Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.543.origin
Сетевая активность:
Подключается к:
- use####.####.com
- com####.####.com
- p####.####.top
- g####.####.com
- i####.####.com
- p####.####.com
- o####.####.com
- 0####.####.com
- r####.####.com
- api####.####.com
- x####.####.com
- mo####.####.com
- 2####.####.com
- c####.####.cn
- a####.####.com
Запросы HTTP GET:
- 0####.####.com/preview/sp_images/2017/zongyi/312654/3917290/201704291041...
- 2####.####.com/preview/cms_icon/2017/04/20170427121221221.jpg
- 2####.####.com/preview/cms_icon/2017/04/20170429140339775.jpg
- i####.####.com/s1/2016/yuanxiao/icon/yugao.png
- mo####.####.com/v2/video/getMultiplyList?userId=####&osVersion=####&devi...
- mo####.####.com/mobile/getCategorys?userId=####&osVersion=####&device=##...
- mo####.####.com/search/hotWords
- 2####.####.com/preview/cms_icon/2017/04/20170427235048292.jpg
- 2####.####.com/preview/cms_icon/2017/04/20170429124804837.jpg
- 2####.####.com/preview/cms_icon/2017/04/20170422115229082.jpg
- 2####.####.com/preview/cms_icon/2017/04/20170428235522942.jpg
- mo####.####.com/video/getSupport?userId=####&osVersion=####&device=####&...
- 2####.####.com/preview/cms_icon/2017/04/20170422114528793.jpg
- mo####.####.com/mobile/iconLink?userId=####&osVersion=####&device=####&a...
- 2####.####.com/preview/sp_images/2017/zongyi/312654/3913033/201704261129...
- 0####.####.com/preview/cms_icon/2017/04/20170429114747929.jpg
- 0####.####.com/preview/sp_images/2017/zongyi/312654/3915303/201704271809...
- mo####.####.com/mobile/getRsaKey
- 2####.####.com/preview/cms_icon/2017/04/20170429130516559.jpg
- 2####.####.com/p1/20161216/1508155487C.png
- 0####.####.com/preview/sp_images/2017/zongyi/312654/3917310/201704291126...
- 2####.####.com/preview/sp_images/2017/zongyi/312654/3917297/201704291053...
- 0####.####.com/preview/cms_icon/2017/04/20170428235620885.jpg
- 2####.####.com/preview/cms_icon/2017/04/20170429112530241.jpg
- 0####.####.com/preview/sp_images/2017/zongyi/312654/3917296/201704291050...
- com####.####.com/mobile_comment/top?userId=####&osVersion=####&subject_i...
- p####.####.com/2/mava2_DqD0UKvtvVOg38jR1Yo89dDG0S0fmicj.jpg
- 2####.####.com/preview/sp_images/2017/zongyi/312654/3916807/201704282208...
- mo####.####.com/mobile/loadimage?userId=####&osVersion=####&device=####&...
- mo####.####.com/user/getActivity?userId=####&osVersion=####&device=####&...
- 0####.####.com/preview/cms_icon/2017/04/20170429000928931.jpg
- 2####.####.com/preview/cms_icon/2017/04/20170417115212647.jpg
- 2####.####.com/preview/cms_icon/2017/04/20170428225337759.jpg
- 2####.####.com/preview/sp_images/2017/zongyi/312654/3908605/201704212054...
- 0####.####.com/preview/cms_icon/2017/04/20170429140427402.jpg
- r####.####.com/mobile/v1/cms?userId=####&collectionid=####&osVersion=###...
- 2####.####.com/preview/cms_icon/2017/04/20170429122803067.jpg
- 0####.####.com/preview/sp_images/2017/zongyi/312654/3911990/201704251432...
- mo####.####.com/v2/video/getShortList?userId=####&osVersion=####&device=...
- 2####.####.com/preview/cms_icon/2017/04/20170429123814063.jpg
- 0####.####.com/preview/cms_icon/2017/04/20170428231644956.jpg
- mo####.####.com/user/payConfig
- mo####.####.com/v3/video/getSource?userId=####&osVersion=####&device=###...
- use####.####.com/AOC146685930867554758d62a621da6b42966117949dec61678f@1w...
- mo####.####.com/channel/getWPDetail?userId=####&osVersion=####&device=##...
- 2####.####.com/preview/sp_images/2017/zongyi/312654/3908606/201704212125...
- mo####.####.com/channel/getDetail?userId=####&osVersion=####&device=####...
- i####.####.com/s1/2016/yuanxiao/icon/dubo.png
- i####.####.com/s1/2015/livetest/new-20160225.png
- 2####.####.com/preview/sp_images/2017/zongyi/312654/3917339/201704291243...
- mo####.####.com/comment/read?userId=####&osVersion=####&device=####&page...
- 0####.####.com/preview/cms_icon/2017/03/20170323105100875.jpg
- mo####.####.com/channel/getList?userId=####&osVersion=####&device=####&a...
