Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.543.origin
Предлагает установить сторонние приложения.
Сетевая активность:
Подключается к:
- 3####.####.com
- com####.####.com
- av####.####.com
- mo####.####.com
- 1####.####.67
- i####.####.com
- c####.####.org
- o####.####.com
- 0####.####.com
- p####.####.com
- p####.####.top
- x####.####.com
- api####.####.com
- g####.####.com
- 5####.####.56
- statson####.####.com
- c####.####.cn
- a####.####.com
- b####.####.com
Запросы HTTP GET:
- c####.####.cn/upload/201705/12/img/20170512181047179.png
- 3####.####.com/preview/cms_icon/2017/05/20170513133859907.jpg
- i####.####.com/s1/2016/yuanxiao/icon/yugao.png
- c####.####.cn/sfile/201705/17/all/cp_V2.7.8.txt
- mo####.####.com/mobile/getCategorys?userId=####&osVersion=####&device=##...
- 5####.####.56/checker
- c####.####.cn/upload/201704/19/app/20170419164327750.apk
- 0####.####.com/preview/cms_icon/2017/05/20170516114942909.jpg
- c####.####.cn/upload/201607/12/img/20160712113200038.png
- 3####.####.com/preview/sp_images/2017/xinwen/308828/3936697/201705161814...
- 3####.####.com/preview/cms_icon/2017/05/20170509094302106.jpg
- b####.####.com/p2?c1=####&c2=####&ns_ap_an=####&ns_ap_pn=####&c12=####&n...
- mo####.####.com/mobile/p2pSwitch?userId=####&osVersion=####&device=####&...
- mo####.####.com/v2/video/getSource?userId=####&osVersion=####&device=###...
- mo####.####.com/mobile/getRsaKey
- 3####.####.com/preview/cms_icon/2017/05/20170517235452032.jpg
- 3####.####.com/preview/cms_icon/2017/05/20170514094148837.jpg
- c####.####.cn/upload/201611/29/img/20161129171402411.png
- 3####.####.com/preview/cms_icon/2017/05/20170516105703782.jpg
- 3####.####.com/preview/cms_icon/2017/05/20170517115600264.jpg
- com####.####.com/mobile_comment/top?userId=####&osVersion=####&subject_i...
- c####.####.org/strategy/loss_4.3
- i####.####.com/s1/2016/yuanxiao/icon/mianfeibo.png
- av####.####.com/6/37515e62/WOUFmZzZyWKetfk5?x-oss-process=####
- mo####.####.com/mobile/iconLink?userId=####&osVersion=####&device=####&a...
- c####.####.org/strategy/sul18
- c####.####.org/strategy/symlink-adbd
- 3####.####.com/preview/cms_icon/2017/05/20170513204955889.jpg
- c####.####.org/strategy/dev_root2
- c####.####.cn/upload/201705/15/img/20170515155019500.png
- c####.####.org/strategy/UnknownDev
- 3####.####.com/preview/cms_icon/2017/05/20170513134601328.jpg
- c####.####.cn/upload/201705/17/app/20170517101453957.apk
- 0####.####.com/preview/cms_icon/2017/05/20170513120508905.jpg
- 0####.####.com/preview/cms_icon/2017/05/20170513143735385.jpg
- mo####.####.com/channel/getDetail?userId=####&osVersion=####&device=####...
- c####.####.org/strategy/base
- 0####.####.com/preview/cms_icon/2017/05/20170517171409721.jpg
- 3####.####.com/preview/cms_icon/2017/05/20170513113130869.jpg
- c####.####.org/strategy/dev_root
- mo####.####.com/comment/read?userId=####&osVersion=####&device=####&page...
- 0####.####.com/preview/cms_icon/2017/05/20170517135359378.jpg
- mo####.####.com/channel/getList?userId=####&osVersion=####&device=####&a...
