Техническая информация
Вредоносные функции:
Отправляет SMS:
- +85255204080: rch16745418
Выполняет код следующих детектируемых угроз:
- Android.Joker.207.origin
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) nis####.l####.in:80
- TCP(HTTP/1.1) www.kite####.co:80
- TCP(TLS/1.0) fev.f####.com:443
- TCP(TLS/1.0) new.ads.vu####.com:443
- TCP(TLS/1.0) s####.oss-me-####.aliy####.com:443
- TCP(TLS/1.0) cdn-inn####.edg####.net:443
- TCP(TLS/1.0) wd.adco####.com:443
- TCP(TLS/1.0) cdn-sto####.unit####.uni####.####.net:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) newplay####.minte####.com:443
- TCP(TLS/1.0) 64.2####.164.94:443
- TCP(TLS/1.0) ev####.mz.uni####.com:443
- TCP(TLS/1.0) unit####.edges####.net:443
- TCP(TLS/1.0) httpk####.unit####.uni####.com:443
- TCP(TLS/1.0) android####.adco####.com:443
- TCP(TLS/1.0) fy-####.edg####.net:443
- TCP(TLS/1.0) eve####.adco####.com:443
- TCP(TLS/1.0) duals####.adc3-la####.adco####.####.net:443
- TCP(TLS/1.0) ds-####.oss-acc####.aliy####.####.com:443
- TCP(TLS/1.0) g####.face####.com:443
- TCP(TLS/1.0) pla####.google####.com:443
- TCP(TLS/1.0) www.x####.com:443
- TCP(TLS/1.0) innerac####.s3-eu-w####.amazo####.com:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) rr4---s####.g####.com:443
- TCP(TLS/1.0) sdk.appb####.com:443
- TCP(TLS/1.0) as####.minte####.com:443
- TCP(TLS/1.0) ads.api.vu####.com:443
- TCP(TLS/1.0) media####.f####.com:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) www.face####.com:443
- TCP(TLS/1.0) vast-ev####.inner-a####.mobi:443
- TCP(TLS/1.0) www.google####.com:443
- TCP(TLS/1.0) nginx-a####.unit####.uni####.com:443
- TCP(TLS/1.0) publish####.unit####.uni####.com:443
- TCP(TLS/1.0) f####.backbla####.com:443
- TCP(TLS/1.0) cdn-cre####.acq####.unity3d####.####.net:443
- TCP(TLS/1.0) sdk-ev####.inner-a####.mobi:443
- TCP(TLS/1.2) 64.2####.164.94:443
- TCP(TLS/1.2) www.google####.com:443
Запросы DNS:
- adc-ad-####.ad####.com
- adc3-la####.adco####.com
- ads.api.vu####.com
- adx.ads.vu####.com
- and####.a####.go####.com
- and####.google####.com
- android####.adco####.com
- as####.minte####.com
- auction####.unit####.uni####.com
- c####.inner-a####.mobi
- c4d####.adco####.com
- cdn-cre####.acq####.unity3d####.com
- cdn-sto####.unit####.uni####.com
- co####.unit####.uni####.com
- dau.f####.com
- ev####.mz.uni####.com
- eve####.adco####.com
- f####.backbla####.com
- fev.f####.com
- g####.face####.com
- googl####.g.doublec####.net
- httpk####.unit####.uni####.com
- innerac####.s3-eu-w####.amazo####.com
- m####.inner-a####.mobi
- media####.f####.com
- new.ads.vu####.com
- newplay####.minte####.com
- nis####.l####.in
- p####.google####.com
- pla####.google####.com
- publish####.unit####.uni####.com
- rr4---s####.g####.com
- s####.oss-me-####.aliy####.com
- sdk-ev####.inner-a####.mobi
- sdk.appb####.com
- vast-ev####.inner-a####.mobi
- wd.adco####.com
- wv.inner-a####.mobi
- www.face####.com
- www.google####.com
- www.kite####.co
- www.x####.com
- x####.oss-acc####.aliy####.com
Запросы HTTP GET:
- as####.minte####.com:443/vm/22/09/13/14/a9104522-28d2-4dd2-a091-045f5c0c...
- cdn-cre####.acq####.unity3d####.####.net:443/assets/63f48973d4c65588bf95...
- cdn-cre####.acq####.unity3d####.####.net:443/assets/63f48a08838c3ff7754e...
- cdn-inn####.edg####.net:443/IA-JSTag/Production/centering_v1.css
- cdn-inn####.edg####.net:443/IA-JSTag/Production/centering_v1.js
- cdn-inn####.edg####.net:443/adc/3.15.1/10/8b0f5c9b94caf9f451f4a1c75094fa...
- cdn-inn####.edg####.net:443/client/ia-js-tags/MRAID-VIDEO.js
- cdn-inn####.edg####.net:443/ia-sdk-config/apps/130675/130675.json
- cdn-inn####.edg####.net:443/ia-sdk-config/config_android.json
- cdn-inn####.edg####.net:443/ia-sdk-config/features_config.json
- cdn-inn####.edg####.net:443/launch-rules/production/__controllers__/4.0....
