Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Was.1.origin
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) g####.62####.com:8001
- TCP(HTTP/1.1) a.da####.com:9127
- TCP(TLS/1.0) l####.chartb####.com:443
- TCP(TLS/1.0) ttplu####.tt####.info:443
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.0) mi.g####.qq.com:443
- TCP(TLS/1.0) p####.tt####.info:443
- TCP(TLS/1.0) in2-pro####.traffic####.net:443
- TCP(TLS/1.0) 2####.58.208.202:443
- TCP(TLS/1.0) securit####.sp####.mig.####.net:443
- TCP(TLS/1.0) co####.uca.c####.####.com:443
- TCP(TLS/1.0) promo-i####.tt####.info:443
- TCP(TLS/1.0) ecomm####.iap.uni####.com:443
- TCP(TLS/1.0) kin####.us-ea####.amazo####.com:443
- TCP(TLS/1.0) prd-le####.cdp.inte####.####.com:443
- TCP(TLS/1.0) firebas####.google####.com:443
- TCP(TLS/1.2) and####.cli####.go####.com:443
- TCP(TLS/1.2) 1####.217.16.10:443
- TCP(TLS/1.2) 1####.217.16.3:443
Запросы DNS:
- 191.41.210.####.arpa
- 65.19.222.####.arpa
- a.da####.com
- and####.cli####.go####.com
- android####.go####.com
- api.sa####.com
- api.sa####.com.####.8
- cdp.c####.uni####.com
- co####.sa####.com
- co####.sa####.com.####.8
- co####.uca.c####.####.com
- collect####.delt####.net
- collect####.delt####.net.####.8
- ecomm####.iap.uni####.com
- engage1####.delt####.net
- engage1####.delt####.net.####.8
- firebas####.google####.com
- g####.62####.com
- in.appce####.ms
- instant####.google####.com
- kin####.us-ea####.amazo####.com
- l####.chartb####.com
- mi.g####.qq.com
- p####.tt####.info
- promo-i####.tt####.info
- s####.e.qq.com
- t####.m.qq.com
- ttplu####.tt####.info
- www.a####.com
Запросы HTTP GET:
- a.da####.com:9127/ll/gs?baseversion=####&version=####&appversion=####&ch...
- mi.g####.qq.com:443/gdt_mview.fcg?actual_width=####&fc=####&datatype=###...
- mi.g####.qq.com:443/gdt_mview.fcg?count=####&adposcount=####&fc=####&dat...
- mi.g####.qq.com:443/gdt_mview.fcg?fc=####&datatype=####&posh=####&count=...
- promo-i####.tt####.info:443/nativeCampaign/zips/Dentist_Bling_Native_UA_...
- promo-i####.tt####.info:443/nativeCampaign/zips/MultiMaze_BB0_12_33s_452...
- promo-i####.tt####.info:443/promotionsImages/DIY-Keyboard-x152_ce8bb0f4....
- promo-i####.tt####.info:443/promotionsImages/iOS_152_StringPull_store-ic...
- promo-i####.tt####.info:443/promotionsImages/ico_152_AMAZE_store-icon_D2...
- promo-i####.tt####.info:443/promotionsImages/ico_152_DIYMakeup_store-ico...
- promo-i####.tt####.info:443/promotionsImages/ico_152_TieDye_store-icon_P...
- promo-i####.tt####.info:443/promotionsImages/icon_152_BlowThemUp_store-i...
- promo-i####.tt####.info:443/promotionsImages/icon_152_MultiMaze_store-ic...
- promo-i####.tt####.info:443/promotionsImages/icon_152_PhoneCaseDIY_store...
- promo-i####.tt####.info:443/promotionsImages/icon_152_Polestar_store-ico...
- promo-i####.tt####.info:443/promotionsImages/icon_152_SculptPeople_store...
- promo-i####.tt####.info:443/promotionsZips/adunit_ASMR_Slicing_Icon_set_...
- promo-i####.tt####.info:443/promotionsZips/adunit_Acrylic_Nails_Icon_set...
