Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.HiddenAds.3057
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(TLS/1.0) to####.ctobsn####.com.####.com:443
- TCP(TLS/1.0) st####.yx####.com.####.net:443
- TCP(TLS/1.0) 1####.250.179.138:443
- TCP(TLS/1.0) basefil####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) pang####.sn####.com.####.net:443
- TCP(TLS/1.2) 1####.251.36.46:443
- UDP 1####.251.36.42:443
Запросы DNS:
- basefil####.oss-cn-####.aliy####.com
- o####.e.kuai####.com
- pang####.sn####.com
- s####.e.qq.com
- st####.yx####.com
- to####.ctobsn####.com
Запросы HTTP GET:
- basefil####.oss-cn-####.aliy####.com:443/Video/ad_exchange_bd.json
- basefil####.oss-cn-####.aliy####.com:443/Video/version_dm_00005_221.json
- st####.yx####.com.####.net:443/udata/pkg/commercial_res_test/ks_so-Tachi...
- to####.ctobsn####.com.####.com:443/service/2/app_alert_check/?aid=####&t...
Запросы HTTP POST:
- pang####.sn####.com.####.net:443/api/ad/union/sdk/stats/batch/
- pang####.sn####.com.####.net:443/service/2/app_log/?device_platform=####...
- to####.ctobsn####.com.####.com:443/service/2/app_log/?device_platform=##...
- to####.ctobsn####.com.####.com:443/service/2/device_register/?aid=####&t...
- to####.ctobsn####.com.####.com:443/service/2/log_settings/?device_platfo...
Изменения в файловой системе:
Создает следующие файлы:
- /data/anr/traces.txt
- /data/data/####/.cl
- /data/data/####/.fsgkea
- /data/data/####/.jg.ac
- /data/data/####/.jg.ri
- /data/data/####/.jg.store.report_cf
- /data/data/####/.jg.store.report_pid
- /data/data/####/7d92d75c7aa0784b9baecd3e48879a4e-4019-4019.apk
- /data/data/####/PowerAssistService_native_clean
- /data/data/####/PowerAssistService_native_other
- /data/data/####/PowerAssistService_service_clean
- /data/data/####/PowerAssistService_service_other
- /data/data/####/PowerCleanService_native_assist
- /data/data/####/PowerCleanService_native_other
- /data/data/####/PowerCleanService_service_assist
- /data/data/####/PowerCleanService_service_other
- /data/data/####/PowerOtherService_native_assist
- /data/data/####/PowerOtherService_native_clean
- /data/data/####/PowerOtherService_service_assist
- /data/data/####/PowerOtherService_service_clean
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/applog_stats.xml
- /data/data/####/base-1.apk
- /data/data/####/base-1.dex
- /data/data/####/base-1.dex.flock (deleted)
- /data/data/####/bd_tea_agent.db-journal
- /data/data/####/bdtracker_dr_migrate_detector.xml
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/classes.oat
- /data/data/####/com.hai.video.bd_preferences.xml
- /data/data/####/default_bg.webp
- /data/data/####/gdt_plugin.dex
- /data/data/####/gdt_plugin.dex.flock (deleted)
- /data/data/####/gdt_plugin.jar
- /data/data/####/gdt_plugin.jar.sig
- /data/data/####/header_custom.xml
- /data/data/####/header_custom.xml.bak
- /data/data/####/indicator2_d
