Adware.Adpush.2690

Adware.Adpush.2690

Added to the Dr.Web virus database: 2018-09-19

Virus description added: 2018-09-19

Technical information

Malicious functions:

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) l####.har####.com:80
TCP(HTTP/1.1) ip.p####.co:80
TCP(HTTP/1.1) l####.tala####.ir:80
TCP(HTTP/1.1) l####.hot####.ir:80
TCP(TLS/1.0) and####.cli####.go####.com:443
TCP 1####.183.128.131:443
TCP 1####.183.129.25:443
TCP 2####.195.52.73:443
TCP 2####.195.53.201:443
TCP 2####.195.52.72:443
TCP 2####.195.53.189:443
TCP 2####.195.52.31:443
TCP 2####.195.54.159:443
TCP 1####.154.167.51:443
TCP 2####.195.52.228:443
TCP 2####.195.53.224:443

DNS requests:

and####.cli####.go####.com
ip.p####.co
l####.har####.com
l####.hot####.ir
l####.hot####.ir
l####.hot####.ir
l####.hot####.ir
l####.hot####.ir
l####.hot####.ir
l####.hot####.ir
l####.hot####.ir
l####.tala####.ir
l####.tala####.ir
l####.tala####.ir
l####.tala####.ir
l####.tala####.ir
l####.tala####.ir

HTTP GET requests:

ip.p####.co/geoip
l####.har####.com/v3/config?appVer=####&apiVer=####&slt=####&appId=####
l####.hot####.ir/v3/config?appVer=####&apiVer=####&slt=####&appId=####
l####.hot####.ir/v3/proxy?slt=####&appId=####
l####.tala####.ir/v3/config?appVer=####&apiVer=####&slt=####&appId=####
l####.tala####.ir/v3/proxy?slt=####&appId=####

Modified file system:

Creates the following files:

/data/data/####/-1062949297-640251436
/data/data/####/-14171482021198583591
/data/data/####/-17760360801060170340
/data/data/####/-1847675759-1382353943
/data/data/####/-308887317-457635794
/data/data/####/-4086003831388050035
/data/data/####/-737706980606197076
/data/data/####/-978783050-1308063232
/data/data/####/108241811-1563103985
/data/data/####/1105314164-1362459023
/data/data/####/1491615700-1291753735
/data/data/####/1991935273-1184284153
/data/data/####/482243465-1175938886
/data/data/####/502706291-648132657
/data/data/####/5027062911855689673
/data/data/####/720120659-1048006576
/data/data/####/Blue.attheme
/data/data/####/HockeyApp.xml
/data/data/####/MultiDex.lock
/data/data/####/Stors.xml
/data/data/####/__pushe_base_lib_db-journal
/data/data/####/cache4.db-journal
/data/data/####/co.ronash.pushe.keystore.xml
/data/data/####/com.google.InstanceId.properties
/data/data/####/com.google.android.gms.appid-no-backup
/data/data/####/com.google.android.gms.appid.xml
/data/data/####/com.google.android.gms.measurement.prefs.xml
/data/data/####/dc2conf.dat
/data/data/####/device_id.xml.xml
/data/data/####/evernote_jobs.db-journal
/data/data/####/evernote_jobs.xml
/data/data/####/mainconfig.xml
/data/data/####/multidex.version.xml
/data/data/####/tgnet.dat
/data/data/####/themeconfig.xml
/data/data/####/tmp-org.telegeram.mesenger-1.apk.classes-862671415.zip
/data/data/####/unsent_requests
/data/data/####/userconfig1.xml
/data/data/####/userconfig2.xml
/data/data/####/userconfing.xml
/data/media/####/.nomedia
/data/media/####/000000000_999999_temp.doc
/data/media/####/000000000_999999_temp.jpg
/data/media/####/000000000_999999_temp.mp4
/data/media/####/000000000_999999_temp.ogg

Miscellaneous:

Loads the following dynamic libraries:

tmessages

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5PADDING

Gains access to geolocation.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Gains access to information about accounts (Google, Facebook, etc.) registered on the device.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial