Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.543.origin
Сетевая активность:
Подключается к:
- p####.####.top
- i####.####.com
- p####.####.com
- 1####.####.com
- d####.####.com
- ping####.####.com
- c####.####.cn
- a####.####.com
Запросы HTTP GET:
- 1####.####.com/ic.asp
- i####.####.com/lc04_search/201612/10/04/34/tmp_8385912295148414736.jpg
- i####.####.com/lc04_isvrs/201704/22/23/37/93374e17-8858-4bf7-8e73-178c67...
- d####.####.com/data_collect.so?position=####&uid=####&parent_eid=####&mo...
- a####.####.com/env/?uid=####&lo=####&nt=####&ro=####&xh=####&auid=####&p...
- i####.####.com/lc04_isvrs/201704/06/11/24/2c691c46-1c2c-41f1-8a10-751901...
- i####.####.com/lc05_isvrs/201704/22/23/38/4e7df500-db8f-437a-bf15-f4ad91...
- p####.####.com/draw/generalactivity?platform=####&phone=####&ts=####&ck=...
- i####.####.com/lc06_search/201612/10/04/34/tmp_8935304569388319419.jpg
- ping####.####.com/log.html?nt=####&os=####&plat=####&appId=####&locale=#...
- a####.####.com/upgrade?appid=####&appkey=####&devmodel=####&devmodel2=##...
- i####.####.com/lc04_img/201602/18/16/31/play_logo_letv.png
- i####.####.com/lc06_search/201702/15/14/09/tmp_386631575097035616.png
- a####.####.com/op/?uid=####&nt=####&auid=####&p3=####&p2=####&p1=####&bu...
- i####.####.com/lc06_search/201702/15/13/53/tmp_4296236918984767830.png
- i####.####.com/lc03_search/201702/15/14/02/tmp_8170379237422033201.png
- i####.####.com/lc05_iscms/201704/25/18/11/2803518dafc4476492a1b709bf487d...
- i####.####.com/lc07_search/201702/15/14/21/tmp_1895143098499128475.png
- i####.####.com/lc05_search/201702/15/14/16/tmp_3840441089538125518.png
- i####.####.com/lc06_isvrs/201704/11/17/34/fe1d29fd-e934-43ed-b5fe-1d5e80...
- i####.####.com/lc07_search/201612/10/04/35/tmp_142377121619026795.jpg
- a####.####.com/pgv/?uid=####&auid=####&p3=####&p2=####&p1=####&pid=####&...
- i####.####.com/lc05_search/201702/15/14/25/tmp_1983091875676441517.png
- c####.####.cn/sfile/201704/27/all/cp_V2.7.7.txt
Запросы HTTP POST:
- p####.####.top/jzbdt/gup/thsyj/q
- p####.####.top/jzbdt/bkvp/nsw/p
- p####.####.top/jzbdt/xb/oxfi
- p####.####.top/jzbdt/g/x/m
- p####.####.top/jzbdt/upus/zst/hzgva
- p####.####.top/jzbdt/wwd/f
- p####.####.top/sdf/qh
- p####.####.top/jzbdt/atnb/eyru/fvpn
Изменения в файловой системе:
Создает следующие файлы:
- /sdcard/WhatsLIVE/Cache/-194591019.tmp
- /data/data/####/shared_prefs/mzSdkProfilePrefs.xml
- /sdcard/YSDQ_LOG.txt
- /data/data/####/files/2016-11-23-18-22-54/rawso
- /sdcard/WhatsLIVE/Cache/-950185775.tmp
- /data/data/####/shared_prefs/commonsp.xml
- /sdcard/WhatsLIVE/Cache/-1941567231.tmp
- /sdcard/WhatsLIVE/Cache/-1456889749.tmp
- /sdcard/WhatsLIVE/Cache/2136458816
- /data/data/####/files/2016-11-23-18-22-54/armeabi/libtea_codecs.so
- /data/data/####/shared_prefs/Access_Preferences.xml
- /data/data/####/shared_prefs/mzSdkProfilePrefs.xml.bak
- /sdcard/WhatsLIVE/Cache/1491767623.tmp
- /data/data/####/shared_prefs/device_id.xml.xml
- /data/data/####/databases/cc/cc.db
- /data/data/####/files/libtencentloc.so
- /data/data/####/databases/common.db-journal
- /sdcard/WhatsLIVE/Cache/1472950956.tmp
- /data/data/####/shared_prefs/com.admaster.sdk.sohu.other.xml
