Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.DownLoader.860.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) sys.zhan####.com:80
- TCP(HTTP/1.1) dj.palmes####.com:80
- TCP(HTTP/1.1) bo####.d.ire####.####.com:80
- TCP(HTTP/1.1) log.tracki####.com:80
- TCP(HTTP/1.1) ah2.zhan####.com:80
- TCP(HTTP/1.1) b####.d.ire####.com:80
- TCP(HTTP/1.1) log.ire####.com:80
- TCP(HTTP/1.1) src.r####.com:80
- TCP(HTTP/1.1) p####.zhan####.com:80
- TCP(HTTP/1.1) b####.img.ire####.com:80
- TCP(HTTP/1.1) sdk.c####.com:80
- TCP(HTTP/1.1) doma####.zhangy####.com:80
- TCP(HTTP/1.1) o####.d.ire####.com:80
- TCP(HTTP/1.1) up####.v.bs####.cn:80
- TCP(TLS/1.0) o####.d.zhangy####.####.com:443
- TCP(TLS/1.0) av1.x####.com:443
- TCP(TLS/1.0) thi####.q####.cn:443
- TCP(TLS/1.0) s####.we####.com:443
- TCP(TLS/1.0) c####.x####.com:443
- TCP(TLS/1.0) stati####.palmes####.com.####.com:443
- TCP(TLS/1.0) api.w####.com:443
- TCP(TLS/1.0) se####.d.zhangy####.####.cn:443
- TCP(TLS/1.0) dj.palmes####.com:443
- TCP(TLS/1.0) api.up####.com:443
- TCP(TLS/1.0) pu####.sdk.guang####.com:443
- TCP(TLS/1.0) apk.shensh####.com.####.com:443
- TCP(TLS/1.0) o####.d.ire####.com:443
- TCP(TLS/1.0) is.sn####.com:443
- TCP(TLS/1.0) b####.d.ire####.com:443
Запросы DNS:
- ah2.zhan####.com
- an####.l####.com
- api.up####.com
- api.w####.com
- apk.shensh####.com
- av1.x####.com
- b####.d.ire####.com
- b####.img.ire####.com
- bo####.d.ire####.com
- bo####.img.ire####.com
- bo####.img.zhangy####.com
- c####.x####.com
- c####.x####.com
- dc.l####.com
- dj.palmes####.com
- doma####.zhangy####.com
- i.ugc.co####.cn
- is.sn####.com
- log.ire####.com
- log.tracki####.com
- o####.d.ire####.com
- o####.d.zhangy####.com
- p####.zhan####.com
- pu####.sdk.guang####.com
- q.q####.cn
- s####.we####.com
- sdk.c####.com
- se####.d.ire####.com
- se####.d.zhangy####.com
- seri####.d.zhangy####.com
- src.r####.com
- stati####.palmes####.com
- sys.zhan####.com
- t####.sin####.cn
- thi####.q####.cn
Запросы HTTP GET:
- b####.d.ire####.com/group7/M00/01/1C/CmQUNFjmBzOEexiIAAAAAHdYxGo79695614...
- b####.d.ire####.com/group7/M00/14/6A/CmQUily0W5CEFZe-AAAAAHYUgRI17660394...
- b####.img.ire####.com/group61/M00/43/B8/CmQUOF27jfWENwyNAAAAADqAoFY10399...
- b####.img.ire####.com/group61/M00/43/B8/CmQUOF27jhyEOGMsAAAAABne8vU29916...
- b####.img.ire####.com/group61/M00/43/BA/CmQUOF27jnWEdhwMAAAAALd0uz884536...
- b####.img.ire####.com/group61/M00/43/C2/CmQUOV27jp2EBa1iAAAAAEqY_7w53225...
- b####.img.ire####.com/group61/M00/81/40/CmQUOV32-fGEAUgOAAAAALEuNak43039...
