Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Click.345.origin
- Android.DownLoader.1007.origin
- Android.Triada.4567
- Android.Triada.482.origin
- Android.Triada.510.origin
- Android.Triada.560.origin
- Android.Triada.563.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) cn.f####.top:8080
- TCP(HTTP/1.1) newap####.math####.cn:80
- TCP(HTTP/1.1) 10####.zhit####.com:99
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) t####.a####.top:80
- TCP(HTTP/1.1) b####.bugse####.com:80
- TCP(HTTP/1.1) 5.1####.223.253:80
- TCP(HTTP/1.1) ip.ta####.com:80
- TCP(HTTP/1.1) ck.j####.top:80
- TCP(HTTP/1.1) 47.1####.185.46:80
- TCP(HTTP/1.1) co####.ssp.adoc####.com:80
- TCP(HTTP/1.1) u####.b0.upa####.com:80
- TCP(HTTP/1.1) p27-fto####.b0.a####.com:80
- TCP(HTTP/1.1) pos.b####.com:80
- TCP(HTTP/1.1) d####.cn:80
- TCP(HTTP/1.1) api.z####.com:80
- TCP(HTTP/1.1) 4####.98.31.107:901
- TCP(HTTP/1.1) 58.2####.198.157:999
- TCP(HTTP/1.1) err.ta####.com:80
- TCP(HTTP/1.1) ad.l####.com:80
- TCP(HTTP/1.1) www.78####.cc:80
- TCP(HTTP/1.1) s####.e.qq.com:80
- TCP(HTTP/1.1) 58.2####.92.50:808
- TCP(HTTP/1.1) ad.smudge####.com:8986
- TCP(HTTP/1.1) res####.a####.top:80
- TCP(HTTP/1.1) jp####.njt####.com:10091
- TCP(HTTP/1.1) www.f####.com:80
- TCP(HTTP/1.1) filt####.a####.top:80
- TCP(HTTP/1.1) m.our####.cn:80
- TCP(HTTP/1.1) 78####.cc:80
- TCP(HTTP/1.1) q####.com:80
- TCP(HTTP/1.1) 1####.56.165.2:19001
- TCP(HTTP/1.1) cui.dspliul####.com:99
- TCP(HTTP/1.1) i.iqt####.com:651
- TCP(HTTP/1.1) 1####.201.175.19:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) b####.bugse####.com:3000
- TCP(HTTP/1.1) g.cn.miao####.com:80
- TCP(HTTP/1.1) api.40088####.com:8181
- TCP(HTTP/1.1) a.78####.cc:80
- TCP(HTTP/1.1) a####.d####.com:80
- TCP(HTTP/1.1) w####.aut####.cn:80
- TCP(HTTP/1.1) jxs####.slj####.com:17002
- TCP(HTTP/1.1) mto####.hvf####.com:10259
- TCP(HTTP/1.1) b####.bugse####.com:3002
- TCP(HTTP/1.1) yun.zhit####.com:99
- TCP(HTTP/1.1) mh####.b0.a####.com:80
- TCP(HTTP/1.1) geb####.slj####.com:17002
- TCP(HTTP/1.1) 1####.27.70.235:80
- TCP(HTTP/1.1) mav.m####.com.####.com:80
- TCP(HTTP/1.1) amdc####.m.ta####.com:80
- TCP(HTTP/1.1) i####.t####.sogo####.####.com:80
- TCP(HTTP/1.1) adx####.hvf####.com:10317
- TCP(HTTP/1.1) p####.hfc####.com:80
- TCP(HTTP/1.1) r1.baiyuns####.com:80
- TCP(HTTP/1.1) w####.c####.com:80
- TCP(HTTP/1.1) w####.pcon####.com.cn:80
- TCP(HTTP/1.1) acti####.t####.cn:80
- TCP(HTTP/1.1) ad.api.clou####.xyz:80
- TCP(HTTP/1.1) f####.st####.z####.com:80
- TCP(HTTP/1.1) c####.aut####.cn.####.com:80
- TCP(HTTP/1.1) 1####.131.79.3:8090
- TCP(HTTP/1.1) 14.17.1####.182:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) 58.2####.67.136:99
- TCP(HTTP/1.1) api.a####.ads####.cn:80
- TCP(HTTP/1.1) ad.l####.com:3000
- TCP(HTTP/1.1) u####.a####.top:80
- TCP(HTTP/1.1) adx####.hvf####.com:10259
- TCP(HTTP/1.1) api.yunco####.com:80
- TCP(HTTP/1.1) gn####.f####.top:8080
- TCP(HTTP/1.1) ap####.math####.cn:80
- TCP(HTTP/1.1) gd.a.s####.com:80
- TCP(HTTP/1.1) app.a####.top:80
- TCP(HTTP/1.1) 10####.zhit####.com:808
- TCP(HTTP/1.1) dup.baidust####.com:80
- TCP(HTTP/1.1) s####.al####.com:80
- TCP(HTTP/1.1) gm.mm####.com:80
- TCP(HTTP/1.1) d####.cn:808
- TCP(HTTP/1.1) pp.c####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) xh.ma####.com:80
- TCP(HTTP/1.1) 47.1####.211.73:80
- TCP(HTTP/1.1) ec####.b####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) j####.g####.vip:80
- TCP(HTTP/1.1) ad.l####.com:3002
- TCP(HTTP/1.1) akd####.aog####.com:19001
- TCP(HTTP/1.1) p####.api.adoc####.com:80
- TCP(HTTP/1.1) n####.be####.s####.com:80
- TCP(TLS/1.0) sy.cl####.com:443
- TCP(TLS/1.0) 2####.107.1.97:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) log.mm####.com:443
- TCP(TLS/1.0) i####.d####.com:443
