Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.266.origin
- Android.Triada.38.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) c.m.1####.com:80
- TCP(HTTP/1.1) ptmgtd0####.wsclou####.com:80
Запросы DNS:
- b####.52####.com
- c.m.1####.com
- cms-bu####.n####.127.net
- kst.sd####.com
- wqo.wh####.com
Запросы HTTP GET:
- ptmgtd0####.wsclou####.com/0437dfd522fb45a5bbe2d121930e18302017090119140...
- ptmgtd0####.wsclou####.com/092cdce044874c39b8201c13dce74df12017090115582...
- ptmgtd0####.wsclou####.com/0dacbe0fba1a4ae1bf652794c0a1d4a32017083015455...
- ptmgtd0####.wsclou####.com/129eb29630904c56becf99a60c7324822017090411165...
- ptmgtd0####.wsclou####.com/15faf7b7c9d848d6bc984429cf314e122017090408032...
- ptmgtd0####.wsclou####.com/165defe3384d416580309bcb91eba7fb2017090409473...
- ptmgtd0####.wsclou####.com/1fc823c820e64d6491993cf24ca0c6912017090220471...
- ptmgtd0####.wsclou####.com/362af27362ff45029d3712cdacd8ed742017090207103...
- ptmgtd0####.wsclou####.com/3b843ba56a7a471bb8596ad483a757652017090410083...
- ptmgtd0####.wsclou####.com/42f1bc4efa3447448fd306ceceb64a922017083117180...
- ptmgtd0####.wsclou####.com/4ac6096a76a64c4eab6a69814edf4cf72017090408224...
- ptmgtd0####.wsclou####.com/5baf3abb22a44e388835c7cc3fa0bcdb2017090407083...
- ptmgtd0####.wsclou####.com/5c9a6b9d1bbd4ea7bc3d2f16101d104d2017090311054...
- ptmgtd0####.wsclou####.com/643035747cd14769b31ff07cbe1ecea22017090411232...
- ptmgtd0####.wsclou####.com/65962040d3e848b6bec82371d0a6c5392017090407554...
- ptmgtd0####.wsclou####.com/691789f91f1c4a3998cdd1a827feae852017083106455...
- ptmgtd0####.wsclou####.com/87e27206d9c04308a655e2d08334ac1f2017090409321...
- ptmgtd0####.wsclou####.com/a7a387aa8e1145058feef620da849bfd2017090407011...
- ptmgtd0####.wsclou####.com/ab63c370d26d4f838f6cbf8e41135eb82017083019013...
- ptmgtd0####.wsclou####.com/ae0de0fc4ff643ebab76ce1ec5dae5c62017082417554...
- ptmgtd0####.wsclou####.com/bb6d5a1973d84e56bdd013be885b44652017090408244...
- ptmgtd0####.wsclou####.com/c2fd872fd7214c8bb9329eeb611e8c152017090413023...
- ptmgtd0####.wsclou####.com/c32d390267794864870054c2853510532017090413340...
- ptmgtd0####.wsclou####.com/cfec5ce4cf89426bac287c32e33b77112017090408584...
- ptmgtd0####.wsclou####.com/d148a02d65fa4d19997e53cf4c44b3e12017090413475...
- ptmgtd0####.wsclou####.com/d9c4a944e0d34bd88fde47ee61e217cd2017090411412...
- ptmgtd0####.wsclou####.com/e6fce683a92342d6b8c23edb36b812fd2017090407342...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/04ee7035f283d6dfaa4429d85508dadb69c....0.tmp
- <Package Folder>/cache/####/0c00bea40e9c7960902d22fcec976675909....0.tmp
- <Package Folder>/cache/####/153354ab60a6073657e98407c7417869e1d....0.tmp
- <Package Folder>/cache/####/17293bab9d66cd88ed51776deb88f895412....0.tmp
- <Package Folder>/cache/####/1934821080f9ace0e6ab0f255379db3ef9b....0.tmp
- <Package Folder>/cache/####/1ece4fa4520526292f0bbcc406d8ecb8ad6....0.tmp
- <Package Folder>/cache/####/230041a5fd96edd82dfd90ac46cfbf9da78....0.tmp
- <Package Folder>/cache/####/2309b6d6c1543cd3e6d42d07e16e7d56771....0.tmp
- <Package Folder>/cache/####/2e747f914d98515935998d45a1770c59bb5....0.tmp
- <Package Folder>/cache/####/33aec35ae003e1b9a7e11c541885557ad5e....0.tmp
- <Package Folder>/cache/####/34181b936da5d5d413f90a2dd879ec64577....0.tmp
- <Package Folder>/cache/####/58bde41854dd1d8bd928213853a98a60c16....0.tmp
- <Package Folder>/cache/####/594f50cab3dd4a36f5eea5d9a2b49d2fbab....0.tmp
- <Package Folder>/cache/####/597a08afef5bdf015c2a551c31351742624....0.tmp
- <Package Folder>/cache/####/7166723668daf8a5012f04940af32f3513f....0.tmp
- <Package Folder>/cache/####/7dac8bf6d9d9f3f80048e9b6703a0a4727f....0.tmp
- <Package Folder>/cache/####/7f6168c18bf557f87d8c33849b55c393471....0.tmp
- <Package Folder>/cache/####/808e933f2cf45a5ac3a80ce4b6f8548086b....0.tmp
- <Package Folder>/cache/####/91ce3eb9155d1c4239d3a01741cce07dd5e....0.tmp
- <Package Folder>/cache/####/99be57d88e307b3673a9262665182d5e06a....0.tmp
- <Package Folder>/cache/####/9bff935e1cfe9914005b54352c3f0d739a4....0.tmp
- <Package Folder>/cache/####/ade02179749458d52fc895bb8cd91630f4f....0.tmp
- <Package Folder>/cache/####/ae0b7a7cffc14276f11ac22d96de0826652....0.tmp
- <Package Folder>/cache/####/bd6393e85d574cf59086b6886b017c77345....0.tmp
- <Package Folder>/cache/####/ce41d550d72dfe811c7fcaca3b12253bfa8....0.tmp
- <Package Folder>/cache/####/de5ae709c5188000c858bfa90a1e7dbf33b....0.tmp
- <Package Folder>/cache/####/e309c0fb90f9f4f1c0007f95648ab3cef97....0.tmp
- <Package Folder>/cache/####/ed64e74fd797d12f90577a9e25c73f0435b....0.tmp
- <Package Folder>/cache/####/ee4b95fceed1765580827b78e66cf64f85a....0.tmp
- <Package Folder>/cache/####/eed8e0042d777024b5fb8304a0a0bf0fe72....0.tmp
- <Package Folder>/cache/####/f6f33797c18a1adfbb209a7082f2de5257f....0.tmp
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/files/jefh.png
- <Package Folder>/files/ru
- <Package Folder>/files/ru.apk
- <Package Folder>/files/tbqh
- <Package Folder>/files/tbqh.jar
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/config.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/xapcinfo.xml
Другие:
Запускает следующие shell-скрипты:
- conbb od2gf04pd9
- cufsdosck ac554db364f
- cufsmgr eb47495f7bb
- service call appops 0 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 1 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 10 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 11 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 12 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 13 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 14 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 15 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 16 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 17 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 18 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 19 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 2 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 3 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 4 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 5 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 6 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 8 i32 15 i32 10044 s16 <Package> i32 0
- service call appops 9 i32 15 i32 10044 s16 <Package> i32 0
- sh
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-PKCS5Padding
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
Осуществляет доступ к информации об отправленых/принятых смс.