- b####.img.ire####.com/group61/M00/82/12/CmQUOF34N8aEAZu3AAAAACosClM55192...
- b####.img.ire####.com/group61/M00/82/15/CmQUOF34Ob6Edu4EAAAAAH7E4gY66925...
- b####.img.ire####.com/group61/M00/82/EC/CmQUOV35jZqEFfU6AAAAAGKqueY43751...
- b####.img.ire####.com/group61/M00/84/36/CmQUOV367iOEfmRJAAAAAOoUS-Q06727...
- b####.img.ire####.com/group61/M00/84/90/CmQUOV37RECEF_RQAAAAAKlcTgs13129...
- bo####.d.ire####.####.com/group7/M00/15/40/CmQUNFj4jByEZLcSAAAAADiZV5417...
- dj.palmes####.com/dj_download/out/ext/dl_dyn_epub_free?pk=####&type=####...
- doma####.zhangy####.com/cloudconf/confs?random=####&p2=####&p3=####
- log.tracki####.com/receive/gettime
- o####.d.ire####.com/group1/M00/61/32/wKgHhVjmBzOEESmbAAAAAJLIJhE07180239...
- o####.d.ire####.com/group1/M00/67/0C/wKgHhVj4jByEET9pAAAAAHunchI42844537...
- o####.d.ire####.com/group1/M00/76/17/wKgHhVy0W4-EXyddAAAAAIJELqY15579863...
- o####.d.ire####.com/group8/M00/19/ED/wKgHil2oCeWEMuKCAAAAACoPoeo24726877...
- p####.zhan####.com/cocoon/alias/gen?usr=####&rgt=####&p1=####&pc=####&p2...
- p####.zhan####.com/cocoon/alias/gen?zyeid=####&usr=####&rgt=####&p1=####...
- src.r####.com/kubo/dex/luomi_9.1.29.dex
- up####.v.bs####.cn/group61/M00/43/B8/CmQUOF27jgeEY-5KAAAAAGN-RSY11624966...
- up####.v.bs####.cn/group61/M00/43/B8/CmQUOF27jieEZTH9AAAAAGfl6S822238500...
- up####.v.bs####.cn/group61/M00/43/BA/CmQUOF27jn-EMMAFAAAAANwKBes25999186...
- up####.v.bs####.cn/group61/M00/43/BA/CmQUOF27jrKEa2MVAAAAANjP6fM76995313...
- up####.v.bs####.cn/group61/M00/43/C0/CmQUOV27jhKEdOhhAAAAAFkYPI437447242...
- up####.v.bs####.cn/group61/M00/43/C2/CmQUOV27jr6EDUyoAAAAAECbPAk60777092...
Запросы HTTP POST:
- ah2.zhan####.com/zyapi/bookstore/ad/boot
- log.ire####.com/log-agent/log
- log.ire####.com/log-agent/rlog
- log.tracki####.com/receive/tkio/install
- log.tracki####.com/receive/tkio/startup
- sdk.c####.com/versiontapi.php?v=####&type=####
- sys.zhan####.com/message/taskConfigure?package=####&usr=####&rgt=####&p1...
- sys.zhan####.com/message/taskConfigure?package=####&zyeid=####&usr=####&...