- promo-i####.tt####.info:443/promotionsZips/adunit_Amaze_Icon_set_6_defau...
- promo-i####.tt####.info:443/promotionsZips/adunit_Blow_Them_UP_Poster_se...
- promo-i####.tt####.info:443/promotionsZips/adunit_Blow_Them_up_Icon_set_...
- promo-i####.tt####.info:443/promotionsZips/adunit_DIY_Keyboard_Icon_set_...
- promo-i####.tt####.info:443/promotionsZips/adunit_DIY_Keyboard_Poster_se...
- promo-i####.tt####.info:443/promotionsZips/adunit_DIY_Makeup_Icon_set_4_...
- promo-i####.tt####.info:443/promotionsZips/adunit_Diamond_Painting_Icon_...
- promo-i####.tt####.info:443/promotionsZips/adunit_Hair_Dye_Icon_set_2_de...
- promo-i####.tt####.info:443/promotionsZips/adunit_Multi_Maze_Icon_set_1_...
- promo-i####.tt####.info:443/promotionsZips/adunit_Multi_Maze_Poster_set_...
- promo-i####.tt####.info:443/promotionsZips/adunit_Phone_Case_DIY_Icon_se...
- promo-i####.tt####.info:443/promotionsZips/adunit_Pole_Star_Icon_set_1_d...
- promo-i####.tt####.info:443/promotionsZips/adunit_Pole_Star_Poster_set_1...
- promo-i####.tt####.info:443/promotionsZips/adunit_Sculpt_People_Icon_set...
- promo-i####.tt####.info:443/promotionsZips/adunit_Soap_Cutting_Icon_set_...
- promo-i####.tt####.info:443/promotionsZips/adunit_String_Pull_Icon_set_3...
- promo-i####.tt####.info:443/promotionsZips/adunit_String_Pull_Poster_set...
- promo-i####.tt####.info:443/promotionsZips/adunit_Tie_Dye_Icon_set_4_def...
- promo-i####.tt####.info:443/skins/stand/crazylabs/5.15.0/skin.zip
- ttplu####.tt####.info:443/analytics-remote/google/<Package>
- ttplu####.tt####.info:443/geolocation
- ttplu####.tt####.info:443/houseads/google/<Package>
- ttplu####.tt####.info:443/native-campaign/google/<Package>
- ttplu####.tt####.info:443/stand/remote-config/v1/google/<Package>?orient...
Запросы HTTP POST:
- a.da####.com:9127/ll//uu?t=####
- firebas####.google####.com:443/v1/projects/463602206551/namespaces/fireb...
- g####.62####.com:8001/adStatistics
- g####.62####.com:8001/addNewApp
- g####.62####.com:8001/gameState
- in2-pro####.traffic####.net:443/logs?api-version=####
- kin####.us-ea####.amazo####.com:443/
- l####.chartb####.com:443/api/config
- l####.chartb####.com:443/api/install
- l####.chartb####.com:443/webview/v2/prefetch
- securit####.sp####.mig.####.net:443/?mc=####
- ttplu####.tt####.info:443/elephant/register/google//<Package>
- ttplu####.tt####.info:443/privacy/remote-config/v1/google/<Package>
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.SNZ
- /data/data/####/.cl
- /data/data/####/.hptc.cache_tpack.vs.colors
- /data/data/####/.hptc_kache_tpack.vs.colors
- /data/data/####/.jg.ic
- /data/data/####/.jg.store.report_cf
- /data/data/####/.jgck
- /data/data/####/.turing.dat
- /data/data/####/.