- cdn-inn####.edg####.net:443/launch/__controllers__/4.0.0/2.2.0.2/ADCAdUn...
- cdn-inn####.edg####.net:443/launch/__libs__/legacy-mraid-3x/2.2.3/ADCMRA...
- cdn-inn####.edg####.net:443/launch/__libs__/omsdk/1.3.4/omsdk-v1.js
- cdn-inn####.edg####.net:443/libs/adunit-banner/1.4.1/c0fe21537985207c3e1...
- cdn-inn####.edg####.net:443/libs/adunit/3.9.7/0345e729e33c8e9964dd34ebf2...
- cdn-inn####.edg####.net:443/libs/composer/3.15.1/1cfd37e8d04624390f636f7...
- cdn-inn####.edg####.net:443/libs/interstitial-mraid/3.9.7/5dfe98c747773a...
- cdn-inn####.edg####.net:443/omw-ads/image/7e/f815b7d6ab1c3db7d0381f065bf...
- cdn-inn####.edg####.net:443/output_sdk_assets/end-card-close-normal-x2.png
- cdn-sto####.unit####.uni####.####.net:443/store-icons/3b15e096-36dd-45cd...
- ds-####.oss-acc####.aliy####.####.com:443/fbhx1
- ds-####.oss-acc####.aliy####.####.com:443/xjuys
- f####.backbla####.com:443/file/download-bucket/hi-there-icon.png
- f####.backbla####.com:443/file/download-bucket/hi-there-image-russian.jpg
- googl####.g.doublec####.net:443/mads/gma?submodel=####&native_templates=...
- innerac####.s3-eu-w####.amazo####.com:443/client/ia-js-tags/omsdk/1.3.28...
- media####.f####.com:443/mediate?device_type=####&country_code=####&insta...
- new.ads.vu####.com:443/api/v5/new?ifa=####&app_id=####
- nis####.l####.in/2kEhQ
- publish####.unit####.uni####.com:443/games/3546143/configuration?deviceM...
- s####.oss-me-####.aliy####.com:443/sticker
- unit####.edges####.net:443/webview/4.0.0/4dc6d871d20ed537b53bdb58d5ac90f...
- unit####.edges####.net:443/webview/4.0.1/release/config.json?ts=####&sdk...
- vast-ev####.inner-a####.mobi:443/Event?adTime=####&adomain=####&aid=####...
Запросы HTTP POST:
- ads.api.vu####.com:443/api/v5/ads
- ads.api.vu####.com:443/config
- android####.adco####.com:443/configure
- duals####.adc3-la####.adco####.####.net:443/v4/launch
- ev####.mz.uni####.com:443/operative/video
- eve####.adco####.com:443/t/5.0/ad_request?pl=X92h####&q=####
- eve####.adco####.com:443/t/5.0/install?pl=lmvj####&q=####
- eve####.adco####.com:443/t/5.0/session_start?pl=lmvj####&q=####
- fev.f####.com:443/event
- fy-####.edg####.net:443/simpleM2M/fyberMediation?spotId=####
- httpk####.unit####.uni####.com:443/v1/events
- media####.f####.com:443/reportActiveUser?app_version=####&install_id=###...
- nginx-a####.unit####.uni####.com:443/v6/games/3546143/requests?idfi=####...
- publish####.unit####.uni####.com:443/privacy/3546143/state
- sdk-ev####.inner-a####.mobi:443/Event
- sdk.appb####.com:443/api/pb?action=####
- wd.adco####.com:443/logs
- www.kite####.co/request-ad
- www.x####.com:443/xjuys/v1
- www.x####.com:443/xjuys/v2
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/026ae9c9824b3e483fa6c71fa88f57ae27816141
- /data/data/####/03efa308-d97d-47ce-ac05-31ea20cd7ce6.js
- /data/data/####/05021bc928410f4808d53f17bff79b94.js
- /data/data/####/08f69e9e-8864-401d-8aae-fde6cde429c8.mp4
- /data/data/####/1114f8a35b28bf051009090601c052cf.js
- /data/data/####/161adb42c9844adf_0
- /data/data/####/161adb42c9844adf_1
- /data/data/####/1629828815138.dex
- /data/data/####/1629828815138.dex.flock (deleted)
- /data/data/####/1629828815138.jar
- /data/data/####/1629828815138.tmp
- /data/data/####/1977133ae333f521cf024f81109cbfc4.js
- /data/data/####/422de421e0f4e019426b9abfd780746bc40740eb
- /data/data/####/4785a48c-0a90-45b7-aa56-1a3e41c82b95
- /data/data/####/4ade02d53c941f31_0
- /data/data/####/4d27b99a9d6278d4_0
- /data/data/####/5009ca398000d344_0 (deleted)
- /data/data/####/64a87090-21db-4250-997e-678b764301a4.mp4 (deleted)
- /data/data/####/6a6660380423c309_0 (deleted)
- /data/data/####/7556c1835650e1d4_0
- /data/data/####/7be11ff51b17d156_0 (deleted)
- /data/data/####/7bf3a1e7bbd31e612eda3310c2cdb8075c43c6b5
- /data/data/####/AppEventsLogger.persistedevents
- /data/data/####/AppInfo
- /data/data/####/AppVersion
- /data/data/####/Cookies-journal
- /data/data/####/FBAdPrefs.xml
- /data/data/####/IAConfigPrefs.xml
