Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Triada.531.origin
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) zxcon####.zhaoxi####.com:80
- TCP(HTTP/1.1) i####.17k.com:80
- TCP(HTTP/1.1) gs.g####.com:80
- TCP(HTTP/1.1) b####.g####.com:80
- TCP(HTTP/1.1) api.s####.mob.com:80
- TCP(HTTP/1.1) l.gm.m####.com:80
- TCP(HTTP/1.1) cdn.st####.17k.com:80
- TCP(HTTP/1.1) sdk.xinxi####.com:8100
- TCP(HTTP/1.1) c####.g####.com:80
- TCP(HTTP/1.1) norma-e####.m####.com:80
- TCP(HTTP/1.1) beacon####.aliy####.com:80
- TCP(TLS/1.0) media####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) sh.wagbr####.aliyun####.com:443
- TCP(TLS/1.0) i####.17k.com:443
- TCP(TLS/1.0) zxbook####.zhaoxi####.com:443
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) azh####.com:9190
- TCP(TLS/1.0) sf3-ttc####.ps####.com:443
- TCP(TLS/1.0) api16-a####.pa####.io.####.net:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) azh####.com:9061
- TCP(TLS/1.0) al####.u####.com:443
- TCP(TLS/1.0) bookc####.yu####.com.####.com:443
- TCP(TLS/1.0) f####.zhaoxi####.com:443
- TCP(TLS/1.0) to####.ctobsn####.com:443
- TCP(TLS/1.0) cow.zhaoxi####.com:443
- TCP(TLS/1.0) dig.b####.net:443
- TCP(TLS/1.0) dm.ps####.com:443
- TCP(TLS/1.0) 64.2####.161.95:443
- TCP(TLS/1.0) gs.g####.com:443
- TCP(TLS/1.2) 2####.58.208.106:443
- TCP(TLS/1.2) 2####.85.233.101:443
- TCP(TLS/1.2) 64.2####.162.94:443
Запросы DNS:
- a####.man.aliy####.com
- ad1.azh####.com
- ada####.ut.ta####.com
- api.s####.mob.com
- api16-a####.pa####.io
- azh####.com
- b####.g####.com
- beacon####.aliy####.com
- bookc####.yu####.com
- c####.g####.com
- c####.g####.com
- c####.zhaoxi####.com
- cdn.st####.17k.com
- cow.zhaoxi####.com
- dig.b####.net
- dm.byted####.com
- dm.ps####.com
- dm.tou####.com
- f####.zhaoxi####.com
- f.gm.m####.com
- gs.g####.com
- i####.17k.com
- instant####.google####.com
- l.gm.m####.com
- m####.go####.com
- media####.oss-cn-####.aliy####.com
- norma-e####.m####.com
- p####.google####.com
- pang####.sn####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- sdk.xinxi####.com
- sf3-fe####.pglstat####.com
- sf3-ttc####.ps####.com
- to####.ctobsn####.com
- u####.u####.com
- zxbook####.zhaoxi####.com
- zxcon####.zhaoxi####.com
Запросы HTTP GET:
- cdn.st####.17k.com//cp/book/600x800/2906280.jpg
- i####.17k.com/cmsimg/recommend/600_800/0/89/2730089/2730089.jpg
- l.gm.m####.com/privacy/policy/authorization/status?appkey=####&apppkg=##...
- norma-e####.m####.com/android/exchange/getpublickey.do
- zxcon####.zhaoxi####.com/image/book/11/829451/8a7ca715689ae70d557d270750...
- zxcon####.zhaoxi####.com/image/book/395/827787/2ddbc11601c4671bb464a824b...
- zxcon####.zhaoxi####.com/image/book/402/809362/e95960b721bc3cafbed5fd46e...
- zxcon####.zhaoxi####.com/image/book/561/844337/c3c071ec9ed418cb6fc83e350...
- zxcon####.zhaoxi####.com/image/book/565/754229/745664c42624817c17f000d8a...
- zxcon####.zhaoxi####.com/image/book/69/826437/9bc3c871ae78198d0a0cec9a1e...
- zxcon####.zhaoxi####.com/image/book/738/813794/08cecc871f92bef4226d5697a...
- zxcon####.zhaoxi####.com/image/book/820/806708/7b72a7aa21c5f850eb7dfb542...
- zxcon####.zhaoxi####.com/image/book/830/806718/4c8df3dd5d6118d26d66c5a24...
- zxcon####.zhaoxi####.com/image/book/936/749480/9ee2c8219331f3299d22e383c...
- zxcon####.zhaoxi####.com/image/book/955/829371/518b3655cad104acd6de6bbf5...
- zxcon####.zhaoxi####.com/image/book/97/746593/a45c5d50f915ba12a09cf81658...
