Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.RemoteCode.358.origin
Сетевая активность:
Подключается к:
- TCP(DNS) <Google DNS>
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 1####.74.176.201:8801
- TCP(HTTP/1.1) 182f####.kaa8####.cc:80
- TCP(HTTP/1.1) 1####.23.247.140:8888
- TCP(HTTP/1.1) api.ffz####.com:80
- TCP(HTTP/1.1) a####.rin####.com:80
- TCP(HTTP/1.1) na61-####.wagbr####.ali####.####.com:80
- TCP(HTTP/1.1) 1####.74.176.201:8802
- TCP(HTTP/1.1) 1####.23.247.140:7777
- TCP(HTTP/1.1) www.7####.com:80
- TCP(HTTP/1.1) survey-####.com:80
- TCP(HTTP/1.1) tv.hao####.com:80
- TCP(HTTP/1.1) www.qiyo####.com:80
- TCP(HTTP/1.1) 39.1####.226.196:8801
- TCP(HTTP/1.1) op.ys####.cn:80
- TCP(HTTP/1.1) www.lz####.com:80
- TCP(HTTP/1.1) 9####.qiangsh####.com:80
- TCP(HTTP/1.1) cdn.k####.com.####.net:80
- TCP(HTTP/1.1) ys.changme####.com:80
- TCP(HTTP/1.1) www.qy####.com:80
- TCP(HTTP/1.1) www.xingch####.com:80
- TCP(HTTP/1.1) for####.do####.com:80
- TCP(HTTP/1.1) www.vip####.net:80
- TCP(TLS/1.0) 2####.239.36.223:443
- TCP(TLS/1.0) www.google####.com:443
- TCP(TLS/1.0) h.t####.qq.com:443
- TCP(TLS/1.0) cdn.c####.asia:443
- TCP(TLS/1.0) www.m####.cc:443
- TCP(TLS/1.0) img.ffz####.com:443
- TCP(TLS/1.0) obs.gdu####.com.####.com:443
- TCP(TLS/1.0) and####.b####.qq.com:443
- TCP(TLS/1.0) rbks####.aliadv####.com:443
- TCP(TLS/1.0) hdr3####.ehei####.net:2929
- TCP(TLS/1.0) www.4####.org:443
- TCP(TLS/1.0) r8pf####.ehei####.net:443
- TCP(TLS/1.0) i####.doub####.com.####.cn:443
- TCP(TLS/1.2) 2####.58.207.234:443
- TCP(TLS/1.2) 1####.250.74.174:443
- TCP(TLS/1.2) 1####.250.74.46:443
- TCP(TLS/1.2) www.google####.com:443
- TCP suba####.vip:443
- TCP api.web.36####.com:443
- TCP www.ww####.com:443
- TCP y.g####.cn.####.net:443
- TCP hong####.com:443
- UDP 2####.239.36.223:443
- TCP 4####.com:443
- TCP www.g####.net:443
- TCP api.8ut####.com.####.net:443
- TCP sc####.top:443
- TCP www.k####.app:443
- TCP opencdn####.jom####.com:443
- TCP www.zi####.com:443
- TCP mtv.iju####.cc:443
- TCP ocr.w####.link:443
- TCP www.gymbor####.com:443
- TCP vod####.i####.q####.####.com:443
- TCP www.dsxys####.com:443
- TCP www.qy####.com:443
- TCP sa####.vip:443
- TCP img1-do####.b0.a####.com:443
- TCP m.cf####.com:443
- TCP www.kpk####.fun:443
- TCP i####.doub####.com:443
- TCP www.cf####.com:443
- TCP for####.do####.com:443
- TCP v.n####.cn:443
- TCP www.c####.site:443
- TCP 47.1####.90.219:9999
- TCP 3####.com:443
- TCP js####.hei####.xyz:443
- TCP 4####.ks####.space:443
- TCP www.m####.com:443
- TCP re####.pro:443
- TCP i####.doub####.com.####.com:443
Запросы DNS:
- 3####.com
- 3####.com
- 4####.com
- 4####.ks####.space
- a####.rin####.com
- a14.ki####.cn
- and####.b####.qq.com
- api.8ut####.com
- api.do####.com
- api.ffz####.com
- api.pull####.com
- api.web.36####.com
- c####.tv
- c.x####.net
- cdn.k####.com
