Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.DownLoader.860.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) sys.zhan####.com:80
- TCP(HTTP/1.1) dj.palmes####.com:80
- TCP(HTTP/1.1) log.tracki####.com:80
- TCP(HTTP/1.1) ah2.zhan####.com:80
- TCP(HTTP/1.1) oth####.d.zhangy####.com:80
- TCP(HTTP/1.1) b####.d.ire####.com:80
- TCP(HTTP/1.1) seri####.d.ire####.####.cn:80
- TCP(HTTP/1.1) bo####.img.ire####.####.cn:80
- TCP(HTTP/1.1) log.ire####.com:80
- TCP(HTTP/1.1) src.r####.com:80
- TCP(HTTP/1.1) p####.zhan####.com:80
- TCP(HTTP/1.1) b####.img.ire####.com:80
- TCP(HTTP/1.1) oth####.d.ire####.####.com:80
- TCP(HTTP/1.1) sdk.c####.com:80
- TCP(HTTP/1.1) doma####.zhangy####.com:80
- TCP(TLS/1.0) bo####.img.zhangy####.com:443
- TCP(TLS/1.0) stati####.palmes####.com.####.com:443
- TCP(TLS/1.0) s####.we####.com:443
- TCP(TLS/1.0) c####.x####.com:443
- TCP(TLS/1.0) av1.x####.com:443
- TCP(TLS/1.0) api.w####.com:443
- TCP(TLS/1.0) dj.palmes####.com:443
- TCP(TLS/1.0) api.up####.com:443
- TCP(TLS/1.0) seri####.d.ire####.####.cn:443
- TCP(TLS/1.0) oth####.d.zhangy####.com:443
- TCP(TLS/1.0) is.sn####.com:443
Запросы DNS:
- ah2.zhan####.com
- an####.l####.com
- api.up####.com
- api.w####.com
- av1.x####.com
- b####.d.ire####.com
- b####.img.ire####.com
- bo####.d.ire####.com
- bo####.img.ire####.com
- bo####.img.zhangy####.com
- c####.x####.com
- c####.x####.com
- dc.l####.com
- dj.palmes####.com
- doma####.zhangy####.com
- doma####.zhangy####.com
- is.sn####.com
- log.ire####.com
- log.tracki####.com
- oth####.d.ire####.com
- oth####.d.zhangy####.com
- p####.zhan####.com
- s####.we####.com
- sdk.c####.com
- se####.d.ire####.com
- se####.d.zhangy####.com
- seri####.d.ire####.com
- seri####.d.zhangy####.com
- src.r####.com
- stati####.palmes####.com
- sys.zhan####.com
Запросы HTTP GET:
- b####.d.ire####.com/group7/M00/0B/E3/CmQUilw0c8-EVX5IAAAAAHNY6fE36207167...
- b####.d.ire####.com/group7/M00/E5/51/CmQUil4FJSmEcBe2AAAAAGk5AF838813697...
- b####.d.ire####.com/group7/M00/F9/DD/CmQUNFjgIPOEFI45AAAAAPRdHtY55358605...
- b####.img.ire####.com/group61/M00/43/B8/CmQUOF27jgeEY-5KAAAAAGN-RSY11624...
- b####.img.ire####.com/group61/M00/43/B8/CmQUOF27jhyEOGMsAAAAABne8vU29916...
- b####.img.ire####.com/group61/M00/43/C0/CmQUOV27jhKEdOhhAAAAAFkYPI437447...
- b####.img.ire####.com/group61/M00/B7/E7/CmQUOV5DlpmEeCe1AAAAAM1mnxw12399...
- b####.img.ire####.com/group61/M00/B7/E9/CmQUOF5DlsSEfUeAAAAAAH-RRu808367...
- b####.img.ire####.com/group61/M00/BA/99/CmQUOV5FJhmEVkr6AAAAAJlqVqY89163...
- b####.img.ire####.com/group61/M00/BC/0A/CmQUOV5GVy2EYDmtAAAAAIITzNI24624...
