Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Click.995
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) cb####.alli####.com:80
- TCP(HTTP/1.1) s####.e.qq.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) ip.ta####.com:80
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) securit####.sp####.mig.####.net:443
- TCP(TLS/1.0) 1####.217.20.74:443
- TCP(TLS/1.0) ap####.uc.cn:443
- TCP(TLS/1.0) s####.e.qq.com:443
- TCP(TLS/1.0) al####.u####.com:443
- TCP(TLS/1.0) safebro####.google####.com:443
- TCP(TLS/1.0) ip.adi####.net:443
- TCP(TLS/1.0) www.google####.com:443
- TCP(TLS/1.0) q####.tc.qq.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.2) safebro####.google####.com:443
- TCP(TLS/1.2) www.google####.com:443
- TCP(TLS/1.2) 2####.58.208.110:443
- TCP(TLS/1.2) 1####.250.179.195:443
- TCP(TLS/1.2) and####.cli####.go####.com:443
- TCP(TLS/1.2) p####.google####.com:443
- TCP(TLS/1.2) 1####.217.20.74:443
Запросы DNS:
- and####.b####.qq.com
- and####.cli####.go####.com
- ap####.uc.cn
- cb####.alli####.com
- cdn.ipad####.com
- instant####.google####.com
- ip.adi####.net
- ip.ta####.com
- l####.tbs.qq.com
- m####.go####.com
- md####.google####.com
- p####.google####.com
- pi####.qq.com
- q####.qq.com
- s####.adi####.net
- s####.e.qq.com
- safebro####.google####.com
- sdk.ipad####.com
- t####.m.qq.com
- u####.u####.com
- www.google####.com
Запросы HTTP GET:
- cb####.alli####.com/app/trans/503884?bookstore=####&t=####&tk=####&chann...
- ip.ta####.com/outGetIpInfo?accessKey=####&ip=####
- ti####.c####.l####.####.com/bs/images/chasing_dots.png?ver=####
- ti####.c####.l####.####.com/bs/static/css/app.5b217e1a.css
- ti####.c####.l####.####.com/bs/static/css/chunk-27e89726.10091821.css
- ti####.c####.l####.####.com/bs/static/css/chunk-2cd24d46.dbe41140.css
- ti####.c####.l####.####.com/bs/static/css/chunk-2ce55d9b.e3f93300.css
- ti####.c####.l####.####.com/bs/static/css/chunk-350b1d67.b25787cc.css
- ti####.c####.l####.####.com/bs/static/css/chunk-3a5861c9.cc975fcb.css
- ti####.c####.l####.####.com/bs/static/css/chunk-45b6e9d4.c5db3e2d.css
- ti####.c####.l####.####.com/bs/static/css/chunk-45d1b656.0bedbbee.css
- ti####.c####.l####.####.com/bs/static/css/chunk-493f8bd8.4df63762.css
- ti####.c####.l####.####.com/bs/static/css/chunk-5c0a86cb.81560803.css
- ti####.c####.l####.####.com/bs/static/css/chunk-5d9c3d4d.60a684eb.css
- ti####.c####.l####.####.com/bs/static/css/chunk-6ab4e262.307baf48.css
- ti####.c####.l####.####.com/bs/static/css/chunk-74d8d23e.df861e11.css
- ti####.c####.l####.####.com/bs/static/css/chunk-7c81dd9e.96e192d8.css
- ti####.c####.l####.####.com/bs/static/css/chunk-a71b30c4.bcc05bda.css
- ti####.c####.l####.####.com/bs/static/css/chunk-baee83e2.fbbfdb2f.css
- ti####.c####.l####.####.com/bs/static/css/chunk-e6ade8bc.6d1c3679.css
- ti####.c####.l####.####.com/bs/static/css/chunk-eb98a71a.085de04b.css
- ti####.c####.l####.####.com/bs/static/css/chunk-fa2d32ec.2488aa8a.css
- ti####.c####.l####.####.com/bs/static/css/chunk-vendors.24149012.css
- ti####.c####.l####.####.com/bs/static/css/comments.a606d51e.css
- ti####.c####.l####.####.com/bs/static/css/components.38f40172.css
- ti####.c####.l####.####.com/bs/static/css/local-book.94ba0c62.css
- ti####.c####.l####.####.com/bs/static/css/readers.444670e2.css
- ti####.c####.l####.####.com/bs/static/css/task.56d7418c.css
- ti####.c####.l####.####.com/bs/static/js/app.2d611640.js
- ti####.c####.l####.####.com/bs/static/js/chunk-27e89726.85b5232e.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2cd24d46.41c05459.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2ce55d9b.407d5719.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d0aab96.ac93d57e.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d0ac448.4295f32a.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d0b27b5.79d36548.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d0b6359.86842b31.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d0b6aec.86fd7491.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d0df288.6e026769.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d0e5da1.3ce68656.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d0e5fac.4373afae.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d0e95df.714749d8.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d0f026d.9d24b350.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d21f251.f0dd1213.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d225814.6ebbbd82.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d225b9a.af8d43a0.js