Запросы HTTP POST:
- api.s####.mob.com/conf5
- api.s####.mob.com/conn
- api.s####.mob.com/snsconf
- b####.g####.com/api.php?format=####&t=####
- beacon####.aliy####.com/beacon/fetch/config/byappkey
- c####.g####.com/api.php?format=####&t=####
- gs.g####.com/geshu/sdk/getBaseConfs
- gs.g####.com/geshu/sdkStatistics/bd
- gs.g####.com/geshu/sdkStatistics/ubi
- norma-e####.m####.com/push/android/external/add.do
- sdk.xinxi####.com:8100/api/getAppVersion
- sdk.xinxi####.com:8100/api/sdk/init2
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.artc_lock
- /data/data/####/.at_lock
- /data/data/####/.dex2oatlock
- /data/data/####/.dic_lock
- /data/data/####/.du_lock
- /data/data/####/.duid
- /data/data/####/.dvcv_lock
- /data/data/####/.globalLock
- /data/data/####/.im_lock
- /data/data/####/.imprint
- /data/data/####/.lesd_lock
- /data/data/####/.lock
- /data/data/####/.mrecord
- /data/data/####/.mrlock
- /data/data/####/.pkg_lock
- /data/data/####/.pkgs_lock
- /data/data/####/.slw
- /data/data/####/.statistics
- /data/data/####/.updateIV.dat
- /data/data/####/.updateIV.dat_0
- /data/data/####/.updateIV.dat_1
- /data/data/####/.vpl_lock
- /data/data/####/0000000lllll_0.dex
- /data/data/####/0000000lllll_1.dex
- /data/data/####/000392aecf36118418a483c2e29ba933c79ef6ecfc67291....0.tmp
- /data/data/####/000O00ll111l_0.dex
- /data/data/####/000O00ll111l_1.dex
- /data/data/####/00O000ll111l_0.dex
- /data/data/####/00O000ll111l_0.dex (deleted)
- /data/data/####/00O000ll111l_0.dex.flock
- /data/data/####/00O000ll111l_0.dex.flock (deleted)
- /data/data/####/00O000ll111l_1.dex
- /data/data/####/00O000ll111l_1.dex (deleted)
- /data/data/####/00O000ll111l_1.dex.flock
- /data/data/####/00O000ll111l_1.dex.flock (deleted)
- /data/data/####/03dc8e2cd2070d2ce2db0033d0a015dd9f0b6a3c6f1ad8e....0.tmp
- /data/data/####/0542bc985939f27d752a4cd2cd45b347964dd27c440ef2a....0.tmp
- /data/data/####/0OO00l111l1l
- /data/data/####/0OO00l111l1l.lock
- /data/data/####/0a6cbfd83b2a76402e6fe7187a7d6341160ed316990e773....0.tmp
- /data/data/####/12083322c1dd1d917c43f73ce6052c6f.0
- /data/data/####/12083322c1dd1d917c43f73ce6052c6f.1
- /data/data/####/19b6abd855e7b036f0ec382180bb39cca91b3766fae5d42....0.tmp
- /data/data/####/1babf212b7172c944dde66ead7058e3871b3a6158409f44....0.tmp
- /data/data/####/20c1d426df801c767a1d4a366e0e4b7ec6147c51a15ad59....0.tmp
- /data/data/####/2a70b089a47c5bbe2c0304e780469cae4eae167ccfabfa3....0.tmp
- /data/data/####/2bd2b2d66963f08fb28d954dff6cbdd5.0.tmp
- /data/data/####/2bd2b2d66963f08fb28d954dff6cbdd5.1.tmp
- /data/data/####/2ce6f4c5fb14f131bc0ab73147543d0e.0
- /data/data/####/2ce6f4c5fb14f131bc0ab73147543d0e.1
- /data/data/####/3f02bd674765e36065b1e955385dd67e3e8fc4e96e39554....0.tmp
- /data/data/####/43fa6267513f65fffe629fd9642a83a3.0.tmp
- /data/data/####/43fa6267513f65fffe629fd9642a83a3.1
- /data/data/####/44063d6b9f105dd3711d440ac979b2fab0ec22246a1ce55....0.tmp
- /data/data/####/478a6d67b4f5a97dc80e9f6f83ef94d8741abd33f93589a....0.tmp
- /data/data/####/52726f5171595a4dd304f900e5910b2e.0
- /data/data/####/52726f5171595a4dd304f900e5910b2e.1
- /data/data/####/53cc80c53b9b43ab5f6959c5faa10fad1a99d14b73cafc3....0.tmp
- /data/data/####/58bf8d410341e643bdaf5aa57db59924774b9d1923abc03....0.tmp
- /data/data/####/5bae02b7b21afabb10aa848a52d9b8ec.0.tmp
- /data/data/####/5bae02b7b21afabb10aa848a52d9b8ec.1
- /data/data/####/6b09e7dfed5037eb1d65d9fae3c695c0225012393e822f6....0.tmp
- /data/data/####/6ff32456c264cf8eefe861e83a125475a6fbaf98cd23061....0.tmp