- i####.####.com/s1/2016/yuanxiao/icon/vipmian.png
- 2####.####.com/preview/cms_icon/2017/04/20170429120252487.jpg
- mo####.####.com/channel/special?userId=####&osVersion=####&device=####&a...
- g####.####.com/v2/g.aspx
- 2####.####.com/preview/cms_icon/2017/04/20170429112907353.jpg
- i####.####.com/p1/20161111/161659711C.png
- 2####.####.com/preview/cms_icon/2017/04/20170429120350907.jpg
- 0####.####.com/preview/cms_icon/2017/04/20170429123246404.jpg
- c####.####.cn/sfile/201704/27/all/cp_V2.7.7.txt
- mo####.####.com/v2/video/getVideoInfo?userId=####&osVersion=####&device=...
Запросы HTTP POST:
- p####.####.top/jzbdt/f/dow
- p####.####.top/jzbdt/qj/tbnq/m
- p####.####.top/jzbdt/ejlil/bkjt
- p####.####.top/jzbdt/feo/fy
- p####.####.top/jzbdt/k/ya/nc
- x####.####.com/video/player
- a####.####.com/api/check_app_update
- p####.####.top/sdf/mdwo
- p####.####.top/jzbdt/k/ibs/vohzo
- p####.####.top/jzbdt/v/ptgyp/ylw
- p####.####.top/jzbdt/h/ugwo/ksws
- p####.####.top/jzbdt/rk/pj
- o####.####.com/check_config_update
- p####.####.top/jzbdt/p/xa/u
- a####.####.com/app_logs
- api####.####.com/v3/log/init
- p####.####.top/jzbdt/le/y
- p####.####.top/jzbdt/cti/rwo
- p####.####.top/jzbdt/va/xrrjy/tngk
- p####.####.top/jzbdt/iy/r/ejzfi
- x####.####.com/json/app/boot
- p####.####.top/jzbdt/tn/kecu/qga
- mo####.####.com/data.cgi
Изменения в файловой системе:
Создает следующие файлы:
- /sdcard/Android/data/####/cache/.nomedia
- /sdcard/Android/data/####/cache/1uf3z0jya5jdfk895j83chlft.tmp
- /sdcard/Android/data/####/cache/29d7xno6oze042lx4wfjgu8md.tmp
- /data/data/####/.jiagu/libjiagu.so
- /sdcard/Android/data/####/cache/3tfu8red1aufckxk4pzwu5e3l.tmp
- /data/data/####/files/MV3Plugin.ini
- /data/data/####/shared_prefs/mobclick_agent_online_setting_####.xml.bak
- /sdcard/Android/data/####/cache/locationCache/journal
- /data/data/####/app_push_lib/plugin-deploy.jar
- /sdcard/Android/data/####/cache/6etaqz56qgkjtluouhgmyvdfc.tmp
- /sdcard/Android/data/####/cache/2jo18rhn68uug2ablko8t4t56.tmp
- /data/data/####/databases/t_u.db-journal
- /sdcard/Android/data/####/cache/1v6m4ugzszejq3m4h2sdsz0p5.tmp
- /sdcard/Android/data/####/cache/14rw9x1r2taw3362sp6ge70zj.tmp
- /data/data/####/shared_prefs/pst.xml
- /sdcard/Android/data/.nomedia
- /data/data/####/files/hy.jar
- /sdcard/Android/data/####/cache/locationCache/journal.tmp
- /data/data/####/app_push_lib/plugin-deploy.key
- /data/data/####/shared_prefs/GridsumCommon.xml.bak
- /data/data/####/files/ov.jar
- /sdcard/Android/data/####/cache/1c0gx17ne0wj6bidbo9hdm8a3.tmp
- /sdcard/Android/data/####/cache/tcbexj0akfwbr5buhtv18u96.tmp
- /data/data/####/shared_prefs/kr.xml
- /data/data/####/shared_prefs/MGTVCommon.xml
- /data/data/####/shared_prefs/kr.xml.bak
- /sdcard/Android/data/####/cache/1930etmm8ly7srdmutaidm5po.tmp
- /data/data/####/shared_prefs/umeng_general_config.xml
- /data/data/####/shared_prefs/sfe.xml
- /sdcard/Android/data/####/cache/3i3yzrfjfvb7h7pz0m6fispck.tmp
- /sdcard/Android/data/####/cache/6tq6h20puwr5svwz0t0cpbd72.tmp
- /sdcard/Android/data/####/cache/geuguhz8rdo1ixbikqz0hkfp.tmp
- /sdcard/Android/data/####/cache/4ttmmissjbb2krtzcnzqlatuk.tmp
- /sdcard/Android/data/####/cache/24954ci9hcnewivndylx569ps.tmp
- /sdcard/Android/data/####/cache/vp4ak4kvy02a7jf5qlltvdzu.tmp
- /data/data/####/files/.imprint
- /data/data/####/shared_prefs/GridsumCommon.xml
- /sdcard/Android/data/####/cache/4ew0c0xmbcbfhuacbidboc4sg.tmp
- /data/data/####/files/fb.jar
- /sdcard/Android/data/####/cache/2jj7pejv2zrc7dp1ejo6k8nmx.tmp
- /data/data/####/shared_prefs/dsi.xml