- TCP(TLS/1.0) h####.b####.com:443
- TCP(TLS/1.0) err.ta####.com:443
- TCP(TLS/1.0) api.g####.vip:443
- TCP(TLS/1.0) lbs.net####.im:443
- TCP(TLS/1.0) al####.u####.com:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) to####.ctobsn####.com:443
- TCP(TLS/1.0) st3.wagbr####.adverti####.####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) mav.m####.com.####.com:443
- TCP(TLS/1.0) pos.b####.com:443
- TCP(TLS/1.0) st####.ud####.com.####.com:443
- TCP(TLS/1.0) sw4.d####.com:443
- TCP(TLS/1.0) g.cn.miao####.com:443
- TCP(TLS/1.0) s####.al####.com:443
- TCP(TLS/1.0) lhyysdk####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) dm.byted####.com:443
- TCP(TLS/1.0) sf3-fe####.pglstat####.com:443
- TCP(TLS/1.0) wtc.d####.com:443
- TCP(TLS/1.0) epass####.didi####.com.cn:443
- TCP(TLS/1.0) yun.b####.com:443
- TCP(TLS/1.0) 1142864####.cn-hang####.fc.####.com:443
- TCP(TLS/1.0) dig.b####.net:443
- TCP(TLS/1.0) gsacti####.didi####.com.cn:443
- TCP(TLS/1.0) a####.al####.com:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) nim.qi####.com:443
- TCP(TLS/1.0) pang####.sn####.com:443
- TCP(TLS/1.0) api16-a####.pa####.io.####.net:443
- TCP(TLS/1.0) quickon####.b0.a####.com:443
- TCP(TLS/1.0) msg.umengc####.com:443
- TCP(TLS/1.0) v.d####.cn:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) qy-swa####.qi####.com:443
- TCP(TLS/1.0) m.sakab####.cn:443
- TCP(TLS/1.0) jingtai####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) et2.wagbr####.adverti####.####.com:443
- TCP(TLS/1.0) na61-####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) pp.c####.com:443
- TCP(TLS/1.0) dxp.b####.com:443
- TCP link-####.net####.im:8080
- TCP l####.net####.im:8080
- TCP 39.1####.37.225:9066
- TCP gw.adv####.com:8080
- TCP zb-cent####.m.ta####.com:443
Запросы DNS:
- 10####.zhit####.com
- 602.a####.top
- 653.a####.top
- 78####.cc
- a####.al####.com
- a####.d####.com
- a####.m.sm.cn
- a####.man.aliy####.com
- a.78####.cc
- acti####.t####.cn
- ad.api.clou####.xyz
- ad.l####.com
- ad.smudge####.com
- adx####.hvf####.com
- ag####.m.ta####.com
- akd####.aog####.com
- amdc####.m.ta####.com
- and####.b####.qq.com
- ap####.math####.cn
- api.40088####.com
- api.a####.ads####.cn
- api.g####.vip
- api.yunco####.com
- api.z####.com
- api16-a####.pa####.io
- app.a####.top
- b####.bugse####.com
- b####.bugse####.com
- bx.ads####.cn
- c####.aut####.cn
- c####.mm####.com
- c.c####.com
- c.cdn.wa####.xyz
- cdn.boo####.com
- cdn.jiu####.com
- ck.j####.top
- cn.f####.top
- co####.ssp.adoc####.com
- cui.dspliul####.com
- cw####.mintl####.cn
- d####.cn
- dic####.hnn####.com
- dig.b####.net
- dm.byted####.com
- dm.ps####.com
- dm.tou####.com
- down####.baiyuns####.com
- dpubst####.ud####.com
- dup.baidust####.com
- dwf.linx####.com
- dxp.b####.com
- e####.ta####.com
- ec####.b####.com
- epass####.didi####.com.cn
- err.ta####.com
- f####.st####.z####.com
- fc.b####.com
- filt####.a####.top
- fou####.ta####.com
- g.al####.com
- g.cn.miao####.com
- geb####.slj####.com
- gn####.f####.top
- gsacti####.didi####.com.cn
- gw.adv####.com
- h####.b####.com
- h####.c####.com
- hm.b####.com
- i####.d####.com
- i####.t####.sogo####.com
- i.iqt####.com
- ip.ta####.com
- j####.g####.vip
- jingtai####.oss-cn-####.aliy####.com
- jp####.njt####.com
- jxs####.slj####.com
- l####.m.sm.cn
- l####.net####.im
- l####.tbs.qq.com
- lbs.net####.im
- lhyysdk####.oss-cn-####.aliy####.com
- link-####.net####.im
- lla####.slj####.com
- log.mm####.com
- m####.me####.com
- m.our####.cn
- m.sakab####.cn
- mav.m####.com
- msg.umengc####.com
- mt####.go####.com
- mto####.hvf####.com
- n####.be####.s####.com
- newap####.math####.cn
- nim.qi####.com
- p####.api.adoc####.com
- p####.bugse####.com
- p####.hfc####.com
- p27.f####.net
- pang####.sn####.com
- pco####.c####.com
