Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Backdoor.564.origin
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) cmsap####.ahea####.com:80
- TCP(TLS/1.0) dot.wts.xi####.cn:443
- TCP(TLS/1.0) 2####.58.208.106:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) vo####.ahea####.com:443
- TCP(TLS/1.0) cmsap####.ahea####.com:443
- TCP(TLS/1.0) alibaba####.ten####.ali####.com:443
- TCP(TLS/1.0) al####.u####.com:443
- TCP(TLS/1.0) connect####.gst####.com:443
- TCP(TLS/1.2) 2####.58.214.14:443
- UDP 2####.58.208.106:443
Запросы DNS:
- a####.u####.com
- ap####.g####.com
- c####.ahea####.com
- c####.g####.com
- cmsap####.ahea####.com
- cmswe####.ahea####.com
- connect####.gst####.com
- dot.wts.xi####.cn
- ga####.lotu####.com
- l####.tbs.qq.com
- log.u####.com
- m####.go####.com
- on####.lotu####.com
- q####.ahea####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- u####.u####.com
- vo####.ahea####.com
- votea####.ahea####.com
Запросы HTTP GET:
- cmsap####.ahea####.com//UploadFile/2104/2018/01-30/4608d8a3-7639-4575-98...
- cmsap####.ahea####.com//UploadFile/2104/2018/08-23/71f14ad5-3164-4e54-a3...
- cmsap####.ahea####.com//UploadFile/2104/2019/01-08/4ebc1d73-c57f-4d92-b6...
- cmsap####.ahea####.com//UploadFile/2104/2019/01-08/52eab2a2-78e4-4567-86...
- cmsap####.ahea####.com//UploadFile/2104/2019/01-08/5b68decc-5305-47da-b8...
- cmsap####.ahea####.com//UploadFile/2104/2019/01-08/75677185-236d-4de1-92...
- cmsap####.ahea####.com//UploadFile/2104/2019/01-09/4711993f-625f-476b-95...
- cmsap####.ahea####.com//UploadFile/2104/2019/01-09/7f1441bd-469b-4f99-b7...
- ti####.c####.l####.####.com/2104/2021/01-22/c39ba1de25a541b59828704a1c7a...
- ti####.c####.l####.####.com/2104/2021/06-23/3b0638511588446aa989b98d14ce...
- ti####.c####.l####.####.com/2104/2021/06-24/1cf2350b2be44166837f65fce160...
- ti####.c####.l####.####.com/2104/2021/06-24/20481937035c430e8ccf800be924...
- ti####.c####.l####.####.com/2104/2021/06-27/2f20bb3928b844ba948d6ad2cd86...
- ti####.c####.l####.####.com/2104/2021/06-28/42cf7007c67d44e6b0b03fe7f451...
- ti####.c####.l####.####.com/2104/2021/06-29/88298485ee6841a3bcffafea4ae7...
- ti####.c####.l####.####.com/2104/2021/07-01/29d34cd2c396479fb3935bebe9db...
- ti####.c####.l####.####.com/2104/2021/07-01/53125c2d76ec48b184b88949df6c...
- ti####.c####.l####.####.com/2104/2021/07-05/b94403fa2c964948984c7eaafbbc...
- ti####.c####.l####.####.com/2104/2021/07-06/300246bc52d4421fb3791fb91feb...
- ti####.c####.l####.####.com/2104/2021/07-07/052e01e46e784ce890eaa2a8481d...
- ti####.c####.l####.####.com/2104/2021/07-07/b7bb171ea57545aeaf92f226cb85...
- ti####.c####.l####.####.com/2104/2021/07-08/97fa83a640b546728d621d49ef7b...
- ti####.c####.l####.####.com/2104/2021/07-09/083cee5631b3481c8404eb59c1fe...
- ti####.c####.l####.####.com/2104/2021/07-09/62c160fd4ce5470fa49573a46ba4...
- ti####.c####.l####.####.com/2104/2021/07-10/a92144c67bda462e8972bbde1384...
- ti####.c####.l####.####.com/2104/2021/07-11/4a89a0401361432db83be210d507...
- ti####.c####.l####.####.com/2104/2021/07-11/8920c1b69e72413aa68772678ae3...
- ti####.c####.l####.####.com/2104/2021/07-11/c4d8ab0c199e485e9b133267dd2c...