- /data/data/####/0963098a1b84d2f2_0
- /data/data/####/3459.yaqcookie
- /data/data/####/5b4e10f30a277b58_0
- /data/data/####/5b4e10f30a277b58_1
- /data/data/####/AppCenter.xml
- /data/data/####/BuglySdkInfos.xml
- /data/data/####/Cookies-journal
- /data/data/####/FBAdPrefs.xml
- /data/data/####/GDTSDK.db
- /data/data/####/GDTSDK.db-journal
- /data/data/####/SafeDKToggles.xml
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/a5d06ab9424d7650_0
- /data/data/####/appsflyer-data.xml
- /data/data/####/audience_network.dex
- /data/data/####/audience_network.dex.flock (deleted)
- /data/data/####/cbPrefs.xml
- /data/data/####/cheuu
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/classes.dex;classes5.dex
- /data/data/####/classes.dex;classes6.dex
- /data/data/####/classes.oat
- /data/data/####/com.crazylabs.jetpack.vs.colors.v2.playerprefs.xml
- /data/data/####/com.crazylabs.jetpack.vs.colors.xml
- /data/data/####/com.crazylabs.jetpack.vs.colors_preferences.xml
- /data/data/####/com.deltadna.android.sdk-journal
- /data/data/####/com.deltadna.android.sdk.xml
- /data/data/####/com.facebook.ads.idfa.xml
- /data/data/####/com.google.InstanceId.properties
- /data/data/####/com.google.android.gms.appid-no-backup
- /data/data/####/com.google.android.gms.appid.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml.bak
- /data/data/####/com.google.firebase.remoteconfig_legacy_settings.xml
- /data/data/####/com.microsoft.appcenter.persistence-journal
- /data/data/####/com.qq.e.sdkconfig.xml
- /data/data/####/config
- /data/data/####/ea83071caa2585d9_0
- /data/data/####/fd0517a4550c8f07_0
- /data/data/####/frc_1;463602206551;android;28ddc9cc3181084dc0a0...e.json
- /data/data/####/frc_1;463602206551;android;28ddc9cc3181084dc0a0...gs.xml
- /data/data/####/frc_1;463602206551;android;28ddc9cc3181084dc0a0...h.json
- /data/data/####/frc_1;463602206551;android;28ddc9cc3181084dc0a0...s.json
- /data/data/####/gdt_plugin.dex
- /data/data/####/gdt_plugin.dex.flock (deleted)
- /data/data/####/gdt_plugin.jar
- /data/data/####/gdt_plugin.jar.sig
- /data/data/####/google_app_measurement_local.db
- /data/data/####/google_app_measurement_local.db-journal
- /data/data/####/index
- /data/data/####/libMMANDKSignature.2f018e3a.so
- /data/data/####/libjiagu.so
- /data/data/####/libturingau.2f018e3a.so
- /data/data/####/libyaqbasic.2f018e3a.so
- /data/data/####/libyaqpro.2f018e3a.so
- /data/data/####/metrics_guid
- /data/data/####/mpdc_105498_1
- /data/data/####/proc_auxv
- /data/data/####/temp-index
- /data/data/####/the-real-index
- /data/data/####/tmd
- /data/data/####/turingfd_conf_105498_auMini.xml
- /data/data/####/turingfd_protect_105498_41_auMini.xml
- /data/data/####/tv
- /data/data/####/update_lc
- /data/data/####/uuloi
- /data/data/####/vva
- /data/data/####/vva.dex
- /data/data/####/vva.dex.flock (deleted)
- /data/data/####/vva.jar
- /data/data/####/yaq.2f018e3a.sec
- /data/data/####/yaq2.2f018e3a.sec
- /data/data/####/yaq3_0.2f018e3a.sec
- /data/data/####/yaqsdkcookie
- /data/media/####/.nomedia
- /data/media/####/.turing.dat
- /data/media/####/1db2141b-99b6-421a-9682-84d39a527951
- /data/media/####/2b03021a-4f2d-4949-a9af-4c68ec662239