- pco####.sm.cn
- plb####.u####.com
- pos.b####.com
- pp.c####.com
- pv.s####.com
- q####.com
- qy-swa####.qi####.com
- r1.baiyuns####.com
- res####.a####.com
- res####.a####.top
- s####.al####.com
- s####.e.qq.com
- s####.m.sm.cn
- s11.c####.com
- s4.c####.com
- s9.c####.com
- s95.c####.com
- s96.c####.com
- sf3-fe####.pglstat####.com
- sf3-ttc####.ps####.com
- st####.ud####.com
- sw4.d####.com
- sy.cl####.com
- t####.a####.top
- to####.ctobsn####.com
- u####.a####.top
- u####.b0.upa####.com
- u####.u####.com
- umen####.m.ta####.com
- umengj####.m.ta####.com
- v.d####.cn
- v1.c####.com
- w####.aut####.cn
- w####.c####.com
- w####.pcon####.com.cn
- wtc.d####.com
- www.78####.cc
- www.78####.cc
- www.78####.cc
- www.f####.com
- xh.ma####.com
- y####.m.sm.cn
- ycb####.slj####.com
- ysr####.hpi####.com
- yun.b####.com
- yun.zhit####.com
- z11.c####.com
- z12.c####.com
- z13.c####.com
- z2.c####.com
- z3.c####.com
- z4.c####.com
- z6.c####.com
Запросы HTTP GET:
- 10####.zhit####.com:808/1020yd/index.html
- 10####.zhit####.com:808/1020yd/yrc_001mobile.js
- 10####.zhit####.com:99/wap/index.html?10####
- 58.2####.92.50:808/ghyd.html
- 58.2####.92.50:808/ywm.html
- 58.2####.92.50:808/zzz.html
- 78####.cc/index/backend/pro_count?event_id=####&channel_id=####&project_...
- 78####.cc/index/count/count_shell?shellname=####
- 78####.cc/index/limit/getLimit?channel=####&project=####
- 78####.cc/index/limit/limit_count?channel=####&project=####
- 78####.cc/index/limit/limit_get?channel=####&project=####
- 78####.cc/index/limit/limit_minute?channel=####&project=####
- 78####.cc/index/param/get_param?pro_name=####
- 78####.cc/index/publics/get_hot_data
- a####.d####.com/rewrite?fromid=####
- a.78####.cc/index/upapp/app_datas?upapp_id=####&imei=####&channel_id=####
- ad.l####.com/sdk_ad
- ad.l####.com:3000/api?rdtime=####&secure=####&channel=####&osv=####&adid...
- ad.l####.com:3002/api?rdtime=####&secure=####&channel=####&osv=####&adid...
- ad.smudge####.com:8986/api/5/detail/report?businessId=####&token=####&ti...
- api.40088####.com:8181/tran/360/wan?a=####&u=####&uri=aHR####
- api.a####.ads####.cn/thirdparty/sapi/callback?cid=####&adspaceid=####&mc...
- api.z####.com/v1/advert/config?product=####×tamp=####&platform=####...
- app.a####.top/anshuaControl.json
- app.a####.top/api.json
- app.a####.top/pingpaiAD.json
- b####.bugse####.com/sdk_ad
- b####.bugse####.com:3000/api?rdtime=####&secure=####&channel=####&osv=##...
- b####.bugse####.com:3002/api?rdtime=####&secure=####&channel=####&osv=##...
- c####.aut####.cn.####.com/album/g24/M00/81/7D/userphotos/2020/01/03/14/C...
- c####.aut####.cn.####.com/album/g24/M09/81/81/userphotos/2020/01/03/14/C...
- c####.aut####.cn.####.com/album/g3/M05/29/60/userphotos/2020/01/03/14/Ch...
- c####.aut####.cn.####.com/album/g30/M02/2D/CC/userphotos/2020/01/03/14/C...
- c####.aut####.cn.####.com/album/g30/M02/32/D8/userphotos/2020/01/03/14/C...
- c####.aut####.cn.####.com/album/g30/M05/2D/C8/userphotos/2020/01/03/14/C...
- c####.aut####.cn.####.com/album/g30/M06/2D/C6/userphotos/2020/01/03/14/C...
- c####.aut####.cn.####.com/album/g30/M07/2D/CA/userphotos/2020/01/03/14/C...
- c####.aut####.cn.####.com/album/g30/M09/2D/BD/userphotos/2020/01/03/14/C...
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/stat.php?id=####&web_id=####
- c.c####.com/z_stat.php?id=####&web_id=####
- ck.j####.top/jssdk/mi0099.js
- co####.ssp.adoc####.com/api/v2/SDKActiveConfig?version=####&channelCode=...
- co####.ssp.adoc####.com/api/v2/SDKCommonConfig?channelCode=####&version=...
- co####.ssp.adoc####.com/api/v2/gpConfig?channelCode=####&version=####
- co####.ssp.adoc####.com/api/v2/mgmConfig?channelCode=####&version=####
- co####.ssp.adoc####.com/api/v2/mgmWebviewRatioConfig?channelCode=####&ve...
