Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.RemoteCode.319.origin
- Android.Triada.4567
- Android.Triada.510.origin
- Android.Triada.537.origin
- Android.Triada.541.origin
- Android.Triada.546.origin
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) x####.me####.com:10248
- TCP(HTTP/1.1) hw.li####.net:80
- TCP(HTTP/1.1) c####.6k####.com:10238
- TCP(HTTP/1.1) apica####.com:80
- TCP(HTTP/1.1) cdn.tab####.com:80
- TCP(HTTP/1.1) sdk####.appclic####.com:80
- TCP(HTTP/1.1) 13.2####.16.115:8081
- TCP(HTTP/1.1) g####.bestv####.cc:80
- TCP(HTTP/1.1) ne####.s####.com:8033
- TCP(HTTP/1.1) x####.me####.com:10238
- TCP(HTTP/1.1) api.bi####.com:80
- TCP(HTTP/1.1) ne####.s####.com:6262
- TCP(HTTP/1.1) ip####.com:80
- TCP(HTTP/1.1) we####.pro:80
- TCP(HTTP/1.1) n####.aimoong####.com:80
- TCP(HTTP/1.1) y####.k8####.com:80
- TCP(HTTP/1.1) cl-3249####.g####.co:80
- TCP(TLS/1.0) 2-01-27####.cdx.ced####.net:443
- TCP(TLS/1.0) sb.scoreca####.com.####.net:443
- TCP(TLS/1.0) cdn.amppro####.org:443
- TCP(TLS/1.0) a####.b####.com:443
- TCP(TLS/1.0) apica####.com:443
- TCP(TLS/1.0) pug-####.pubm####.com:443
- TCP(TLS/1.0) pag####.googles####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) g.geo####.com:443
- TCP(TLS/1.0) btt####.com:443
- TCP(TLS/1.0) www.goodret####.in.####.net:443
- TCP(TLS/1.0) securep####.g.doublec####.net:443
- TCP(TLS/1.0) global####.ca:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) a82a711####.safef####.googles####.com:443
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) adser####.go####.com:443
- TCP(TLS/1.0) cm.g.doublec####.net:443
- TCP(TLS/1.0) adser####.go####.nl:443
- TCP(TLS/1.0) e1.em####.com:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) h####.b####.com:443
- TCP(TLS/1.0) f####.google####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) dis.cr####.com:443
- TCP(TLS/1.0) s.c.ap####.net:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) m####.ad####.org:443
- TCP(TLS/1.0) e####.vap.l####.com:443
- TCP(TLS/1.0) am-####.tab####.com:443
- TCP(TLS/1.0) p####.rubicon####.com:443
- TCP(TLS/1.0) 1####.250.179.138:443
- TCP(TLS/1.0) dsp.adke####.com:443
- TCP(TLS/1.0) x.bidsw####.net:443
- TCP(TLS/1.0) www.google-####.com:443
- TCP(TLS/1.0) tpc.googles####.com:443
- TCP(TLS/1.0) id5-####.com:443
- TCP(TLS/1.0) cds.tab####.com:443
- TCP(TLS/1.0) do####.geo.ipo####.net:443
- TCP(TLS/1.0) cdn.tab####.com:443
- TCP(TLS/1.0) safebro####.google####.com:443
- TCP(TLS/1.0) lg####.contex####.com:443
- TCP(TLS/1.0) md####.google####.com:443
- TCP(TLS/1.0) alldo####.linx####.com.####.com:443
- TCP(TLS/1.2) 1####.217.168.227:443
- TCP(TLS/1.2) 1####.250.179.138:443
- TCP(TLS/1.2) 1####.217.17.110:443
Запросы DNS:
- a####.b####.com
- a82a711####.safef####.googles####.com
- adser####.go####.com