- c####.####.org/strategy/larger4.3
- 5####.####.56/core
- g####.####.com/v2/g.aspx
- 3####.####.com/preview/cms_icon/2017/05/20170517235622640.jpg
- c####.####.cn/upload/201705/12/app/20170512181057113.apk
- mo####.####.com/v2/video/getVideoInfo?userId=####&osVersion=####&device=...
- 3####.####.com/preview/cms_icon/2017/05/20170513105749593.jpg
Запросы HTTP POST:
- 1####.####.67/log/interface.html
- a####.####.com/api/check_app_update
- p####.####.top/hadat/uz/j
- p####.####.top/jzbdt/zrv/g
- p####.####.top/hadat/ilsyn/c
- 1####.####.67/strategy/interface.html
- p####.####.top/jzbdt/fk/dowz
- p####.####.top/hadat/y/pi
- p####.####.top/hadat/gmq/tbgjb
- p####.####.top/hadat/yj/ygor
- a####.####.com/ad-service/ad/mark
- p####.####.top/hadat/k/hmru
- p####.####.top/hadat/yvhxu/af
- p####.####.top/jzbdt/qmujf/pu/slqp
- o####.####.com/check_config_update
- a####.####.com/app_logs
- p####.####.com/api/statis/3e47ba4d845b8456f45d1d4bbc191ac29/game-EF1516E...
- p####.####.com/api/q/a/3e47ba4d845b8456f45d1d4bbc191ac29
- p####.####.top/jzbdt/cev/bpd/zsi
- a####.####.com/rest/2.0/channel/channel
- p####.####.top/hadat/qpux/ljogy
- api####.####.com/v3/log/init
- p####.####.top/sdf/cvq
- p####.####.top/hadat/xcz/ypit
- p####.####.top/hadat/qsj/zb
- p####.####.top/jzbdt/b/f
- p####.####.top/hadat/hau/pjme
- statson####.####.com/pushlog
- x####.####.com/json/app/boot
- p####.####.top/hadat/vfa/kc
- p####.####.top/hadat/go/z
- a####.####.com/rest/2.0/channel/3769550902960538385
- p####.####.top/hadat/nmq/b
- mo####.####.com/data.cgi
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/shared_prefs/sfe.xml.bak
- <Package Folder>/app_subox_download/50bd5d7a-d821-48b6-9310-2d9c0e8ec61e
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/fileWork
- <Package Folder>/shared_prefs/<Package>.push_sync.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/kr.xml.bak
- <Package Folder>/shared_prefs/GridsumCommon.xml.bak
- <Package Folder>/app_3dfc0227-fec6-454c-b7cc-8992ea7c6ca1/fileWork
- <Package Folder>/app_subox_download/f0d78305-a2e7-4319-890d-79c8d4f656e4
- <Package Folder>/app_3dfc0227-fec6-454c-b7cc-8992ea7c6ca1/su
- <Package Folder>/app_0b23db4a-e262-48d4-bd43-4b2748490e7e/wsroot.sh
- <Package Folder>/app_0b23db4a-e262-48d4-bd43-4b2748490e7e/pidof
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/device.db
- <Package Folder>/app_c8894f16-d27d-4a3a-adc1-8c9c084e2e4a/debuggerd
- <Package Folder>/app_f4b52c99-4063-44d3-afb7-b29eab77620c/su
- <Package Folder>/app_0b23db4a-e262-48d4-bd43-4b2748490e7e/ddexe
- <Package Folder>/app_subox/32edd79a240b5f1e461d069caab1ec3e
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/pidof
- <Package Folder>/shared_prefs/wv.xml.bak
- <Package Folder>/app_3dfc0227-fec6-454c-b7cc-8992ea7c6ca1/pidof
- <Package Folder>/app_subox_download/e1e37106-d126-44aa-a77b-208dd963932b
