Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Moplus.1
Загружает из Интернета следующие детектируемые угрозы:
- Android.Moplus.1
Сетевая активность:
Подключается к:
- a####.####.com
- c####.####.com
- d####.####.com
- i####.####.com
- l####.####.com
- m####.####.com
- pi####.####.com
- pin####.####.com
Запросы HTTP GET:
- i####.####.com/data/upload/2017/0623/17/594cda97aba26.jpg
- m####.####.com/v2/cconf?appkey=####&plat=####&apppkg=####&appver=####&ne...
Запросы HTTP POST:
- a####.####.com/conf5
- a####.####.com/errconf
- c####.####.com/v2/cdata
- d####.####.com/dsign
- l####.####.com/ajax?c=####&k=####
- pi####.####.com/mstat/report/?index=####
- pin####.####.com/request
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/app_tbs/####/core_info
- <Package Folder>/app_tbs/####/tbscoreinstall.txt
- <Package Folder>/app_tbs/####/tbslock.txt
- <Package Folder>/cache/####/17afcdaa43c90b4614dd2a8cb7060aadae1c129b8a7116cbb9547ceef63f76ea.0.tmp
- <Package Folder>/cache/####/26456a7136773d70632b248b7abd3eb65a63bfd9cdaa5d1b3c520a542786cd34.0.tmp
- <Package Folder>/cache/####/4edfb71c5d17af5c5197e848227b8cbf553ae39c6de41b5af60acd9ae66cfd64.0.tmp
- <Package Folder>/cache/####/75482cc27ba8719a518b4137c289abd42f0c0bec932014f67ac746af1e671aa2.0.tmp
- <Package Folder>/cache/####/8e0a45a7a891b3def7fca67b5bbfda2e2f116362bc26e192c7cf38e85f36997a.0.tmp
- <Package Folder>/cache/####/c1cef17a2660c738ac5b973220d6e82b07b1749cdb476e98dabeb84d59dd194a.0.tmp
- <Package Folder>/cache/####/e22fa5f30f06b745601e922f1d654dc87964791eae78b6d6b445b22e295488e4.0.tmp
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/hmdb
- <Package Folder>/databases/hmdb-journal
- <Package Folder>/databases/jpush_local_notification.db
- <Package Folder>/databases/jpush_local_notification.db-journal
- <Package Folder>/databases/jpush_statistics.db
- <Package Folder>/databases/jpush_statistics.db-journal
- <Package Folder>/databases/logdb.db
- <Package Folder>/databases/logdb.db-journal
- <Package Folder>/databases/pri_tencent_analysis.db_<Package>-journal
- <Package Folder>/databases/sharesdk.db-journal
- <Package Folder>/databases/tencent_analysis.db_<Package>-journal
- <Package Folder>/databases/xUtils_http_cookie.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/.mrlock
- <Package Folder>/files/.lock
- <Package Folder>/files/.mrecord
- <Package Folder>/files/.mrecord (deleted)
- <Package Folder>/files/.statistics
- <Package Folder>/files/appPackageNames
- <Package Folder>/files/jpush_stat_cache.json
- <Package Folder>/files/jpush_stat_cache_history.json
- <Package Folder>/files/nayto_addr.db
- <Package Folder>/files/nayto_addr.db-journal
- <Package Folder>/shared_prefs/<Package>.mid.world.ro.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/COUNTLY_STORE.xml
- <Package Folder>/shared_prefs/COUNTLY_STORE.xml.bak
- <Package Folder>/shared_prefs/Cache.xml
- <Package Folder>/shared_prefs/CityLocation_List.xml
- <Package Folder>/shared_prefs/Ex_List.xml
- <Package Folder>/shared_prefs/JPushSA_Config.xml
- <Package Folder>/shared_prefs/JPushSA_Config.xml.bak
- <Package Folder>/shared_prefs/NewSlide.xml
- <Package Folder>/shared_prefs/NyatoDate.xml
- <Package Folder>/shared_prefs/NyatoLocation.xml
- <Package Folder>/shared_prefs/ShopList.xml
- <Package Folder>/shared_prefs/cn.jpush.android.user.profile.xml
- <Package Folder>/shared_prefs/cn.jpush.android.user.profile.xml.bak
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.xml
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.xml.bak
- <Package Folder>/shared_prefs/gank_device_id.xml.xml
- <Package Folder>/shared_prefs/jpush_device_info.xml
- <Package Folder>/shared_prefs/launch_city.xml
- <Package Folder>/shared_prefs/location.xml
- <Package Folder>/shared_prefs/mob_commons_1.xml
- <Package Folder>/shared_prefs/mob_commons_1.xml.bak
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml.bak
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/nyato_v3_PrefsFile.xml
- <Package Folder>/shared_prefs/openudid_prefs.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml.bak
- <Package Folder>/shared_prefs/tbs_download_config.xml
- <Package Folder>/shared_prefs/tbs_download_config.xml.bak
- <Package Folder>/shared_prefs/tbs_download_stat.xml
- <SD-Card>/Mob/####/.al
- <SD-Card>/Mob/####/.dh-journal
- <SD-Card>/Mob/####/.dhlock
- <SD-Card>/Mob/####/.dic_lock
- <SD-Card>/Mob/####/.duid
- <SD-Card>/Mob/####/.globalLock
- <SD-Card>/Mob/####/.nulal
- <SD-Card>/Mob/####/.nulplt
- <SD-Card>/Mob/####/.pkg_lock
- <SD-Card>/Mob/####/.plst
- <SD-Card>/Mob/####/.rcTag
- <SD-Card>/Mob/####/.rc_lock
- <SD-Card>/Nyato_DCIM/####/.launcher_loding.png
- <SD-Card>/amap/####/alsn.db
- <SD-Card>/amap/####/alsn.db-journal
- <SD-Card>/data/.push_deviceid
- <SD-Card>/tencent/####/.mid.txt
- <SD-Card>/tencent/####/.mid.txt1000001
- <SD-Card>/tencent/####/.mid.txt3
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- app_process /system/bin com.android.commands.pm.Pm list packages
- chmod 755 /data/data/com.nyato.client/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.product.cpu.abi
- grep -E -v root|shell|system
- pm list packages
- sh
- top -d 0 -n 1
Использует специальную библиотеку для скрытия исполняемого байткода.
