Android.RemoteCode.4061

Добавлен в вирусную базу Dr.Web: 2019-03-29

Описание добавлено: 2019-03-29

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.RemoteCode.178.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) 2-01-28####.cdx.ced####.net:80
TCP(HTTP/1.1) w####.a10.com:80
TCP(HTTP/1.1) ssl.gst####.com:80
TCP(HTTP/1.1) www.face####.com:80
TCP(HTTP/1.1) tickle####.com:80
TCP(HTTP/1.1) ad.doublec####.net:80
TCP(HTTP/1.1) a####.a####.com:80
TCP(HTTP/1.1) p####.h5.mob####.cn:80
TCP(HTTP/1.1) st####.ho####.com.####.io:80
TCP(SSL/3.0) st####.ho####.com.####.io:443
TCP(SSL/3.0) vendor####.cons####.org:443
TCP(TLS/1.0) api.s####.1####.com:443
TCP(TLS/1.0) ssl.gst####.com:443
TCP(TLS/1.0) f####.gst####.com:443
TCP(TLS/1.0) acco####.go####.com:443
TCP(TLS/1.0) s.y####.com:443
TCP(TLS/1.0) www.googlet####.com:443
TCP(TLS/1.0) l####.spilg####.com:443
TCP(TLS/1.0) tpc.googles####.com:443
TCP(TLS/1.0) 1####.217.20.78:443
TCP(TLS/1.0) www.go####.com:443
TCP(TLS/1.0) www.gst####.com:443
TCP(TLS/1.0) s####.g.doublec####.net:443
TCP(TLS/1.0) vendor####.cons####.org:443
TCP(TLS/1.0) tickle####.com:443
TCP(TLS/1.0) www.face####.com:443
TCP(TLS/1.0) a####.go####.com:443
TCP(TLS/1.0) f####.google####.com:443
TCP(TLS/1.0) st####.ho####.com.####.io:443
TCP(TLS/1.0) www.go####.nl:443
TCP(TLS/1.0) www.you####.com:443
TCP(TLS/1.0) 2-01-28####.cdx.ced####.net:443
TCP(TLS/1.0) st####.xx.f####.net:443

DNS requests:

a####.a####.com
a####.go####.com
acco####.go####.com
ad.doublec####.net
api.unm####.u17888####.com
f####.cdn.spilc####.com
f####.google####.com
f####.gst####.com
l####.spilg####.com
p####.h5.mob####.cn
s####.g.doublec####.net
s.y####.com
sc####.ho####.com
ssl.gst####.com
st####.ho####.com
st####.xx.f####.net
sta####.spi####.com
tickle####.com
tpc.googles####.com
v####.ho####.com
vendor####.cons####.org
w####.a10.com
www.face####.com
www.go####.com
www.go####.nl
www.google-####.com
www.googlet####.com
www.gst####.com
www.you####.com

HTTP GET requests:

2-01-28####.cdx.ced####.net/sa/3.14.01/4/121/js/spilgames.api.js
a####.a####.com/cmp/docs/portal.bundle.js
a####.a####.com/cmp/docs/portal.html
a####.a####.com/cmp/docs/vendorlist.json
ad.doublec####.net/ddm/ad/Atwxi/Aeld
ad.doublec####.net/ddm/adj/Adalk/Bpze
ad.doublec####.net/ddm/adj/Advaw/Alcblh
p####.h5.mob####.cn/js/statistics.js
ssl.gst####.com/s2/oz/images/stars/po/bubblev1/border_3.gif
ssl.gst####.com/s2/oz/images/stars/po/bubblev1/bubbleDropB_3.png
ssl.gst####.com/s2/oz/images/stars/po/bubblev1/bubbleDropR_3.png
ssl.gst####.com/s2/oz/images/stars/po/bubblev1/bubbleSprite_3.png
st####.ho####.com.####.io/c/hotjar-1041923.js?sv=####
tickle####.com/d0ef7d421e80694443916dda9605531106153a3facb8e1b600a6adf64...
w####.a10.com/
w####.a10.com/purposes.json
w####.a10.com/wdg/css_aggregator-12.39.14/css/a10/themes/a10.css
w####.a10.com/wdg/css_aggregator-12.39.14/fonts/a10/a10icons-webfont.svg
w####.a10.com/wdg/css_aggregator-12.39.14/images/a10/logos/wide_logo_up....
w####.a10.com/wdg/footer-active/js/minified/wdg_footer-MINIFIED-b04182b2...
w####.a10.com/wdg/js_aggregator-active/js/minified/wdg_js_aggregator-MIN...
w####.a10.com/wdg/js_aggregator-active/js/module/monetisation/advertisem...
w####.a10.com/wdg/page_thumbnail_grid-active/js/minified/wdg_page_thumbn...
w####.a10.com/wdg/popup_login-active/js/minified/wdg_popup_login-MINIFIE...
w####.a10.com/wdg/popup_oauth-active/js/minified/wdg_popup_oauth-MINIFIE...
w####.a10.com/wdg/popup_register-active/js/minified/wdg_popup_register-M...
w####.a10.com/wdg/popup_register_feedback-active/js/minified/wdg_popup_r...
w####.a10.com/wdg/recaptcha-active/js/minified/wdg_recaptcha-MINIFIED-4d...
w####.a10.com/wdg/recaptcha_invisible-active/js/minified/wdg_recaptcha_i...
w####.a10.com/wdg/search_bar-active/js/minified/wdg_search_bar-MINIFIED-...
w####.a10.com/wdg/set-active/js/minified/wdg_set-MINIFIED-5f994a4e530237...
w####.a10.com/wdg/tracking_footer-active/js/minified/wdg_tracking_footer...
w####.a10.com/wdg/user_status-active/js/minified/wdg_user_status-MINIFIE...
w####.a10.com/wdg/vda-active/js/minified/wdg_vda-MINIFIED-e45fcd23d97911...
www.face####.com/plugins/like.php?layout=####&width=####&height=####&sen...

File system changes:

Creates the following files:

/data/data/####/118082200002512083516c4103fefdc9d88c27b8f856a9a...sp.xml
/data/data/####/data_0
/data/data/####/data_1
/data/data/####/data_2
/data/data/####/data_3
/data/data/####/external.apk
/data/data/####/external.so
/data/data/####/external_dex.apk
/data/data/####/external_dex.so
/data/data/####/index
/data/data/####/mid.dex
/data/data/####/moduleinfos
/data/data/####/u3kmid.db-journal
/data/data/####/webview.db-journal
/data/data/####/webviewCookiesChromium.db-journal
/data/media/####/.nomedia
/data/media/####/sub_imei.txt

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

Uses the following algorithms to encrypt data:

AES-ECB-PKCS5Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding
AES-ECB-PKCS5Padding
DES

Gets information about phone status (number, IMEI, etc.).

Displays its own windows over windows of other apps.

Технології

Терміни

Навчання

Міфи

Technical information

Рекомендации по лечению

Демо бесплатно на 14 дней