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/0
- /data/data/####/1576986806009_2221
- /data/data/####/1576986806032.apk
- /data/data/####/1576986806158_2221
- /data/data/####/1576986806470_2221
- /data/data/####/1576986807308_2221
- /data/data/####/1576986808496_2221
- /data/data/####/1576986808747_2318
- /data/data/####/1576986808862.apk
- /data/data/####/1576986809371_2318
- /data/data/####/1576986809503_2221
- /data/data/####/1576986810043_2221
- /data/data/####/1576986811355.apk
- /data/data/####/1576986811603_2318
- /data/data/####/1576986811869_2318
- /data/data/####/1576986816062.apk
- /data/data/####/1576986820038.apk
- /data/data/####/1576986834947_2221
- /data/data/####/1576986835513_2221
- /data/data/####/1576986847094_2221
- /data/data/####/1576986847157_2221
- /data/data/####/1576986847757_2221
- /data/data/####/1576986853635_2221
- /data/data/####/1576986853672_2221
- /data/data/####/1576986870942_2221
- /data/data/####/Alvin2.xml
- /data/data/####/Archimedes_p1
- /data/data/####/Archimedes_p2
- /data/data/####/Archimedes_p3
- /data/data/####/Archimedes_p4
- /data/data/####/Archimedes_p5
- /data/data/####/ContextData.xml
- /data/data/####/GeneralSetting.xml
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/Reyun.db
- /data/data/####/Reyun.db-journal
- /data/data/####/TBFileDownload-journal
- /data/data/####/TDCloudSettingsConfig50E9251AE9D74852BE9061C7154394DD.xml
- /data/data/####/TD_app_pefercen_profile.xml
- /data/data/####/TDpref_cloudcontrol1.xml
- /data/data/####/TDpref_longtime.xml
- /data/data/####/TDpref_longtime0.xml
- /data/data/####/TDpref_shorttime.xml
- /data/data/####/TDpref_shorttime0.xml
- /data/data/####/ax_c.xml
- /data/data/####/classes.dex
- /data/data/####/com.chaozh.iReader.dmj-1.apk.classes-326067295.zip
- /data/data/####/com.chaozh.iReader.dmj-1.apk.classes-825779935.zip
- /data/data/####/com.chaozh.iReader.dmj-1.apk.classes-940617408.zip
- /data/data/####/com.chaozh.iReader.dmj-1.apk.classes1457395012.zip
- /data/data/####/com.chaozh.iReader.dmj-1.apk.classes2.zip
- /data/data/####/com.zhangyue.iReader.SharedPreferences.temp.xml
- /data/data/####/com.zhangyue.iReader.SharedPreferences.xml
- /data/data/####/com.zhangyue.iReader.bookstore.SP.xml
- /data/data/####/com.zhangyue.module.ad.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/downloader.db-journal
- /data/data/####/experience.db-journal
- /data/data/####/gg.dex
- /data/data/####/guide.db
- /data/data/####/iReader.db-journal
- /data/data/####/index
- /data/data/####/info.txt
- /data/data/####/installedlist.plugin
- /data/data/####/iv
- /data/data/####/mc182.dex
- /data/data/####/mc_cache.xml
- /data/data/####/multidex.version.xml
- /data/data/####/pathinfo
- /data/data/####/pluginweb_djsearch
- /data/data/####/pluginweb_djsearch.diff.tmp
- /data/data/####/pluginwebdiff_djad
- /data/data/####/pluginwebdiff_djad.diff.tmp
- /data/data/####/pluginwebdiff_djbookdetail.tmp
- /data/data/####/pluginwebdiff_djbookstore
- /data/data/####/pluginwebdiff_djbookstore.tmp
- /data/data/####/pluginwebdiff_djcommon