- /data/data/####/indicator2_d-c
- /data/data/####/indicator2_p
- /data/data/####/indicator2_p-c
- /data/data/####/indicator_d
- /data/data/####/indicator_d-c
- /data/data/####/indicator_p
- /data/data/####/indicator_p-c
- /data/data/####/ksadrep.db
- /data/data/####/ksadrep.db-journal
- /data/data/####/ksadsdk_device_sig.xml
- /data/data/####/ksadsdk_model.xml
- /data/data/####/ksadsdk_pref.xml
- /data/data/####/ksadsdk_seq.xml
- /data/data/####/ksadsdk_splash_preload_id_list.xml
- /data/data/####/kssdk_api_pref.xml
- /data/data/####/last_sp_session.xml
- /data/data/####/libPglmetasec_ml.so
- /data/data/####/libavmdl_lite.so
- /data/data/####/libkwad-fb.so
- /data/data/####/libkwad-j2v8.so
- /data/data/####/libkwad-yoga.so
- /data/data/####/libtobEmbedEncrypt.so
- /data/data/####/libttmplayer_lite.so
- /data/data/####/metrics_guid
- /data/data/####/pangle_meta_data_sp.xml
- /data/data/####/pangle_meta_data_sp.xml.bak
- /data/data/####/proc_auxv
- /data/data/####/snssdk_openudid.xml
- /data/data/####/snssdk_openudid.xml.bak
- /data/data/####/sotk-v7a165274939826269244051.tmp
- /data/data/####/sotk-v7a16527494039601184646437.tmp
- /data/data/####/sotk-v7a16527494039601184646437.tmp (deleted)
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/ug_install_settings_pref.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/update_lc
- /data/data/####/video_data.xml
- /data/data/####/xx_sp.xml
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh
- app_process32 / c.j.a.f.h AgAAAEcAAAAvAGQAYQB0AGEALwB1AHMAZQByAC8AMAAvAGMAbwBtAC4AaABhAGkALgB2AGkAZABlAG8ALgBiAGQALwBhAHAAcABfAFQAbQBwAEQAaQByAC8AUABvAHcAZQByAEMAbABlAGEAbgBTAGUAcgB2AGkAYwBlAF8AbgBhAHQAaQB2AGUAXwBvAHQAaABlAHIAAABIAAAALwBkAGEAdABhAC8AdQBzAGUAcgAvADAALwBjAG8AbQAuAGgAYQBpAC4AdgBpAGQAZQBvAC4AYgBkAC8AYQBwAHAAXwBUAG0AcABEAGkAcgAvAFAAbwB3AGUAcgBBAHMAcwBpAHMAdABTAGUAcgB2AGkAYwBlAF8AbgBhAHQAaQB2AGUAXwBvAHQAaABlAHIAAAAAAAUAAABvAHQAaABlAHIAAAABAAAA/////wAAAAD/////AAAAAP////8QAAAAYwBvAG0ALgBoAGEAaQAuAHYAaQBkAGUAbwAuAGIAZAAAAAAAKgAAAGMAbwBtAC4AZABvAHQAYwAuAGsAZQBlAHAAbABpAHYAZQAuAHAAbwB3AGUAcgAuAFAAbwB3AGUAcgBFAHgAcABvAHIAdABTAGUAcgB2AGkAYwBlAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v///wAAAAABAAAAIQAAAGEAbgBkAHIAbwBpAGQAeAAuAGMAbwByAGUALgBhAHAAcAAuAFUAUABEAEEAVABFAF8AUgBFAEMARQBJAFYARQBSAAAAAAAAAP////8AAAAAEAAAAGMAbwBtAC4AaABhAGkALgB2AGkAZABlAG8ALgBiAGQAAAAAAP////8AAAAAAAAAAAAAAAAAAAAA/v///wAAAAABAAAA/////wAAAAD/////AAAAAP////8QAAAAYwBvAG0ALgBoAGEAaQAuAHYAaQBkAGUAbwAuAGIAZAAAAAAALAAAAGMAbwBtAC4AZABvAHQAYwAuAGsAZQBlAHAAbABpAHYAZQAuAHAAbwB3AGUAcgAuAFAAbwB3AGUAcgBJAG4AcwB0AHIAdQBtAGUAbgB0AGEAdABpAG8AbgAAAAAAAAAAAAAAAAAAAAAAAAAAAP7///8AAAAA --application --nice-name=other --daemon