- /data/media/####/30896948-9d82-4c4f-9545-f514ffb79f2e
- /data/media/####/41c8894c-64f3-4f32-bae9-070fdcb5b3cf
- /data/media/####/530f1e769f9d38eeda41b658021c5a88_tmp (deleted)
- /data/media/####/5b465e9c-06d1-47b3-abe8-464ab11d31f5
- /data/media/####/76e527be-7bd0-4458-b32c-ff34db7f39e4
- /data/media/####/922c9750d3cd27acaa464c81c3f4d347
- /data/media/####/9b5cc877-dc2b-4fed-8f5a-73f6dd9b52f2
- /data/media/####/BlowThemUp_B0_1600x900__IB0_xvkDX__EN_efc6890a.jpg
- /data/media/####/Compat.browser
- /data/media/####/DIY-Keyboard-x152_ce8bb0f4.png
- /data/media/####/DIYKeyboard_B0_1600x900__IB0_qInlI__EN_a7e733bc.jpg
- /data/media/####/DefaultWsdlHelpGenerator.aspx
- /data/media/####/DeltaDNAAgent_1.json
- /data/media/####/MultiMaze_BB0_12.33s_452x452__VBB0_YG8TU__EN_c66e9e12.mp4
- /data/media/####/MultiMaze_BB0_12_33s_452x452__VBB0_YG8TU__EN_c...p4.zip
- /data/media/####/Raleway-Bold.woff
- /data/media/####/SP_1600x900_e456c5fa.jpg
- /data/media/####/StandPromo_1600x900_fa1ca620.jpg
- /data/media/####/StringPull_StandPromotion_1600x900_0f3dfbf9.jpg
- /data/media/####/ad-indication.6db3049d.png
- /data/media/####/ad_badge.png
- /data/media/####/ad_badge.png.meta
- /data/media/####/adunit_ASMR_Slicing_Icon_set_1_default.zip (deleted)
- /data/media/####/adunit_Acrylic_Nails_Icon_set_1_default.zip
- /data/media/####/adunit_Amaze_Icon_set_6_default.zip
- /data/media/####/adunit_Blow_Them_UP_Poster_set_1_portrait.zip
- /data/media/####/adunit_Blow_Them_up_Icon_set_1_default.zip
- /data/media/####/adunit_DIY_Keyboard_Icon_set_2_default.zip
- /data/media/####/adunit_DIY_Keyboard_Poster_set_1_portrait.zip
- /data/media/####/adunit_DIY_Makeup_Icon_set_4_default.zip (deleted)
- /data/media/####/adunit_Diamond_Painting_Icon_set_4_default.zip
- /data/media/####/adunit_Hair_Dye_Icon_set_2_default.zip
- /data/media/####/adunit_Multi_Maze_Icon_set_1_default.zip
- /data/media/####/adunit_Multi_Maze_Poster_set_1_portrait.zip
- /data/media/####/adunit_Phone_Case_DIY_Icon_set_5_default.zip
- /data/media/####/adunit_Pole_Star_Icon_set_1_default.zip
- /data/media/####/adunit_Pole_Star_Poster_set_1_portrait.zip
- /data/media/####/adunit_Sculpt_People_Icon_set_3_default.zip
- /data/media/####/adunit_Soap_Cutting_Icon_set_4_default.zip
- /data/media/####/adunit_String_Pull_Icon_set_3_default.zip
- /data/media/####/adunit_String_Pull_Poster_set_1_portrait.zip
- /data/media/####/adunit_Tie_Dye_Icon_set_4_default.zip
- /data/media/####/arrowSprite.8c368c57.png
- /data/media/####/breadCrumbs.data
- /data/media/####/browscap.ini
- /data/media/####/btnFreeSprite.08dc6b61.png
- /data/media/####/buy.png
- /data/media/####/buy.png.meta
- /data/media/####/c
- /data/media/####/close-btn.73f20dc9.png
- /data/media/####/config
- /data/media/####/config.json
- /data/media/####/config.json.meta
- /data/media/####/config.xml
- /data/media/####/content.json
- /data/media/####/css.meta
- /data/media/####/d
- /data/media/####/e
- /data/media/####/faddd673-5ff6-4ebd-b383-24dab675022b
- /data/media/####/free.png
- /data/media/####/free.png.meta
- /data/media/####/g
- /data/media/####/global-metadata.dat
- /data/media/####/house-ads.9860ea70.css