- ti####.c####.l####.####.com/2104/2021/07-12/2aca83832ba74b3b914620b0d07a...
- ti####.c####.l####.####.com/2104/2021/07-12/318f5122d1d246b7a4e8654fbe10...
- ti####.c####.l####.####.com/2104/2021/07-12/43f6176ba276432b901aee1494b2...
- ti####.c####.l####.####.com/2104/2021/07-12/c94b9bd8540a4e27a0d6d8b3e69f...
- ti####.c####.l####.####.com/2104/2021/07-13/18c4c264fd7349428e00330baa17...
- ti####.c####.l####.####.com/2104/2021/07-13/3ef489e9ec8d4bed9d9f5ea5d596...
- ti####.c####.l####.####.com/2104/2021/07-13/476fe7c802e74a0587294bf56448...
- ti####.c####.l####.####.com/2104/2021/07-13/cccaa0e6d9894024871e0824853a...
- ti####.c####.l####.####.com/2104/2021/07-13/ce3a5e2bb0a84fe1b45fe5dc039c...
- ti####.c####.l####.####.com/2104/2021/07-13/f3476119bc17488a98fbaa751c50...
- ti####.c####.l####.####.com/2104/2021/07-14/0cde2097f4ae4786be073558ecd0...
- ti####.c####.l####.####.com/2104/2021/07-14/605b2b8c788b44cd9f8cce884419...
- ti####.c####.l####.####.com/2104/2021/07-14/c40c517f2210425592fd24f6a889...
- ti####.c####.l####.####.com/2104/2021/07-15/0cc5031605934addab2b9cdbdf93...
- ti####.c####.l####.####.com/2104/2021/07-15/1c97b0f77d4d4e18aa76ff6aee80...
- ti####.c####.l####.####.com/2104/2021/07-15/293c790bc3ef4a3ebf562769c011...
- ti####.c####.l####.####.com/2104/2021/07-15/883b2510c4d045c28284e5ee3d10...
- ti####.c####.l####.####.com/2104/2021/07-15/bf6a63622c9f4e5480b618c50755...
- ti####.c####.l####.####.com/2104/2021/07-16/066cf1ad547746499f7d94dab4f8...
- ti####.c####.l####.####.com/2104/2021/07-16/28247c25d8fc43a3a267aa11879a...
- ti####.c####.l####.####.com/2104/2021/07-16/3595391bc0c3488c9a1a3a1fba8d...
- ti####.c####.l####.####.com/2104/2021/07-16/4ada05517b854851afa6099f2ed4...
- ti####.c####.l####.####.com/2104/2021/07-16/64852fbff0994fd0807b757fcc1e...
- ti####.c####.l####.####.com/2104/2021/07-16/67de0672efc94dff8fe49051b16d...
- ti####.c####.l####.####.com/2104/2021/07-16/8a45bc5a6de2495f9a1a6447b07e...
- ti####.c####.l####.####.com/2104/2021/07-16/8d8c71942f114efe9dbc90342770...
- ti####.c####.l####.####.com/2104/2021/07-16/9714f6a4cd914df698c51762c3f7...
- ti####.c####.l####.####.com/2104/2021/07-16/9fda79b6ed4e449895662938b908...
- ti####.c####.l####.####.com/2104/2021/07-16/b80501ca24d04777abdc244d571d...
- ti####.c####.l####.####.com/2104/2021/07-16/b876b8c44e9c4570b768bf42493d...
- ti####.c####.l####.####.com/2104/2021/07-16/cb9666d71e3c4ff092d0c938c063...
- ti####.c####.l####.####.com/2104/2021/07-16/f813a9ebd681412481ccf8f8f620...
