Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.127.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Spy.127.origin
Сетевая активность:
Подключается к:
- a####.####.com
- and####.####.com
- api####.####.com
- cld####.####.com
- d####.####.com
- g####.####.com
- i####.####.com
- m####.####.com
- s####.####.cn
- s####.####.com
- t####.####.com
- v####.####.com
- w####.####.com
Запросы HTTP GET:
- a####.####.com/getUserCreditDoublePolicy?appid=####&from=####&format=###...
- a####.####.com/ipservice/servicejump.html
- and####.####.com/detail.api?auth=####&canal=####&userLevel=####&ppi=####...
- cld####.####.com/cms/84/12/5cab394297add72d679832efb8d431c8.jpg
- d####.####.com/ikandelivery/webafp?ap=####&ct=####&callback=####
- g####.####.com/stat/1.html?aid=####
- i####.####.com/1.html?sdPg0uX####
- m####.####.com/cms/30/50/236c111783259bc15342b4fcbe840c45.png
- s####.####.cn/cms/24/85/b14cfafb56db03620a0ccd95052d10e8.jpg
- s####.####.com/cms/32/09/4ace621f5d636f730acb90e57f9e71eb.png
- t####.####.com/lpic/37e/4e8/528/6575c241b948b1ce51af89a82a1ae04b.png
- v####.####.com/sp/a9/63/a9635a08610e3d11392da657f84d5232/1494530774967.jpg
- w####.####.com/public/ppi?appid=####&appplt=####&cc=####&appver=####&dev...
Запросы HTTP POST:
- a####.####.com/app_logs
- api####.####.com/v3/log/init
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/index
- <Package Folder>/cache/applog.log
- <Package Folder>/databases/_ire-journal
- <Package Folder>/databases/pptv.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/pp_push_msg.db-journal
- <Package Folder>/files/####/ppmessager.keystore
- <Package Folder>/files/.imprint
- <Package Folder>/files/exitadinfo
- <Package Folder>/files/globalConfig.txt
- <Package Folder>/files/libjiagu.so
- <Package Folder>/files/mobclick_agent_cached_<Package>999999999
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/MATSharedPreferences.xml
- <Package Folder>/shared_prefs/USER_BILLING.xml
- <Package Folder>/shared_prefs/cn.com.mma.mobile.tracking.other.xml
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/config.xml.bak
- <Package Folder>/shared_prefs/download.xml
- <Package Folder>/shared_prefs/last_know_location.xml
- <Package Folder>/shared_prefs/live_tabs.xml
- <Package Folder>/shared_prefs/pptv.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/unicom.xml
- <Package Folder>/shared_prefs/view_from.xml
- <Package Folder>/shared_prefs/webp.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/PPTV/####/-1004717201
- <SD-Card>/PPTV/####/-1120058866.tmp
- <SD-Card>/PPTV/####/-1178884842.tmp
- <SD-Card>/PPTV/####/-1275013324.tmp
- <SD-Card>/PPTV/####/-1281826761.tmp
- <SD-Card>/PPTV/####/-136849812.tmp
- <SD-Card>/PPTV/####/-1372088531.tmp
- <SD-Card>/PPTV/####/-1398316419.tmp
- <SD-Card>/PPTV/####/-1435749805.tmp
- <SD-Card>/PPTV/####/-1441862793.tmp
- <SD-Card>/PPTV/####/-1454352229.tmp
- <SD-Card>/PPTV/####/-1473836282.tmp
- <SD-Card>/PPTV/####/-1489593853.tmp
- <SD-Card>/PPTV/####/-1592166415.tmp
- <SD-Card>/PPTV/####/-1596386748
- <SD-Card>/PPTV/####/-1624000149
- <SD-Card>/PPTV/####/-1690311701
- <SD-Card>/PPTV/####/-1693854143.tmp
- <SD-Card>/PPTV/####/-1765491290.tmp
- <SD-Card>/PPTV/####/-1787535959.tmp
- <SD-Card>/PPTV/####/-1818098334.tmp
- <SD-Card>/PPTV/####/-1824633993
- <SD-Card>/PPTV/####/-1826859781.tmp
- <SD-Card>/PPTV/####/-183137770.tmp
- <SD-Card>/PPTV/####/-1842897749.tmp
- <SD-Card>/PPTV/####/-1871011426.tmp
- <SD-Card>/PPTV/####/-1899961788.tmp
- <SD-Card>/PPTV/####/-1917343619
- <SD-Card>/PPTV/####/-1920326167.tmp
- <SD-Card>/PPTV/####/-1922020671.tmp
- <SD-Card>/PPTV/####/-1926353407.tmp
- <SD-Card>/PPTV/####/-1932150983
- <SD-Card>/PPTV/####/-1971437136