- cui.dspliul####.com:99/xiao/index.html
- d####.cn/fenpei.html?3####
- dup.baidust####.com/js/os.js
- ec####.b####.com/se.jpg?type=####&ver=####&rdm=####
- err.ta####.com/error1.html?c=404&u=/hz.aplus.taobao.org/app.gif?&cna=GXd...
- f####.st####.z####.com/php12123/03900daf4277d586d8954ac206d479cc.jpg
- f####.st####.z####.com/php12123/1afdba9a082e19aafbe70653cd7c230b.png
- f####.st####.z####.com/php12123/20190319/1d0ad428ee3db572f8d7dc9caf5318a...
- f####.st####.z####.com/php12123/24f87b460ec4e6ca966c3692edc8cd00.jpg
- f####.st####.z####.com/php12123/2f19e5feb68e2cc422a3e4640dc9ba9b.png
- f####.st####.z####.com/php12123/579184f08ba1dfa1ff0516443b809eae.jpg
- f####.st####.z####.com/php12123/5c78aa7fb4c3f9d057b3a948414c7bc4.png
- f####.st####.z####.com/php12123/675783feaa75b10cfa4cefd8affb6129.png
- f####.st####.z####.com/php12123/6c93a4f440e277cc301113c029ff6e0b.png
- f####.st####.z####.com/php12123/83fca499aabf1fcb5f9821c670eb4ad4.png
- f####.st####.z####.com/php12123/b923d47945e1931a97b0d84980bacb7e.jpg
- f####.st####.z####.com/php12123/bb2c6ad76628fa69d9a0e96c778e28a1.png
- f####.st####.z####.com/php12123/cecbeee6af4d1c492b97e8d2853c9848.png
- f####.st####.z####.com/php12123/e2c51eff44598107d3404f290051f9f4.jpg
- f####.st####.z####.com/php12123/e55896bfdca034077cd0a3e53e9c54d0.png
- f####.st####.z####.com/php12123/f4847d62990d2de23fda16f7d3e9ce52.png
- filt####.a####.top/filter_control_602.json
- g.cn.miao####.com/x/k=2189293&p=7dJyy&dx=__IPDX__&rt=2&pro=n&ns=__IP__&n...
- g.cn.miao####.com/x/k=2189293&p=7dJyz&dx=__IPDX__&rt=2&pro=n&ns=__IP__&n...
- gd.a.s####.com/cityjson?ie=####
- gm.mm####.com/9.gif?abc=####&rnd=####
- gn####.f####.top:8080/qsad/api/getAd/ikQIalowRJD6xUuA7FZzCA==
- hm.b####.com/hm.js?6058df4####
- hm.b####.com/hm.js?e70ecd2####
- i####.t####.sogo####.####.com/wap/js/aw.js
- i####.t####.sogo####.####.com/wap/js/wp.js
- ip.ta####.com/service/getIpInfo.php?ip=####
- j####.g####.vip/fd.js
- m.our####.cn/search/atvs/
- mav.m####.com.####.com/l87znGx3
- mh####.b0.a####.com/sdk/cj016_cj016.html
- n####.be####.s####.com/wap_ask_service?callback=####&url=####
- newap####.math####.cn/ssp/mgm/task?taskId=####&ip=####
- p####.api.adoc####.com/ip
- p####.hfc####.com/c/dyonTuo.zip
- p####.hfc####.com/c/iuhaysdasd.zip
- p####.hfc####.com/c/l/11Y24jsbuliang.zip
- p####.hfc####.com/two/SOI349RED8EO35RE98FE359E844T9R.zip
- p####.hfc####.com/zz/503krenjgboy.zip
- p27-fto####.b0.a####.com/
- p27-fto####.b0.a####.com/css/base_v6.css
- p27-fto####.b0.a####.com/css/reset.css
- p27-fto####.b0.a####.com/sm/wm972039.js?key=####
- p27-fto####.b0.a####.com/vo.js?key=####
- pos.b####.com/bfp/snippetcacher.php?dpv=####&di=####
- pp.c####.com/cfzx.php?o_id=273?173####
- pp.c####.com/cfzx.php?o_id=273?285####
- pp.c####.com/cfzx.php?o_id=273?483####
- pp.c####.com/cfzx.php?o_id=273?551####
- pp.c####.com/cfzx.php?o_id=273?602####
- pp.c####.com/cfzx.php?o_id=273?605####
- pp.c####.com/cfzx.php?o_id=273?725####
- pp.c####.com/cfzx.php?o_id=273?772####
- pp.c####.com/cfzx.php?o_id=274?100####
- pp.c####.com/cfzx.php?o_id=274?161####
- pp.c####.com/cfzx.php?o_id=274?231####
- pp.c####.com/cfzx.php?o_id=274?286####
- pp.c####.com/cfzx.php?o_id=274?299####
- pp.c####.com/cfzx.php?o_id=274?342####
- pp.c####.com/cfzx.php?o_id=274?408####
- pp.c####.com/cfzx.php?o_id=274?448####
- pp.c####.com/cfzx.php?o_id=274?634####
- pp.c####.com/cfzx.php?o_id=274?642####
- pp.c####.com/cfzx.php?o_id=274?712####
- pp.c####.com/cfzx.php?o_id=274?763####
- pp.c####.com/cfzx.php?o_id=274?816####
- pp.c####.com/icfzx.php
- q####.com/N7WGC21F5LSO.jar
- res####.a####.top/LHYY.png
- res####.a####.top/sdk13_2.png
- res####.a####.top/sdk16.png
- res####.a####.top/sdk18_4.png
- res####.a####.top/sdk19.png
- res####.a####.top/sdk21.png
- res####.a####.top/sdk24_3.png
- res####.a####.top/sdk5.png
- res####.a####.top/sdk7.png
- s####.al####.com/L1/272/6837/static/wap/img/uc-32.png
- s####.al####.com/L1/272/6837/static/wap/img/uc.png
- t####.a####.top/anshua.json
- t####.a####.top/channl_haoqi1.png
- t####.a####.top/req.json
- u####.a####.top/602.html
- u####.a####.top/653.html
- u####.a####.top/js1005.html
- u####.b0.upa####.com/libs/jquery/jquery-2.0.3.min.js
- w####.aut####.cn/chejiahaodfs/g24/M05/81/34/autohomecar__ChsEl14O2HuAfsG...