Запросы HTTP POST:
- l####.tbs.qq.com/ajax?c=####&k=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.cl
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/04ced8e039c10b3e2b7bf339c471c540.0
- /data/data/####/05d715d6d293ae865bd4ae5891036491371420c0aefbf1b....0.tmp
- /data/data/####/080dbba52c1c897dd34a957406d3c26b9bfc2de2d0439fd....0.tmp
- /data/data/####/0887d3b2858e2d130fde303f9a637932a06d67dd58e85ff....0.tmp
- /data/data/####/0f82e5a6f52bfec237c078eb56584d434537c0c87bd82b8....0.tmp
- /data/data/####/1010d87df51e4cf6e6412e9d655cee4b8285ff953b64069....0.tmp
- /data/data/####/10be2d192a8ccb443c6dd63038f093fd70404aad25cae6a....0.tmp
- /data/data/####/18408c3ba4e33d27aa759589d4ba32e4310cc476a88f27c....0.tmp
- /data/data/####/20ca0273a6036e6d10d5287fe6700103acc2d45128c180e....0.tmp
- /data/data/####/236e1e355d9a439871efbf53b0cb4debbe8a069a9dc6800....0.tmp
- /data/data/####/259c5f85a9409a7bf9e8cb64b1c02745bedc1e707da5e9c....0.tmp
- /data/data/####/27960c660f05e8ab33571bbe3d9eda6846336278eb4e421....0.tmp
- /data/data/####/316328ec5f0a16a712dc007fd0e25cfb89e3c3af9452633....0.tmp
- /data/data/####/35515c1e02e3c8f7003ef810e3603ebf2778fd8dbb1954e....0.tmp
- /data/data/####/35d53c5accfd2ef428be5feeab8923f375d3b3002ec932d...be22.0
- /data/data/####/3688f53fc5f133c80dfd63784444f15b718663452878536....0.tmp
- /data/data/####/36e326d7b764ce5423faebe42435174e64f7785805f112c....0.tmp
- /data/data/####/38196c95682334a2f58bc2eab8e2f2379526886df3ea516....0.tmp
- /data/data/####/3c258eedfe7d0a69a59871950bfb1d9ed33b02629b53061....0.tmp
- /data/data/####/3d8959978bcb879ce117f2751c8565f151cb4c7adc3ea21....0.tmp
- /data/data/####/3e90e5a824109250c48fedcaf52d45b8edecbd033d9af64....0.tmp
- /data/data/####/42ada9d18ae8bc200c225f62d73b22b7acc1ee56682edae...8956.0
- /data/data/####/491acc24165803364cdb49fbd60f5800342ec963b8a4df9....0.tmp
- /data/data/####/4b8d05966f30c2f86d67c0fa9c6cb14567e9df2136ece16....0.tmp
- /data/data/####/50f4d596263a5976d109d511c084f5ff9474d2e7546a967....0.tmp
- /data/data/####/5613a4da39013b384a0730a7628fab0002e3ee4126f8ffd....0.tmp
- /data/data/####/6063feeeedd7cdd16438c4b1f981394e66e88ee359b283f....0.tmp
- /data/data/####/65a3de0cca33e2edc319365bfed8d684b03d48955867655....0.tmp
- /data/data/####/674fb7388fa31fe31f56027154538687b343c2246f15b73....0.tmp
- /data/data/####/68172c6656f04cef84dbcfe21f2b6946c6ebc5349e2bc40....0.tmp
- /data/data/####/69e8606258e0b6cf43baa9b58f6fa23f42c2d6ca53c5e8a....0.tmp
- /data/data/####/6eb13e010a1536ffeea1da5dd58f43d36b5c50b2f0ae224....0.tmp
- /data/data/####/7829d65c03496a4bdc9ca74b07aae102fb2ef57dca24b51....0.tmp
- /data/data/####/7ac3d70b0207c317b80349cb74b339c6bdf0b42186e4377....0.tmp
- /data/data/####/80936cfebc6047f579762fe173b0968c8ee6916ed649715...25fe.0
- /data/data/####/88ff80f9d382476e4df32c73ea3a8641902e4e245c21216...0b9e.0
- /data/data/####/9020f258a96283eef9acabe98f25bf751ad0c9660fd65c2....0.tmp
- /data/data/####/965e8e98b843f722f1425f14ff86c843ca4c18cc31fa6b8....0.tmp
- /data/data/####/AheadNews280.db-journal
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/PrefsFile.xml
- /data/data/####/PrefsFile.xml.bak (deleted)
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/_tmp_PRIORITIZED_3503_1626460102120
- /data/data/####/_tmp_PRIORITIZED_3503_1626460102808
- /data/data/####/_tmp_PRIORITIZED_3574_1626460104625
- /data/data/####/a54c3ed22a601461f2ec10cf9c74809ce09e2c61f9de16c....0.tmp
- /data/data/####/a63ea2adf19a2988e861b0c7a2a18caa7d8601da6b0b758....0.tmp
- /data/data/####/alsn20170807.db
- /data/data/####/alsn20170807.db-journal
