Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.RemoteCode.251.origin
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) oss-acc####.aliy####.com.####.com:80
- TCP(HTTP/1.1) q.q####.cn:80
- TCP(HTTP/1.1) a####.u####.com.####.com:80
- TCP(HTTP/1.1) 47.1####.152.28:80
- TCP(HTTP/1.1) thi####.q####.cn:80
- TCP(HTTP/1.1) 42.96.2####.144:80
- TCP(HTTP/1.1) n####.cdn.bc####.####.com:80
- UDP(NTP) 2.and####.p####.####.org:123
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.2) and####.google####.com:443
- TCP(TLS/1.2) 1####.250.27.101:443
- TCP(TLS/1.2) 1####.250.27.94:443
- UDP and####.google####.com:443
Запросы DNS:
- 2.and####.p####.####.org
- a####.u####.com
- and####.google####.com
- api####.oss-acc####.aliy####.com
- gmscomp####.google####.com
- n####.cdn.bc####.com
- oc.u####.co
- oc.u####.co.####.8
- oc.u####.com
- q.q####.cn
- sho####.netwa####.com
- thi####.q####.cn
Запросы HTTP GET:
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1400q10_qb1....
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1400q4_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1400q5_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1400q6_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1400q7_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1430q10_qb1....
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1430q1_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1430q2_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1430q3_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1430q4_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1430q5_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1430q6_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1430q7_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1430q8_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1430q9_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1500q1_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1500q3_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1500q4_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1500q5_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1500q6_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1500q7_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1500q8_qb1.jpg
- n####.cdn.bc####.####.com/admin/makesimg/output/gj_20221227/1500q9_qb1.jpg
- n####.cdn.bc####.####.com/guajiqbplugin-1064
- oss-acc####.aliy####.com.####.com/api.txt?-175632####
- oss-acc####.aliy####.com.####.com/api.txt?182187####
- q.q####.cn/headimg_dl?dst_uin=####&spec=####
- thi####.q####.cn/mmopen/vi_32/197ftmjibGJkNKLKYviafjCFsK8JH5Wvbp22nnqKRl...
- thi####.q####.cn/mmopen/vi_32/3NoNL2Lv2qtgWf3HFNZUpVdERoyziah9ne0JlNt5AE...
- thi####.q####.cn/mmopen/vi_32/6Dr9gcIiaHMnWqiaHoR5zkOcbfJPX63Kyjh9YzbQse...
- thi####.q####.cn/mmopen/vi_32/7fdyibiaQbdxj23T5xtoFHRusvsB8c1uteD47TtTic...
- thi####.q####.cn/mmopen/vi_32/DYAIOgq83epHQZkdoJf7b2XhjFyicEAMNdOKANJfSO...
- thi####.q####.cn/mmopen/vi_32/DYAIOgq83eq3gjp4QXOUKNn48Z03VRY1hhJ63e2QSB...
- thi####.q####.cn/mmopen/vi_32/DYAIOgq83eqezX5zN0fEDmzztKUCTfznWThFOum3LE...
- thi####.q####.cn/mmopen/vi_32/Q0j4TwGTfTIh9yK8Saem1vlIAicnesddgibxjT1GN4...
- thi####.q####.cn/mmopen/vi_32/Q0j4TwGTfTJEYuE856Sk93fhlPom2yYZ2DqF57q0c4...
- thi####.q####.cn/mmopen/vi_32/Q0j4TwGTfTJJnZD5eg0KBRzZxWeJ9RPmO330E2434x...
- thi####.q####.cn/mmopen/vi_32/Q0j4TwGTfTJR4VRqBhPeQrtTtvAr2n3B8xnBTUvzuw...
- thi####.q####.cn/mmopen/vi_32/Q0j4TwGTfTK0icSr6qK7ox8r01ExpDnYDNrU0bmQR9...
- thi####.q####.cn/mmopen/vi_32/Q0j4TwGTfTKak4XnSfotl3tlxkh6l4ZFGuGoyuZszh...
- thi####.q####.cn/mmopen/vi_32/Q0j4TwGTfTL9IcRyHXOosZ4iaumQNCM2ib6s0OWtIB...
- thi####.q####.cn/mmopen/vi_32/Q0j4TwGTfTLZVEkucibiah1k0zq94FXagmnOJcrDBe...
- thi####.q####.cn/mmopen/vi_32/Q0j4TwGTfTLcuf8LczicWQmyV67miaw9r0wClo8mXE...
- thi####.q####.cn/mmopen/vi_32/Umq9AKuIOWoibThILjjZr8kasdHSPVNjfo5ia76icz...
- thi####.q####.cn/mmopen/vi_32/W3E7AhVKOWIGgxGicSnZQBeiaqib2eJveJCq7iaOSc...
