Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.RemoteCode.300.origin
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) a####.u####.com.####.com:80
- TCP(HTTP/1.1) scs.opensp####.cn:80
- TCP(HTTP/1.1) 1####.31.213.162:80
- TCP(HTTP/1.1) flex####.z####.im:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) d####.c####.l####.####.com:80
- TCP(HTTP/1.1) bbq.aa####.cn:80
- TCP(HTTP/1.1) up####.sdk.jig####.cn:80
- TCP(HTTP/1.1) 47.97.2####.214:80
- TCP(TLS/1.0) lbs.net####.im:443
- TCP(TLS/1.0) 1####.250.179.170:443
- TCP(TLS/1.0) t####.j####.cn:443
- TCP(TLS/1.0) 1####.250.179.195:443
- TCP(TLS/1.0) gd-s####.j####.cn:443
- TCP(TLS/1.0) def####.cn.zb.####.com:443
- TCP(TLS/1.0) wa####.127.net:443
- TCP(TLS/1.2) 1####.250.179.195:443
- TCP(TLS/1.2) 1####.250.179.170:443
- TCP(TLS/1.2) 1####.250.179.142:443
- TCP 1####.71.205.70:7007
- TCP a####.h####.vip:443
- UDP s.j####.cn:19000
- UDP 1####.250.179.170:443
Запросы DNS:
- a####.h####.vip
- a####.u####.com
- ali-s####.j####.cn
- and####.b####.qq.com
- bbq.aa####.cn
- d####.opensp####.cn
- flex####.z####.im
- gd-s####.j####.cn
- lbs.net####.im
- live195####.(n####.8.####.8
- live195####.(n####.8.####.8
- live195####.(n####.8.####.8
- live195####.(null)
- live195####.(null)
- live195####.(null)
- log.u####.com
- m####.go####.com
- qini####.h####.vip
- s####.u####.com
- s####.u####.com.####.8
- s.j####.cn
- scs.opensp####.cn
- sis.j####.io
- t####.j####.cn
- up####.sdk.jig####.cn
- wa####.127.net
Запросы HTTP GET:
- d####.c####.l####.####.com//img/20180712/2/6/3/5b46c0ca7e60c.jpg
- d####.c####.l####.####.com//img/20180725/2/9/2/5b57f8f6466d9.jpeg
- d####.c####.l####.####.com//img/20180813/6/0/4/5b7091d5d71fe.jpg
- d####.c####.l####.####.com//img/20180814/a/a/8/5b72ae4a4a3e0.jpeg
- d####.c####.l####.####.com//img/20180815/1/9/7/5b730325b5015.jpg
- d####.c####.l####.####.com//img/20180815/c/8/d/5b731257d9fda.jpg
- d####.c####.l####.####.com//img/20180818/3/0/9/5b78061fb6cba.jpeg
- d####.c####.l####.####.com//img/20180818/3/7/2/5b77e0b26cfdb.jpg
- d####.c####.l####.####.com//img/20180820/f/9/c/5b7a6b8e2a685.jpg
- d####.c####.l####.####.com//img/20180823/4/4/2/5b7ec34c5ade0.jpg
- d####.c####.l####.####.com//img/20180823/f/3/1/5b7e30a6a81cb.jpg
- d####.c####.l####.####.com/henpi/banner/1564482213232312.png
- d####.c####.l####.####.com/henpi/banner2/12345.png
- d####.c####.l####.####.com/henpi/music_type/1807100.54467300153121155625...
- d####.c####.l####.####.com/img/20180726/f/7/7/5b599ce87741b.jpg_180.180
- d####.c####.l####.####.com/img/banner/19012017368000154798884234633.png
- d####.c####.l####.####.com/img/henpi/dyimg/20092877593100160127434748779...
- d####.c####.l####.####.com/img/henpi/dyimg/20092887833600160127434710884...
- d####.c####.l####.####.com/img/henpi/dyimg/20092899931700160127434734864...
- d####.c####.l####.####.com/img/henpi/dyimg/305948319/20201012152849860.j...