- /data/data/####/b3598c74b5e305bdb877e09889e9375d96b01633cc26b23....0.tmp
- /data/data/####/ba177ed660c69367836137eeb21daa2c46c4958d8647633....0.tmp
- /data/data/####/bb18d5154a8fa14dbf20ac2c8f394442278edd0d22a9d0e....0.tmp
- /data/data/####/c03ca6a4dc7b1254333da4a00cb3bdc8d3565224c47541c....0.tmp
- /data/data/####/c0c796dbaf59d238a883f790807ffba65621e38061f60d9....0.tmp
- /data/data/####/c0cf228154892d8edc637936efbadb9660faaea1ee8754a....0.tmp
- /data/data/####/c4ee116994316cfe768d547dbaa818c51df09351ca09d6e....0.tmp
- /data/data/####/c747f782f229e03b8975536c0c2621a0c0d6dddf7441ea2....0.tmp
- /data/data/####/cb92ad5eb110605b37cfde042ee2535a11254770d0783a7....0.tmp
- /data/data/####/cbdedeb5e56f7682028b12f479a114c89cb1e7f8669fb6d....0.tmp
- /data/data/####/cfd904a01c9af3c30e2248f63b5b6af7c548a7adadcafef....0.tmp
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/classes.oat
- /data/data/####/com.aheading.news.anshunrb_preferences.xml
- /data/data/####/core_info
- /data/data/####/d1f93b8e15bcda48efff5396107383b00502e5d9d6bc176...e15f.0
- /data/data/####/d46a32cc78affdf630d74902545ac6d756dc1fd26ede128....0.tmp
- /data/data/####/d7c105d17a774946193905c83b56495be61003aa9bd438f....0.tmp
- /data/data/####/dc1569ad78fe7a7b626ec0ddf2334c07117622337b9eaa5....0.tmp
- /data/data/####/dc1dde4582e134d0507c776680998024c789ecdd31995ba...fe92.0
- /data/data/####/e1dccb574622e8bc0d9ea5b1e37a6815291a746793ab4c0....0.tmp
- /data/data/####/e99aede761e5148df4df035d8a69565a60a752f16cb2b99....0.tmp
- /data/data/####/ee9fecd5b778446270aa52136fc6934bb07b9cdc3148644....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f6b8f567aa441cd0eadfc537268ed6ed84953f8f14650dd....0.tmp
- /data/data/####/f74a2f9af2dfa4160168c0f33188903ec2327bdfcea44a1...6cd7.0
- /data/data/####/f88dd46ac6118cc735b871c31d5d592571204259f2ab2bb....0.tmp
- /data/data/####/getui_sp.xml
- /data/data/####/gis.db-journal
- /data/data/####/gtc.db-journal
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/i==1.2.0&&3.8.07_1626460111440_dW5pZnlfbG9ncw==;.log
- /data/data/####/info.xml
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/k.store
- /data/data/####/libjiagu.so
- /data/data/####/lotuseed.apps
- /data/data/####/lotuseed.lock
- /data/data/####/lotuseed.s
- /data/data/####/lotuseed.task
- /data/data/####/lotuseed_global.xml
- /data/data/####/lotuseed_main.xml
- /data/data/####/metrics_guid
- /data/data/####/pref.xml
- /data/data/####/proc_auxv
- /data/data/####/push.pid
- /data/data/####/pushsdk.db-journal
- /data/data/####/pushservice_umeng_common_config.xml
- /data/data/####/run.pid
- /data/data/####/s==7.1.4&&3.8.07_1626460109765_dW1weF9zaGFyZQ==;.log
- /data/data/####/share.db-journal
- /data/data/####/t==9.3.6&&3.8.07_1626460110156_dW5pZnlfbG9ncw==;.log
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_config.xml.bak
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/um_session_id.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_config.xml.bak
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak
- /data/data/####/umeng_general_config.xml.bak (deleted)
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/umzid_general_config.xml
- /data/data/####/umzid_general_config.xml.bak
- /data/data/####/z==1.2.0&&3.8.07_1626460101440_emNmZw==;.log
- /data/data/####/zy_unique_id.bin
- /data/media/####/com.aheading.news.anshunrb.bin
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- getprop ro.product.cpu.abi
- ls /
- ls /sys/class/thermal
- ps
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
Запрашивает разрешение на отображение системных уведомлений.