- b####.img.ire####.com/group61/M00/C1/C2/CmQUOF5L3kKEA3cFAAAAAPmbttg80277...
- b####.img.ire####.com/group61/M00/C1/C2/CmQUOF5L3qKEIA_AAAAAAIaPLww62602...
- b####.img.ire####.com/group61/M00/C1/C6/CmQUOV5L3nCEMv-SAAAAAKyAJGc16352...
- bo####.img.ire####.####.cn/group61/M00/43/B8/CmQUOF27jfWENwyNAAAAADqAoFY...
- bo####.img.ire####.####.cn/group61/M00/43/B8/CmQUOF27jieEZTH9AAAAAGfl6S8...
- bo####.img.ire####.####.cn/group61/M00/43/BA/CmQUOF27jn-EMMAFAAAAANwKBes...
- bo####.img.ire####.####.cn/group61/M00/43/BA/CmQUOF27jnWEdhwMAAAAALd0uz8...
- bo####.img.ire####.####.cn/group61/M00/43/BA/CmQUOF27jrKEa2MVAAAAANjP6fM...
- bo####.img.ire####.####.cn/group61/M00/43/C2/CmQUOV27jp2EBa1iAAAAAEqY_7w...
- bo####.img.ire####.####.cn/group61/M00/43/C2/CmQUOV27jr6EDUyoAAAAAECbPAk...
- dj.palmes####.com/dj_download/out/ext/dl_dyn_epub_free?pk=####&type=####...
- doma####.zhangy####.com/cloudconf/confs?random=####&p2=####&p3=####
- log.tracki####.com/receive/gettime
- oth####.d.ire####.####.com/group7/M00/03/B9/CmQUNFjmYjOETDzyAAAAAN5O_Bc5...
- oth####.d.ire####.####.com/group7/M00/1E/C4/CmQUBlvisXeENGfjAAAAAOKiIuo9...
- oth####.d.ire####.####.com/group7/M00/35/96/CmQUilzAGWGEJUp_AAAAAC1-0e03...
- oth####.d.ire####.####.com/group7/M00/62/BD/CmQUil3ziQWEVl-xAAAAAI9IrU06...
- oth####.d.ire####.####.com/group7/M00/C6/05/CmQUil1BbC-ENh5TAAAAACeR8vE4...
- oth####.d.ire####.####.com/group7/M00/CE/C5/CmQUilzwxxCEVVR5AAAAAEwjzNE0...
- oth####.d.ire####.####.com/group8/M00/19/ED/wKgHil2oCeWEMuKCAAAAACoPoeo2...
- oth####.d.zhangy####.com/group1/M00/FA/F8/wKgHhVw0c86EGudkAAAAAGirSYg080...
- p####.zhan####.com/cocoon/alias/gen?zyeid=####&usr=####&rgt=####&p1=####...
- seri####.d.ire####.####.cn/group1/M00/1E/7A/wKgHhV4FJSiERcMbAAAAACk-xZs6...
- seri####.d.ire####.####.cn/group1/M00/65/7C/wKgHhVzwxxCENA_HAAAAAFZq6CQ5...
- seri####.d.ire####.####.cn/group1/M00/90/55/wKgHhVjmYjOESmhRAAAAAJ4XL7Y7...
- seri####.d.ire####.####.cn/group1/M00/95/73/wKgHhV1BbC6EdJwfAAAAAJD-aVg3...
- seri####.d.ire####.####.cn/group1/M00/A1/D9/wKgHhVzAGWCEQfnNAAAAAH4Khxw8...
- seri####.d.ire####.####.cn/group1/M00/B6/25/wKgHhVjgIPOEQGv_AAAAAEAYrNw1...
- seri####.d.ire####.####.cn/group1/M00/D6/7A/wKgHhV3ziQWETuyLAAAAAEsNGzE9...
- seri####.d.ire####.####.cn/group1/M00/E3/AC/wKgHhVvisXeESuYFAAAAAOBVMT80...