- adser####.go####.nl
- and####.google####.com
- api.bi####.com
- api.s####.com
- apica####.com
- bh.contex####.com
- bi####.bi####.com
- btt####.com
- c####.6k####.com
- c####.mm####.com
- c.c####.com
- cdn.amppro####.org
- cdn.tab####.com
- cds.tab####.com
- ce.l####.com
- cm.g.doublec####.net
- dis.cr####.com
- dsp.adke####.com
- dwf.linx####.com
- e1.em####.com
- f####.google####.com
- g####.bestv####.cc
- global####.ca
- global####.pro
- h####.b####.com
- hw.li####.net
- ib.a####.com
- id5-####.com
- im####.tab####.com
- instant####.google####.com
- ip####.com
- m####.ad####.org
- md####.google####.com
- n####.aimoong####.com
- ne####.s####.com
- p####.google####.com
- p####.rubicon####.com
- pag####.googles####.com
- rtb-c####.smartad####.com
- rtb.mfad####.com
- s####.tab####.com
- s.c.ap####.net
- s.dailyre####.com
- s4.c####.com
- safebro####.google####.com
- sb.scoreca####.com
- sdk####.appclic####.com
- se####.gam####.com
- securep####.g.doublec####.net
- sim####.pubm####.com
- syn####.tab####.com
- tpc.googles####.com
- trc.tab####.com
- we####.pro
- www.goodret####.in
- www.google-####.com
- www.googlet####.com
- x####.me####.com
- x.bidsw####.net
- y####.k8####.com
- z3.c####.com
Запросы HTTP GET:
- apica####.com/i/news/20210204/667741.jpg
- apica####.com/i/news/20210204/667742.jpg
- apica####.com/i/news/20210204/667743.jpg
- apica####.com/i/news/20210204/667744.jpg
- apica####.com/i/news/20210204/667772.jpg
- apica####.com/i/news/20210204/667773.jpg
- apica####.com/i/news/20210204/667774.jpg
- apica####.com/i/news/20210204/667775.jpg
- apica####.com/i/news/20210204/667839.jpg
- apica####.com/i/news/20210204/667840.jpg
- cdn.tab####.com/libtrc/yumei-globalnews/loader.js
- cdn.tab####.com/libtrc/yumei-wenews/loader.js
- cl-3249####.g####.co/zebra_cdn/static/funnews/img/555.png
- cl-3249####.g####.co/zebra_cdn/static/funnews/js/jquery-3.4.1.min.js
- cl-3249####.g####.co/zebra_cdn/static/funnews/lib/ukit3/css/uikit.min.css
- cl-3249####.g####.co/zebra_cdn/static/funnews/lib/ukit3/js/uikit-icons.m...
- cl-3249####.g####.co/zebra_cdn/static/funnews/lib/ukit3/js/uikit.min.js
- g####.bestv####.cc/api/v1/sa?act=####&domain=####&chid=####&template_id=...
- g####.bestv####.cc/favicon.ico
- ip####.com/json/?lang=####
- n####.aimoong####.com/api/v1/news?cate=####&page=####&domain=####&chid=#...
- n####.aimoong####.com/cfg51668/index.html
- n####.aimoong####.com/static/css/theme.css
- n####.aimoong####.com/static/js/constants.js
- n####.aimoong####.com/static/js/init.js
- n####.aimoong####.com/static/js/listPage.js
- n####.aimoong####.com/static/js/util.js
- ne####.s####.com:6262/sdk-logs/sdk-logs-control/logs/control?appId=####&...
- ne####.s####.com:8033/ana/get-ana-status?app_id=####&task_id=####&imsi_i...
