Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Moplus.1
Загружает из Интернета следующие детектируемые угрозы:
- Android.Moplus.1
Сетевая активность:
Подключается к:
- a####.####.com
- c####.####.com
- d####.####.com
- i####.####.com
- m####.####.com
Запросы HTTP GET:
- i####.####.com/data/upload/2017/0615/18/59426269bb2d4.jpg
- m####.####.com/v2/cconf?appkey=####&plat=####&apppkg=####&appver=####&ne...
Запросы HTTP POST:
- a####.####.com/conn
- a####.####.com/errconf
- c####.####.com/v2/cdata
- d####.####.com/dinfo
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/cache/####/00c64e24944051e7bedf85bfc007aee0cfb3e73020f557ba4cffbafba65287fb.0.tmp
- <Package Folder>/cache/####/1d3dc258a146ffc05894c6bf7ff7c989d250faf07333a00902266182fa0c5ad7.0.tmp
- <Package Folder>/cache/####/3d4e632379d05df9933301d134e08fa7dbde25ae2ec0d88bf9dd964b0f37b47e.0.tmp
- <Package Folder>/cache/####/419551a1aec29e24cb1f55073fe010f7c5335c1ff9775901d46e10bdc7c7a68d.0.tmp
- <Package Folder>/cache/####/48a2d6e18ec293fb0cef1f57ce9012d975260586790798da9a994195879bf41e.0.tmp
- <Package Folder>/cache/####/67688aecc10fcb96cab2bacdd14e4bc3faffba3f10fb01540bbecc5690fa8997.0.tmp
- <Package Folder>/cache/####/6aac10e4480e4ef1e05f2ed1933fef0eed49f1fd28ee8fdbfc1639e8ce023d46.0.tmp
- <Package Folder>/cache/####/85be789032208a13a4deb8f24cba64fd95fa2a66e755adad17d5f3a5632d07bd.0.tmp
- <Package Folder>/cache/####/abb4fee506bee16812e824ce3b6eefb09d8fdf5a9d8dd489875105e941873434.0.tmp
- <Package Folder>/cache/####/ae1691f3efff83953d39b1f9e56094b38e6649dfab3d01d397d411ebb7fc99f3.0.tmp
- <Package Folder>/cache/####/cbd9b585c5ff265cd92d85a98fe662c60aa5d0b490124bb897824d50d9e2cf36.0.tmp
- <Package Folder>/cache/####/dba62212f26fbffaaf511a45a0c0ebd2db4d73066e9b7cea26fc6875ff946690.0.tmp
- <Package Folder>/cache/####/e45b3c6d1e401c6091907267309d216e51d06b150a972c93fa6a403e05425448.0.tmp
- <Package Folder>/cache/####/ffa6a460b12f0f8c24519ac0fe8b92e44d4b60edab1d0ca6cedb2b4692915905.0.tmp
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/hmdb
- <Package Folder>/databases/hmdb-journal
- <Package Folder>/databases/jpush_local_notification.db
- <Package Folder>/databases/jpush_local_notification.db-journal
- <Package Folder>/databases/jpush_statistics.db
- <Package Folder>/databases/jpush_statistics.db-journal
- <Package Folder>/databases/logdb.db
- <Package Folder>/databases/logdb.db-journal
- <Package Folder>/databases/sharesdk.db-journal
- <Package Folder>/databases/xUtils_http_cookie.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/.mrlock
- <Package Folder>/files/.lock
- <Package Folder>/files/.mrecord
- <Package Folder>/files/.mrecord (deleted)
- <Package Folder>/files/.statistics
- <Package Folder>/files/appPackageNames
- <Package Folder>/files/jpush_stat_cache.json
- <Package Folder>/files/jpush_stat_cache_history.json
- <Package Folder>/files/nayto_addr.db
- <Package Folder>/files/nayto_addr.db-journal
- <Package Folder>/shared_prefs/COUNTLY_STORE.xml
- <Package Folder>/shared_prefs/COUNTLY_STORE.xml.bak
- <Package Folder>/shared_prefs/Cache.xml
- <Package Folder>/shared_prefs/CityLocation_List.xml
- <Package Folder>/shared_prefs/Ex_List.xml
- <Package Folder>/shared_prefs/JPushSA_Config.xml
- <Package Folder>/shared_prefs/JPushSA_Config.xml.bak
- <Package Folder>/shared_prefs/NewSlide.xml
- <Package Folder>/shared_prefs/NyatoDate.xml
- <Package Folder>/shared_prefs/NyatoLocation.xml
- <Package Folder>/shared_prefs/ShopList.xml
- <Package Folder>/shared_prefs/cn.jpush.android.user.profile.xml
- <Package Folder>/shared_prefs/cn.jpush.android.user.profile.xml.bak
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.xml
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.xml.bak
- <Package Folder>/shared_prefs/gank_device_id.xml.xml
- <Package Folder>/shared_prefs/jpush_device_info.xml
- <Package Folder>/shared_prefs/launch_city.xml
- <Package Folder>/shared_prefs/location.xml
- <Package Folder>/shared_prefs/mob_commons_1.xml
- <Package Folder>/shared_prefs/mob_commons_1.xml.bak
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml.bak
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/nyato_v3_PrefsFile.xml
- <Package Folder>/shared_prefs/openudid_prefs.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml.bak
- <SD-Card>/Mob/####/.al
- <SD-Card>/Mob/####/.dh-journal
- <SD-Card>/Mob/####/.dhlock
- <SD-Card>/Mob/####/.dic_lock
- <SD-Card>/Mob/####/.duid
- <SD-Card>/Mob/####/.globalLock
- <SD-Card>/Mob/####/.nulal
- <SD-Card>/Mob/####/.nulplt
- <SD-Card>/Mob/####/.pkg_lock
- <SD-Card>/Mob/####/.plst
- <SD-Card>/Mob/####/.rcTag
- <SD-Card>/Mob/####/.rc_lock
- <SD-Card>/Mob/.dk
- <SD-Card>/amap/####/alsn.db
- <SD-Card>/amap/####/alsn.db-journal
- <SD-Card>/data/.push_deviceid
Другие:
Запускает следующие shell-скрипты:
- app_process /system/bin com.android.commands.pm.Pm list packages
- chmod 755 /data/data/com.nyato.client/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- grep -E -v root|shell|system
- pm list packages
- sh
- top -d 0 -n 1
Использует специальную библиотеку для скрытия исполняемого байткода.