- src.r####.com/kubo/dex/luomi_9.1.29.dex
Запросы HTTP POST:
- ah2.zhan####.com/zyapi/bookstore/ad/boot
- doma####.zhangy####.com/log_agent/rlog
- log.ire####.com/log-agent/log
- log.ire####.com/log-agent/rlog
- log.tracki####.com/receive/tkio/install
- log.tracki####.com/receive/tkio/startup
- sdk.c####.com/versiontapi.php?v=####&type=####
- sys.zhan####.com/message/taskConfigure?package=####&zyeid=####&usr=####&...
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/0
- /data/data/####/1582180725092_2231
- /data/data/####/1582180725151_2231
- /data/data/####/1582180725199.apk
- /data/data/####/1582180725481_2231
- /data/data/####/1582180726306_2231
- /data/data/####/1582180727188_2327
- /data/data/####/1582180727320.apk
- /data/data/####/1582180728383_2231
- /data/data/####/1582180728395_2327
- /data/data/####/1582180728482_2231
- /data/data/####/1582180728617_2327
- /data/data/####/1582180728997_2231
- /data/data/####/1582180729281.apk
- /data/data/####/1582180729936.apk
- /data/data/####/1582180730814_2231
- /data/data/####/1582180735115.apk
- /data/data/####/1582180735132.apk
- /data/data/####/1582180759629_2231
- /data/data/####/1582180766504_2231
- /data/data/####/1582180766609_2231
- /data/data/####/1582180766701_2231
- /data/data/####/1582180789954_2231
- /data/data/####/3164361435.apk
- /data/data/####/Alvin2.xml
- /data/data/####/Archimedes_p1
- /data/data/####/Archimedes_p2
- /data/data/####/Archimedes_p3
- /data/data/####/Archimedes_p4
- /data/data/####/Archimedes_p5
- /data/data/####/ContextData.xml
- /data/data/####/GeneralSetting.xml
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/Reyun.db
- /data/data/####/Reyun.db-journal
- /data/data/####/TBFileDownload-journal
- /data/data/####/TDCloudSettingsConfig50E9251AE9D74852BE9061C7154394DD.xml
- /data/data/####/TD_app_pefercen_profile.xml
- /data/data/####/TDpref_cloudcontrol1.xml
- /data/data/####/TDpref_longtime.xml
- /data/data/####/TDpref_longtime0.xml
- /data/data/####/TDpref_shorttime.xml
- /data/data/####/TDpref_shorttime0.xml
- /data/data/####/ax_c.xml
- /data/data/####/classes.dex
- /data/data/####/com.chaozh.iReader.dmj-1.apk.classes-1611407561.zip
- /data/data/####/com.chaozh.iReader.dmj-1.apk.classes1266909868.zip
- /data/data/####/com.chaozh.iReader.dmj-1.apk.classes1418418525.zip
- /data/data/####/com.chaozh.iReader.dmj-1.apk.classes2.zip
- /data/data/####/com.chaozh.iReader.dmj-1.apk.classes525055622.zip
- /data/data/####/com.zhangyue.iReader.SharedPreferences.temp.xml
- /data/data/####/com.zhangyue.iReader.SharedPreferences.xml
- /data/data/####/com.zhangyue.iReader.bookstore.SP.xml
- /data/data/####/com.zhangyue.module.ad.xml
- /data/data/####/downloader.db-journal
- /data/data/####/experience.db-journal
- /data/data/####/gg.dex
- /data/data/####/guide.db
- /data/data/####/iReader.db-journal
- /data/data/####/info.txt
- /data/data/####/installedlist.plugin
- /data/data/####/iv
- /data/data/####/mc182.dex
- /data/data/####/mc_cache.xml
- /data/data/####/multidex.version.xml