- d####.c####.l####.####.com/img/henpi/dyimg/305948562/20201008223047475.J...
- d####.c####.l####.####.com/img/henpi/dyimg/305948587/20201012193045928.j...
- d####.c####.l####.####.com/img/henpi/favorite/154323263151078413.jpg
- d####.c####.l####.####.com/img/henpi/imgphoto/153993772614282.jpg_180.180
- d####.c####.l####.####.com/img/henpi/imgphoto/155845045732187.jpg_180.180
- d####.c####.l####.####.com/img/henpi/imgphoto/160801011636558.jpeg_180.180
- d####.c####.l####.####.com/img/henpi/music_type/153847658920270784.jpeg
- d####.c####.l####.####.com/img/henpi/music_type/154165383164683384.jpeg
- d####.c####.l####.####.com/img/henpi/music_type/154345942418611775.jpg
- d####.c####.l####.####.com/img/henpi/music_type/154623208729436868.png
- d####.c####.l####.####.com/img/henpi/music_type/154676914323337949.jpg
- d####.c####.l####.####.com/img/henpi/music_type/154678511787635431.jpg
- d####.c####.l####.####.com/img/henpi/music_type/155316783518161359.jpg
- d####.c####.l####.####.com/img/henpi/music_type/156466469583082741.jpg
- d####.c####.l####.####.com/img/henpi/music_type/156511913558443523.jpeg
- d####.c####.l####.####.com/img/henpi/music_type/157934972196799654.jpeg
- d####.c####.l####.####.com/img/henpi/music_type/158101396280428500.jpeg
- d####.c####.l####.####.com/img/henpi/music_type/160197178774139017.jpg
- d####.c####.l####.####.com/img/henpi/music_type/160198401408833150.jpg
- d####.c####.l####.####.com/img/henpi/music_type/160264071541037109.jpg
- d####.c####.l####.####.com/img/henpi/music_type/160439150827020163.jpeg
- d####.c####.l####.####.com/img/henpi/music_type/180904879869001536048772...
- d####.c####.l####.####.com/img/henpi/music_type/180905356737001536090275...
- d####.c####.l####.####.com/img/henpi/music_type/180919651156001537308945...
- d####.c####.l####.####.com/img/henpi/music_type/190120200401001547992031...
- d####.c####.l####.####.com/img/henpi/music_type/190120723964001547996489...
- d####.c####.l####.####.com/img/index_home/18102665140200154054580310505....
- d####.c####.l####.####.com/img/index_home/18122805394500154599573734570....
- d####.c####.l####.####.com/img/index_home/18122846406500154599572349655....
- d####.c####.l####.####.com/img/index_home/18122847741600154599569029711....
- d####.c####.l####.####.com/img/music_type/18121304202800154468122839836....
- d####.c####.l####.####.com/img/yyb/sjfm/14.jpg
- d####.c####.l####.####.com/img/yyb/sjfm/2.jpg
- d####.c####.l####.####.com/music_type/newimg/1.jpg
- d####.c####.l####.####.com/music_type/newimg/192.jpg
- d####.c####.l####.####.com/music_type/newimg/200.jpg
- d####.c####.l####.####.com/music_type/newimg/210.jpg
- d####.c####.l####.####.com/music_type/newimg/241.jpg
- d####.c####.l####.####.com/music_type/newimg/259.jpg
- d####.c####.l####.####.com/music_type/newimg/281.jpg
- d####.c####.l####.####.com/music_type/newimg/3.jpg
- d####.c####.l####.####.com/music_type/newimg/44.jpg
- d####.c####.l####.####.com/music_type/newimg/52.jpg
- def####.cn.zb.####.com:443/bar/get/5a7c39818f4a9d37b40002e5/?ud_get=####
- flex####.z####.im/online/live/195649516/init.html?zegotoken=####