- /data/media/####/house-ads.9860ea70.css.meta
- /data/media/####/house-ads.b28cf84c.js
- /data/media/####/house-ads.b28cf84c.js.meta
- /data/media/####/houseAds.json
- /data/media/####/houseAds_new.json
- /data/media/####/houseads.zip
- /data/media/####/iOS_152_DIYMakeup_store-icon_M0_152x152_IOSsto...dd.png
- /data/media/####/iOS_152_DiamondPainting_store-icon_G2_152x152_...93.png
- /data/media/####/iOS_152_StringPull_store-icon_E1_152x152_IOSst...77.png
- /data/media/####/ico_152_AMAZE_store-icon_D2_152x152_IOSstorebu...25.png
- /data/media/####/ico_152_DIYKeyboard_store-icon_D0_152x152_IOSs...e2.png
- /data/media/####/ico_152_DIYMakeup_store-icon_E0_152x152__801b01d1.png
- /data/media/####/ico_152_TieDye_store-icon_P0_152x152_IOSstoreb...f9.png
- /data/media/####/icon-title-first.6d38a8a0.png
- /data/media/####/icon-title-second.4de185ea.png
- /data/media/####/icon-title-second_portrait.88e277d6.png
- /data/media/####/icon_152_BlowThemUp_store-icon_B0_152x152_IOSs...fc.png
- /data/media/####/icon_152_HairDye_store-icon_F2_152x152__f3b8df14.png
- /data/media/####/icon_152_MultiMaze_store-icon_C1_152x152_IOSst...dd.png
- /data/media/####/icon_152_PhoneCaseDIY_store-icon_A1_152x152_IO...d7.png
- /data/media/####/icon_152_PhoneCaseDIY_store-icon_O0_152x152__f1240ccd.png
- /data/media/####/icon_152_Polestar_store-icon_A0_152x152_IOSsto...07.png
- /data/media/####/icon_152_SculptPeople_store-icon_H1_152x152__29bfabd1.png
- /data/media/####/icon_152_SoapCutting_store-icon_G1_152x152_IOS...eb.png
- /data/media/####/icons-bg-portrait.6cdd5db7.png
- /data/media/####/icons-bg-portrait_21.df3e72e3.png
- /data/media/####/icons-bg.8c1f9b48.png
- /data/media/####/icons_111_ae3d1d1c.png
- /data/media/####/icons_113_50a98731.png
- /data/media/####/icons_12_412263f4.png
- /data/media/####/icons_1_95d5c506.png
- /data/media/####/icons_1_9c41d4fb.png
- /data/media/####/icons_1_a51e3815.png
- /data/media/####/icons_1_c0b79a73.png
- /data/media/####/icons_1_cde01e79.png
- /data/media/####/icons_1_f6024cec.png
- /data/media/####/icons_25_23515ef7.png
- /data/media/####/icons_stand_1_ca82437b.png
- /data/media/####/icons_stand_23cf8595.png
- /data/media/####/icons_stand_cbd1ee34.png
- /data/media/####/index.html
- /data/media/####/index.html.meta
- /data/media/####/js.meta
- /data/media/####/last-btime
- /data/media/####/machine.config
- /data/media/####/md5.txt
- /data/media/####/mscorlib.dll-resources.dat
- /data/media/####/play.png
- /data/media/####/play.png.meta
- /data/media/####/promo-indication-landscape.42a85bc5.png
- /data/media/####/promo-indication-portrait.afff4ed1.png
- /data/media/####/s
- /data/media/####/settings.map
- /data/media/####/skin.zip
- /data/media/####/stand-cl.935d69bd.js
- /data/media/####/stand-cl.e75c1cf4.css
- /data/media/####/ttkinesislog-save.txt
- /data/media/####/unity.ver
- /data/media/####/values
- /data/media/####/web.config
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- /system/bin/df
- /system/bin/getprop
- /system/bin/ping -c 1 www.apple.com
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
Запрашивает разрешение на отображение системных уведомлений.