- /data/data/####/IAConfigurationPreferences.xml
- /data/data/####/MRAID-VIDEO.js
- /data/data/####/PersistentfileState
- /data/data/####/UnityAdsStorage-private-data.json
- /data/data/####/UnityAdsStorage-public-data.json
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/a3b868e9-cecc-47dc-8145-338a6b778873.js
- /data/data/####/a4924b32c9d742ea_0
- /data/data/####/a4924b32c9d742ea_1
- /data/data/####/a5f785a627f6d2a395f351dc01c413dc.png
- /data/data/####/ab_pref_int.dat.tmp
- /data/data/####/ab_sdk_pref.dat
- /data/data/####/ab_sdk_pref.dat.tmp
- /data/data/####/adc_events_db-journal
- /data/data/####/admob.xml
- /data/data/####/androidx.work.workdb-journal (deleted)
- /data/data/####/app_set_id_storage.xml
- /data/data/####/appsflyer-data.xml
- /data/data/####/audience_network.dex
- /data/data/####/audience_network.dex.flock (deleted)
- /data/data/####/b8229b4a6bfbf5339c2b50aa4c785394.js
- /data/data/####/bd02276a3a538526_0 (deleted)
- /data/data/####/bshwai.xml
- /data/data/####/centering_v1.css
- /data/data/####/centering_v1.js
- /data/data/####/com.appbrain.ping
- /data/data/####/com.facebook.sdk.USER_SETTINGS.xml
- /data/data/####/com.facebook.sdk.appEventPreferences.xml
- /data/data/####/com.fyber.fairbid.sdk.xml
- /data/data/####/com.fyber.fairbid.user_sessions.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml.bak (deleted)
- /data/data/####/com.naocanb.sticker.mesagis_preferences.xml
- /data/data/####/com.naocanb.sticker.mesagis_preferences.xml.bak
- /data/data/####/com.vungle.sdk.xml
- /data/data/####/com.vungle.sdk.xml.bak
- /data/data/####/dd2a1c2f-cdd8-4f8d-b583-fe03f0218744.png
- /data/data/####/dfe6b2497a7513ba_0
- /data/data/####/f038e94cb33282ab_0
- /data/data/####/f136b78e-d55e-4513-a9b9-f64a88d9ba9c.js
- /data/data/####/f1f
- /data/data/####/f60eaf12735df878_0
- /data/data/####/fairbid.ids.xml
- /data/data/####/fileState
- /data/data/####/fyber.ua.xml
- /data/data/####/google_app_measurement_local.db-journal
- /data/data/####/https_googleads.g.doubleclick.net_0.localstorage-journal
- /data/data/####/ia-global.config
- /data/data/####/ia-remote.config
- /data/data/####/index
- /data/data/####/inneractive.config
- /data/data/####/install_metrics.xml
- /data/data/####/install_metrics.xml.bak
- /data/data/####/jfao
- /data/data/####/jfao.dex
- /data/data/####/jfao.dex.flock (deleted)
- /data/data/####/log
- /data/data/####/media
- /data/data/####/messenger.sqlite-journal
- /data/data/####/metrics_guid
- /data/data/####/network_requests
- /data/data/####/omid-latest.js
- /data/data/####/sprfs.xml
- /data/data/####/sprfs.xml.bak (deleted)
- /data/data/####/temp-index
- /data/data/####/the-real-index
- /data/data/####/unityads-installinfo.xml
- /data/data/####/vungle_db-journal
- /data/data/####/vungle_settings
- /data/data/####/vungle_settings (deleted)
- /data/media/####/.nomedia
- /data/media/####/0.0.1678476367967.v3.exo
- /data/media/####/UnityAdsCache-2c62afeea5609b2302139990f7c0369d...b.webm
- /data/media/####/UnityAdsCache-628d4b1240deb8a59a8e9b6baa03a567...04.jpg
- /data/media/####/UnityAdsCache-6af1265f907ccbd35f48cade45c154be...cd.png
- /data/media/####/UnityAdsTest.txt (deleted)
- /data/media/####/UnityAdsWebApp.html
- /data/media/####/cached_content_index.exi
- /data/media/####/journal
- /data/media/####/journal (deleted)
- /data/media/####/log_16784763568352d940a67-f60d-4ef1-bfe8-0cda2338df76
- /data/misc/####/primary.prof
Другие:
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CTR-NoPadding
- AES-ECB-NoPadding
- AES-GCM-NoPadding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-GCM-NoPadding
Осуществляет доступ к приватному интерфейсу ITelephony.
Содержит функциональность для автоматической отправки SMS.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Получает информацию о привязанных к устройству аккаунтах.
Отрисовывает собственные окна поверх других приложений.
Парсит информацию из SMS.
Получает информацию об отправленых/принятых SMS.
Образец из Google Play Store.