- we####.pro/1.css
- we####.pro/1.js
- we####.pro/?cid=####
- we####.pro/favicon.ico
- y####.k8####.com/hwyw/deahexwot.zip
- y####.k8####.com/hwyw/dsu394wfs9w3958w924re.zip
- y####.k8####.com/zhuti/FQxMWm33271217.zip
- y####.k8####.com/zhuti/HdayEUnz844.zip
- y####.k8####.com/zhuti/TdsoaweygXzt10.22.zip
- y####.k8####.com/zhuti/TurxyDrzt2021112yehuo.zip
- y####.k8####.com/zhuti/VQs8jWvXgl1116.zip
Запросы HTTP POST:
- api.bi####.com/un
- c####.6k####.com:10238/2ejolc/
- c####.6k####.com:10238/dts57h/
- c####.6k####.com:10238/z2s8gh/
- hw.li####.net/lbkj-cps/deal/activation
- hw.li####.net/lbkj-cps/multiplexing/getLink
- sdk####.appclic####.com/log
- x####.me####.com:10238/czwwwkpmfl/
- x####.me####.com:10238/phvttztyax/
- x####.me####.com:10248/iysyxb/
- x####.me####.com:10248/ng1fxo/
- x####.me####.com:10248/pauumd/
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/0EE330F9988B4FE0DA471FC48FD95D31.dex
- /data/data/####/0EE330F9988B4FE0DA471FC48FD95D31.dex.flock (deleted)
- /data/data/####/1FB529D5B86CB576CE98288F77DE7CFE.dex
- /data/data/####/1FB529D5B86CB576CE98288F77DE7CFE.dex.flock (deleted)
- /data/data/####/42788854BA703A44826C8F20E1B39658.dex
- /data/data/####/42788854BA703A44826C8F20E1B39658.dex.flock (deleted)
- /data/data/####/46EDBEC850D374CAD35CA3D274036409.dex
- /data/data/####/46EDBEC850D374CAD35CA3D274036409.dex.flock (deleted)
- /data/data/####/98FDECB17B837318717C64311D2C05D8.dex
- /data/data/####/98FDECB17B837318717C64311D2C05D8.dex.flock (deleted)
- /data/data/####/A814D93D5762AA7AA3C1A62684F1FCEC.dex
- /data/data/####/A814D93D5762AA7AA3C1A62684F1FCEC.dex.flock (deleted)
- /data/data/####/FB4499202F2098BCE86847A4C7A68257.dex
- /data/data/####/FB4499202F2098BCE86847A4C7A68257.dex.flock (deleted)
- /data/data/####/HWYDGAOSI.dex
- /data/data/####/HWYDGAOSI.dex.flock (deleted)
- /data/data/####/HWYDGAOSI.jar
- /data/data/####/MobikokCommonConfig.xml
- /data/data/####/MobikokDeviceConfig.xml
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/__Baidu_Stat_SDK_SendRem.xml
- /data/data/####/__Baidu_Stat_SDK_SendRem.xml.bak
- /data/data/####/__local_ap_info_cache.json
- /data/data/####/__local_last_session.json
- /data/data/####/__local_stat_cache.json
- /data/data/####/__send_data_1612447247335
- /data/data/####/appuserid.xml
- /data/data/####/baidu_mtj_sdk_record.xml
- /data/data/####/com.mkijkw.setting_preferences.xml
- /data/data/####/comxcxid.xml
- /data/data/####/data.dex
- /data/data/####/data.dex.flock (deleted)
- /data/data/####/data.jar
- /data/data/####/gameid
- /data/data/####/gameid.zip
- /data/data/####/ivu.xml
- /data/data/####/kdid
- /data/data/####/libcxgj.so
- /data/data/####/libcxgj.so-32
- /data/data/####/libcxgj.so-64
- /data/data/####/libnav-6mdw2z.so
- /data/data/####/life_record_config.xml
- /data/data/####/metrics_guid
- /data/data/####/qite.png
- /data/data/####/sa.xml
- /data/data/####/sp_aaxcx.xml
- /data/data/####/sp_aaxcx.xml.bak
- /data/data/####/sp_awhiuf.xml
- /data/data/####/sp_awhiuf.xml.bak
- /data/data/####/sp_awsw.xml
- /data/data/####/sp_awsw.xml.bak
- /data/data/####/sp_qyejw.xml
- /data/data/####/sp_qyejw.xml.bak
- /data/data/####/sp_vizb.xml
- /data/data/####/sp_vizb.xml.bak
- /data/data/####/ulanda.xml
- /data/data/####/xdtversion.xml
- /data/media/####/.dunk
- /data/media/####/.dz
- /data/media/####/.mrq
- /data/media/####/.qhce
- /data/media/####/.zvz
- /data/media/####/0EE330F9988B4FE0DA471FC48FD95D31.temp
- /data/media/####/0EE330F9988B4FE0DA471FC48FD95D31.zip
- /data/media/####/1D302D3E6464EA39840D761291936A8C