- thi####.q####.cn/mmopen/vi_32/jIujo54zIcL6hia0OgoFGa4cEiaUJQ64ibDA5v4go4...
- thi####.q####.cn/mmopen/vi_32/kHYcohAR4gkd4x76bUtxbaScX9pv60ugibbPbEdgft...
- thi####.q####.cn/mmopen/vi_32/rn6LXPd8k6L7icLH0CQplZRWGDT3uCFzibSMYHnicK...
- thi####.q####.cn/mmopen/vi_32/u52x1fsXiaWAx4MCwOlJWwPMksCnwyXJHNN7ibLP6f...
- thi####.q####.cn/mmopen/vi_32/y4x2eN8sKibeRT8mgt28cyKDLuhIuiaUicC1O9F1hh...
Запросы HTTP POST:
- a####.u####.com.####.com/app_logs
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-1264453570-1688508544
- /data/data/####/-678436023-1688508544
- /data/data/####/-703708861423738110
- /data/data/####/.base.dex
- /data/data/####/.base.dex.flock (deleted)
- /data/data/####/.base.jar
- /data/data/####/.imprint
- /data/data/####/184gu8kfv72ou2r5rn09eco8p
- /data/data/####/184gu8kfv72ou2r5rn09eco8p.tmp
- /data/data/####/1cb0tmwsmplx896pw90n1q4yw
- /data/data/####/1cb0tmwsmplx896pw90n1q4yw.tmp
- /data/data/####/1kw8hfa4y789bnxxmd7q5gqpo
- /data/data/####/1kw8hfa4y789bnxxmd7q5gqpo (deleted)
- /data/data/####/1mrf1t8hmcc5lm6hzvbrgobej
- /data/data/####/1mrf1t8hmcc5lm6hzvbrgobej.tmp
- /data/data/####/1pdkmbie6dzu0px310ed5x7fw
- /data/data/####/1pdkmbie6dzu0px310ed5x7fw.tmp
- /data/data/####/1st0tl1lqf8us8t9f72lj9v5o
- /data/data/####/1st0tl1lqf8us8t9f72lj9v5o.tmp
- /data/data/####/1ubnsdtulz4859xmvljvg5gyz
- /data/data/####/1ubnsdtulz4859xmvljvg5gyz (deleted)
- /data/data/####/240940343270994547
- /data/data/####/24mufrbz2bx8ckojfpv6b7vnb
- /data/data/####/24mufrbz2bx8ckojfpv6b7vnb (deleted)
- /data/data/####/27otc2aj35uxjy2i2ycjtmav7
- /data/data/####/27otc2aj35uxjy2i2ycjtmav7.tmp
- /data/data/####/2o55umknzs2ulzhvlj4tuiyml
- /data/data/####/2o55umknzs2ulzhvlj4tuiyml.tmp
- /data/data/####/2yyrsyeoxc71n5rpfhnpo4cnl
- /data/data/####/2yyrsyeoxc71n5rpfhnpo4cnl.tmp
- /data/data/####/33wn8pld7hufres264pl3mda1
- /data/data/####/33wn8pld7hufres264pl3mda1 (deleted)
- /data/data/####/357ss5jntjzm33pa6md2evdny
- /data/data/####/357ss5jntjzm33pa6md2evdny.tmp
- /data/data/####/3e3kjpqn0v39mamximr3rp6g5
- /data/data/####/3e3kjpqn0v39mamximr3rp6g5.tmp
- /data/data/####/3ldacpzui4sk7cegwyidd66br
- /data/data/####/3ldacpzui4sk7cegwyidd66br (deleted)
- /data/data/####/3mnipzalpvxjhmfo6ufp2z2kw
- /data/data/####/3mnipzalpvxjhmfo6ufp2z2kw.tmp
- /data/data/####/3t4p2a3cl8yal28i2jaruhami
- /data/data/####/3t4p2a3cl8yal28i2jaruhami.tmp
- /data/data/####/3vqru7wde2i2jrl8e0zi0f5sl
- /data/data/####/3vqru7wde2i2jrl8e0zi0f5sl.tmp
- /data/data/####/3xg5tj2f549l9fcz90ytbswkh
- /data/data/####/3xg5tj2f549l9fcz90ytbswkh.tmp
- /data/data/####/400x8lzgqd8so1zh8m0nitirl
- /data/data/####/400x8lzgqd8so1zh8m0nitirl.tmp
- /data/data/####/488mqtcwrw8591h8kgal6ntp9
- /data/data/####/488mqtcwrw8591h8kgal6ntp9.tmp
- /data/data/####/4cdmsgeu2i7pbx4vjd1w88qg4
- /data/data/####/4cdmsgeu2i7pbx4vjd1w88qg4.tmp
- /data/data/####/4fe647r5equ9jw2v1ij4ewqa1
- /data/data/####/4fe647r5equ9jw2v1ij4ewqa1.tmp
- /data/data/####/4g7k4kwa2ylb3fr358m0zf5d9
- /data/data/####/4g7k4kwa2ylb3fr358m0zf5d9 (deleted)
- /data/data/####/4il134vhd4yr0iyvv4bzzvir1