- f####.do####.com
- fs-im-####.7moor####.com
- g####.b####.com
- h.t####.qq.com
- hong####.com
- i####.doub####.com
- i####.doub####.com
- i####.doub####.com
- i####.doub####.com
- img.ffz####.com
- img.sh####.me
- ip.ta####.com
- js####.hei####.xyz
- m####.do####.com
- m.cf####.com
- mtv.iju####.cc
- obs.gdu####.com
- ocr.w####.link
- op.ys####.cn
- re####.pro
- sa####.vip
- sc####.top
- suba####.vip
- survey-####.com
- tv.99988####.xyz
- tv.hao####.com
- v.aika####.com
- v.n####.cn
- vcover-####.p####.q####.cn
- wap.iju####.cc
- www.4####.org
- www.5####.com
- www.7####.com
- www.9-####.com
- www.c####.net
- www.c####.site
- www.cf####.com
- www.dsxys####.com
- www.feisuz####.com
- www.g####.net
- www.google####.com
- www.gxf####.com
- www.gymbor####.com
- www.hd####.pro
- www.k####.app
- www.k####.tv
- www.kpk####.fun
- www.lz####.com
- www.m####.cc
- www.m####.com
- www.m####.com
- www.qiyo####.com
- www.qy####.com
- www.vip####.net
- www.ww####.com
- www.xingch####.com
- www.zi####.com
- xn--44q####.com
- y.g####.cn
- yana####.tv
- ys.changme####.com
- zq6.bie####.com
Запросы HTTP GET:
- 182f####.kaa8####.cc/hanxq/so.php
- 9####.qiangsh####.com/
- 9####.qiangsh####.com/index.php/ajax/suggest?mid=####&wd=####&limit=####
- 9####.qiangsh####.com/index.php/e.html?wd=####
- 9####.qiangsh####.com/index.php/verify/index.html?
- 9####.qiangsh####.com/rss.xml?wd=####
- a####.rin####.com/api/video/search?key=####&page=####
- a####.rin####.com/api/video/search?page=####&key=####
- api.ffz####.com/api.php/provide/vod/?ac=####&ids=####
- api.ffz####.com/api.php/provide/vod/?wd=####&pg=####
- cdn.k####.com.####.net/update/sdk/task_164.jar
- for####.do####.com/api/v2/subject_collection/subject_real_time_hotest/it...
- hdr3####.ehei####.net:2929/upload/vod/20241206-1/bbea0aeac59b82afbf0c24e...
- img.ffz####.com:443/upload/vod/20241206-1/2d6348e6d5436dafeb3ef02660e127...
- na61-####.wagbr####.ali####.####.com/service/getIpInfo.php?ip=####
- obs.gdu####.com.####.com:443/upload/movie/20241206/vod36185935.webp
- r8pf####.ehei####.net:443/
- r8pf####.ehei####.net:443/index.php/ajax/suggest?mid=####&wd=####&limit=...
- rbks####.aliadv####.com:443/
- rbks####.aliadv####.com:443/sou.html?wd=####
- survey-####.com/
- tv.hao####.com/e/sch/index.php?page=####&keyboard=####&sear=####
- www.7####.com/search.php?page=####&searchword=####&searchtype=####
- www.lz####.com/index.php/vod/search.html?wd=####
- www.qy####.com/api.php/v2.vod/androidsearch10086?page=####&wd=####
- www.qy####.com/upload/video/2024/12/06/1732782e81557aea502b667ab06a7c51....
- www.vip####.net/search.html?wd=####&submit=####
- www.xingch####.com/index.php/ajax/index.html
- www.xingch####.com/index.php/ajax/suggest?mid=####&wd=####&limit=####
- www.xingch####.com/rss.xml?wd=####
- ys.changme####.com/api.php/provide/search_result_more?app=####&video_nam...