- <Package Folder>/files/MV3Plugin.ini
- <Package Folder>/app_6222c7ad-bf5d-4d5b-856d-9b25ce0f80cd/wsroot.sh
- <Package Folder>/shared_prefs/dsi.xml
- <Package Folder>/shared_prefs/GridsumCommon.xml
- <Package Folder>/app_subox/1740c449fc10be62df60ba0f18696c9f
- <Package Folder>/app_c8894f16-d27d-4a3a-adc1-8c9c084e2e4a/install-recovery.sh
- <Package Folder>/app_6222c7ad-bf5d-4d5b-856d-9b25ce0f80cd/supolicy
- <Package Folder>/app_subox_download/5b5838a5-d332-48f8-b0bb-48be87628fd4
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/supolicy
- <Package Folder>/app_subox/b0141e478b25af7c40a8cca8de6c4708
- <Package Folder>/shared_prefs/dbVersion.xml
- <Package Folder>/app_0b23db4a-e262-48d4-bd43-4b2748490e7e/supolicy
- <Package Folder>/app_9192704f-3142-433e-b62c-328d83a7857b/checker.jar
- <Package Folder>/app_f4b52c99-4063-44d3-afb7-b29eab77620c/supolicy
- <Package Folder>/app_subox_download/902491e9-5770-4319-860d-85f75be3f7c8
- <Package Folder>/app_f4b52c99-4063-44d3-afb7-b29eab77620c/ddexe
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/Matrix
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/wsroot.sh
- <Package Folder>/app_6222c7ad-bf5d-4d5b-856d-9b25ce0f80cd/toolbox
- <Package Folder>/app_3dfc0227-fec6-454c-b7cc-8992ea7c6ca1/debuggerd
- <Package Folder>/shared_prefs/subox.xml
- <Package Folder>/files/.jglogs/.jg.ic
- <Package Folder>/app_subox/b18a021d11a3004d25017230b681476b
- <Package Folder>/app_6222c7ad-bf5d-4d5b-856d-9b25ce0f80cd/Matrix
- <Package Folder>/app_0b23db4a-e262-48d4-bd43-4b2748490e7e/su
- <Package Folder>/app_subox_download/2a9421ce-bb04-4ae9-960f-10329bc0ae3b
- <Package Folder>/app_c8894f16-d27d-4a3a-adc1-8c9c084e2e4a/Matrix
- <Package Folder>/app_3dfc0227-fec6-454c-b7cc-8992ea7c6ca1/toolbox
- <Package Folder>/app_subox/c61913b615fb6224701377a119081f36
- <Package Folder>/app_6222c7ad-bf5d-4d5b-856d-9b25ce0f80cd/ddexe
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/root3
- <Package Folder>/files/ei.jar
- <Package Folder>/files/dk.jar
- <Package Folder>/shared_prefs/pst.xml
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/debuggerd
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/app_0b23db4a-e262-48d4-bd43-4b2748490e7e/fileWork
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_6222c7ad-bf5d-4d5b-856d-9b25ce0f80cd/fileWork
- <Package Folder>/app_c8894f16-d27d-4a3a-adc1-8c9c084e2e4a/supolicy
- <Package Folder>/shared_prefs/sfe.xml
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/ddexe
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/files/SUBOXLOG_
- <Package Folder>/app_f4b52c99-4063-44d3-afb7-b29eab77620c/debuggerd
- <Package Folder>/app_c8894f16-d27d-4a3a-adc1-8c9c084e2e4a/su
- <Package Folder>/files/.imprint
- <Package Folder>/app_0b23db4a-e262-48d4-bd43-4b2748490e7e/install-recovery.sh