- flex####.z####.im/online/live/195649516/route.html?zegotoken=####
- flex####.z####.im/root/cert.2017?zegotoken=####
Запросы HTTP POST:
- a####.u####.com.####.com/app_logs
- and####.b####.qq.com/rqd/async?aid=####
- bbq.aa####.cn/classes.dex
- gd-s####.j####.cn:443/v3/report
- scs.opensp####.cn/index.php/clientrequest/clientcollect/isCollect
- scs.opensp####.cn/scs?cmd=####&logver=####&size=####
- t####.j####.cn:443/
- up####.sdk.jig####.cn/v1/push/sdk/postlist
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.cl
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/1004
- /data/data/####/1636086936691.log
- /data/data/####/38fb253c-0802-4a77-b3c1-8afe8c37f598
- /data/data/####/8bd516ceec9944c283654bf531b9ed07.xml
- /data/data/####/9d122bef-3ec3-49e8-b7a7-5ee81b4278d6
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/JPushSA_Config.xml
- /data/data/####/JPushSA_Config.xml.bak
- /data/data/####/NIMSDK_Config_83882b5f1f7963a7aa98ff49838fc653.xml
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/access_control.control.mx
- /data/data/####/access_control.write.mx
- /data/data/####/appPackageNames_v2
- /data/data/####/bc626adc-8424-4632-a410-5540c85f5b15
- /data/data/####/bugly_db_-journal
- /data/data/####/c0c5dc6b-db46-4002-ab46-61c7e592ff31
- /data/data/####/c8bbf2a4-5080-4d55-89d0-2b45ecb71406
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cfd7e840-6427-4ca8-bde4-0dabc537be39
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/classes.oat
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.android.user.profile.xml.bak
- /data/data/####/cn.jpush.android.user.profile.xml.bak (deleted)
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/com.coolf.mosheng_preferences.xml
- /data/data/####/com.iflytek.id.xml
- /data/data/####/com.iflytek.msc.xml
- /data/data/####/crashrecord.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/ffmpeg
- /data/data/####/ffmpeg (deleted)
- /data/data/####/iflytek_state_com.coolf.mosheng.xml
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_stat_cache.json
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_statistics.db
- /data/data/####/jpush_statistics.db-journal
- /data/data/####/jpush_statistics.db-journal (deleted)
- /data/data/####/jpush_statistics.db-shm (deleted)
- /data/data/####/jpush_statistics.db-wal
- /data/data/####/jpush_statistics.db-wal (deleted)
- /data/data/####/libjiagu.so
- /data/data/####/local_crash_lock (deleted)
- /data/data/####/log.android.library.xml
- /data/data/####/log.android.library.xml.bak
- /data/data/####/metrics_guid
- /data/data/####/native_record_lock
- /data/data/####/proc_auxv
- /data/data/####/security_info
- /data/data/####/sync_metadata.realm
- /data/data/####/sync_metadata.realm.lock
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/data/####/userinfo.xml
- /data/data/####/userinfo.xml (deleted)
- /data/media/####/.nomedia
- /data/media/####/.push_deviceid
- /data/media/####/000001.dbtmp
- /data/media/####/000002.dbtmp
- /data/media/####/000003.log
- /data/media/####/009003241bf5c01f801eaeb564f0ca3f7cf7a667f161d8....0.tmp
- /data/media/####/043620cd704430f901c9d0020dad8797ab72539a7defb8....0.tmp
