Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.170
- Android.Triada.247.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.170
- Android.Triada.247.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 6####.####.140
- a####.####.com
- ad-####.####.com
- adse####.####.com
- b####.####.com
- bosb####.####.com
- h####.####.com
- i####.####.com
Запросы HTTP GET:
- 6####.####.140/ando/i/mon?k=####&d=####
- ad-####.####.com/ad1/resource/Image/xx.jpg
- adse####.####.com/resource/image/appx_download.png
- b####.####.com/pcsuite-dev/apk/8481f6ec8975fa4036564d6baa769a95.apk
- bosb####.####.com/v1/baitong/upload/file/source/594224e3545d9.jpg?author...
- h####.####.com/wisegame/pic/item/9f039245d688d43f10fe740b7b1ed21b0ff43bf...
- i####.####.com/ando-res/ads/4/5/d73ab4a4-4c75-43a7-a3c9-5bdabd9437c8/d26...
Запросы HTTP POST:
- a####.####.com/ad-service/ad/mark
- a####.####.com/api.ashx
- a####.####.com/app_logs
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/code-4462476/####/BXfDoTp0H9s=.jar
- <Package Folder>/code-4462476/FJr2yvpsdqVLQaVJ
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/i6SbZP2nznXh6rWVEXXMEX7zcw_nKqnm_JBY570hPAdilWvWRzgARYn_NoOc=
- <Package Folder>/databases/i6SbZP2nznXh6rWVEXXMEX7zcw_nKqnm_JBY570hPAdilWvWRzgARYn_NoOc=-journal
- <Package Folder>/databases/i6SbZP2nznXh6rWVEXXMEX7zcw_nKqnm_eBWcELImoZxzDgwF
- <Package Folder>/databases/i6SbZP2nznXh6rWVEXXMEX7zcw_nKqnm_eBWcELImoZxzDgwF-journal
- <Package Folder>/databases/i6SbZP2nznXh6rWVEXXMEX7zcw_nKqnm_na8te4NrbGbSo8ukOUJYEg==
- <Package Folder>/databases/i6SbZP2nznXh6rWVEXXMEX7zcw_nKqnm_na8te4NrbGbSo8ukOUJYEg==-journal
- <Package Folder>/databases/i6SbZP2nznXh6rWVEXXMEX7zcw_nKqnm_xZshcDJ0MiJU2YUoxvo3AQ==
- <Package Folder>/databases/i6SbZP2nznXh6rWVEXXMEX7zcw_nKqnm_xZshcDJ0MiJU2YUoxvo3AQ==-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/08765c57-77ab-4f17-9471-ee42ee24c2f9.res.temp
- <Package Folder>/files/####/093ce54b-8318-4adf-ba15-4e699ed1625a.res.temp
- <Package Folder>/files/####/1095f7e4-9a60-415d-8219-f2cddb047fda.res.temp
- <Package Folder>/files/####/1b68c26d-2abd-438f-8b71-76f1062b5b59.res.temp
- <Package Folder>/files/####/304c0d21-cf91-4754-9e55-66d39158e9cd.res
- <Package Folder>/files/####/3Zrcw3DzJM1e_RGZVgzxUvEHWMJP_i5s.new
- <Package Folder>/files/####/5R30lJnEbDog9AknQyg75WVPhYkpjZ2h0jHeZQ==.new
- <Package Folder>/files/####/5f0f644e-0746-456a-b978-2c94608c9010.res.temp
- <Package Folder>/files/####/6c10682f-8792-48ef-8f01-496c5ed1292c.res.temp
- <Package Folder>/files/####/6grs_ULjSbciCx52iMTrRL6bJ9EXla6_.new
- <Package Folder>/files/####/7119ba5a-439e-44c9-935a-3619e46dbad4.res.temp
- <Package Folder>/files/####/79173bca-5f6b-49db-a816-02303aca44fa.res.temp
- <Package Folder>/files/####/Lb-DH78s6tUU4wLcILllodoTEs4=.new
- <Package Folder>/files/####/Q9KrDGrhC6lx71SuleWcTKGLYZHeNz9PeSLCDQ==.new
- <Package Folder>/files/####/S2liZNO_c1gryyCmZsUBEA==
- <Package Folder>/files/####/SD5oyfo6AncqN_YtKUt_dyfbS5M=.new
- <Package Folder>/files/####/STbv122KxELjdjBqhfdrbNZDoMXsezlM.new
- <Package Folder>/files/####/ViLLqp5zrV1J_Mvf2xQ5xA==
- <Package Folder>/files/####/ViLLqp5zrV1J_Mvf2xQ5xA==.new
- <Package Folder>/files/####/ViLLqp5zrV1J_Mvf2xQ5xA==.old (deleted)
- <Package Folder>/files/####/X-v5V-oJ79HMoJCHL9DhxRaVCeA=
- <Package Folder>/files/####/X-v5V-oJ79HMoJCHL9DhxRaVCeA=.new
- <Package Folder>/files/####/X-v5V-oJ79HMoJCHL9DhxRaVCeA=.old (deleted)
- <Package Folder>/files/####/a1O4KgmYkVqRRMzJVlkkCtTRedykU2B9nFHEOQ==.new
- <Package Folder>/files/####/b8946848-da2c-4073-b28e-8822038f0b38.res.temp
