Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.170
- Android.Triada.247.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.170
- Android.Triada.247.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 1####.####.117
- 2####.####.233:8080
- 6####.####.140
- a####.####.cn
- a####.####.cn:8083
- and####.####.com
- d####.####.com:8083
- m####.####.cn
- ope####.####.cn
- p####.####.cn
- p####.####.com
- rela####.####.cn
- s####.####.cn
- sh####.####.com
Запросы HTTP GET:
- 1####.####.117/d?dn=####&id=####&ttl=####
- and####.####.com/group/?method=####&n=####
- m####.####.cn/?product=####&version=####
- ope####.####.cn/index/upgrade?package=####&version=####&apk_version=####...
- p####.####.com/t0178c548e210e9c425.png
- p####.####.com/t01dc8b1ab9f20fe42a.jpg
- rela####.####.cn/11/complex/packages?appid=####&nonce=####&rkey=####&sig...
- rela####.####.cn/9/user/silent?qid=####&m1=####&m2=####&channel=####&app...
- s####.####.cn/ak/02522a2b2726fb0a03bb19f2d8d9524d.html?m2=####
- sh####.####.com/160422/7bcec7e7c45683a01b4ffc5c68c66f94/libpatch1.so
Запросы HTTP POST:
- 2####.####.233:8080/
- 6####.####.140/ando/x/lis?app_id=####&r=####
- a####.####.cn/WebService.asmx/UpdateDeviceTokenId
- a####.####.cn:8083/WebService.asmx/RegisterUser
- d####.####.com:8083/
- p####.####.cn/pstat/plog.php
- p####.####.cn/sendstat
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/cache/####/libpatch.so
- <Package Folder>/cache/####/libpatch1.so
- <Package Folder>/cache/70890d586cf404ce7770233a2beaf507_pic
- <Package Folder>/code-1951262/####/kdMna7yo5as=.jar
- <Package Folder>/code-1951262/Jwrhu_eyzPUdb3Kh
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_YFQVk7nG4vAt3zVmkLUN6A==
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_YFQVk7nG4vAt3zVmkLUN6A==-journal
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_ZQDcY5JIYsZRLpdIICgfexj7wyE=
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_ZQDcY5JIYsZRLpdIICgfexj7wyE=-journal
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_a__kEDUMA4xUi6Fq4HcN8w==
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_a__kEDUMA4xUi6Fq4HcN8w==-journal
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_gCS52oDxkiWqEerM
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_gCS52oDxkiWqEerM-journal
- <Package Folder>/databases/xg_message.db
- <Package Folder>/databases/xg_message.db-journal
- <Package Folder>/files/####/-sVsau6N1rR77NY0m09ZRXg8cZn_9KXq.new
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/0x4-3B3wiDU7XkX2GaXB66hn5hNQA5nl.new
- <Package Folder>/files/####/14AnqlxsohlEb8Up8cZQY1uRaF_xa8z2.new
- <Package Folder>/files/####/1v3u2qHG_fGOmo9s.zip
- <Package Folder>/files/####/CIVIIuxAbP-cPk6hvoTiAA==.new
- <Package Folder>/files/####/D1VSLLEJiaIhzvmds-Huvan6vt24kbqe
- <Package Folder>/files/####/D1VSLLEJiaIhzvmds-Huvan6vt24kbqe.new
- <Package Folder>/files/####/D1VSLLEJiaIhzvmds-Huvan6vt24kbqe.old (deleted)
- <Package Folder>/files/####/Gkh7cLGwpVF1IFyQLRsFWYxBWpg=
- <Package Folder>/files/####/HHYxFzk3mcZUNIdp-TOceSyyEd2Lx7OSyvdHhg==.new
- <Package Folder>/files/####/MGn9cmTdMF57wxVNX5AcXVQ7vdvR5ZSs-nUtXg==.new
- <Package Folder>/files/####/MHuzg1r1h295z9RGLSD1rg==
- <Package Folder>/files/####/MHuzg1r1h295z9RGLSD1rg==.new
- <Package Folder>/files/####/NSXH6rPj-zg8gFYuZ4YXB-CNSor3YQPV3a-vmQ==.new
- <Package Folder>/files/####/NbkNI5aolqZuXzmWgz2iMA==.new
- <Package Folder>/files/####/OV2mb_SitE6KpUEmuki8rw==
- <Package Folder>/files/####/QvDMF6PfYy6HDi4swnwJ4Q==
- <Package Folder>/files/####/QvDMF6PfYy6HDi4swnwJ4Q==.new
- <Package Folder>/files/####/QvDMF6PfYy6HDi4swnwJ4Q==.old (deleted)
- <Package Folder>/files/####/UVaz4-gFaZJ3MBgIfC4dnSkz0d8=.new
- <Package Folder>/files/####/Y29tLnh6dXNvbi5nYW1lLmNoZXNz.tick.lock