- /data/media/####/04634f944982169655ecbfa4b8255e1ded3923c64abf1d....0.tmp
- /data/media/####/04b94c9a81ae31f67bf78764a5371eebf5b682b2b1b5c4....0.tmp
- /data/media/####/09aa51603d2654aeff7ecabb03efeaf665826df9115bbb....0.tmp
- /data/media/####/0b825c72ff19fc26455d114767a71edbb8f39e9b1c7d3b....0.tmp
- /data/media/####/0b88f8b17be61e4b8770b5bc62802745b3dd2d1d0c23a0....0.tmp
- /data/media/####/0e7ba35a4a4e4b192751760a0dc9779f6f02ec2109b3db....0.tmp
- /data/media/####/1116ba2ce3f4d3c39d2c2d7f5202d72cf99a5ad17e8738....0.tmp
- /data/media/####/11cfa7e23fa6d49f1adc2e8d7d5ff60902b21b5e06e168....0.tmp
- /data/media/####/1226c5176ec21f5c7bb7918a27ea600acd2fa20ab6b7a6....0.tmp
- /data/media/####/195649516_0_0_init.db
- /data/media/####/195649516_0_0_route.db
- /data/media/####/1c9fe12918782d426276eac78abd38ca32d119143c2409....0.tmp
- /data/media/####/24e12470143f8fe3915358d5414b82e24141a68d65aaec....0.tmp
- /data/media/####/30bdb49a5de3ff6516ce8d554906dfd23ac88aefeb59d5....0.tmp
- /data/media/####/30f5d3090a98b4adcc952799187684e7e6172972e46ea9....0.tmp
- /data/media/####/317d13816ca99c523dbc9f69f277864603605b7b3ba846....0.tmp
- /data/media/####/321f0258c4f193718be4e8139fe53bbfd4715f0440f784....0.tmp
- /data/media/####/37075cd0a0edffa1a7d5fca0b4537520225ab20b41830c....0.tmp
- /data/media/####/3d2ecbaa829108cfc7eeac2af8c11bb1da613226dd4e38....0.tmp
- /data/media/####/3e4b1239581645ccf27913a5e980e70627e9e12f53a8db....0.tmp
- /data/media/####/3e660bc46ad54406b3801ef6891e546fd40c7d8ec3bfdd....0.tmp
- /data/media/####/449937559169d3b5c8a0a7788f8032bd939e0342af9d51....0.tmp
- /data/media/####/49838fee2ecc8e1dd71c0e81ad89a4b7877d73cb3268ca...dcdb.0
- /data/media/####/5b5f8e28d34413b5db545864b5f08624dd0be381a1fa86....0.tmp
- /data/media/####/63bbdb0ef2f59fd0b96d96b39d6326049243e7aa33a6dd....0.tmp
- /data/media/####/67e343bcc9684dbc26e00b1654c606fa7c294516fc3320....0.tmp
- /data/media/####/6e4b1f53b604f29a3e12816f2e9c10aeec76766469f405....0.tmp
- /data/media/####/6e76502b40e80b2e87cf89ba42d6e5617b53661f38c4d5....0.tmp
- /data/media/####/726e0b0d2041d4e98ddf06a4a5c89e7c5f8392156aff94....0.tmp
- /data/media/####/72ea5c1c52af98815f84581f4b03c2601a752b52d76ca8....0.tmp
- /data/media/####/7728d8d260cbba9573d913d4e2aa4589353613406801f2....0.tmp
- /data/media/####/7786bb32d05ce1fc5b96d4ecd40b9a5e48641cda911cac....0.tmp
- /data/media/####/786dd5d57b8647979e40b0c32a9f6605db96905d07fb54....0.tmp
- /data/media/####/7b3ccc98c951dd2b7479cae1a42f01980590d32aaa41f4....0.tmp
- /data/media/####/7bd4a15128d1580a90a164980777f57c9e3fed57328215....0.tmp
- /data/media/####/7f596775bba64953467c9267cb03dc48132e4c5d345e90...f3d0.0
- /data/media/####/82660d3731dfcfd6dd23788441eb78f573a1614bb8ae72....0.tmp
- /data/media/####/833e049695fafe7b741762e0dca96a87a52d8d5de5759d....0.tmp
- /data/media/####/89ab9214a2809a7100a0411f367d7fafd4114775007e0c....0.tmp
- /data/media/####/8ea8e73116861f133a48186e0b40c496d5ec8916e4d3cd....0.tmp
- /data/media/####/923fe85e1f13196b155bf000cc86be586a7a1daa091e92....0.tmp
- /data/media/####/9ba30970cfc0d0a337f23eff7690b700b40ea37b945859....0.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/LOCK