- /data/data/####/pluginwebdiff_djcommon.diff.tmp
- /data/data/####/pluginwebdiff_djconfig
- /data/data/####/pluginwebdiff_djconfig.diff.tmp
- /data/data/####/pluginwebdiff_djconfig.tmp
- /data/data/####/pluginwebdiff_djmine
- /data/data/####/pluginwebdiff_djmine.diff
- /data/data/####/pluginwebdiff_djmine.diff.tmp
- /data/data/####/pluginwebdiff_djmine.tmp
- /data/data/####/salt
- /data/data/####/schedule
- /data/data/####/task.db-journal
- /data/data/####/tdid.xml
- /data/data/####/theme_bg1.xml
- /data/data/####/theme_bg2.xml
- /data/data/####/theme_bg3.xml
- /data/data/####/theme_bg5.xml
- /data/data/####/theme_bg_huyan.xml
- /data/data/####/theme_bg_yejian6.xml
- /data/data/####/theme_bg_yejian7.xml
- /data/data/####/theme_bg_yejian8.xml
- /data/data/####/theme_bg_yejian9.xml
- /data/data/####/theme_layout_manhua.xml
- /data/data/####/theme_layout_pad70.xml
- /data/data/####/theme_layout_pad70_chuban.xml
- /data/data/####/theme_layout_pad70_qingsuan.xml
- /data/data/####/theme_layout_pad70_wangwen.xml
- /data/data/####/theme_pager.xml
- /data/data/####/theme_user.xml
- /data/data/####/tracking_device_id_cache.xml
- /data/data/####/tracking_install.xml
- /data/data/####/tracking_interval.xml
- /data/data/####/tt_sdk_settings.xml
- /data/data/####/ttopenadsdk.xml
- /data/data/####/uparpu.db-journal
- /data/data/####/uparpu_agent_log
- /data/data/####/uparpu_sdk.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/-1514398302.0.tmp
- /data/media/####/-1567028798.0.tmp
- /data/media/####/-1711385273.0.tmp
- /data/media/####/-1724770681.0.tmp
- /data/media/####/-1739536073
- /data/media/####/-268489359.0.tmp
- /data/media/####/.DS_Store
- /data/media/####/.nomedia
- /data/media/####/.yunba_device_id
- /data/media/####/0abc84d3f398420c10af9bd9f51b4b8a29188c495edf68....0.tmp
- /data/media/####/1.zyesnext
- /data/media/####/11280520.ix
- /data/media/####/11283808.ix
- /data/media/####/11284828.ix
- /data/media/####/11289540.ix
- /data/media/####/11291310.ix
- /data/media/####/11295969.ix.tmp
- /data/media/####/11465289.ix.tmp
- /data/media/####/11801084.ix.tmp
- /data/media/####/1349ff547d223b56c34669d192fd7ed6ef525fac70a477....0.tmp
- /data/media/####/1361727a92b1ef962ce2f50afbb235f302d61fb644111d....0.tmp
- /data/media/####/13cf69c402094b051af6c3c23fb75a442e950a7e0d7064....0.tmp
- /data/media/####/1534360579.0.tmp
- /data/media/####/1812690646.0.tmp
- /data/media/####/1834072149.0.tmp
- /data/media/####/1879501059.0.tmp
- /data/media/####/1910528738.0.tmp
- /data/media/####/2.zyesnext
- /data/media/####/262788591
- /data/media/####/3.zyesnext
- /data/media/####/362212b46b53e3615467cc97be2c3fc52bb702d5f3761e....0.tmp
- /data/media/####/3987962ebcde1148d5ca8ac808760ddd539513766bd7c4....0.tmp
- /data/media/####/43adb831a84396087e754ab2a37faf538be1e17ebcd2bc....0.tmp
- /data/media/####/43ed8eed7df49d493ea1f8d7f6146fc87a8ebb110233fc....0.tmp
- /data/media/####/45a305ebbeffb1ecff34fd6db4de8fc0d04bfc0394bf3f....0.tmp
- /data/media/####/4ff7316f02d9225b815b2af249ea82d7a617af0954198b....0.tmp
- /data/media/####/510a76d875b2c17cd840e0a37ded64a56a15e49293f88b....0.tmp