- /data/data/####/pathinfo
- /data/data/####/pluginweb_djsearch
- /data/data/####/pluginweb_djsearch.diff.tmp
- /data/data/####/pluginwebdiff_djad
- /data/data/####/pluginwebdiff_djad.diff.tmp
- /data/data/####/pluginwebdiff_djbookdetail.tmp
- /data/data/####/pluginwebdiff_djbookstore.tmp
- /data/data/####/pluginwebdiff_djcommon
- /data/data/####/pluginwebdiff_djcommon.diff.tmp
- /data/data/####/pluginwebdiff_djconfig
- /data/data/####/pluginwebdiff_djconfig.diff.tmp
- /data/data/####/pluginwebdiff_djconfig.tmp
- /data/data/####/pluginwebdiff_djmine
- /data/data/####/pluginwebdiff_djmine.diff.tmp
- /data/data/####/pluginwebdiff_djmine.tmp
- /data/data/####/salt
- /data/data/####/schedule
- /data/data/####/task.db-journal
- /data/data/####/tdid.xml
- /data/data/####/theme_bg1.xml
- /data/data/####/theme_bg2.xml
- /data/data/####/theme_bg3.xml
- /data/data/####/theme_bg5.xml
- /data/data/####/theme_bg_huyan.xml
- /data/data/####/theme_bg_yejian6.xml
- /data/data/####/theme_bg_yejian7.xml
- /data/data/####/theme_bg_yejian8.xml
- /data/data/####/theme_bg_yejian9.xml
- /data/data/####/theme_layout_manhua.xml
- /data/data/####/theme_layout_pad70.xml
- /data/data/####/theme_layout_pad70_chuban.xml
- /data/data/####/theme_layout_pad70_qingsuan.xml
- /data/data/####/theme_layout_pad70_wangwen.xml
- /data/data/####/theme_pager.xml
- /data/data/####/theme_user.xml
- /data/data/####/tracking_device_id_cache.xml
- /data/data/####/tracking_install.xml
- /data/data/####/tracking_interval.xml
- /data/data/####/tt_sdk_settings.xml
- /data/data/####/ttopenadsdk.xml
- /data/data/####/uparpu.db-journal
- /data/data/####/uparpu_agent_log
- /data/data/####/uparpu_sdk.xml
- /data/data/####/webview.db-journal
- /data/media/####/-213505242.0.tmp
- /data/media/####/-259122356
- /data/media/####/-299156380
- /data/media/####/-442559330.0.tmp
- /data/media/####/-75173790.0.tmp
- /data/media/####/.DS_Store
- /data/media/####/.nomedia
- /data/media/####/.yunba_device_id
- /data/media/####/068233781bdd072731a55a10a5fb3787c5f3c356fd1798....0.tmp
- /data/media/####/0c210f870511f8faa0f1cc4c91d87d0b9f4195d60da966....0.tmp
- /data/media/####/0d4006eafe3464b99712d492fa319ecabce13a8a3c1b83....0.tmp
- /data/media/####/0ffd788d8439af3864972c5114b43ae9ff792c394bd601....0.tmp
- /data/media/####/1.zyesnext
- /data/media/####/11280520.ix
- /data/media/####/11283589.ix.tmp
- /data/media/####/11283808.ix
- /data/media/####/11284828.ix
- /data/media/####/11289540.ix
- /data/media/####/11291310.ix
- /data/media/####/11315629.ix.tmp
- /data/media/####/11726789.ix.tmp
- /data/media/####/11759893.ix.tmp
- /data/media/####/11809721.ix.tmp
- /data/media/####/11825882.ix.tmp
- /data/media/####/11861937.ix.tmp
- /data/media/####/12061802.ix.tmp
- /data/media/####/12072177.ix.tmp
- /data/media/####/13cf69c402094b051af6c3c23fb75a442e950a7e0d7064....0.tmp
- /data/media/####/1426645731.0.tmp
- /data/media/####/1669344699.0.tmp
- /data/media/####/1867674763.0.tmp
- /data/media/####/1917427715.0.tmp