- <SD-Card>/PPTV/####/-1974614861.tmp
- <SD-Card>/PPTV/####/-1978382443
- <SD-Card>/PPTV/####/-1983045393.tmp
- <SD-Card>/PPTV/####/-1992238347
- <SD-Card>/PPTV/####/-2052090517.tmp
- <SD-Card>/PPTV/####/-234511999.tmp
- <SD-Card>/PPTV/####/-235583167.tmp
- <SD-Card>/PPTV/####/-249062174.tmp
- <SD-Card>/PPTV/####/-300356894.tmp
- <SD-Card>/PPTV/####/-311146098.tmp
- <SD-Card>/PPTV/####/-349108950.tmp
- <SD-Card>/PPTV/####/-350872418.tmp
- <SD-Card>/PPTV/####/-352524496.tmp
- <SD-Card>/PPTV/####/-416008135.tmp
- <SD-Card>/PPTV/####/-465549933.tmp
- <SD-Card>/PPTV/####/-50650037.tmp
- <SD-Card>/PPTV/####/-562143734.tmp
- <SD-Card>/PPTV/####/-576772910.tmp
- <SD-Card>/PPTV/####/-587140642.tmp
- <SD-Card>/PPTV/####/-605536553
- <SD-Card>/PPTV/####/-613110399.tmp
- <SD-Card>/PPTV/####/-61578655.tmp
- <SD-Card>/PPTV/####/-645134678.tmp
- <SD-Card>/PPTV/####/-736216026.tmp
- <SD-Card>/PPTV/####/-763530820.tmp
- <SD-Card>/PPTV/####/-800989811.tmp
- <SD-Card>/PPTV/####/-820046485.tmp
- <SD-Card>/PPTV/####/-833164047.tmp
- <SD-Card>/PPTV/####/-869910877.tmp
- <SD-Card>/PPTV/####/-874057658.tmp
- <SD-Card>/PPTV/####/-890902321.tmp
- <SD-Card>/PPTV/####/-909848686.tmp
- <SD-Card>/PPTV/####/-933798553.tmp
- <SD-Card>/PPTV/####/-956204772
- <SD-Card>/PPTV/####/-973936252.tmp
- <SD-Card>/PPTV/####/-983108044.tmp
- <SD-Card>/PPTV/####/-988953626.tmp
- <SD-Card>/PPTV/####/-992663990
- <SD-Card>/PPTV/####/1029061115.tmp
- <SD-Card>/PPTV/####/1108688676.tmp
- <SD-Card>/PPTV/####/1115150200
- <SD-Card>/PPTV/####/1119293528.tmp
- <SD-Card>/PPTV/####/1122221299.tmp
- <SD-Card>/PPTV/####/1168891234.tmp
- <SD-Card>/PPTV/####/1192348679.tmp
- <SD-Card>/PPTV/####/1267434246.tmp
- <SD-Card>/PPTV/####/1319257435.tmp
- <SD-Card>/PPTV/####/1410683537.tmp
- <SD-Card>/PPTV/####/1425710760.tmp
- <SD-Card>/PPTV/####/1433488136.tmp
- <SD-Card>/PPTV/####/1485984463.tmp
- <SD-Card>/PPTV/####/1547050581.tmp
- <SD-Card>/PPTV/####/1553521954.tmp
- <SD-Card>/PPTV/####/1563011890.tmp
- <SD-Card>/PPTV/####/1695345899
- <SD-Card>/PPTV/####/1749775815
- <SD-Card>/PPTV/####/1803209624.tmp
- <SD-Card>/PPTV/####/183987124.tmp
- <SD-Card>/PPTV/####/188453965.tmp
- <SD-Card>/PPTV/####/1935745259.tmp
- <SD-Card>/PPTV/####/1944484548
- <SD-Card>/PPTV/####/1976674336.tmp
- <SD-Card>/PPTV/####/2019473557.tmp
- <SD-Card>/PPTV/####/2080752313.tmp
- <SD-Card>/PPTV/####/2118990168.tmp
- <SD-Card>/PPTV/####/217739432.tmp
- <SD-Card>/PPTV/####/242644036.tmp
- <SD-Card>/PPTV/####/319605022.tmp
- <SD-Card>/PPTV/####/334704765.tmp
- <SD-Card>/PPTV/####/339838472
- <SD-Card>/PPTV/####/372244365.tmp
- <SD-Card>/PPTV/####/413181823.tmp
- <SD-Card>/PPTV/####/413416157.tmp
- <SD-Card>/PPTV/####/460567684.tmp
- <SD-Card>/PPTV/####/499154242.tmp
- <SD-Card>/PPTV/####/503740691
- <SD-Card>/PPTV/####/52136612.tmp
- <SD-Card>/PPTV/####/531961819.tmp
- <SD-Card>/PPTV/####/575023270.tmp
- <SD-Card>/PPTV/####/60694257.tmp
- <SD-Card>/PPTV/####/624572191.tmp
- <SD-Card>/PPTV/####/649390013.tmp
- <SD-Card>/PPTV/####/691890035
- <SD-Card>/PPTV/####/691890042
- <SD-Card>/PPTV/####/691890043
- <SD-Card>/PPTV/####/691890103
- <SD-Card>/PPTV/####/707065983.tmp
- <SD-Card>/PPTV/####/745008083.tmp
- <SD-Card>/PPTV/####/889862171.tmp
- <SD-Card>/PPTV/####/971054146.tmp
- <SD-Card>/PPTV/####/_livetab1
- <SD-Card>/PPTV/####/_livetab21
- <SD-Card>/PPTV/####/_livetab28
- <SD-Card>/PPTV/####/_livetab29
- <SD-Card>/PPTV/####/_livetab47
- <SD-Card>/PPTV/####/_livetabtab
Другие:
Запускает следующие shell-скрипты:
- chmod 755 /data/data/com.pplive.androidphone/files/libjiagu.so
- chmod 755 <Package Folder>/files/libjiagu.so
Использует специальную библиотеку для скрытия исполняемого байткода.