Запросы HTTP POST:
- and####.b####.qq.com:443/rqd/async?aid=####
- h.t####.qq.com:443/kv
- op.ys####.cn/v2/home/search
- www.qiyo####.com/search.php
- www.xingch####.com/search.php
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.hptc_kache_m.omg.himovceif
- /data/data/####/044fcc37b8ec07a269d56cd63590d96e87d9d654b821fe4....0.tmp
- /data/data/####/044fcc37b8ec07a269d56cd63590d96e87d9d654b821fe4...c4d7.0
- /data/data/####/06c98cbed438f1c2af6c007060bfff1e14697b121294a0a....0.tmp
- /data/data/####/06e29a14e0460a0eecdaaec9df96d1bb10a835f8e2f03ef...5414.0
- /data/data/####/0afd426425de1c9d918760ff7fa3c4ca60c4629333ea745...e97c.0
- /data/data/####/0d7dac8ff26f65e2598578359d54d89c4527ce91def222e...54f9.0
- /data/data/####/1004
- /data/data/####/1373037256.dex
- /data/data/####/1373037256.dex.flock (deleted)
- /data/data/####/1373037256.jar.ab04210df573be1507691bc5b569031f
- /data/data/####/1481c03c0f28f987d074366634739189462a7d7fc871ce5....0.tmp
- /data/data/####/1481c03c0f28f987d074366634739189462a7d7fc871ce5...ebfc.0
- /data/data/####/14eabec9b691e0782795c6879099674704a6d4ba0f7b439...1b13.0
- /data/data/####/16594996451403940a2e8dcee66cb66ea879801d0fad65f...1329.0
- /data/data/####/2063315211.dex
- /data/data/####/2063315211.dex.flock (deleted)
- /data/data/####/2063315211.jar
- /data/data/####/2063315211.jar.temp
- /data/data/####/2328ab16530cdae587efa700b4e604a44dc6f0f1c538310...f160.0
- /data/data/####/237bd401843dcd2133b0f217d6be0883d8bd12cb55b5f21...f92d.0
- /data/data/####/25dfec1a8a5020257b0e7b8084877d2682c7c52bc3ab7fe....0.tmp
- /data/data/####/2d8b3a974771a653f6cc2ee5d88dc341
- /data/data/####/320b89721465f38bf86743d11e9217930f71cfbe094b57c...cc0b.0
- /data/data/####/33e8a2059cded85fa1cdee94cafed2e1701802e5e50704a....0.tmp
- /data/data/####/33e8a2059cded85fa1cdee94cafed2e1701802e5e50704a...a185.0
- /data/data/####/35fa0d66ef365530dc54d36934982cdb502207d0217bc9e....0.tmp
- /data/data/####/35fa0d66ef365530dc54d36934982cdb502207d0217bc9e...48b1.0
- /data/data/####/36e53c0182463d3338b4a2f934c86c0e1bdbb26ca5fa097....0.tmp
- /data/data/####/36e53c0182463d3338b4a2f934c86c0e1bdbb26ca5fa097...98f4.0
- /data/data/####/385fc15cbdae4956e9bb0714bc93e6e13f9735b01d70c14...373c.0
- /data/data/####/3b7371c07eefca10f31786447962b669
- /data/data/####/41b1fa67f4d7a57bd310ff8fb303305d6a18c55c649def3....0.tmp
- /data/data/####/41efeb8b86b2b9aea986bc71f918ee497f72e8070fe5c4c...7380.0
- /data/data/####/45e00095a4875322a1828ff33bfed9860eed352e497405e...377d.0
- /data/data/####/46e5125e9bfc5729ac0a025b96037f93041df52ae1dd8af...9e3a.0
- /data/data/####/47e6a7dc53d94325b87cf43a8ba395748fd93b33fc333c5....0.tmp
- /data/data/####/47e6a7dc53d94325b87cf43a8ba395748fd93b33fc333c5...ba5d.0
- /data/data/####/4a75d117c59ba5ae011216f42352bdf892fa4fff35400d3...d174.0