- /data/media/####/LOG
- /data/media/####/LOG.old (deleted)
- /data/media/####/MANIFEST-000001
- /data/media/####/MANIFEST-000002
- /data/media/####/a282ed2e7685f6cdd09728560a51d81b0a7dcf95e8d6a1...6c82.0
- /data/media/####/a875420103a004ef5d7c320e2e8590c2308da59ae18ad0....0.tmp
- /data/media/####/b00873d48f54adacfde2d1d1a2766fcaa90f9bd867a53d....0.tmp
- /data/media/####/b3aaed5007dba6982c54f4cb9bffa58f61a4dbf56669d4....0.tmp
- /data/media/####/b45703c7ffc7d4bbd9025f03d52ad9b8625ee87c7ad194....0.tmp
- /data/media/####/b71f536ed8f3ecd749813f8532a7aedae187d8119fe526....0.tmp
- /data/media/####/bd1d67abdd9206f3da9866c96ea860eb4c40350f4e597f....0.tmp
- /data/media/####/be58a31f3a4c3f0b378db3ec49e03fe99f1d9526af412c....0.tmp
- /data/media/####/be9a335030985c62bb7a33d60c12a013fc8fca462ed514....0.tmp
- /data/media/####/c0c5158956f046d851d81163c8d6d96e5ee26bcb60d57d....0.tmp
- /data/media/####/c21d212786bb43191769013ecc1f40e68532dca048f26e....0.tmp
- /data/media/####/c296a2e67f52a13b6b5fb3f69f1806c3a6fc8292b8977a....0.tmp
- /data/media/####/c45bfd0fa6b947ed08c194d39b9aee22b181e5b2bd0e8f....0.tmp
- /data/media/####/c551cf451261adb23a5fca5d306d57c79f2e168e601ffe....0.tmp
- /data/media/####/c559337694c80b1118e3611e20c38ad86a90bee6e14f9c....0.tmp
- /data/media/####/c77a2f77207c2aaa56a2793f0f51594bbeacd96d0efd53....0.tmp
- /data/media/####/ca2bbbc3d6a5388a671590d0352a76b304cf8f1e37a24c....0.tmp
- /data/media/####/cb31d7d66c71b92e0a96278d5a76d9f3c0f3e9de1d0018....0.tmp
- /data/media/####/cd043f9d75536af71c4d8b76703ecf46ba58e52505b2b7....0.tmp
- /data/media/####/cde743d6879943e6a1df767fb9f339d4fb3fe7a725d68c....0.tmp
- /data/media/####/cfc286d2c2594f9813958e2f52e8cba389d3b5798699e4....0.tmp
- /data/media/####/d38b9f253aab0589a168d63aa457d68798fd58dcb85f0c....0.tmp
- /data/media/####/d9265235380bf4f69fe8796c35b35326abc08c3550f59c...68ba.0
- /data/media/####/db18d2bfcf9b5cf27552d94bad8bfbf60089a67901ad49....0.tmp
- /data/media/####/dd22393c13e1db92f4ba5b5cba67853850d35488a99e78....0.tmp
- /data/media/####/demo_20211105.log
- /data/media/####/e4dbe311d4d2221fa0350af47f2c3ae441da8b669ad413....0.tmp
- /data/media/####/ec7ef2d9743a414a0fe3d5c7ee3e5946473aaf8d0feb5d....0.tmp
- /data/media/####/f08059c4b91c60ce45fe66563ae363412a8365c3349a37....0.tmp
- /data/media/####/f1e4e1b2096a00cf40f534ff41a62a8b7045ca1f8a7d91....0.tmp
- /data/media/####/fc04463357aafd5bc0b80fdd0db5237f2210e98d819fcc....0.tmp
- /data/media/####/iflyworkdir_test (deleted)
- /data/media/####/journal
- /data/media/####/journal.tmp
- /data/media/####/nim_sdk.log
- /data/media/####/root_cert
- /data/media/####/zego_did_config.db
- /data/media/####/zegoavlog1.txt
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- cat /sys/class/net/wlan0/address
- getprop
- getprop ro.build.display.id
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.miui.ui.version.name
- getprop ro.smartisan.version
- getprop ro.vivo.os.version
- ps
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- AES-GCM-NoPadding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
Запрашивает разрешение на отображение системных уведомлений.