- <Package Folder>/app_subox_download/21300169-12d7-4b4c-a3df-250e87e34c12
- <Package Folder>/app_6222c7ad-bf5d-4d5b-856d-9b25ce0f80cd/pidof
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/toolbox
- <Package Folder>/app_3dfc0227-fec6-454c-b7cc-8992ea7c6ca1/Matrix
- <Package Folder>/app_anonymous_files/anonymous_core.so
- <Package Folder>/shared_prefs/wv.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml.bak
- <Package Folder>/databases/t_u.db-journal
- <Package Folder>/app_0b23db4a-e262-48d4-bd43-4b2748490e7e/Matrix
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_c8894f16-d27d-4a3a-adc1-8c9c084e2e4a/pidof
- <Package Folder>/app_f4b52c99-4063-44d3-afb7-b29eab77620c/Matrix
- <Package Folder>/app_3dfc0227-fec6-454c-b7cc-8992ea7c6ca1/wsroot.sh
- <Package Folder>/app_6222c7ad-bf5d-4d5b-856d-9b25ce0f80cd/su
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/app_f4b52c99-4063-44d3-afb7-b29eab77620c/fileWork
- <Package Folder>/shared_prefs/<Package>.xml
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/app_0b23db4a-e262-48d4-bd43-4b2748490e7e/toolbox
- <Package Folder>/app_c8894f16-d27d-4a3a-adc1-8c9c084e2e4a/toolbox
- <Package Folder>/shared_prefs/kr.xml
- <Package Folder>/app_3dfc0227-fec6-454c-b7cc-8992ea7c6ca1/supolicy
- <Package Folder>/app_c8894f16-d27d-4a3a-adc1-8c9c084e2e4a/ddexe
- <Package Folder>/shared_prefs/cSPrefs.xml
- <Package Folder>/app_3dfc0227-fec6-454c-b7cc-8992ea7c6ca1/ddexe
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/app_f4b52c99-4063-44d3-afb7-b29eab77620c/toolbox
- <Package Folder>/app_c8894f16-d27d-4a3a-adc1-8c9c084e2e4a/wsroot.sh
- <Package Folder>/app_0b23db4a-e262-48d4-bd43-4b2748490e7e/debuggerd
- <Package Folder>/shared_prefs/MGTVCommon.xml.bak
- <Package Folder>/app_push_lib/plugin-deploy.jar
- <Package Folder>/app_subox/8b6f263391259b7a8e5f58ee71852ca8
- <Package Folder>/shared_prefs/MGTVCommon.xml
- <Package Folder>/app_6222c7ad-bf5d-4d5b-856d-9b25ce0f80cd/debuggerd
- <Package Folder>/app_f4b52c99-4063-44d3-afb7-b29eab77620c/wsroot.sh
- <Package Folder>/app_plugin_download/78d56820-7069-4479-b466-079d749a3c03
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/su
- <Package Folder>/app_3dfc0227-fec6-454c-b7cc-8992ea7c6ca1/install-recovery.sh
- <Package Folder>/app_subox_download/508b4b85-fd54-4fc7-b333-c1254cb0e4db
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/app_f4b52c99-4063-44d3-afb7-b29eab77620c/install-recovery.sh
- <Package Folder>/app_f4b52c99-4063-44d3-afb7-b29eab77620c/pidof
- <Package Folder>/shared_prefs/last_know_location.xml
- <Package Folder>/app_6222c7ad-bf5d-4d5b-856d-9b25ce0f80cd/install-recovery.sh
- <Package Folder>/app_push_lib/plugin-deploy.key
- <Package Folder>/app_aca01525-8d8a-4b46-9c9e-e3646aa3e34c/install-recovery.sh
- <Package Folder>/app_plugin_download/f03a3b62-34a2-42c5-97d7-07aaab77fbc4
- <Package Folder>/app_c8894f16-d27d-4a3a-adc1-8c9c084e2e4a/fileWork