- /data/data/####/4il134vhd4yr0iyvv4bzzvir1.tmp
- /data/data/####/4u1w7kiz5bv4inmah4321o7j9
- /data/data/####/4u1w7kiz5bv4inmah4321o7j9.tmp
- /data/data/####/556i3oxdbltrejl5crsuk41l2
- /data/data/####/556i3oxdbltrejl5crsuk41l2.tmp
- /data/data/####/565hpqgwqy4jq3x8dmc2yolnh
- /data/data/####/565hpqgwqy4jq3x8dmc2yolnh.tmp
- /data/data/####/5789txj7l6vemjgqg3gs920y
- /data/data/####/5789txj7l6vemjgqg3gs920y.tmp
- /data/data/####/578c40177rjxe5fbhyu8yjx0j
- /data/data/####/578c40177rjxe5fbhyu8yjx0j (deleted)
- /data/data/####/59v0tsb0bfwvq9n3ghe5u4rl
- /data/data/####/59v0tsb0bfwvq9n3ghe5u4rl.tmp
- /data/data/####/5centkjgvjd67m78asvgfa7e3
- /data/data/####/5centkjgvjd67m78asvgfa7e3 (deleted)
- /data/data/####/5hbf5i994xtlu1z4gjq14f913
- /data/data/####/5hbf5i994xtlu1z4gjq14f913.tmp
- /data/data/####/5nv2uhfiixgkcxhfw85z5jwac
- /data/data/####/5nv2uhfiixgkcxhfw85z5jwac.tmp
- /data/data/####/5p1e4r11y0vvqzbi87ffo6ift
- /data/data/####/5p1e4r11y0vvqzbi87ffo6ift.tmp
- /data/data/####/5uiljqsd8w2727e73oq71skmx
- /data/data/####/5uiljqsd8w2727e73oq71skmx.tmp
- /data/data/####/60cbdykua8j416gqrv6h4nnas
- /data/data/####/60cbdykua8j416gqrv6h4nnas.tmp
- /data/data/####/63cpaw2p0z55fm51lnkzucru5
- /data/data/####/63cpaw2p0z55fm51lnkzucru5.tmp
- /data/data/####/66rt2kg4u5g6dzk7ian4kkmf7
- /data/data/####/66rt2kg4u5g6dzk7ian4kkmf7 (deleted)
- /data/data/####/6h0yfv6df0mmgj9j3owkvbkrq
- /data/data/####/6h0yfv6df0mmgj9j3owkvbkrq.tmp
- /data/data/####/6jx857un27pii1h8nsibp5ji4
- /data/data/####/6jx857un27pii1h8nsibp5ji4 (deleted)
- /data/data/####/764v16kg749advg4kmdlzk3bd
- /data/data/####/764v16kg749advg4kmdlzk3bd (deleted)
- /data/data/####/766457229-96881284
- /data/data/####/7ei60vuujn5i77n9qd1msr9t
- /data/data/####/7ei60vuujn5i77n9qd1msr9t.tmp
- /data/data/####/8oon6qobnqcf4pkg1hunt7ct
- /data/data/####/8oon6qobnqcf4pkg1hunt7ct.tmp
- /data/data/####/com.jayawgw7e.c2shrx5pwa.xml
- /data/data/####/com.jayawgw7e.c2shrx5pwa.xml.bak
- /data/data/####/com.jayawgw7e.c2shrx5pwa.xml.bak (deleted)
- /data/data/####/mobclick_agent_online_setting_com.jayawgw7e.c2shrx5pwa.xml
- /data/data/####/mytask.db
- /data/data/####/mytask.db-journal
- /data/data/####/proc_auxv
- /data/data/####/q26dw3mmtipswiq3pa36davc
- /data/data/####/q26dw3mmtipswiq3pa36davc.tmp
- /data/data/####/rdxr314y2c5rio2g01jtgghm
- /data/data/####/rdxr314y2c5rio2g01jtgghm.tmp
- /data/data/####/tqm0g9o6v9vi1q6y1fo859y7
- /data/data/####/tqm0g9o6v9vi1q6y1fo859y7.tmp
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/win.apk
- /data/data/####/win.apk (deleted)
- /data/data/####/win.dex
- /data/data/####/win.dex.flock (deleted)
- /data/media/####/.nomedia
- /data/media/####/guajiqbplugin-1064
- /data/media/####/journal
- /data/media/####/journal.tmp
- /data/media/####/user.data
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- getprop ro.product.cpu.abi
Загружает динамические библиотеки:
- liblbdfas
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Отрисовывает собственные окна поверх других приложений.