- /data/media/####/2.zyesnext
- /data/media/####/22a5cf5d1aa58311b753674b58c5ead26686f0b4171d72....0.tmp
- /data/media/####/29d16b4d849882e6bfd4a3bcfc1278176818f40f150186....0.tmp
- /data/media/####/2f2a2d9523e88e93d07cfcf288599e76681eb0af670851....0.tmp
- /data/media/####/3.zyesnext
- /data/media/####/362212b46b53e3615467cc97be2c3fc52bb702d5f3761e....0.tmp
- /data/media/####/41488c108a2adecc9ab07b99fdbc2def7c4dfef1102640....0.tmp
- /data/media/####/429cd3975aca0aea272fd1ae53d5beb928824aa2a13568....0.tmp
- /data/media/####/4ff7316f02d9225b815b2af249ea82d7a617af0954198b....0.tmp
- /data/media/####/510a76d875b2c17cd840e0a37ded64a56a15e49293f88b....0.tmp
- /data/media/####/512774494.0.tmp
- /data/media/####/558019152.0.tmp
- /data/media/####/5a132350332ac2258ce7a4d0f1a3ea9d7ae9f11ba63b00....0.tmp
- /data/media/####/5aefa372c637d0c66ead84b188aad415j11229592&124002_0
- /data/media/####/5aefa372c637d0c66ead84b188aad415j11229592&124002_1
- /data/media/####/5aefa372c637d0c66ead84b188aad415j11229592&124002_11
- /data/media/####/5aefa372c637d0c66ead84b188aad415j11229592&124002_13
- /data/media/####/5aefa372c637d0c66ead84b188aad415j11229592&124002_20
- /data/media/####/5aefa372c637d0c66ead84b188aad415j11229592&124002_26
- /data/media/####/5aefa372c637d0c66ead84b188aad415j11229592&124002_27
- /data/media/####/5aefa372c637d0c66ead84b188aad415j11229592&124002_6
- /data/media/####/5aefa372c637d0c66ead84b188aad415j11229592&124002_8
- /data/media/####/5aefa372c637d0c66ead84b188aad415j11229592&124002_9
- /data/media/####/5c841d9b997e49e9c51d2705210c0fbe917acfb0dd2274....0.tmp
- /data/media/####/649c5310f97560ed2859e3e6819ebdd4f0956c0c0269ce....0.tmp
- /data/media/####/6bef131abb9812d6314ff3bf392ea4eaa6470065ea51de....0.tmp
- /data/media/####/702e22174392f62c861e9cf23bce056ab01100026e205e....0.tmp
- /data/media/####/72294bf699a4cc33c19a8ddd6eb4045394230efc2ba1ba....0.tmp
- /data/media/####/764168386a970f3954b170b7405c843ecd310ef53e4ecf....0.tmp
- /data/media/####/787016664.0.tmp
- /data/media/####/7f330fa160a83f5eab1739d6f58a9172cd49ce93522e57....0.tmp
- /data/media/####/851580963.0.tmp
- /data/media/####/85e725ed2e933d9612ae4145d2c48363b619e4bdf4b7a0....0.tmp
- /data/media/####/8a6d1d1a521c2f91120bc3d7a30b2a881d3ae1367288ea....0.tmp
- /data/media/####/937c9c19644df0b24eaf5810f61bd7788e426145bbcd0e....0.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/appCache_211dd24.zip.tmp
- /data/media/####/bookfeed.png
- /data/media/####/c-1.zycp.tmp
- /data/media/####/c-2.zycp.tmp
- /data/media/####/c-3.zycp.tmp
- /data/media/####/c0b03a388957b6e0a7fe58e898ca2d6c8afffa850481b8....0.tmp
- /data/media/####/c21fc3a0c4eed92e850a1823ffe2a25ea3fbf8b5134c60....0.tmp
- /data/media/####/chap_vote_after_1x
- /data/media/####/chap_vote_after_2x
- /data/media/####/chap_vote_after_3x
- /data/media/####/chap_vote_before_1x
- /data/media/####/chap_vote_before_2x
- /data/media/####/chap_vote_before_3x
- /data/media/####/chapvote.db-journal
- /data/media/####/copyright.xhtml