- /data/media/####/5aefa372c637d0c66ead84b188aad415j3877939&124002_0
- /data/media/####/5aefa372c637d0c66ead84b188aad415j3877939&124002_1
- /data/media/####/5aefa372c637d0c66ead84b188aad415j3877939&124002_11
- /data/media/####/5aefa372c637d0c66ead84b188aad415j3877939&124002_13
- /data/media/####/5aefa372c637d0c66ead84b188aad415j3877939&124002_20
- /data/media/####/5aefa372c637d0c66ead84b188aad415j3877939&124002_26
- /data/media/####/5aefa372c637d0c66ead84b188aad415j3877939&124002_27
- /data/media/####/5aefa372c637d0c66ead84b188aad415j3877939&124002_6
- /data/media/####/5aefa372c637d0c66ead84b188aad415j3877939&124002_8
- /data/media/####/5aefa372c637d0c66ead84b188aad415j3877939&124002_9
- /data/media/####/5b844f2155f4af2730e71a9d9ae74e9d0328f4cec65eb3....0.tmp
- /data/media/####/5c841d9b997e49e9c51d2705210c0fbe917acfb0dd2274....0.tmp
- /data/media/####/5e0d902b07d9dc936d0b7f9c4ad641dad922764d8c9d9d....0.tmp
- /data/media/####/673549127.0.tmp
- /data/media/####/690a22ef2062db2496fc1195dc71fb2bf036c37ec89694....0.tmp
- /data/media/####/702e22174392f62c861e9cf23bce056ab01100026e205e....0.tmp
- /data/media/####/73718488d1140dcbf2871ddb9276913da6b0ae13d073e1....0.tmp
- /data/media/####/764168386a970f3954b170b7405c843ecd310ef53e4ecf....0.tmp
- /data/media/####/7c45723e0b03a252c72ff4d465f05bdd70c9750bc2b8c1....0.tmp
- /data/media/####/85e725ed2e933d9612ae4145d2c48363b619e4bdf4b7a0....0.tmp
- /data/media/####/88f39438199745d860395b229f4a7768a7dc44d45a9dad....0.tmp
- /data/media/####/9035fc6ae99bab4ea7a06ca3547a494d3e9e914f589037....0.tmp
- /data/media/####/9af8409ff799b054db6996ac7796b84e91d5b1dee38804....0.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ApplicationCache.db-journal
- /data/media/####/ContextData.xml
- /data/media/####/a34e2bc975fcc74aaef1380e0591dc2ceaaa91671befbc....0.tmp
- /data/media/####/a43677c40f12e1adb1914e1ae2ff4c0e46b76c8529902d....0.tmp
- /data/media/####/a4e0178c7988c0ddc294df2a0e251ba0ce22c63d724d1f....0.tmp
- /data/media/####/a93124cac4bd7f80c67e5705af9460ee9f1773fc5ad6e5....0.tmp
- /data/media/####/ab9fff813eaf55666b61f138ecf23af94960e0d5b80218....0.tmp
- /data/media/####/appCache_ddffa86.zip.tmp
- /data/media/####/b3b2921064f9cec13d38c1c890ccda6ef2801d87617fd2....0.tmp
- /data/media/####/b42b9e936effd6d31372b024a5cc9477fab96e394a9cfb....0.tmp
- /data/media/####/b93dc1d92a7d1faeefaae5656a6af38ac79885e43d1fe5....0.tmp
- /data/media/####/be01f08cdcf04cf4d749c2f9b150ff2369bab66ee3fc59....0.tmp
- /data/media/####/bed5ca15dfa6d16b219ecb82c98bb25e1a714e33521dac....0.tmp
- /data/media/####/bookfeed.png
- /data/media/####/c-1.zycp.tmp
- /data/media/####/c-2.zycp.tmp
- /data/media/####/c-3.zycp.tmp
- /data/media/####/c21fc3a0c4eed92e850a1823ffe2a25ea3fbf8b5134c60....0.tmp
- /data/media/####/c829c7b25ea9601aeceac1a997fd63ab93cdf680828a37....0.tmp
- /data/media/####/cd9c54d103dc9271c1f79ac34dd9198676b8110f39127a....0.tmp
- /data/media/####/chap_vote_after_1x
- /data/media/####/chap_vote_after_2x
- /data/media/####/chap_vote_after_3x
- /data/media/####/chap_vote_before_1x