- ti####.c####.l####.####.com/bs/static/js/chunk-2d22d014.9ed1ba84.js
- ti####.c####.l####.####.com/bs/static/js/chunk-32191632.9e34a13c.js
- ti####.c####.l####.####.com/bs/static/js/chunk-350b1d67.afc67a35.js
- ti####.c####.l####.####.com/bs/static/js/chunk-3a5861c9.b554e6cf.js
- ti####.c####.l####.####.com/bs/static/js/chunk-45b6e9d4.8f452409.js
- ti####.c####.l####.####.com/bs/static/js/chunk-45d1b656.a8d988a8.js
- ti####.c####.l####.####.com/bs/static/js/chunk-493f8bd8.a60ac72d.js
- ti####.c####.l####.####.com/bs/static/js/chunk-5c0a86cb.45bc9556.js
- ti####.c####.l####.####.com/bs/static/js/chunk-5d9c3d4d.411dfc57.js
- ti####.c####.l####.####.com/bs/static/js/chunk-6ab4e262.784ff7ad.js
- ti####.c####.l####.####.com/bs/static/js/chunk-74d8d23e.1b1c1917.js
- ti####.c####.l####.####.com/bs/static/js/chunk-7c81dd9e.3ce82b00.js
- ti####.c####.l####.####.com/bs/static/js/chunk-a71b30c4.bd91bd9a.js
- ti####.c####.l####.####.com/bs/static/js/chunk-baee83e2.d48effcd.js
- ti####.c####.l####.####.com/bs/static/js/chunk-e6ade8bc.df2aab94.js
- ti####.c####.l####.####.com/bs/static/js/chunk-eb98a71a.7c8c3b7e.js
- ti####.c####.l####.####.com/bs/static/js/chunk-fa2d32ec.c2612b1a.js
- ti####.c####.l####.####.com/bs/static/js/chunk-vendors.333e5cc6.js
- ti####.c####.l####.####.com/bs/static/js/comments.418b3b4f.js
- ti####.c####.l####.####.com/bs/static/js/components.369b88bb.js
- ti####.c####.l####.####.com/bs/static/js/local-book.3d98ff5b.js
- ti####.c####.l####.####.com/bs/static/js/readers.5bf79988.js
- ti####.c####.l####.####.com/bs/static/js/task.e50b0390.js
Запросы HTTP POST:
- and####.b####.qq.com/rqd/async?aid=####
- l####.tbs.qq.com/ajax?c=####&k=####
- pi####.qq.com/mstat/report/?index=####
- s####.e.qq.com/activate
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.cl
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.turing.dat
- /data/data/####/085f135915e071e7_0
- /data/data/####/1004
- /data/data/####/105498_auMini_1
- /data/data/####/11fbf1a07137cd3e_0
- /data/data/####/1416f4da233ec65233b16f4a6f686f16_0
- /data/data/####/154d8de583b0b834_0
- /data/data/####/185d8cdb55a3b942_0
- /data/data/####/1fa80c5919114b72_0
- /data/data/####/228d6a87cd237a12_0
- /data/data/####/2aa367dd980f71b8_0
- /data/data/####/2add5037e1466784_0
- /data/data/####/2b830872b09c07e9_0
- /data/data/####/2bb4da94a56cceec_0
- /data/data/####/2c132041a191e29c_0
- /data/data/####/2c7da2323332ac26_0
- /data/data/####/2d4a5c7a30257c2b_0
- /data/data/####/2d5315af13afe831_0
- /data/data/####/307a8cdea1853fb7_0
- /data/data/####/35fa4bb9287770e3_0
- /data/data/####/420bc391df7d3816_0
- /data/data/####/4295ff6d2060fa8e_0
- /data/data/####/47d91cf6ed62b4c1_0
- /data/data/####/484a5713057414b2_0
- /data/data/####/48beb3ba7f9e867d_0
- /data/data/####/4edc2ecf7ce81ee7_0
- /data/data/####/5338bdb390efcaa0_0
- /data/data/####/53a36aea96990743_0
- /data/data/####/5bb34709ec849b63_0
- /data/data/####/5eaec12641455d4c_0
- /data/data/####/60aacd26259fd836_0
- /data/data/####/6a907114079d38e4_0
- /data/data/####/6a907114079d38e4_1
- /data/data/####/70d90142530d1edd_0
- /data/data/####/7129f1d53a2710b3_0
- /data/data/####/782f1beb21430b43_0
- /data/data/####/81e4df4cdf17c92c_0
- /data/data/####/84c66fbaa5d1f495_0
- /data/data/####/86c423ef69de1847_0
- /data/data/####/88aad9f5c926b99a_0
- /data/data/####/8a0ac0457d250231_0
- /data/data/####/8d0bd2138a874034_0
- /data/data/####/8ee6eec41ea86cc1_0
- /data/data/####/924f31ed82d231f5_0
- /data/data/####/92a890587558ba99_0
- /data/data/####/9303156feebd78ce_0
- /data/data/####/96e8fbc2be4ee302_0
