Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.DownLoader.363.origin
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(TLS/1.0) 1####.194.222.95:443
- TCP(TLS/1.0) api.appsf####.com:443
- TCP(TLS/1.0) sf3-fe####.pglstat####.com:443
- TCP(TLS/1.0) app-mea####.com:443
- TCP(TLS/1.0) co####.uca.c####.####.com:443
- TCP(TLS/1.0) is.sn####.com.####.com:443
- TCP(TLS/1.0) prd-le####.cdp.inte####.####.com:443
- TCP(TLS/1.0) s3.amazo####.com:443
- TCP(TLS/1.0) myto####.fireba####.com:443
- TCP(TLS/1.0) u####.u####.com:443
- TCP(TLS/1.0) sf3-ttc####.ps####.com:443
- TCP(TLS/1.0) plb####.u####.com:443
- TCP(TLS/1.0) t.appsf####.com:443
- TCP(TLS/1.2) 74.1####.131.138:443
- UDP 1####.194.222.95:443
Запросы DNS:
- api.appsf####.com
- app-mea####.com
- cdp.c####.uni####.com
- co####.uca.c####.####.com
- is.sn####.com
- myto####.fireba####.com
- mytownd####.fireba####.com
- plb####.u####.com
- s3.amazo####.com
- sf3-fe####.pglstat####.com
- sf3-ttc####.ps####.com
- t.appsf####.com
- u####.u####.com
- z####.heyc####.net
- z####.heyc####.net.####.8
Запросы HTTP GET:
- api.appsf####.com:443/install_data/v3/<Package>?devkey=####&device_id=####
- myto####.fireba####.com:443//cross_promo/my_city/.json?auth=####
- myto####.fireba####.com:443//cross_promo/my_little_princess/.json?auth=#...
- myto####.fireba####.com:443//cross_promo/my_town/.json?auth=####
- myto####.fireba####.com:443//cross_promo/my_town_3D/.json?auth=####
- myto####.fireba####.com:443//cross_promo/wonderland/.json?auth=####
- myto####.fireba####.com:443//cross_promo_visibility/my_city/home/android...
- myto####.fireba####.com:443//games/my_city/.json?auth=####
- myto####.fireba####.com:443//games/my_little_princess/.json?auth=####
- myto####.fireba####.com:443//games/my_town/.json?auth=####
- myto####.fireba####.com:443//games/my_town_3D/.json?auth=####
- myto####.fireba####.com:443//games/wonderland/.json?auth=####
- myto####.fireba####.com:443//last_update/.json?auth=####
- myto####.fireba####.com:443//my_city/episode_one/games/.json?auth=####
- myto####.fireba####.com:443//my_city/episode_one/updated/.json?auth=####
- myto####.fireba####.com:443//my_city/episode_one/version/.json?auth=####
- myto####.fireba####.com:443//users/641d1bfc256cc2a6fa6c97e32159b5fc/.jso...
- s3.amazo####.com:443/mytowngames/crossmarketing/PlayNow_MC31.png
- s3.amazo####.com:443/mytowngames/crossmarketing/PlayNow_MC32.png
- s3.amazo####.com:443/mytowngames/crossmarketing/PlayNow_MC33.png
- sf3-fe####.pglstat####.com:443/obj/ad-pattern/renderer/29272d/index.html
- sf3-fe####.pglstat####.com:443/obj/ad-pattern/renderer/29272d/index.js
- sf3-fe####.pglstat####.com:443/obj/ad-pattern/renderer/29272d/vendors~lp...
- sf3-ttc####.ps####.com:443/obj/ad-pattern/renderer/package.json
Запросы HTTP POST:
- co####.uca.c####.####.com:443/
- is.sn####.com.####.com:443/api/ad/union/sdk/get_ads/
- is.sn####.com.####.com:443/api/ad/union/sdk/settings/
- is.sn####.com.####.com:443/api/ad/union/sdk/stats/
- myto####.fireba####.com:443//users/641d1bfc256cc2a6fa6c97e32159b5fc/.jso...