- /data/data/####/7e96ccc7f3dc0571d7b528c7dd555b69887176b44fa6891....0.tmp
- /data/data/####/7f5e7d13bdd3c3911c0e7731f738d254.0
- /data/data/####/7f5e7d13bdd3c3911c0e7731f738d254.1
- /data/data/####/8097cddaa620974ccfe55d69dbc83e84.0
- /data/data/####/8097cddaa620974ccfe55d69dbc83e84.1
- /data/data/####/81c2a0e76099e133a3a622efa4d54ad40a4db3ec9e94723....0.tmp
- /data/data/####/89fe1e1108573fbb33f5c99c059d0f46.0.tmp
- /data/data/####/89fe1e1108573fbb33f5c99c059d0f46.1
- /data/data/####/8d7733426e092ba8ed0f6aec237cdcf7bec1da4e1dc8883....0.tmp
- /data/data/####/8ff5449f79caeccc7bac9bbef8b09c7e8556ce20a089fbe....0.tmp
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/MOBGUARD_100
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/UTCommon.xml
- /data/data/####/UTCommon.xml.bak
- /data/data/####/a11b7efafe0754cd76c9f5029fa1cc7b.0.tmp
- /data/data/####/a11b7efafe0754cd76c9f5029fa1cc7b.1.tmp
- /data/data/####/a264e824da54a97a84c20c750dd4490b619ca62e0533772....0.tmp
- /data/data/####/a4cc6898bccd12b06859fcae4028aeb8be9d14fab748caf....0.tmp
- /data/data/####/a514f3bafd1ef27356979d17a992d68d4154462d2673f4a....0.tmp
- /data/data/####/a==7.5.3&&6.0.615_1607804681232_envelope.log
- /data/data/####/ad_config.xml
- /data/data/####/ad_loader_config.xml
- /data/data/####/ad_show_time.xml
- /data/data/####/ap.Lock
- /data/data/####/app_channel.xml
- /data/data/####/b18e2141de3ef46b8866c57c2231572a.0
- /data/data/####/b18e2141de3ef46b8866c57c2231572a.1
- /data/data/####/b23bbbf5a20a2a069eb9e9c8b602c07b.0
- /data/data/####/b23bbbf5a20a2a069eb9e9c8b602c07b.1
- /data/data/####/b3ac83d81750d62cfb31fedeb987416ddeec373c9bdd463....0.tmp
- /data/data/####/b9c7ac9302208537247b0d0ee7a555e99fa79ee981c2c9e....0.tmp
- /data/data/####/bd_embed_tea_agent.db-journal
- /data/data/####/birdopenadsdk.xml
- /data/data/####/birdopenadsdk.xml.bak
- /data/data/####/c0ddb09bdeaa7905f033017ebdcf34bd4f6fcd35c57d67e....0.tmp
- /data/data/####/c1c95b91c8ad69c68965a733c65d0067.0
- /data/data/####/c1c95b91c8ad69c68965a733c65d0067.0.tmp
- /data/data/####/c1c95b91c8ad69c68965a733c65d0067.1
- /data/data/####/c626e37009cf1dc866f8d55f0deff965.0.tmp
- /data/data/####/c626e37009cf1dc866f8d55f0deff965.1
- /data/data/####/chapter_end_reward_video_config.xml
- /data/data/####/cmshljo_x.xml
- /data/data/####/com.x.y.1.xml
- /data/data/####/com.x.y.2.xml
- /data/data/####/com.zhaoxitech.cbook.xml
- /data/data/####/com.zhaoxitech.cbook_sdk_opt.xml
- /data/data/####/com_alibaba_aliyun_crash_defend_sdk_info
- /data/data/####/config.xml
- /data/data/####/cta.xml
- /data/data/####/d147d52a211f78ac5e124145a503eaea2a801c3d4d295ca....0.tmp
- /data/data/####/d28b4aba9b915d6c4d2e728d8149800d.0.tmp
- /data/data/####/d28b4aba9b915d6c4d2e728d8149800d.1.tmp
- /data/data/####/d5aa3cbc34fa63451c425cf4e3ec47c466afaa53d4c7425....0.tmp
- /data/data/####/dcfaa74e75782d44d634b58d56793edfc0980d00273ed94....0.tmp
- /data/data/####/dea86c72ff2f58a14511cbbd1544d55891b5894d54a661f....0.tmp
- /data/data/####/devyok.DATA_PROVIDER.xml
- /data/data/####/dfb4427532ed3602de172bbc54e846de.0
- /data/data/####/dfb4427532ed3602de172bbc54e846de.1
- /data/data/####/dfdf0a7d6de15a45a73e4469087495b5cc9e01740fe368b....0.tmp
- /data/data/####/downloader.db-journal
- /data/data/####/e527783732853271b519fec1f0b3448088b94b43b89d072....0.tmp
- /data/data/####/e8a32175aa3270b10afb7075c239e912d202cb9796c8ab1....0.tmp
- /data/data/####/ef0867ba0d5db27f5d3b7676440e10a4b91bc48fd01a72d....0.tmp
- /data/data/####/embed_applog_stats.xml
