AdLibrary:Generisk

Jan 17th, 2018

3 engines detected this file
SHA-256: dde3d2a2162c728579475a2913e453619e3acb3aaf4c40e4bb80b76b6c875f64
File name: base.apk
File size: 24.85 MB
Last analysis: 2018-01-16 14:51:48 UTC

DrWeb: Android.DownLoader.679.origin
Symantec Mobile Insight: AdLibrary:Generisk
Trustlook: Android.Malware.General

-----------------

Android.RemoteCode.127.origin

Added to Dr.Web virus database: 2018-01-17
Virus description was added: 2018-01-17
SHA1:

An Android Trojan embedded in the 呀呀云 (Ya Ya Yun) SDK, a software development kit that lets applications exchange text, voice and video messages. The main purpose of Android.RemoteCode.127.origin is the covert download and launch of additional malicious modules.

When Android.RemoteCode.127.origin starts depends on how the developer initializes the SDK in their application; usually this happens at program launch, either in the Application class or in one of its Activities. Once started, the Trojan sends a request to the C&C server https://hs.***bao.com/get (some modifications use http://hs.***vv.info:9800/get) of the following form:

{
  "operatorType":"",
  "model":"Philips_S307",
  "osVersion":"4.4.2",
  "appId":"1001305",
  "vendor":"Philips",
  "imei":"********0006551",
  "androidId":"********743b4627",
  "connectionType":"WIFI",
  "mac":"**:**:**:81:77:dc",
  "requestType":"jar",
  "osType":1,
  "ip":"***.***.137.136",
  "sdkVersion":"1.0.3",
  "appVersion":"1.8",
  "longitude":"",
  "latitude":"",
  "imsi":"",
  "uuid":"************4807a86dac9556ff07de",
  "idfa":""
}

If the application carrying the Trojan SDK holds location permissions, the request also includes the last known location of the infected device.

In response, the server can send the malicious program a task of the following form:

{
  "result":0,
  "msg":null,
  "tasks":[
    {
      "id":356,
      "scriptType":null,
      "type":0,
      "binUrl":"https://v.***aya.cn/core_xd_356",
      "md5":"92801af38f6dfe38fbb8b63748006deb",
      "className":"com.x.d.core.service",
      "function":"main",
      "functionParam":null,
      "shell":"",
      "pkage":"",
      "exeDelay":0,
      "scheduleTime":null,
      "cancel":null,
      "partnerId":null,
      "countLimitType":2,
      "binNumber":"leyou",
      "taskType":1,
      "activity":null,
      "taskFlag":0,
      "msgId":"********f6a7f20cbe2499cf"
    }
  ]
}

The task contains a link to download one of the malicious modules, for example Android.RemoteCode.126.origin. After the download, the module is loaded and launched using the DexClassLoader class.
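As an added example (not part of the Dr.Web write-up), a small Python triage helper that recognizes the SDK's C&C beacon by the field set shown above and pulls the module-download indicators (URL, MD5, entry point) out of a task response so they can be blocklisted or alerted on. Function names are my own; the sample messages are constructed, and the host, IMEI, MAC and UUID in them are placeholders rather than real indicators.

```python
import json

# Field set of the C&C request shown above; requestType is always "jar".
BEACON_FIELDS = {"appId", "imei", "androidId", "mac", "requestType",
                 "sdkVersion", "uuid", "idfa", "osType", "vendor", "model"}

def is_yayayun_beacon(body):
    """True if a captured JSON body matches the SDK's C&C request schema."""
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return (isinstance(obj, dict) and BEACON_FIELDS.issubset(obj)
            and obj.get("requestType") == "jar")

def extract_module_tasks(body):
    """One indicator record per task that delivers a loadable module; [] if malformed."""
    try:
        obj = json.loads(body)
    except ValueError:
        return []
    tasks = obj.get("tasks") if isinstance(obj, dict) else None
    if not isinstance(tasks, list):
        return []
    found = []
    for t in tasks:
        if not isinstance(t, dict) or not str(t.get("binUrl") or "").strip():
            continue  # no module URL: nothing to block or fetch for analysis
        found.append({
            "id": t.get("id"),
            "url": str(t["binUrl"]).strip(),      # server pads the URL with spaces
            "md5": (t.get("md5") or "").lower(),  # normalise for blocklist lookup
            "entry": f"{t.get('className')}.{t.get('function')}",  # DexClassLoader target
            "delay": t.get("exeDelay", 0),
        })
    return found

# Constructed samples: host, IMEI, MAC, IP and UUID are placeholders, not real IoCs.
SAMPLE_BEACON = json.dumps({
    "operatorType": "", "model": "Philips_S307", "osVersion": "4.4.2", "appId": "1001305",
    "vendor": "Philips", "imei": "000000000006551", "androidId": "00000000743b4627",
    "connectionType": "WIFI", "mac": "00:00:00:81:77:dc", "requestType": "jar", "osType": 1,
    "ip": "192.0.2.10", "sdkVersion": "1.0.3", "appVersion": "1.8", "longitude": "",
    "latitude": "", "imsi": "", "uuid": "0000000000004807a86dac9556ff07de", "idfa": ""})
SAMPLE_TASK = json.dumps({"result": 0, "msg": None, "tasks": [{
    "id": 356, "type": 0, "binUrl": " https://example.invalid/core_xd_356 ",
    "md5": "92801AF38F6DFE38FBB8B63748006DEB", "className": "com.x.d.core.service",
    "function": "main", "exeDelay": 0, "taskType": 1}]})
```

Run the beacon check over captured HTTP request bodies and the task extractor over the matching responses; the returned records are what you would feed into a URL/hash blocklist.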