- plb####.u####.com:443/umpx_internal
- prd-le####.cdp.inte####.####.com:443/v1/events
- t.appsf####.com:443/api/v4/androidevent?buildnumber=####&app_id=####
- u####.u####.com:443/unify_logs
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-1127729055-1266689676
- /data/data/####/-5998622401067643521
- /data/data/####/.hptc.cache_com.mycity.home
- /data/data/####/.hptc_kache_com.mycity.home
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.jgck
- /data/data/####/1021689741840853517
- /data/data/####/FIREBASE_CLOUD_MESSAGING_LOCAL_STORAGE
- /data/data/####/FIREBASE_CLOUD_MESSAGING_LOCKFILE (deleted)
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/app_resources_lib.dex
- /data/data/####/app_resources_lib.dex.flock (deleted)
- /data/data/####/app_resources_lib.jar
- /data/data/####/appsflyer-data.xml
- /data/data/####/appsflyer-data.xml.bak
- /data/data/####/appsflyer-data.xml.bak (deleted)
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.oat
- /data/data/####/com.google.InstanceId.properties
- /data/data/####/com.google.android.gms.appid-no-backup
- /data/data/####/com.google.android.gms.appid.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml.bak
- /data/data/####/com.google.firebase.messaging.xml
- /data/data/####/com.mycity.home.v2.playerprefs.xml
- /data/data/####/dW1weF9pbnRlcm5hbF8xNjYzODUxNjEyMDcx;
- /data/data/####/downloader.db-journal
- /data/data/####/dpi
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/gameConf.xml
- /data/data/####/google_api_resources_lib.dex
- /data/data/####/google_api_resources_lib.dex.flock (deleted)
- /data/data/####/google_api_resources_lib.jar
- /data/data/####/google_app_measurement_local.db
- /data/data/####/google_app_measurement_local.db-journal
- /data/data/####/i==1.2.0&&2.2.21_1663851607041_envelope.log
- /data/data/####/info.xml
- /data/data/####/libjiagu.so
- /data/data/####/proc_auxv
- /data/data/####/sp_reward_video_adslot.xml
- /data/data/####/t==8.0.0&&2.2.21_1663851612788_envelope.log
- /data/data/####/tt_sdk_settings.xml
- /data/data/####/ttopenadsdk.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/media/####/.nid
- /data/media/####/.nomedia
- /data/media/####/072e5040-154f-4b3c-b2c1-ede613351786.tmp
- /data/media/####/07f99b09-7bce-4aa4-8e47-2811cb7def38.tmp
- /data/media/####/0e9c8c61-ca8a-48d9-ad74-21de83fe34dd.tmp
- /data/media/####/2031_PlayNow_MC31.png
- /data/media/####/2032_PlayNow_MC32.png
- /data/media/####/2033_PlayNow_MC33.png
- /data/media/####/39b52561-aaa2-4ae7-be79-9584b7eca31a.tmp
- /data/media/####/437a40a63ba9484c68e77fe26f3dbdb0
- /data/media/####/4d05581ff5117b7545a4afe108b629df.tmp
- /data/media/####/4facb15e36d8918a45ab49ef3a565ae3.tmp
- /data/media/####/74df145f-5e0a-4cc8-9190-8deede17f3d4.tmp
- /data/media/####/77367ee522a087755bcfe1f885390721
- /data/media/####/8a009159-24e8-46c7-9bcc-31a0545c474e.tmp
- /data/media/####/8ab3fb82-c3ab-492b-a25e-6fc65a6e85a3.tmp
- /data/media/####/8b2aad4d-e199-4b29-9990-d48617288083.tmp
- /data/media/####/92b18de7-a456-46f2-bbee-10766bd3188b.tmp
- /data/media/####/93d1974a59c8ccb3a3738143cbd94ed2.tmp
- /data/media/####/9df3d646-11e1-47b9-8145-343bb9e23deb.tmp
- /data/media/####/9e122033-d3ea-479c-880a-15ae3570fcd5.tmp
- /data/media/####/CommonSave.json
- /data/media/####/Compat.browser
- /data/media/####/DefaultWsdlHelpGenerator.aspx
- /data/media/####/DiskAssets.asset
- /data/media/####/DiskAssets.lock
- /data/media/####/Firebase.Platform.dll-resources.dat
- /data/media/####/a2962329-1b84-4529-a88d-f4d9b249d346.tmp
- /data/media/####/b8d0f2b6-4762-4ec8-a423-7187744e5897.tmp
- /data/media/####/babytown.coloring.learn.kids.cpid
- /data/media/####/bb956db0-5d1d-4eb4-aa5c-37887bc78aed.tmp
- /data/media/####/bd4df59e-3a18-4df2-9097-11085b5773da.tmp
- /data/media/####/browscap.ini
- /data/media/####/bus_vehicle.tex2d
- /data/media/####/c
- /data/media/####/c56153eb-bd05-4c08-8cbe-c5e6f72940b9.tmp
- /data/media/####/commonData.json
- /data/media/####/config
- /data/media/####/config.xml
- /data/media/####/d
- /data/media/####/dfguibt8234tfb23urf.json
- /data/media/####/e
- /data/media/####/e166a927-7428-408c-8678-729147a7cc17.tmp
- /data/media/####/eabbbbb5-5818-4744-81b1-86d4a0bce586.tmp
- /data/media/####/f11a3971-852b-4bbf-928c-23db134aa546.tmp
- /data/media/####/f8e3ab75-aabf-472e-8640-59ec360dc30d.tmp
- /data/media/####/g
- /data/media/####/gamesData.json
- /data/media/####/global-metadata.dat
- /data/media/####/last-btime
- /data/media/####/last_update.json