- /data/media/####/d0ce5a97bd4553e476eb2bd32be568dde0a7cd930fad2d....0.tmp
- /data/media/####/discount.png
- /data/media/####/discount_v.png
- /data/media/####/f09f9cf41028dadb90eb38b72692eb1b870431cf7a44b1....0.tmp
- /data/media/####/ft_channel_channel_45e37f9.js
- /data/media/####/ft_channel_static_css_c_955d5b5.css
- /data/media/####/ft_channel_static_css_second_0724f80.css
- /data/media/####/ft_common_android_down_9781c21.js
- /data/media/####/ft_common_c_19d5d20.css
- /data/media/####/ft_common_static_js_zybridge_android_3d2baf4.js
- /data/media/####/ft_common_static_js_zybridge_ios_7a129e1.js
- /data/media/####/ft_common_uu_638b01b.js
- /data/media/####/ft_common_zepto_5b96d2c.js
- /data/media/####/ft_sign_static_css_sign_95abb6d.css
- /data/media/####/ft_task_static_css_android_task_c92d65e.css
- /data/media/####/ft_task_static_css_android_v3_base_24095ce.css
- /data/media/####/ft_task_static_css_iphone_task_91d5684.css
- /data/media/####/ft_task_static_css_iphone_v3_base_208f0aa.css
- /data/media/####/guide.gd
- /data/media/####/ic_ad_left.png
- /data/media/####/ic_ad_right.png
- /data/media/####/ic_ad_skip.png
- /data/media/####/idea.db-journal
- /data/media/####/ireader2.db
- /data/media/####/journal.tmp
- /data/media/####/mob_analysis.sjbd
- /data/media/####/mob_analysis_1e743597-2460-4abf-9c6c-058c9bd9ce56.iz
- /data/media/####/mob_analysis_52b81017-7016-4caa-ac61-75e6669c7393.iz
- /data/media/####/order.xhtml
- /data/media/####/order_btn_bg.png
- /data/media/####/order_btn_bg_v.png
- /data/media/####/order_content.xhtml
- /data/media/####/order_h.xhtml
- /data/media/####/order_v_h.xhtml
- /data/media/####/public-0.zyres.tmp
- /data/media/####/public-1.zyres
- /data/media/####/totalbookdown.xhtml
- /data/media/####/totalbookdown_bg.jpg
- /data/media/####/totalbookdown_button.png
- /data/media/####/《一胞三胎,总裁爹爹超凶猛》.zyepub.tmp
- /data/media/####/《农门甜妻:夫君宠妻太磨人》.zyepub.tmp
- /data/media/####/《剩女快穿33次》.jpg
- /data/media/####/《剩女快穿33次》.zyepub
- /data/media/####/《医妃权倾天下》.zyepub.tmp
- /data/media/####/《姐姐是演技派》.jpg
- /data/media/####/《姐姐是演技派》.zyepub
- /data/media/####/《总裁的天价丑妻-1》.zyepub.tmp
- /data/media/####/《狂妃在上:邪王一宠到底》.zyepub.tmp
- /data/media/####/《独宠媚色皇妃》.jpg
- /data/media/####/《独宠媚色皇妃》.zyepub
- /data/media/####/《绝世兵锋》.jpg
- /data/media/####/《绝世兵锋》.zyepub
- /data/media/####/《至尊毒妃:邪王的盛宠娇妃》.zyepub.tmp
- /data/media/####/《萌宝驾到:腹黑娘亲妖孽爹》.zyepub.tmp
- /data/media/####/《超级纨绔系统》.jpg
- /data/media/####/《超级纨绔系统》.zyepub
- /data/media/####/《重生之复仇女王》.zyepub.tmp
- /data/media/####/《重生王妃宠上天-1》.zyepub.tmp
Другие:
Запускает следующие shell-скрипты:
- getprop
- getprop ro.build.version.emui
- getprop ro.config.hw_notch_size
- getprop ro.flyme.published
- getprop ro.letv.release.version
- getprop ro.miui.notch
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
Загружает динамические библиотеки:
- UiControl
- mthook
- patchMerge
- tingReader
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию о настроках APN.
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
