807/528/jd0622.html
- s.zhito####.com:807/ip/ip.html
- s.zhito####.com:808/0622/index.html
- s.zhito####.com:808/0622/yrc_001mobile.js
- s.zhito####.com:88/wap.html
- t####.a####.top/channl_adong5.png
- u####.a####.top/611.html
- vvv.focusd####.cn/ad/v1/log.action?action=####&package=####&channel=####...
Запросы HTTP POST:
- a####.w####.com/rest/pt
- ad.qia####.com//api/2io82K
- ad.qia####.com//api/8VbeIo
- ad.qia####.com//api/Ddgv3VE
- ad.qia####.com//api/Mny1OOW3
- ad.qia####.com//api/QTnLukEdO1
- ad.qia####.com//api/SEEzevU1
- ad.qia####.com//api/SJoGF44Q
- ad.qia####.com//api/SVFUp6
- ad.qia####.com//api/voEYG7
- ad.w####.com/api.htm?pid=####
- api.gug####.com:8935/
- api.lubang####.com/domain.php
- api.lubang####.com/srp.php
- api.yunco####.com/service/rest
- h.w####.com/api/Gu5wT0Z
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.3WN9
- /data/data/####/.5TE4.xml
- /data/data/####/.J1_v.xml
- /data/data/####/.__mob_ad_data.xml
- /data/data/####/.fKSra
- /data/data/####/.fKSra.zip
- /data/data/####/16.jar
- /data/data/####/17.jar
- /data/data/####/18.jar
- /data/data/####/1c57054f65daf33c2ff6aafa6e479c44.db
- /data/data/####/5_2.jar
- /data/data/####/7.jar
- /data/data/####/7295ece1696c2c3e0ee9a8b27f4b49a3.db
- /data/data/####/85b8370a53d6eca22da5f3fb5c291ed7.db
- /data/data/####/ahq_spu_ti.xml
- /data/data/####/countIp.xml
- /data/data/####/d19e9c953d3ee5108f32dc026e00652c.db
- /data/data/####/d19e9c953d3ee5108f32dc026e00652c.jar
- /data/data/####/d2530b6daefa9b15f2ea89ae51fb23b6.db
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/downUmeng.jar
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/fe0dfcec6e195d55d555804df2596854.db
- /data/data/####/hhq_spu_ti.xml
- /data/data/####/index
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/xx.dsad.xxxxsadxhcTEST.xml
- /data/data/####/xx_dsad_xxxxsadxhcTEST.txt
- /data/media/####/.YiAds.log
- /data/media/####/.YiAds_Net.log
- /data/media/####/xx_dsad_xxxxsadxhcTEST.txt
Другие:
Запускает следующие shell-скрипты:
- cat /proc/cpuinfo
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- DES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- DES
- DES-CBC-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