Другие:
Запускает следующие shell-скрипты:
- chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/d20b9c9d3d1e2f04037d0db0678470fe.apk
- sh -c echo QTk2RjcxODY0RTlDNzg0MTZBQTA4NTg4Mjc1RDU3QjU0ODRERDA6OUI3MzEzOkRDRDM4RA== > /sdcard/Android/Data/System/local/_android.dat
- sh -c cat /sdcard/.aio.dat
- sh -c cat /sdcard/._system.dat
- sh -c cat /sdcard/Android/Data/System/local/_driver.dat
- sh -c echo QjU4NUVFQTBCMEQ3MkI1Mzg5QjM5ODQ1MzQ1NUNFMDMzQzdBQjU6ODg2Qzc4OjI3RERDMw== > /sdcard/._system.dat
- sh -c cat /proc/meminfo
- id
- sh -c echo QTk2RjcxODY0RTlDNzg0MTZBQTA4NTg4Mjc1RDU3QjU0ODRERDA6OUI3MzEzOkRDRDM4RA== > /sdcard/._android.dat
- sh -c cat /sys/class/net/wlan0/address
- chmod 755 /data/data/com.gzlok.papa.show/.jiagu/libjiagu.so
- sh -c echo QjU4NUVFQTBCMEQ3MkI1Mzg5QjM5ODQ1MzQ1NUNFMDMzQzdBQjU6ODg2Qzc4OjI3RERDMw== > /sdcard/Android/Data/System/local/_system.dat
- sh -c cat /proc/cpuinfo
- sh -c echo MDVDQjg1MkE3Mzk0NUM5M0Y3M0Y0NUM3MzdFOUQyMUUxNDk1MDA1OTM4OTA5 > /sdcard/.lut
- sh -c cat /sys/class/net/eth1/address
- sh -c cat /proc/self/status
- sh -c echo MDVDQjg1MkE3Mzk0NUM5M0Y3M0Y0NUM3MzdFOUQyMUUxNDk1MDA1OTM4OTA5 > /sdcard/Android/Data/System/local/lut
- sh -c cat /proc/sys/kernel/random/uuid
- sh -c cat
- sh -c echo NTAyNUEwOURGRDcyQ0ZCMTQ5NzMyNjI2NjRCMzZGQURGQTc4RjY6RjVDN0IzOkI0NDk1Ng== > /sdcard/._driver.dat
- ls /dev/socket
- sh -c cat /sdcard/Android/Data/System/local/_system.dat
- ps
- df
- chmod 755 /data/data/####/.jiagu/libjiagu.so
- sh -c cat /sys/class/net/eth0/address
- sh -c echo NTAyNUEwOURGRDcyQ0ZCMTQ5NzMyNjI2NjRCMzZGQURGQTc4RjY6RjVDN0IzOkI0NDk1Ng== > /sdcard/Android/Data/System/local/_driver.dat
- sh -c cat /proc/sys/kernel/random/boot_id
- chmod 777 Matrix ddexe debuggerd device.db fileWork install-recovery.sh pidof root3 su supolicy toolbox wsroot.sh
- sh -c cat /sys/class/net/eth2/address
- service call iphonesubinfo 1
- sh -c cat /sdcard/Android/Data/System/local/_android.dat
- sh -c cat /sdcard/._android.dat
- date
- sh -c cat /proc/net/arp
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox wsroot.sh
- sh -c cat /proc/sys/kernel/osrelease
- chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/a8789410e9808332904ad9aaf69237cc.apk
- sh -c cat /sdcard/._driver.dat
- mkdir -p /sdcard/Android/Data/System/local/
- chmod 777 /storage/emulated/0/Android/data/####/files/Download/Android/azb/a8789410e9808332904ad9aaf69237cc.apk
- <error:2>
- chmod 777 /storage/emulated/0/Android/data/####/files/Download/Android/azb/d20b9c9d3d1e2f04037d0db0678470fe.apk
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- ls /system/fonts
- sh
- sh -c cat /sdcard/Android/Data/System/local/aio.dat
- sh -c cat /proc/uptime
- <dexopt>
Использует специальную библиотеку для скрытия исполняемого байткода.
Может автоматически отправлять СМС-сообщения.
