Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.20
Загружает из Интернета следующие детектируемые угрозы:
- Android.Xiny.20
Сетевая активность:
Подключается к:
- a####.####.com
- a####.####.com:8011
- and####.####.com
- d####.####.cn
- solo-la####.com
- solo-m####.####.com
- y####.####.cn
Запросы HTTP GET:
- a####.####.com/mediation/config?publisher_id=####&slot_id=####&app_id=##...
- a####.####.com/v0/upgrade/group?package_name=####
- d####.####.cn/jarFile/SDKAutoUpdate/wet4.jar
- solo-la####.com/v1/diylocker/wallpaper/images?page=####&size=####&device...
- solo-m####.####.com/group1/M00/00/4B/LThZZFeMgJmAcl3sAAEHifg9v8w826.jpg
Запросы HTTP POST:
- a####.####.com/ad-service/ad/mark
- a####.####.com/rqd/async
- a####.####.com:8011/rqd/async
- and####.####.com/rqd/async
- y####.####.cn/k1?requestId=####&g=####&ua=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/background.png
- <Package Folder>/cache/####/-16002993231412413147
- <Package Folder>/cache/####/-1600351218833940118
- <Package Folder>/cache/####/-1643221498500296472
- <Package Folder>/cache/####/-1979922665357602805
- <Package Folder>/cache/####/-3055057354813571
- <Package Folder>/cache/####/0facb6f40c39a80faa7c0061e05d922e91ad9fb6f59ae4b689ee7cb0cf623257.0.tmp
- <Package Folder>/cache/####/1b09bc03a77e88c32c4e9e86bdfd540982d0a1fc754ab5e9fd78557d9272551b.0.tmp
- <Package Folder>/cache/####/3b44d9fc6a9c4d97feb32b3f21ae15773b4767ce64a64121cce818b9a58dcfc5.0.tmp
- <Package Folder>/cache/####/42f6276977d37958196b7d0023dc96b72810107800a9679d9e157e7f7da4da68.0.tmp
- <Package Folder>/cache/####/472b74f54c867598c19542a9bbddf1a08a338bb2e0eacd79d7b623b5f0e626c3.0.tmp
- <Package Folder>/cache/####/53e3aad64834c5dce9f1f33548a7a5da60bb27a5f414626b29cb103e79e73ee1.0.tmp
- <Package Folder>/cache/####/868d73d4e1f3b877da0bd89dfba783477fddad55ad6b6e5e91cb62bb96951b53.0.tmp
- <Package Folder>/cache/####/964077355605835716
- <Package Folder>/cache/####/977ac2eebd8b1995ae7683472c254bedcded0554d86a335b6095f7e461b489f6.0.tmp
- <Package Folder>/cache/####/a92d682efbccd8bfe0451d1d50dc00932b4c5ab7da1d8b3c90b2568e9a0f915a.0.tmp
- <Package Folder>/cache/####/c27136ef56476e73a2a5e9645de39594996eee9b2a08517d769da34954e4cf6a.0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/e2740f4b725fa86a79f5068888ce36df05508d67d0975214dc64e81364dd3eff.0.tmp
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/bugly_db_-journal
- <Package Folder>/databases/cover.db-journal
- <Package Folder>/databases/downloadswc
- <Package Folder>/databases/downloadswc-journal
- <Package Folder>/databases/lockerscreen.db
- <Package Folder>/databases/lockerscreen.db-journal
- <Package Folder>/databases/main_screen_style.db-journal
- <Package Folder>/databases/music.db-journal
- <Package Folder>/databases/notification.db-journal
- <Package Folder>/databases/timer.db
- <Package Folder>/databases/timer.db-journal
- <Package Folder>/databases/vungle-journal
- <Package Folder>/databases/weather.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/local_crash_lock (deleted)
- <Package Folder>/files/mobclick_agent_cached_<Package>41
- <Package Folder>/files/security_info
- <Package Folder>/ptinnormal.png
- <Package Folder>/ptinpressed.png
- <Package Folder>/ptnormal.png
- <Package Folder>/ptpressed.png
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/ACTIVATE_SERVICE.xml
- <Package Folder>/shared_prefs/BasedSharedPref.xml
- <Package Folder>/shared_prefs/BasedSharedPref.xml.bak
- <Package Folder>/shared_prefs/BatterySharedPref.xml
- <Package Folder>/shared_prefs/EnvSharedPref.xml
- <Package Folder>/shared_prefs/EnvSharedPref.xml.bak
- <Package Folder>/shared_prefs/FBAdPrefs.xml
- <Package Folder>/shared_prefs/SDKIDFA.xml
- <Package Folder>/shared_prefs/W_Key.xml
- <Package Folder>/shared_prefs/a.xml
- <Package Folder>/shared_prefs/a.xml.bak
- <Package Folder>/shared_prefs/appsflyer-data.xml
- <Package Folder>/shared_prefs/appsflyer-data.xml.bak
- <Package Folder>/shared_prefs/com.diylocker.lock_preferences.xml
- <Package Folder>/shared_prefs/com.diylocker.lock_preferences.xml.bak
- <Package Folder>/shared_prefs/com.facebook.ads.FEATURE_CONFIG.xml
- <Package Folder>/shared_prefs/com.pingstart.adsdk.preference.xml
- <Package Folder>/shared_prefs/com.pingstart.adsdk.preference.xml.bak
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/st.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/wallpaper.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Download/####/4.8_wet4.jar.tmp
- <SD-Card>/dt/restime.dat
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop androVM.vbox_dpi
- /system/bin/sh -c getprop gsm.sim.state
- /system/bin/sh -c getprop gsm.sim.state2
- /system/bin/sh -c getprop qemu.sf.fake_camera
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.debuggable
- /system/bin/sh -c getprop ro.genymotion.version
- /system/bin/sh -c getprop ro.secure
- /system/bin/sh -c type su
- <dexopt>
- chmod 755 /data/data/com.diylocker.lockxm/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop androVM.vbox_dpi
- getprop gsm.sim.state
- getprop gsm.sim.state2
- getprop qemu.sf.fake_camera
- getprop ro.board.platform
- getprop ro.debuggable
- getprop ro.genymotion.version
- getprop ro.secure
Использует специальную библиотеку для скрытия исполняемого байткода.