- app_process32 / c.j.a.f.h AgAAAEgAAAAvAGQAYQB0AGEALwB1AHMAZQByAC8AMAAvAGMAbwBtAC4AaABhAGkALgB2AGkAZABlAG8ALgBiAGQALwBhAHAAcABfAFQAbQBwAEQAaQByAC8AUABvAHcAZQByAEEAcwBzAGkAcwB0AFMAZQByAHYAaQBjAGUAXwBuAGEAdABpAHYAZQBfAGMAbABlAGEAbgAAAAAARwAAAC8AZABhAHQAYQAvAHUAcwBlAHIALwAwAC8AYwBvAG0ALgBoAGEAaQAuAHYAaQBkAGUAbwAuAGIAZAAvAGEAcABwAF8AVABtAHAARABpAHIALwBQAG8AdwBlAHIATwB0AGgAZQByAFMAZQByAHYAaQBjAGUAXwBuAGEAdABpAHYAZQBfAGMAbABlAGEAbgAAAAUAAABjAGwAZQBhAG4AAAABAAAA/////wAAAAD/////AAAAAP////8QAAAAYwBvAG0ALgBoAGEAaQAuAHYAaQBkAGUAbwAuAGIAZAAAAAAAKgAAAGMAbwBtAC4AZABvAHQAYwAuAGsAZQBlAHAAbABpAHYAZQAuAHAAbwB3AGUAcgAuAFAAbwB3AGUAcgBFAHgAcABvAHIAdABTAGUAcgB2AGkAYwBlAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v///wAAAAABAAAAIQAAAGEAbgBkAHIAbwBpAGQAeAAuAGMAbwByAGUALgBhAHAAcAAuAFUAUABEAEEAVABFAF8AUgBFAEMARQBJAFYARQBSAAAAAAAAAP////8AAAAAEAAAAGMAbwBtAC4AaABhAGkALgB2AGkAZABlAG8ALgBiAGQAAAAAAP////8AAAAAAAAAAAAAAAAAAAAA/v///wAAAAABAAAA/////wAAAAD/////AAAAAP////8QAAAAYwBvAG0ALgBoAGEAaQAuAHYAaQBkAGUAbwAuAGIAZAAAAAAALAAAAGMAbwBtAC4AZABvAHQAYwAuAGsAZQBlAHAAbABpAHYAZQAuAHAAbwB3AGUAcgAuAFAAbwB3AGUAcgBJAG4AcwB0AHIAdQBtAGUAbgB0AGEAdABpAG8AbgAAAAAAAAAAAAAAAAAAAAAAAAAAAP7///8AAAAA --application --nice-name=clean --daemon
- app_process32 / c.j.a.f.h AgAAAEgAAAAvAGQAYQB0AGEALwB1AHMAZQByAC8AMAAvAGMAbwBtAC4AaABhAGkALgB2AGkAZABlAG8ALgBiAGQALwBhAHAAcABfAFQAbQBwAEQAaQByAC8AUABvAHcAZQByAEMAbABlAGEAbgBTAGUAcgB2AGkAYwBlAF8AbgBhAHQAaQB2AGUAXwBhAHMAcwBpAHMAdAAAAAAASAAAAC8AZABhAHQAYQAvAHUAcwBlAHIALwAwAC8AYwBvAG0ALgBoAGEAaQAuAHYAaQBkAGUAbwAuAGIAZAAvAGEAcABwAF8AVABtAHAARABpAHIALwBQAG8AdwBlAHIATwB0AGgAZQByAFMAZQByAHYAaQBjAGUAXwBuAGEAdABpAHYAZQBfAGEAcwBzAGkAcwB0AAAAAAAGAAAAYQBzAHMAaQBzAHQAAAAAAAEAAAD/////AAAAAP////8AAAAA/////xAAAABjAG8AbQAuAGgAYQBpAC4AdgBpAGQAZQBvAC4AYgBkAAAAAAAqAAAAYwBvAG0ALgBkAG8AdABjAC4AawBlAGUAcABsAGkAdgBlAC4AcABvAHcAZQByAC4AUABvAHcAZQByAEUAeABwAG8AcgB0AFMAZQByAHYAaQBjAGUAAAAAAAAAAAAAAAAAAAAAAAAAAAD+////AAAAAAEAAAAhAAAAYQBuAGQAcgBvAGkAZAB4AC4AYwBvAHIAZQAuAGEAcABwAC4AVQBQAEQAQQBUAEUAXwBSAEUAQwBFAEkAVgBFAFIAAAAAAAAA/////wAAAAAQAAAAYwBvAG0ALgBoAGEAaQAuAHYAaQBkAGUAbwAuAGIAZAAAAAAA/////wAAAAAAAAAAAAAAAAAAAAD+////AAAAAAEAAAD/////AAAAAP////8AAAAA/////xAAAABjAG8AbQAuAGgAYQBpAC4AdgBpAGQAZQBvAC4AYgBkAAAAAAAsAAAAYwBvAG0ALgBkAG8AdABjAC4AawBlAGUAcABsAGkAdgBlAC4AcABvAHcAZQByAC4AUABvAHcAZQByAEkAbgBzAHQAcgB1AG0AZQBuAHQAYQB0AGkAbwBuAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v///wAAAAA= --application --nice-name=assist --daemon
- cat /sys/class/net/wlan0/address
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.letv.release.version
- getprop ro.miui.ui.version.name
- getprop ro.product.system.manufacturer
- getprop ro.smartisan.version
- getprop ro.vivo.os.build.display.id
- getprop ro.vivo.os.version
- sh
Загружает динамические библиотеки:
- libjiagu
- libkwad-fb
- libkwad-j2v8
- libkwad-yoga
- libleoric
- libnets
- libsgcore
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7PADDING
- RSA-ECB-PKCS1Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о телефоне (номер, IMEI и т. д.).
Отрисовывает собственные окна поверх других приложений.
Запрашивает разрешение на отображение системных уведомлений.