- /data/media/####/machine.config
- /data/media/####/mscorlib.dll-resources.dat
- /data/media/####/mycity.afterschool.cpid
- /data/media/####/mycity.airport.cpid
- /data/media/####/mycity.babysitter.cpid
- /data/media/####/mycity.bank.cpid
- /data/media/####/mycity.campingvacation.cpid
- /data/media/####/mycity.dentist.cpid
- /data/media/####/mycity.friends.cpid
- /data/media/####/mycity.friendshouse.cpid
- /data/media/####/mycity.grandparents.cpid
- /data/media/####/mycity.highschool.cpid
- /data/media/####/mycity.home.cpid
- /data/media/####/mycity.hospital.cpid
- /data/media/####/mycity.hotel.cpid
- /data/media/####/mycity.jailbreak.cpid
- /data/media/####/mycity.london.cpid
- /data/media/####/mycity.mansion.cpid
- /data/media/####/mycity.mayorsoffice.cpid
- /data/media/####/mycity.newbornbaby.cpid
- /data/media/####/mycity.newyork.cpid
- /data/media/####/mycity.office.cpid
- /data/media/####/mycity.orphan.cpid
- /data/media/####/mycity.petstore.cpid
- /data/media/####/mycity.pjparty.cpid
- /data/media/####/mycity.police.cpid
- /data/media/####/mycity.popstar.cpid
- /data/media/####/mycity.seaport.cpid
- /data/media/####/mycity.shopping.cpid
- /data/media/####/mycity.skiresort.cpid
- /data/media/####/mycity.stable.cpid
- /data/media/####/mycity.students.cpid
- /data/media/####/mycity.university.cpid
- /data/media/####/mycity.wedding.cpid
- /data/media/####/mycity.ymca.cpid
- /data/media/####/mylittleprincess.castle.cpid
- /data/media/####/mylittleprincess.castle.free.cpid
- /data/media/####/mylittleprincess.fairy.cpid
- /data/media/####/mylittleprincess.stores.cpid
- /data/media/####/mylittleprincess.stores.free.cpid
- /data/media/####/mylittleprincess.wizard.cpid
- /data/media/####/mylittleprincess.wizard.free.cpid
- /data/media/####/mytown.airport.cpid
- /data/media/####/mytown.amusementpark.cpid
- /data/media/####/mytown.bakery.cpid
- /data/media/####/mytown.beach.cpid
- /data/media/####/mytown.beautycontest.cpid
- /data/media/####/mytown.cinema.cpid
- /data/media/####/mytown.danceschool.cpid
- /data/media/####/mytown.daycare.cpid
- /data/media/####/mytown.farm.cpid
- /data/media/####/mytown.fashion.cpid
- /data/media/####/mytown.firestation.cpid
- /data/media/####/mytown.friendshouse.cpid
- /data/media/####/mytown.games3d.cpid
- /data/media/####/mytown.garage.cpid
- /data/media/####/mytown.grandparents.cpid
- /data/media/####/mytown.hauntedhouse.cpid
- /data/media/####/mytown.home.cpid
- /data/media/####/mytown.hospital.cpid
- /data/media/####/mytown.hotel.cpid
- /data/media/####/mytown.mall.cpid
- /data/media/####/mytown.museum.cpid
- /data/media/####/mytown.pets.cpid
- /data/media/####/mytown.police.cpid
- /data/media/####/mytown.preschool.cpid
- /data/media/####/mytown.school.cpid
- /data/media/####/mytown.spa.cpid
- /data/media/####/mytown.stores.cpid
- /data/media/####/mytown.street.cpid
- /data/media/####/mytown.wedding.cpid
- /data/media/####/mytown.world.cpid
- /data/media/####/s
- /data/media/####/settings.map
- /data/media/####/temp_pkg_info.json
- /data/media/####/values
- /data/media/####/web.config
- /data/media/####/wonderland.beauty.cpid
- /data/media/####/wonderland.mermaid.cpid
- /data/media/####/wonderland.peterpan.cpid
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/sh
- cat /proc/version
- cat /sys/class/android_usb/android0/idProduct
- cat /sys/class/android_usb/android0/idVendor
- getprop
- getprop ro.build.version.emui
- getprop ro.letv.release.version
- getprop ro.vivo.os.build.display.id
- ls -l /dev
- ls -l /dev/__properties__
- ls -l /dev/block
- ls -l /dev/block/pci
- ls -l /dev/block/pci/pci0000:00
- ls -l /dev/block/pci/pci0000:00/0000:00:1f.2
- ls -l /dev/block/pci/pci0000:00/0000:00:1f.2/by-num
- ls -l /dev/block/vold
- ls -l /dev/bus
- ls -l /dev/bus/usb
- ls -l /dev/bus/usb/001
- ls -l /dev/com.android.settings
- ls -l /dev/com.android.settings.daemon
- ls -l /dev/cpuctl
- ls -l /dev/cpuset
- ls -l /dev/cpuset/background
- ls -l /dev/cpuset/foreground
- ls -l /dev/cpuset/foreground/boost
- ls -l /dev/cpuset/system-background
- ls -l /dev/cpuset/top-app
- ls -l /dev/fscklogs
- ls -l /dev/graphics
- ls -l /dev/input
- ls -l /dev/memcg
- ls -l /dev/memcg/apps
- ls -l /dev/pts
- ls -l /dev/socket
- ls -l /dev/stune
- ls -l /dev/stune/background
- ls -l /dev/stune/foreground
- ls -l /dev/stune/top-app
- ls /
- ls /sys/class/thermal
- ps
Загружает динамические библиотеки:
- libFirebaseCppApp-6.1.1
- libjiagu
- libmain
- libnms
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