- /data/data/####/embed_header_custom.xml
- /data/data/####/embed_last_sp_session.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/fd5033d392328ff803f5aa9e2188a52d07f3abd4fee60da....0.tmp
- /data/data/####/fdfe5ff198d13b1d05951e48422ccb3261ea1e08d9605a4....0.tmp
- /data/data/####/getui_sp.xml
- /data/data/####/gtc.db-journal
- /data/data/####/hfnbirddownloader.db-journal
- /data/data/####/ias.db-journal
- /data/data/####/ias_sp.xml
- /data/data/####/ias_sp.xml.bak
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/init_code_id_12039_1660476884
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/libshellx-super.2019.so
- /data/data/####/lotus.dex
- /data/data/####/lotus.dex.flock (deleted)
- /data/data/####/lotus.jar
- /data/data/####/mob_commons_1
- /data/data/####/mz_push_preference.xml
- /data/data/####/npth.xml
- /data/data/####/npth_log.db-journal
- /data/data/####/o0oooOO0ooOo.dat
- /data/data/####/proc_auxv
- /data/data/####/push.pid
- /data/data/####/push_info.xml
- /data/data/####/pushsdk.db-journal
- /data/data/####/recommmend_dialog.xml
- /data/data/####/recommmend_dialog.xml.bak
- /data/data/####/share_sdk_1
- /data/data/####/sharesdk.db-journal
- /data/data/####/snssdk_openudid.xml
- /data/data/####/sp_push_time.xml
- /data/data/####/tosversion
- /data/data/####/tt_dns_settings.xml
- /data/data/####/tt_sdk_settings.xml
- /data/data/####/tt_sdk_settings.xml.bak
- /data/data/####/tt_sp_app_list.xml
- /data/data/####/ttopenadsdk.xml
- /data/data/####/ttopenadsdk.xml.bak
- /data/data/####/ttopensdk.db-journal
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_config.xml.bak
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/ut.db
- /data/data/####/ut.db-journal
- /data/data/####/zxbook.db-journal (deleted)
- /data/data/####/zxbook.xml
- /data/media/####/.di
- /data/media/####/.mn_1666188972
- /data/media/####/2020-12-12.log.txt
- /data/media/####/20201212.txt
- /data/media/####/9b16651569e4a107a948f1de3327f9ab.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/bf940cebc2385b7739bf6f5991ecb0b5.tmp
- /data/media/####/clientudid.dat
- /data/media/####/com.zhaoxitech.cbook.bin
- /data/media/####/com.zhaoxitech.cbook_.db
- /data/media/####/config.txt
- /data/media/####/plcfg.xml
- /data/media/####/temp_pkg_info.json
- /data/media/####/zdid1
- /data/media/####/zx_did1
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /proc/cpuinfo
- /system/bin/dex2oat --dex-file=/data/user/0/<Package>/files/prodexdir/00O000ll111l_0.dex --oat-file=/data/user/0/<Package>/files/prodexdir/odexdir/00O000ll111l_0.dex --compiler-filter=interpret-only
- /system/bin/dex2oat --dex-file=/data/user/0/<Package>/files/prodexdir/00O000ll111l_1.dex --oat-file=/data/user/0/<Package>/files/prodexdir/odexdir/00O000ll111l_1.dex --compiler-filter=interpret-only
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/jar/lotus.jar --oat-fd=75 --oat-location=/data/user/0/<Package>/files/jar/lotus.dex --compiler-filter=speed
- cat /sys/class/net/wlan0/address
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.sv.version
- getprop ro.lenovo.lvp.version
- getprop ro.letv.release.version
- getprop ro.miui.ui.version.name
- getprop ro.product.cpu.abi
- getprop ro.smartisan.version
- getprop ro.vivo.os.build.display.id
- getprop ro.vivo.os.version
- ls /data/local
- mount
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- Des-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- Des-ECB-NoPadding
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