- w####.aut####.cn/chejiahaodfs/g27/M0A/30/61/autohomecar__ChsEfF4O3u6Ab9i...
- w####.aut####.cn/chejiahaodfs/g29/M07/2E/7A/autohomecar__ChsEn14O3oaACyo...
- w####.aut####.cn/chejiahaodfs/g3/M03/35/FB/autohomecar__ChcCRV4O2HuAITYb...
- w####.aut####.cn/chejiahaodfs/g3/M03/36/17/autohomecar__ChcCRV4O3XOAEW4L...
- w####.c####.com/abc/xyz/point/index.php
- www.78####.cc/cnzz/index4.html
- www.78####.cc/index/param/get_param?pro_name=####
- www.78####.cc/index/project/project_status?action=####
- www.78####.cc/index/publics/get_ip
- www.f####.com/search/144562d31363636_1.html
- www.f####.com/static/js/dist/clipboard.min.js
- xh.ma####.com/
- xh.ma####.com/css/common.css
- xh.ma####.com/css/default.css
- xh.ma####.com/js/common.js
- xh.ma####.com/js/jquery.min.js
- yun.zhit####.com:99/yun/index.html
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
- z.c####.com/stat.htm?id=1256135178&r=http://dspcc.cn/fenpei.html?3####&l...
- z.c####.com/stat.htm?id=1256135229&r=http://dspcc.cn/fenpei.html?3####&l...
Запросы HTTP POST:
- 78####.cc/index/backend/pro_data
- 78####.cc/index/package/pack_add
- acti####.t####.cn/native/sdk/event/log
- ad.api.clou####.xyz/ads
- ad.smudge####.com:8986/api/5/detail?businessId=####&token=####×tamp...
- adx####.hvf####.com:10259/7471fc/
- adx####.hvf####.com:10259/7peta8/
- adx####.hvf####.com:10317/widlth/
- adx####.hvf####.com:10317/xkeila/
- akd####.aog####.com:19001/vgqcuctsmu/
- amdc####.m.ta####.com/amdc/mobileDispatch?appkey=####&deviceId=####&plat...
- and####.b####.qq.com/rqd/async?aid=####
- ap####.math####.cn/titan/monitor/device_info
- api.40088####.com:8181/v3/entry/list
- api.a####.ads####.cn/thirdparty/sapi/chn
- api.yunco####.com/service/rest
- api.z####.com/app/version/android-upgrade
- api.z####.com/pc/news/get-article-category
- api.z####.com/pc/news/get-category-list-by-pinyin-abbr
- api.z####.com/push-tag/list
- api.z####.com/tab-conf/app-column-conf
- api.z####.com/tab-conf/app-sys-conf
- api.z####.com/tab-conf/uuid
- api.z####.com/tips/index
- api.z####.com/v1/advert/list
- cn.f####.top:8080/qsad/api/c/c
- geb####.slj####.com:17002/6a4it/
- geb####.slj####.com:17002/jw1pw/
- gn####.f####.top:8080/qsad/api/c/c
- i.iqt####.com:651/slsdk/getdata.aspx
- jp####.njt####.com:10091/wisdom/marking
- jxs####.slj####.com:17002/5rhxg/
- l####.tbs.qq.com/ajax?c=####&k=####
- mto####.hvf####.com:10259/7471fc/
- mto####.hvf####.com:10259/xhzsud/
- r1.baiyuns####.com/service/rest
- res####.a####.com/v3/weather/weatherInfo
- s####.e.qq.com/activate
- w####.pcon####.com.cn/ip.jsp
- www.78####.cc/index/backend/pro_data
- www.78####.cc/index/package/pack_add
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-1135038580-754662270
- /data/data/####/-1852006340
- /data/data/####/-Ovo9IAsPMHUUHmpv-655O_MhyE.-1255340953.tmp
- /data/data/####/.cl
- /data/data/####/.ef0b4ddacc046d054f437ba0af966623
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.jg.ri
- /data/data/####/.jg.store.report_cf
- /data/data/####/07d31d470827ca6b0da1dda8885c1368.db
- /data/data/####/1002
- /data/data/####/1004
- /data/data/####/13_2.dex (deleted)
- /data/data/####/13_2.jar
- /data/data/####/16.dex (deleted)
- /data/data/####/16.jar
- /data/data/####/18_4.dex (deleted)
- /data/data/####/18_4.jar
- /data/data/####/19.dex (deleted)
- /data/data/####/19.jar
- /data/data/####/1d2b904cbeadfb72ed9546111a231c85.0
- /data/data/####/21.dex (deleted)
- /data/data/####/21.jar
- /data/data/####/24_3.dex (deleted)
- /data/data/####/24_3.jar
- /data/data/####/24c110e1f76093b35c3c2df1927aab79.0
- /data/data/####/26wW655QKvpuznVh2oEcFLFgA04.-296433953.tmp
- /data/data/####/3327275
- /data/data/####/3941844900304.0
- /data/data/####/43d2389c33b84651a5acac9486303717
- /data/data/####/44367F39739CCD6BBF960E91E7DB78B2.xml
- /data/data/####/4B8DB6B83129A65A2EF4DCFC1393C3B0.xml
- /data/data/####/5.dex (deleted)