- /data/data/####/4aa3b90bbccb7de628ac626ba703c6c87601407862f9617....0.tmp
- /data/data/####/4aa3b90bbccb7de628ac626ba703c6c87601407862f9617...9624.0
- /data/data/####/5b5835b317826c4e7ce9bcd4b22bd402b241e5960f8cfc4...f096.0
- /data/data/####/5f37aaf9d7d16bb9c8656bc1948b73543d07c97828e926f....0.tmp
- /data/data/####/5f37aaf9d7d16bb9c8656bc1948b73543d07c97828e926f...2aaa.0
- /data/data/####/5fc4679d5085924f445665fc8322586f73c309ab01ce273....0.tmp
- /data/data/####/5fc4679d5085924f445665fc8322586f73c309ab01ce273...5f60.0
- /data/data/####/60e35021abaf7d14427f9fdcb16b4f44026b082f162a0eb...0202.0
- /data/data/####/68ff0b38481dda1e5ec8bfe6c67d4efcc800434a3aefc8a...ba35.0
- /data/data/####/6b219deb5c2d6dd05cbd3c089d5ed2d8
- /data/data/####/6ed51992e10ba3d15296b6496bf1d9e9ac218170d91e191....0.tmp
- /data/data/####/6ed51992e10ba3d15296b6496bf1d9e9ac218170d91e191...8a94.0
- /data/data/####/71a22f124f40ded5ecf5a66a86221b9da68cd4c825769f9...ce81.0
- /data/data/####/71fd1b4d241f3b4ee2ba4c80c4679a959b91c1c3bf85b2c....0.tmp
- /data/data/####/71fd1b4d241f3b4ee2ba4c80c4679a959b91c1c3bf85b2c...5abc.0
- /data/data/####/7261d801e90caaae52e32d6239840210d7956ba7a0dbbd2....0.tmp
- /data/data/####/7261d801e90caaae52e32d6239840210d7956ba7a0dbbd2...5aca.0
- /data/data/####/74aba743d823a4602f46f7f85dfaf8472180472f22e4f9a...45e8.0
- /data/data/####/781422384ca8d16fed8fc2f6ae665f7f65d801eb6496bfa....0.tmp
- /data/data/####/781422384ca8d16fed8fc2f6ae665f7f65d801eb6496bfa...a11a.0
- /data/data/####/7ce2c8e3ae028b86853b8fb6206a681e
- /data/data/####/7dcd4922829661304b0907e72a94e028.dex
- /data/data/####/7dcd4922829661304b0907e72a94e028.dex.flock (deleted)
- /data/data/####/7dcd4922829661304b0907e72a94e028.jar
- /data/data/####/7dd609bdd652c4e7a6acee58ea821e49f4ad209e2e05486....0.tmp
- /data/data/####/7f2ab807f2ddf8437e1a1e36d0edc2474bb9b336f53108a....0.tmp
- /data/data/####/7f2ab807f2ddf8437e1a1e36d0edc2474bb9b336f53108a...327a.0
- /data/data/####/80bfc53c2d43212c3259bdb08b69ae56b95eb5146e41ef8....0.tmp
- /data/data/####/80bfc53c2d43212c3259bdb08b69ae56b95eb5146e41ef8...eb50.0
- /data/data/####/81c76665df5fe3a7424171a6f5cd84c4404e56981647747....0.tmp
- /data/data/####/81c76665df5fe3a7424171a6f5cd84c4404e56981647747...1ebf.0
- /data/data/####/8295fa3c1d634d31107eb797b88fbbbed424c040e98f385....0.tmp
- /data/data/####/8295fa3c1d634d31107eb797b88fbbbed424c040e98f385...6a8e.0
- /data/data/####/833d77546768cfc05d233730150c9e3b5abfc15c60207d9....0.tmp
- /data/data/####/833d77546768cfc05d233730150c9e3b5abfc15c60207d9...11f8.0
- /data/data/####/8786bad18fdb3edbaf18616e8b3e354c6804abd36a86e1c...82cf.0
- /data/data/####/8aed8564a92280fa672f46bec31c8e16f9666ba95213542....0.tmp
- /data/data/####/8aed8564a92280fa672f46bec31c8e16f9666ba95213542...9827.0