- /data/media/####/chap_vote_before_2x
- /data/media/####/chap_vote_before_3x
- /data/media/####/chapvote.db-journal
- /data/media/####/check.tmp
- /data/media/####/copyright.xhtml
- /data/media/####/da848292d81458474320715e798ff666fa3b15ba40fecd....0.tmp
- /data/media/####/discount.png
- /data/media/####/discount_v.png
- /data/media/####/e7470f0558375bdc1002a765866c88b1680a1bd1349e85....0.tmp
- /data/media/####/f0342a79c870adefc3a3f0ec72b428da0d8ed80c3da44b....0.tmp
- /data/media/####/ff109dca856f2089cff3cd991ad636c9d4d4b9e2405044....0.tmp
- /data/media/####/ft_channel_channel_45e37f9.js
- /data/media/####/ft_channel_static_css_c_955d5b5.css
- /data/media/####/ft_channel_static_css_second_0724f80.css
- /data/media/####/ft_common_android_down_9781c21.js
- /data/media/####/ft_common_c_19d5d20.css
- /data/media/####/ft_common_static_js_zybridge_android_88dd5af.js
- /data/media/####/ft_common_static_js_zybridge_ios_358717e.js
- /data/media/####/ft_common_uu_638b01b.js
- /data/media/####/ft_common_zepto_5b96d2c.js
- /data/media/####/ft_sign_static_css_sign_95abb6d.css
- /data/media/####/ft_task_static_css_android_task_c92d65e.css
- /data/media/####/ft_task_static_css_android_v3_base_24095ce.css
- /data/media/####/ft_task_static_css_iphone_task_91d5684.css
- /data/media/####/ft_task_static_css_iphone_v3_base_208f0aa.css
- /data/media/####/guide.gd
- /data/media/####/ic_ad_left.png
- /data/media/####/ic_ad_right.png
- /data/media/####/ic_ad_skip.png
- /data/media/####/idea.db-journal
- /data/media/####/ireader2.db
- /data/media/####/journal.tmp
- /data/media/####/mob_analysis.sjbd
- /data/media/####/mob_analysis_5435f9ef-11f8-4425-a0c9-27261fc2eb6d.iz
- /data/media/####/mob_analysis_97f7a8b4-a059-413e-8da7-4bc99d10c68c.iz
- /data/media/####/order.xhtml
- /data/media/####/order_btn_bg.png
- /data/media/####/order_btn_bg_v.png
- /data/media/####/order_content.xhtml
- /data/media/####/order_h.xhtml
- /data/media/####/order_v_h.xhtml
- /data/media/####/public-0.zyres.tmp
- /data/media/####/public-1.zyres
- /data/media/####/totalbookdown.xhtml
- /data/media/####/totalbookdown_bg.jpg
- /data/media/####/totalbookdown_button.png
- /data/media/####/《剩女快穿33次》.jpg
- /data/media/####/《剩女快穿33次》.zyepub
- /data/media/####/《姐姐是演技派》.jpg
- /data/media/####/《姐姐是演技派》.zyepub
- /data/media/####/《独宠媚色皇妃》.jpg
- /data/media/####/《独宠媚色皇妃》.zyepub
- /data/media/####/《皇叔:别乱来!》.zyepub.tmp
- /data/media/####/《第一狂妃:绝色御灵师》.zyepub.tmp
- /data/media/####/《绝世兵锋》.jpg
- /data/media/####/《绝世兵锋》.zyepub
- /data/media/####/《超级纨绔系统》.jpg
- /data/media/####/《超级纨绔系统》.zyepub
- /data/media/####/《闪婚厚爱:误嫁天价老公》.zyepub.tmp
Другие:
Запускает следующие shell-скрипты:
- getprop
- getprop ro.build.version.emui
- getprop ro.config.hw_notch_size
- getprop ro.flyme.published
- getprop ro.letv.release.version
- getprop ro.miui.notch
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
Загружает динамические библиотеки:
- UiControl
- mthook
- patchMerge
- tingReader
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию о настроках APN.
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