- /data/data/####/5.jar
- /data/data/####/5yw4MwbnPD3TRQd31cSC6hhecVs.46538973.tmp
- /data/data/####/6354d1a8bad12a42ddc776ccf00fc08d.db
- /data/data/####/65a89b0d5130222f89f71ed812ac122f.db
- /data/data/####/6KrF430qkev7p2rSKCHETnJZPKE.235835855.tmp
- /data/data/####/6bad1320719545b59bbcb7e1117c14e3
- /data/data/####/7.dex (deleted)
- /data/data/####/7.jar
- /data/data/####/77269110afc285fb3b477e86a49dca81.db
- /data/data/####/7765019218066.0
- /data/data/####/7942665025765.0
- /data/data/####/7LrAIiDPBVumNYftpBqHGGHvLbY.436372045.tmp
- /data/data/####/7UFk7b3fo5Wkx67tC8VgUa06xSs.-2086579100.tmp
- /data/data/####/8285687079f726e81979764e271ed349
- /data/data/####/8483b7491b1f419647d94d8f5e3761a3.db
- /data/data/####/8483b7491b1f419647d94d8f5e3761a3.dex
- /data/data/####/8483b7491b1f419647d94d8f5e3761a3.jar
- /data/data/####/8EAD111D030291821E19A80E344C340A.xml
- /data/data/####/965928347771.0
- /data/data/####/9791062b2062bd5e2b2f75caad8fa155.db
- /data/data/####/9QKJlQ7DHTUc7HRQzC_RHPky8U8.-1929268813.tmp
- /data/data/####/ACCS_BINDumeng;58107fdec8957663fb003c19.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/ApplicationCache.db
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/BUGLY_COMMON_VALUES.xml
- /data/data/####/ContextData.xml
- /data/data/####/DaemonServer
- /data/data/####/HbwekGTCAFXE65I1EHPPcyX7SDc.469786196.tmp
- /data/data/####/Ix132mMskey1.xml
- /data/data/####/KVzIaefx5yxyt61caVz5M1w2_X4.-1791340252.tmp
- /data/data/####/LQLpHUZeu3sxhxRbm3j-_I-yMPg.-290052594.tmp
- /data/data/####/MGUX2oRoa6357l6auSBTgn6_5HE.-752759454.tmp
- /data/data/####/MRDElCW09QcGwWORGnMt4iQzN40.191137706.tmp
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/MultiDex.lock
- /data/data/####/NIMSDK_Config_f7274dbc6d1b56317a1437bb9d42f596.xml
- /data/data/####/NIMSDK_Config_f7274dbc6d1b56317a1437bb9d42f596_...ea.xml
- /data/data/####/PXgmPlIhnHT1TLrufRqEyc96AoQ.-1495064075.tmp
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/Unicorn.f7274dbc6d1b56317a1437bb9d42f596.xml
- /data/data/####/V8r-vGNDM614gmwRBcRd2I0LqVc.604360694.tmp
- /data/data/####/VUgwE5xJtoENdWu_r7ustPGhjPk.1892869919.tmp
- /data/data/####/We5YimWhUgvu0BVXRK1EFao6THo.1335190452.tmp
- /data/data/####/WebViewBasePrefs.xml
- /data/data/####/XkdjsIx132mM356507059351895comm.xml
- /data/data/####/XkdjsIx132mM356507059351895tasks.xml
- /data/data/####/XkdjsIx132mMskey1.xml
- /data/data/####/YGGT_HxsSWCw1xwSbgHAakeYHhs.-1725351479.tmp
- /data/data/####/__Baidu_Stat_SDK_SendRem.xml
- /data/data/####/__local_ap_info_cache.json
- /data/data/####/__local_last_session.json
- /data/data/####/__local_stat_cache.json
- /data/data/####/__send_data_1606519041210
- /data/data/####/__send_data_1606519088596
- /data/data/####/_p.xml
- /data/data/####/_sh.xml
- /data/data/####/accs.db
- /data/data/####/accs.db-journal
- /data/data/####/agoo.pid
- /data/data/####/ahq_spu_ti.xml
- /data/data/####/azCXUfoP3EEwjARu-lpax6-PMO8.-1851706062.tmp
- /data/data/####/bEpCl9OGns9oCvcE_j8SV3pX7YI.993909135.tmp
- /data/data/####/bVALwOLn3S7QCHAeIa9SVh65GoE.457734555.tmp
- /data/data/####/baidu_mtj_sdk_record.xml
- /data/data/####/baidu_mtj_sdk_record.xml.bak (deleted)
- /data/data/####/bd_embed_tea_agent.db-journal
- /data/data/####/be8daf1d4c724541a608470c8f0a4469
- /data/data/####/bugly_db_-journal
- /data/data/####/bxRY-BNV9nVjQ7GmvhTh9_ey00E.-1185004523.tmp
- /data/data/####/c1043658b041986e0521eea2237c83fa.db
- /data/data/####/cdu_st_-1510132342
- /data/data/####/cdu_st_-1897404729
- /data/data/####/cdu_st_-1963733048
- /data/data/####/cdu_st_-646630316
- /data/data/####/cdu_st_-724289219
- /data/data/####/cdu_st_-752754616
- /data/data/####/cdu_st_1495260626
- /data/data/####/cdu_st_1606883332
- /data/data/####/cdu_st_465275389
- /data/data/####/cdu_st_759790841
- /data/data/####/channel_umeng_common_config.xml
- /data/data/####/chuanglan_report_2.2.1.db