- /data/data/####/90a7487b13a24b72a6dabe12d2d8218284a19f1ec342d9d....0.tmp
- /data/data/####/90a7487b13a24b72a6dabe12d2d8218284a19f1ec342d9d...c87e.0
- /data/data/####/99b434db31980a9a83d450955845a277aa7b05b6bb27ccb....0.tmp
- /data/data/####/99b434db31980a9a83d450955845a277aa7b05b6bb27ccb...a437.0
- /data/data/####/BUGLY_COMMON_VALUES.xml
- /data/data/####/Utils.xml
- /data/data/####/a511318619ee7010f10d150aa6b641d6d4c3098541e80cb....0.tmp
- /data/data/####/a511318619ee7010f10d150aa6b641d6d4c3098541e80cb...b2f1.0
- /data/data/####/a870e02db6e988602486e88de51d5aa65fa97773ff2619b...8435.0
- /data/data/####/a8c63ebd800fb5ae8de862160096ba1b099a5522282c2e4....0.tmp
- /data/data/####/a8c63ebd800fb5ae8de862160096ba1b099a5522282c2e4...03a0.0
- /data/data/####/ad01734948076331
- /data/data/####/ad01734948079771
- /data/data/####/ad01734948083210
- /data/data/####/ad01734948086388
- /data/data/####/b680807bdefbb9f683f4dd9a07070edafbb6fcdeeed2d85....0.tmp
- /data/data/####/bugly_db_
- /data/data/####/bugly_db_-journal
- /data/data/####/bugly_last_us_up_tm
- /data/data/####/c52c834c6efab7c87356f0cfc6f2a57c1dbfa6181356699...b290.0
- /data/data/####/c57c9581effc4985cf3ea4da14e528ecc8e0e6757c8696b....0.tmp
- /data/data/####/c598996579fd6e0c9d26f5f48e5e045305bcbad5b171913....0.tmp
- /data/data/####/ccabc51e3be72d1f42c9dd205cc41d23
- /data/data/####/cheerio.min.js
- /data/data/####/crashrecord.xml
- /data/data/####/crypto-js.js
- /data/data/####/crypto.KEY_256.xml
- /data/data/####/d1f1475094468bafaf25b8a563444f3523734662cf221f7....0.tmp
- /data/data/####/d1f1475094468bafaf25b8a563444f3523734662cf221f7...43d4.0
- /data/data/####/d6315b1a09bb8e70a79ee68c270e23327b00b278523407e...1908.0
- /data/data/####/da1a34cc0b0e5e6131aaa99a1b6621fc30d2da0777fc09e....0.tmp
- /data/data/####/dd835831cd8915cc9a3d2f7a4a24b11e4a790a2b50533b9....0.tmp
- /data/data/####/dd835831cd8915cc9a3d2f7a4a24b11e4a790a2b50533b9...98e1.0
- /data/data/####/drpy2.min.js
- /data/data/####/e744ea592a0b151041bb17a76bb22c1bd45900923084c62....0.tmp
- /data/data/####/e744ea592a0b151041bb17a76bb22c1bd45900923084c62...2527.0
- /data/data/####/e9b1e82b0a8bcbabcbb3b23128d9a8f86b1d55327952331....0.tmp
- /data/data/####/e9b1e82b0a8bcbabcbb3b23128d9a8f86b1d55327952331...6858.0
- /data/data/####/ea1dda6ef8170c8309e1a38d6aca4c1991f61171f227812....0.tmp
- /data/data/####/ea1dda6ef8170c8309e1a38d6aca4c1991f61171f227812...d39d.0
- /data/data/####/ef9c8f761c00500fff3ebc2511d8a159b6a00e3a57f87d4....0.tmp
- /data/data/####/ef9c8f761c00500fff3ebc2511d8a159b6a00e3a57f87d4...b06d.0
- /data/data/####/f07fbff1e041c3c183e57662faa716200715978070e8574...d546.0
- /data/data/####/f138864bdedf54887d9e7d389e1937dd8a89d3c53b875dc....0.tmp
- /data/data/####/f51614d2be6f0a96672ddaacdbb175967b64347fe914592...0a82.0