- /sdcard/Android/data/.nomedia
- /sdcard/WhatsLIVE/Cache/-1743433421.tmp
- /sdcard/WhatsLIVE/Cache/1021981288.tmp
- /data/data/####/shared_prefs/kr.xml
- /sdcard/WhatsLIVE/Cache/1463956424.tmp
- /data/data/####/databases/trackingplugin.db-journal
- /data/data/####/shared_prefs/kr.xml.bak
- /data/data/####/shared_prefs/bigdata.xml
- /data/data/####/databases/cc/cc.db-journal
- /data/data/####/databases/mzmonitor
- /data/data/####/shared_prefs/cde_config.xml
- /data/data/####/shared_prefs/umeng_general_config.xml
- /data/data/####/shared_prefs/sfe.xml
- /data/data/####/databases/miaozhen.db
- /data/data/####/databases/mzmonitor-journal
- /data/data/####/shared_prefs/ywPrefsTools.xml
- /data/data/####/databases/infinitemovie.db
- /data/data/####/libs/version.txt
- /data/data/####/shared_prefs/dsi.xml
- /data/data/####/databases/t_u.db-journal
- /data/data/####/databases/download.db-journal
- /data/data/####/shared_prefs/commonsp.xml.bak
- /data/data/####/files/extractor.html
- /data/data/####/shared_prefs/is_show_score_pop.xml
- /data/data/####/databases/miaozhen.db-journal
- /data/data/####/files/.jglogs/.jg.ic
- /sdcard/WhatsLIVE/Cache/195547181.tmp
- /data/data/####/app_jgls/.log.lock
- /data/data/####/shared_prefs/cn.jpush.preferences.v2.xml
- /data/data/####/databases/webview.db-journal
- /sdcard/Android/data/####/files/Download/V2.7.7.txt
- /data/data/####/shared_prefs/wv.xml.bak
- /data/data/####/shared_prefs/sfe.xml.bak
- /data/data/####/files/sbf_version
- /data/data/####/shared_prefs/####_preferences.xml
- /sdcard/WhatsLIVE/Cache/1902957573.tmp
- /data/data/####/shared_prefs/sohu_player.xml
- /data/data/####/databases/trackingplugin.db
- /sdcard/WhatsLIVE/Cache/364082316.tmp
- /data/data/####/files/2016-11-23-18-22-54/armeabi/libteanb.so
- /data/data/####/files/mobclick_agent_cached_####706
- /data/data/####/shared_prefs/firstlaunch.xml
- /data/data/####/files/fk.jar
- /sdcard/Android/data/####/cde.txt
- /data/data/####/app_jgls/.log.ls
- /data/data/####/shared_prefs/umeng_general_config.xml.bak
- /data/data/####/shared_prefs/report.xml
- /data/data/####/shared_prefs/wv.xml
- /data/data/####/files/gc.jar
- /sdcard/Infinitemovies/shareqrcode
- /sdcard/WhatsLIVE/Cache/-1942697628.tmp
- /data/data/####/shared_prefs/setting_relative_sharepreference.xml
- /data/data/####/databases/infinitemovie.db-journal
- /data/data/####/shared_prefs/priornetstate.xml
- /sdcard/.mm1/.ucf.dat
- /sdcard/WhatsLIVE/Cache/2081927608.tmp
- /data/data/####/shared_prefs/multidex.version.xml
- /data/data/####/shared_prefs/snifferHtml.xml
- /data/data/####/shared_prefs/ip.xml
- /data/data/####/.jiagu/libjiagu.so
- /data/data/####/databases/common.db
Другие:
Запускает следующие shell-скрипты:
- /system/bin/dexopt --dex 27 47 40 215232 /data/data/####/files/gc.jar 1251701515 1539328792 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/fra
- /system/bin/dexopt --dex 27 110 40 215232 /data/data/####/files/fk.jar 1251701515 1539328792 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/fr
- chmod 755 /data/data/####/.jiagu/libjiagu.so
Использует специальную библиотеку для скрытия исполняемого байткода.
Может автоматически отправлять СМС-сообщения.