- /data/data/####/97fe990ab31163de_0
- /data/data/####/98365cfb2f4706af_0
- /data/data/####/993923871eceb58a_0
- /data/data/####/9c5fdda10c39d382_0
- /data/data/####/BuglySdkInfos.xml
- /data/data/####/Cookies-journal
- /data/data/####/S5LMP00X5I0P6G0MOC.bati
- /data/data/####/S5LMP00X5I0P6G0MOC.end
- /data/data/####/S5LMP00X5I0P6G0MOC.hdr
- /data/data/####/S5LMP00X5I0P6G0MOC.meminfo
- /data/data/####/S5LMP00X5I0P6G0MOC.pid
- /data/data/####/S5LMP00X5I0P6G0MOC.ps
- /data/data/####/S5LMP00X5I0P6G0MOC.st
- /data/data/####/S5LMP00X5I0P6G0MOC.start
- /data/data/####/S5LMP00X5I0P6G0MOC.status
- /data/data/####/S5LMP00X5I0P6G0MOC.sts
- /data/data/####/S5LMP00X5I0P6G0MOC.time
- /data/data/####/S5LMP00X5I0P6G0MOC.uptime
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/a6d6e4a7cafe62e342c8d78e76f8571b_0
- /data/data/####/b4e2cb44264dd91a_0
- /data/data/####/b7926e09e21a75aa_0
- /data/data/####/b828bbb8e56a17c7_0
- /data/data/####/ba63d37d311c3645_0
- /data/data/####/bb6ebf1929bd3176_0
- /data/data/####/be18eddcba8c4e79e761c913fbe81d34_0
- /data/data/####/bf981c130853f39e_0
- /data/data/####/bugly_db_-journal
- /data/data/####/c1bb3b4ef8336ac6_0
- /data/data/####/c27035f82ceb8314_0
- /data/data/####/c4961fc506074da2_0
- /data/data/####/c8ac7a3dfaf9bef3_0
- /data/data/####/c904ed1ef7f14d07_0
- /data/data/####/ccc05f613b51ce33_0
- /data/data/####/cdt.wa
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/com.g6p.i5x0.pml5s.mid.world.ro.xml
- /data/data/####/com.g6p.i5x0.pml5s_preferences.xml
- /data/data/####/com.qq.e.sdkconfig.xml
- /data/data/####/com.qq.e.sdkconfig.xml.bak
- /data/data/####/core_info
- /data/data/####/cr.wa
- /data/data/####/crashrecord.xml
- /data/data/####/d584fa151fef288f_0
- /data/data/####/d749e5ef491f6227_0
- /data/data/####/dba4c1c20d952204_0
- /data/data/####/ddedf02b1ca19aa3_0
- /data/data/####/de6fc6e6d00bdf773ac85456213ada55_0
- /data/data/####/delayed_transmission_flag_new.xml
- /data/data/####/devCloudSetting.cfg
- /data/data/####/devCloudSetting.sig
- /data/data/####/download_upload
- /data/data/####/dt.wa
- /data/data/####/e01885189c27cb02_0
- /data/data/####/e0f8f97889a1b542_0
- /data/data/####/ef15709c9e856b78_0
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/fbacbbfab0aa31a6_0
- /data/data/####/gdt_config.cfg
- /data/data/####/gdt_stat.db
- /data/data/####/gdt_stat.db-journal
- /data/data/####/gdt_suid
- /data/data/####/i==1.2.0&&1.1.0_1613493015628_envelope.log
- /data/data/####/index
- /data/data/####/info.xml
- /data/data/####/libjiagu.so
- /data/data/####/local_crash_lock
- /data/data/####/metrics_guid
- /data/data/####/mpdc_105498_1
- /data/data/####/native_record_lock
- /data/data/####/preferences.xml
- /data/data/####/pri_tencent_analysis.db_com.g6p.i5x0.pml5s-journal
- /data/data/####/proc_auxv
- /data/data/####/sdkCloudSetting.cfg
- /data/data/####/sdkCloudSetting.sig
- /data/data/####/security_info
- /data/data/####/spUtils.xml
- /data/data/####/t==9.1.0&&1.1.0_1613493014213_envelope.log
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_config.xml.bak
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbs_pv_config
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tencent_analysis.db_com.g6p.i5x0.pml5s-journal
- /data/data/####/the-real-index
- /data/data/####/turingfd_conf_105498_auMini.xml
- /data/data/####/turingfd_conf_105498_auMini.xml.bak
- /data/data/####/turingfd_protect_105498_47_auMini.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/um_session_id.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_sp_oaid.xml
- /data/data/####/umeng_sp_zdata.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/unique
- /data/data/####/update_lc
- /data/data/####/ver
- /data/data/####/ymads.db-journal
- /data/data/####/z==1.2.0&&1.1.0_1613493011419_envelope.log
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/df
- /system/bin/getprop
- busybox ifconfig
- cat /sys/class/net/wlan0/address
- getprop
- getprop ro.product.cpu.abi
- ls /
- ls /sys/class/thermal
- ps
- sh -c type su
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