- <Package Folder>/files/####/bbgYCf2fC__q-9kZ6306xA==
- <Package Folder>/files/####/bbgYCf2fC__q-9kZ6306xA==.new
- <Package Folder>/files/####/c2c33bbb-43a6-4429-87f4-d8ce3c569968.res.temp
- <Package Folder>/files/####/cfTyeE4sbYJqb_LULxPw0gOXM_mLsWpqEg9TIrUmg2g=.new
- <Package Folder>/files/####/d18f7309-b9c5-4216-b2a5-16b3e6efff6e.res.temp
- <Package Folder>/files/####/data.dat.tmp
- <Package Folder>/files/####/db7979e5-836e-458b-96b6-369554acf068.res
- <Package Folder>/files/####/e4f1696d-bedd-4dfd-baf9-280d1351a3a4.res.temp
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/hu8OlRD-NvReGGQPr5XJ7s5CGeyzQy49.new
- <Package Folder>/files/####/jy5xFzfe2S3eW6ceBOmYIcKPuaQ=.new
- <Package Folder>/files/####/kBffSP6D-gg8Qzoh36riXg==
- <Package Folder>/files/####/kBffSP6D-gg8Qzoh36riXg==.new
- <Package Folder>/files/####/kiRPraWeyI_rTikUlGszoSngtuN0cYjz.new
- <Package Folder>/files/####/lI7Ox_ICKGXFhCj9-vXaWNJtD8xSVvy5.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/suLS0w712Alz_jfFMETDjQ==.new
- <Package Folder>/files/####/t2eqX3z8gvXZNId7Uo2umAHkvjPtX-v-eXJntg==.new
- <Package Folder>/files/####/tkzdvq_f.zip
- <Package Folder>/files/####/u6X0jGoauf1uG8rr.zip
- <Package Folder>/files/####/v57eMlEzC197OUZY
- <Package Folder>/files/####/wCd4f7-HJcvluqWbahmQwGHuZzI=
- <Package Folder>/files/####/yPMQNR7gZINBjzObhnOLrg7Kchw=
- <Package Folder>/files/####/yTeD0bwrudcqqpZDytAsQ4UTCqi56UyWwdo6G-q_7OQ=.new
- <Package Folder>/files/####/yoGyvJqVMBZxAyW5.new
- <Package Folder>/files/####/z3SkrIAwhrSfr5fS2Uyf5vJwvtOUC4BEOpW05ZhaWvw=.new
- <Package Folder>/files/####/zsYxRPwhXoErMitUL4i1q9__F2Ih2NqP.new
- <Package Folder>/files/.imprint
- <Package Folder>/files/exid.dat
- <Package Folder>/files/rdata_comcdbapp.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.armsd/####/1e322b5b-3f6b-4e71-b4de-0185162985f9.res
- <SD-Card>/.armsd/####/3531f518-cc44-4403-9401-51e31edc2176.res
- <SD-Card>/.armsd/####/3646b2b3-bb59-4ec7-a26b-696c9ea3ea61.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/5f29da8b-48ac-411a-ba15-f22354ab2c35.res
- <SD-Card>/.armsd/####/6af7abfb-c82a-4285-b74a-c92f5360605c.res
- <SD-Card>/.armsd/####/77a72d44-ccd1-4b3c-8120-46d00b9dc21f.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/Android/####/0640ab5325d864959dd9c8e64d31adc9.png
- <SD-Card>/Android/####/16311cc1dbf95f8e2ef24f42cd97d34d.png
- <SD-Card>/Android/####/67cbf5ce6295d082f8238107885c072a.png
- <SD-Card>/Android/####/Appwallf4deb095f44865d7d201e9fb2aafd316.jpg
- <SD-Card>/Android/####/Banner8a40680ae3a87c9f4d120f68377c90a2.jpg?authorization=bce-auth-v1%2F664bbf983f0140fc83e6b0f25ea8dcd9%2F2017-06-15T06%3A10%3A43Z%2F1800%2F%2F99e7642ddc37a68a7b8fbd404f2682a061f1740e4dfe9a741b1fd1cf41077ca3
- <SD-Card>/Android/####/Intersti754abc658cb9c86d31cefd49a960201b.jpg
- <SD-Card>/ImageCache/CloseIcon.png
- <SD-Card>/ImageCache/CornerIcon.png
- <SD-Card>/ImageCache/DownloadIcon.png
- <SD-Card>/ImageCache/ResourceVersion
- <SD-Card>/appX.DownloadApp.hiyo/com.baidu.appsearch.apk
- <SD-Card>/baidu/.cuid
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.cdjssq.app/code-4462476/FJr2yvpsdqVLQaVJ -p com.cdjssq.app -c com.cdb.app.vvncva.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- chmod 755 /data/data/com.cdjssq.app/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- sh <Package Folder>/code-4462476/FJr2yvpsdqVLQaVJ -p <Package> -c com.cdb.app.vvncva.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует специальную библиотеку для скрытия исполняемого байткода.