- /data/data/####/chuanglan_report_2.2.1.db-journal
- /data/data/####/com.qiyukf.analytics.xml
- /data/data/####/com.wswy.wzcx.BETA_VALUES.xml
- /data/data/####/comwroteogigeoig.xml
- /data/data/####/core_info
- /data/data/####/core_umeng_common_config.xml
- /data/data/####/crashrecord.xml
- /data/data/####/dW1weF9pbnRlcm5hbF8xNjA2NTE5MDI3NDE5;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNjA2NTE5MDQ4MTc5;
- /data/data/####/dW1weF9wdXNoX2xhdW5jaF8xNjA2NTE5MDU5MDk3;
- /data/data/####/dW1weF9wdXNoX3JlZ2lzdGVyXzE2MDY1MTkwMzk5OTQ=;
- /data/data/####/daemonserver.pid
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/download_upload
- /data/data/####/downloader.db-journal
- /data/data/####/dso_deps
- /data/data/####/dso_lock
- /data/data/####/dso_manifest
- /data/data/####/dso_state
- /data/data/####/eHhkX3Nw.xml
- /data/data/####/eHhkX3Nw.xml (deleted)
- /data/data/####/ed5bfe4bdbec3416c956d017ae73c00a
- /data/data/####/embed_applog_stats.xml
- /data/data/####/embed_header_custom.xml
- /data/data/####/embed_last_sp_session.xml
- /data/data/####/eudemon
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f51f0fcf55e6820131458f6e7f8df1e6.db
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/fas.xml
- /data/data/####/fas.xml.bak
- /data/data/####/ff47dc5781a0e1e22840736ad7f587f0.db
- /data/data/####/fjlroaUZTyoHr6WJzdwn9PCMuOo.-686057298.tmp
- /data/data/####/gameid
- /data/data/####/gameid.zip
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/httpdns_config_cache.xml
- /data/data/####/hxdata.xml
- /data/data/####/i==1.2.0&&3.8.0_1606519027578_envelope.log
- /data/data/####/i==1.2.0&&3.8.0_1606519048218_envelope.log
- /data/data/####/index
- /data/data/####/info.xml
- /data/data/####/javasdklog.xml
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/k.store
- /data/data/####/kDUB0ypHpgxf5XkltPTnJn5G5n4.928425159.tmp
- /data/data/####/kk_datas_info.xml
- /data/data/####/lAm5r4Doho48k5p5bD06F3U4iaU.283799055.tmp
- /data/data/####/libcuid.so
- /data/data/####/libjiagu-285061115.so
- /data/data/####/libqzwmfb.so
- /data/data/####/libqzwmfb.so-32
- /data/data/####/libqzwmfb.so-64
- /data/data/####/local_crash_lock
- /data/data/####/logdb.db
- /data/data/####/logdb.db-journal
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/mp2.tmp
- /data/data/####/mp28.tmp
- /data/data/####/mp3.tmp
- /data/data/####/mtj_auto.config
- /data/data/####/mtj_autoTracker.js
- /data/data/####/multidex.version.xml
- /data/data/####/nFp9byL9T2PMuHlffpObyB75Jws.-1228309344.tmp
- /data/data/####/native_record_lock
- /data/data/####/npth.xml
- /data/data/####/npth_log.db-journal
- /data/data/####/nzjR-9R-AjjBUbo6GFraz25j0s4.-1662754614.tmp
- /data/data/####/pp-Pl0vwwRC9G47uAHMHH2DheUg.-173146894.tmp
- /data/data/####/pref_bl
- /data/data/####/push_app_3.xml
- /data/data/####/qihoo_jiagu_crash_report.xml
- /data/data/####/qiyu_save_f7274dbc6d1b56317a1437bb9d42f596.xml
- /data/data/####/qqsz_file.xml
- /data/data/####/qqsz_file.xml.bak (deleted)
- /data/data/####/rWstcE2VSVvhfwJlts0JcdbwNDE.-2008789671.tmp
- /data/data/####/security_info
- /data/data/####/shanyan_share_data.xml
- /data/data/####/snssdk_openudid.xml
- /data/data/####/sp2.dex
- /data/data/####/sp2.jar
- /data/data/####/sp28.dex
- /data/data/####/sp28.jar
- /data/data/####/sp3.dex
- /data/data/####/sp3.jar
- /data/data/####/spUtils.xml
- /data/data/####/sp_name.xml
- /data/data/####/sp_push_time.xml
- /data/data/####/spu_ti.xml
- /data/data/####/spu_yj.xml
- /data/data/####/ssoconfigs.xml
- /data/data/####/szsh.xml
- /data/data/####/t==8.1.2&&3.8.0_1606519036001_envelope.log
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbs_pv_config
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/trace_circle.data
- /data/data/####/tsmbyr.png
- /data/data/####/tt_ad_sdk_sp.xml
- /data/data/####/tt_dns_settings.xml