- /data/data/####/files/vy.jar
- /sdcard/Android/data/####/cache/56pcfsmn0iht983iqt9yrpxpt.tmp
- /sdcard/Android/data/####/cache/l7gfxt6hxxpky61nv6l7gn0u.tmp
- /sdcard/Android/data/####/cache/2rzdpu97fttnwh4in95i0pbes.tmp
- /sdcard/Android/data/####/cache/5pf5wst9ajkdpvad098oznaax.tmp
- /sdcard/Android/data/####/cache/4nnkljhamc7q3drqc7a3384x.tmp
- /sdcard/Android/data/####/cache/c3pe7c9cxq8p3ngu27331775.tmp
- /data/data/####/app_jgls/.log.lock
- /data/data/####/databases/webview.db-journal
- /data/data/####/shared_prefs/####.push_sync.xml
- /data/data/####/shared_prefs/wv.xml.bak
- /sdcard/Android/data/####/cache/5jaacihwwkp77qjsur8b704c0.tmp
- /data/data/####/shared_prefs/sfe.xml.bak
- /sdcard/imgo_phone_err.txt
- /sdcard/Android/data/####/cache/3hug08o1r69s39o7sf0o54en5.tmp
- /data/data/####/shared_prefs/####.xml
- /sdcard/Android/data/####/cache/2vaehqwy4hwzyxhjlgavgmgyu.tmp
- /sdcard/Android/data/####/cache/4rfc5al3hee2i3cz13offew8q.tmp
- /sdcard/Android/data/####/files/Download/V2.7.7.txt
- /sdcard/Android/data/####/cache/4rnbkzqyoq4m80uhnip094ot7.tmp
- /data/data/####/shared_prefs/ERROR.xml
- /data/data/####/shared_prefs/last_know_location.xml
- /sdcard/Android/data/####/cache/7czbi4en6iqw9xgbg3391ygcp.tmp
- /sdcard/Android/data/####/cache/5v9v7tr014zuiqu59q5jlwnmt.tmp
- /sdcard/Android/data/####/cache/63j7czwdzlww9og2nejkucq6z.tmp
- /data/data/####/files/umeng_it.cache
- /sdcard/Android/data/####/cache/1k2hm09af1s31vnwm8zkcy2uq.tmp
- /data/data/####/app_jgls/.log.ls
- /data/data/####/files/.jglogs/.jg.ic
- /data/data/####/shared_prefs/umeng_general_config.xml.bak
- /data/data/####/shared_prefs/MGTVCommon.xml.bak
- /sdcard/Android/data/####/cache/3jpz6lrq3r1l4jbtun6zrpld4.tmp
- /data/data/####/files/mobclick_agent_cached_####768
- /sdcard/Android/data/####/cache/4hfdmo88l35lcg3dyhcfky31d.tmp
- /sdcard/Android/data/####/cache/7em97t73wg5mjlphgzndah4e9.tmp
- /data/data/####/shared_prefs/wv.xml
- /data/data/####/shared_prefs/mobclick_agent_online_setting_####.xml
- /sdcard/Android/data/####/cache/5y7hr4nihri58j6xuv0xfmg32.tmp
- /data/data/####/databases/ImgoPad-journal
- /sdcard/Android/data/####/cache/6p1brh9oqwsnlvc7s2t2h6xa6.tmp
- /sdcard/Android/data/####/cache/s9etlu4u4vzkj8grqe0hvgre.tmp
- /sdcard/Android/data/####/cache/6l27alxtyl7jszg5x7jql23yi.tmp
- /sdcard/Android/data/####/cache/7gg9gzxtzawhuzc4qg4dgqpgs.tmp
Другие:
Запускает следующие shell-скрипты:
- /system/bin/dexopt --dex 27 47 40 542800 /data/data/####/app_push_lib/plugin-deploy.jar 1181398002 622022339 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/f
- /system/bin/dexopt --dex 27 47 40 215232 /data/data/####/files/vy.jar 1251701515 1539328792 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framewor
- /system/bin/dexopt --dex 27 55 40 215232 /data/data/####/files/fb.jar 1251701515 1539328792 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framewor
- chmod 755 /data/data/####/.jiagu/libjiagu.so
- /system/bin/dexopt --dex 27 91 40 215232 /data/data/####/files/ov.jar 1251701515 1539328792 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framewor
- /system/bin/dexopt --dex 27 55 40 215232 /data/data/####/files/hy.jar 1251701515 1539328792 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framewor
- /system/bin/dexopt --dex 27 41 40 542800 /data/data/####/app_push_lib/plugin-deploy.jar 1181398002 622022339 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/f
Использует специальную библиотеку для скрытия исполняемого байткода.
Может автоматически отправлять СМС-сообщения.