- /data/data/####/f894502271105f2d3d7d744e4c6f88c458617baf4c37b99....0.tmp
- /data/data/####/f894502271105f2d3d7d744e4c6f88c458617baf4c37b99...514e.0
- /data/data/####/f97497bee24c2f614fb39d406158555722fa5cb1cee276a....0.tmp
- /data/data/####/f97497bee24c2f614fb39d406158555722fa5cb1cee276a...86ab.0
- /data/data/####/fad93ce129b645a419204a6726694dd8b04894312723502...bea9.0
- /data/data/####/fdf868acee18af3d7ae8a59d654686bc50667c5f397eae9....0.tmp
- /data/data/####/fdf868acee18af3d7ae8a59d654686bc50667c5f397eae9...e541.0
- /data/data/####/gbk.js
- /data/data/####/hawk.kva
- /data/data/####/hawk.kvb
- /data/data/####/jinja.js
- /data/data/####/journal
- /data/data/####/jsencrypt.js
- /data/data/####/json5.js
- /data/data/####/libdecjni.v7.so
- /data/data/####/local_crash_lock
- /data/data/####/log00c0a4523ffa81ac064c93e773549802
- /data/data/####/log3fc6b96c789a377bf8325d25fd91a6dd
- /data/data/####/log570146841734948073702
- /data/data/####/log570146841734948089052
- /data/data/####/log570146841734948117499
- /data/data/####/log570146841734948126028
- /data/data/####/log5c47334598edae7a9a66c25749762fe4
- /data/data/####/logad441503ac2447bcd874709788d5b178
- /data/data/####/logdfc8b589365f0cc4130c04ae8e86ff4e
- /data/data/####/logf461654cae85161ed5fadc407b58088d
- /data/data/####/native_record_lock
- /data/data/####/native_record_lock (deleted)
- /data/data/####/node-rsa.js
- /data/data/####/okgo.db
- /data/data/####/okgo.db-journal
- /data/data/####/pako.min.js
- /data/data/####/plugin_file.name
- /data/data/####/proc_auxv
- /data/data/####/qyg0.js
- /data/data/####/qyg1.js
- /data/data/####/qyg2.js
- /data/data/####/qyg3.js
- /data/data/####/qyg4.js
- /data/data/####/qyg5.js
- /data/data/####/sdtv.js
- /data/data/####/share_date.xml
- /data/data/####/share_date.xml.bak
- /data/data/####/spUtils.xml
- /data/data/####/tvbox.v3.db
- /data/data/####/tvbox.v3.db-journal
- /data/data/####/tvbox.v3.db.lck
- /data/data/####/模板.js
- /data/media/####/.config
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /proc/cpuinfo
- /system/bin/sh -c getprop
- cat /sys/class/net/eth0/address
- cat /sys/class/net/wlan0/address
- chmod 755 /data/user/0/<Package>/files/.kad
- chmod 777 /storage/emulated/0/TVBox/.config
- getprop
- logcat -d -v threadtime
- sh
Загружает динамические библиотеки:
- libBugly_Native
- libconceal
- libijkffmpeg
- libijksdl
- libjp
- libplayer
- libquickjs-android-wrapper
Использует следующие алгоритмы для шифрования данных:
- AES-ECB-PKCS5Padding
- RSA
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Отрисовывает собственные окна поверх других приложений.
Запрашивает разрешение на отображение системных уведомлений.
Имеет подозрительные повреждения, типичные для вредоносных файлов.