- /data/media/####/1FB529D5B86CB576CE98288F77DE7CFE
- /data/media/####/1FB529D5B86CB576CE98288F77DE7CFE.temp
- /data/media/####/1FB529D5B86CB576CE98288F77DE7CFE.zip
- /data/media/####/42788854BA703A44826C8F20E1B39658
- /data/media/####/42788854BA703A44826C8F20E1B39658.jar
- /data/media/####/42788854BA703A44826C8F20E1B39658.temp
- /data/media/####/46EDBEC850D374CAD35CA3D274036409
- /data/media/####/46EDBEC850D374CAD35CA3D274036409.temp
- /data/media/####/46EDBEC850D374CAD35CA3D274036409.zip
- /data/media/####/65DD497BD09D9280598E9C19F97A9DB7
- /data/media/####/94CFC463D6AA6B8ED0859D5C578A1BD3
- /data/media/####/98FDECB17B837318717C64311D2C05D8
- /data/media/####/98FDECB17B837318717C64311D2C05D8.jar
- /data/media/####/98FDECB17B837318717C64311D2C05D8.temp
- /data/media/####/A814D93D5762AA7AA3C1A62684F1FCEC
- /data/media/####/A814D93D5762AA7AA3C1A62684F1FCEC.temp
- /data/media/####/A814D93D5762AA7AA3C1A62684F1FCEC.zip
- /data/media/####/ACE37C4EC01CE4655F895585B37D5F53
- /data/media/####/C26CA830C4CE76DE9C73AF9587965BA4
- /data/media/####/CE894A3EA9B474D8577194289B96FB3D
- /data/media/####/CF92ECD245D09E254B0DC0196A9C9FDC
- /data/media/####/Config.txt
- /data/media/####/FB4499202F2098BCE86847A4C7A68257
- /data/media/####/FB4499202F2098BCE86847A4C7A68257.temp
- /data/media/####/FB4499202F2098BCE86847A4C7A68257.zip
- /data/media/####/awv
- /data/media/####/wi
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/data.jar --oat-fd=105 --oat-location=/data/user/0/<Package>/files/data.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/tda/HWYDGAOSI.jar --oat-fd=78 --oat-location=/data/user/0/<Package>/files/tda/HWYDGAOSI.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/qtoag/<Package>/naac/0EE330F9988B4FE0DA471FC48FD95D31.zip --oat-fd=76 --oat-location=/data/user/0/<Package>/files/0EE330F9988B4FE0DA471FC48FD95D31.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/qtoag/<Package>/naac/1FB529D5B86CB576CE98288F77DE7CFE.zip --oat-fd=75 --oat-location=/data/user/0/<Package>/files/1FB529D5B86CB576CE98288F77DE7CFE.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/qtoag/<Package>/naac/46EDBEC850D374CAD35CA3D274036409.zip --oat-fd=102 --oat-location=/data/user/0/<Package>/files/46EDBEC850D374CAD35CA3D274036409.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/qtoag/<Package>/naac/A814D93D5762AA7AA3C1A62684F1FCEC.zip --oat-fd=75 --oat-location=/data/user/0/<Package>/files/A814D93D5762AA7AA3C1A62684F1FCEC.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/qtoag/<Package>/naac/FB4499202F2098BCE86847A4C7A68257.zip --oat-fd=78 --oat-location=/data/user/0/<Package>/files/FB4499202F2098BCE86847A4C7A68257.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/yas/<Package>/wefg/42788854BA703A44826C8F20E1B39658.jar --oat-fd=85 --oat-location=/data/user/0/<Package>/files/42788854BA703A44826C8F20E1B39658.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/yas/<Package>/wefg/98FDECB17B837318717C64311D2C05D8.jar --oat-fd=87 --oat-location=/data/user/0/<Package>/files/98FDECB17B837318717C64311D2C05D8.dex --compiler-filter=speed
- cat /proc/version
- cat /sys/class/net/wlan0/address
- getprop ro.build.display.id
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.miui.ui.version.name
- getprop ro.smartisan.version
- getprop ro.vivo.os.version
- getprop ro.yunos.build.version
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- RSA-None-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- RSA-None-PKCS1Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