- /data/data/####/tt_sdk_settings.xml
- /data/data/####/tt_sp_app_list.xml
- /data/data/####/ttopenadsdk.xml
- /data/data/####/ttopensdk.db-journal
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umengDB.db
- /data/data/####/umengDB.dex (deleted)
- /data/data/####/umengDB.jar
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_message_state.xml
- /data/data/####/unicorn#cheese#
- /data/data/####/update_lc
- /data/data/####/webview.db
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/data/####/wppdjrwj.jar
- /data/data/####/xNF0YnVwBXsQiqhyfoKPjGzOufQ.624588191.tmp
- /data/data/####/xdtversion.xml
- /data/data/####/yd_config_c.xml
- /data/data/####/yrd2LahakXDWZqXYv60oEw6nX_c.-863403053.tmp
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.confd
- /data/media/####/.confd-journal
- /data/media/####/.cuid
- /data/media/####/.cuid2
- /data/media/####/.did
- /data/media/####/.ef0b4ddacc046d054f437ba0af966623
- /data/media/####/.kkid
- /data/media/####/.nomedia
- /data/media/####/.timestamp
- /data/media/####/.umm.dat
- /data/media/####/.usdis
- /data/media/####/1606519023228.db
- /data/media/####/1606519046267.db
- /data/media/####/306FA3F0A104985E3C7626619F8FB1F9
- /data/media/####/306FA3F0A104985E3C7626619F8FB1F9.jar
- /data/media/####/306FA3F0A104985E3C7626619F8FB1F9.temp
- /data/media/####/62E1A4628E3E24BCE7589CD0AD43C2AF
- /data/media/####/6E97E5851812F20B9487F262218488CC
- /data/media/####/7256A17995AA65F989B6622B9B448418
- /data/media/####/73fb0b480a78a79f0c2a270ba27969f5.tmp
- /data/media/####/8E7DF91940E3B1D1B86A9498DD67BEB4.temp
- /data/media/####/8E7DF91940E3B1D1B86A9498DD67BEB4.zip
- /data/media/####/A2B147E1CEFFE94412C486F9706132C3.temp
- /data/media/####/A2B147E1CEFFE94412C486F9706132C3.zip
- /data/media/####/Alvin2.xml
- /data/media/####/CA7D898961228BF9A6EBC717E0F19DCE
- /data/media/####/CCCC5B8911BBCB224E5317F7FB929A12.jar
- /data/media/####/CCCC5B8911BBCB224E5317F7FB929A12.temp
- /data/media/####/ContextData.xml
- /data/media/####/D967A959D8E39AF63D48D9EACAEC1F70.temp
- /data/media/####/D967A959D8E39AF63D48D9EACAEC1F70.zip
- /data/media/####/_pn
- /data/media/####/_shn
- /data/media/####/alsn20170807.db
- /data/media/####/alsn20170807.db-journal
- /data/media/####/cad79567a681799f51f979518b1d66dc.tmp
- /data/media/####/clientudid.dat
- /data/media/####/config.txt
- /data/media/####/deviceToken
- /data/media/####/sysid.dat
- /data/media/####/tbslog.txt
- /data/media/####/temp_pkg_info.json
- /data/media/####/tmp_c_20201128
- /data/media/####/tmp_u_20201128
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/sh -c getprop
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:58107fdec8957663fb003c19","utdid":"X8GI8IMaOE8DAGdzx1FlmfYV","sdkVersion":"221"} -I agoodm.m.taobao.com -O 80 -T -Z
- cat /proc/version
- cat /sys/class/net/wlan0/address
- chmod 500 <Package Folder>/files/DaemonServer
- getprop
- getprop ro.board.platform
- getprop ro.build.display.id
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.letv.release.version
- getprop ro.miui.ui.version.name
- getprop ro.product.cpu.abi
- getprop ro.smartisan.version
- getprop ro.vivo.os.build.display.id
- getprop ro.vivo.os.version
- getprop ro.yunos.build.version
- logcat -d -v threadtime
- ls /
- ls /sys/class/thermal
- mount
- sh
Загружает динамические библиотеки:
- crash_analysis
- libimagepipeline
- libjiagu-285061115
- libnative-imagetranscoder
- libqzwmfb
- nms
- tnet-3.1
- tobEmbedEncrypt
- yaqcore_gdtadv
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- DES
- DES-CBC-PKCS5Padding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-None-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- DES
- RSA-None-PKCS1Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию о настроках APN.
Получает информацию об установленных приложениях.
Получает информацию о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