- <Package Folder>/files/####/Yy30KA9EG-nkWAR-R_PbKuVqOdT8r-jm.new
- <Package Folder>/files/####/_mU9xCqOiT6hWRBuptMkix12xGiF5EUHH10XrtjfC2g=.new
- <Package Folder>/files/####/aEAJRiinpf7eNEjEuJyVbluKHik=
- <Package Folder>/files/####/aEAJRiinpf7eNEjEuJyVbluKHik=.new
- <Package Folder>/files/####/cCJybplGAbI-r4ohWM5lpBZHIxQ=
- <Package Folder>/files/####/cCJybplGAbI-r4ohWM5lpBZHIxQ=.new
- <Package Folder>/files/####/cCJybplGAbI-r4ohWM5lpBZHIxQ=.old (deleted)
- <Package Folder>/files/####/data.dat.tmp
- <Package Folder>/files/####/dgIYAe6jeAFUozFgoHJa291pLjATL1OafirA9xgy1gA=.new
- <Package Folder>/files/####/fOnoKwo-wwemMpZ7YhplM0FspjEtuKHz.new
- <Package Folder>/files/####/hHlCRmx76ZP2RnUGZpZqZjwdBhc=.new
- <Package Folder>/files/####/nFGvKoKGOW485DYvW9UTuvOvrncv7TVj.new
- <Package Folder>/files/####/ojWVL0j0meP9AL79g6QA8SeDEYE=
- <Package Folder>/files/####/pVmD41fxyy88rQB7
- <Package Folder>/files/####/qldgXcbN-txvMLu4.new
- <Package Folder>/files/####/runner_info.prop
- <Package Folder>/files/####/tbepua_f.zip
- <Package Folder>/files/####/wDXLxR0Kjs1fPcElImwXnh647Vs6W9eF67hnPw==.new
- <Package Folder>/files/####/wNPe-1PHlLNkAIHbbncJAHWL3_bnkZc39fFUAmFvphk=.new
- <Package Folder>/files/account_yTxwhiWgusaW8kNZYPlMWh8VoqA4GnL9_8d61ce1535a9f822d68f206e1a6b2518
- <Package Folder>/files/frameso
- <Package Folder>/files/qhpush_game_stat_log.json
- <Package Folder>/files/qihoo_game_stat_log.json
- <Package Folder>/files/rdata_comczpvcunh.new
- <Package Folder>/files/statistics.log (deleted)
- <Package Folder>/libs/####/libpatch
- <Package Folder>/libs/####/libpatch1
- <Package Folder>/shared_prefs/.tpns.service.xml.xml
- <Package Folder>/shared_prefs/.tpns.settings.xml.xml
- <Package Folder>/shared_prefs/.tpns.settings.xml.xml.bak
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/Pay_config.xml
- <Package Folder>/shared_prefs/Pay_config.xml.bak
- <Package Folder>/shared_prefs/QH_DeviceSDK.xml
- <Package Folder>/shared_prefs/QH_SDK_M2.xml
- <Package Folder>/shared_prefs/QH_SDK_UserData.xml
- <Package Folder>/shared_prefs/QH_SDK_UserData.xml.bak
- <Package Folder>/shared_prefs/QH_SDK_UserData02522a2b2726fb0a03bb19f2d8d9524d.xml
- <Package Folder>/shared_prefs/QH_SDK_UserData02522a2b2726fb0a03bb19f2d8d9524d.xml.bak
- <Package Folder>/shared_prefs/QH_SDK_sessionID.xml
- <Package Folder>/shared_prefs/QH_SDK_sessionID.xml.bak
- <Package Folder>/shared_prefs/WukongSDKPre.xml
- <Package Folder>/shared_prefs/__Baidu_Stat_SDK_SendRem.xml
- <Package Folder>/shared_prefs/chess_game_prefs.xml
- <Package Folder>/shared_prefs/coolcloud_config.xml
- <Package Folder>/shared_prefs/device_id.xml
- <Package Folder>/shared_prefs/gameSetting.xml
- <Package Folder>/shared_prefs/gamecenter_sdk_plugin_pre.xml
- <Package Folder>/shared_prefs/gamecenter_sdk_plugin_pre.xml.bak
- <Package Folder>/shared_prefs/iapppay_config.xml
- <Package Folder>/shared_prefs/qh_login_cfg.xml
- <Package Folder>/shared_prefs/qh_login_cfg.xml.bak
- <Package Folder>/shared_prefs/qhopen_game_session_info.xml
- <Package Folder>/shared_prefs/qhpush_session_info.xml
- <Package Folder>/shared_prefs/qihoo_game_session_info.xml
- <Package Folder>/shared_prefs/qihoo_game_session_info.xml.bak
- <Package Folder>/shared_prefs/qihoo_hosts_cfg.xml
- <Package Folder>/shared_prefs/qihoo_https_cer_pre.xml
- <Package Folder>/shared_prefs/qihoo_https_cer_pre.xml.bak
- <Package Folder>/shared_prefs/qlocal_float_sdk_share_preference.xml
- <Package Folder>/shared_prefs/qlocal_float_sdk_share_preference.xml.bak
- <Package Folder>/shared_prefs/qlocal_float_sdk_share_preference.xml.bak (deleted)
- <Package Folder>/shared_prefs/sdk_apk_info.xml
- <Package Folder>/shared_prefs/share_data_updatesdk.xml
- <Package Folder>/shared_prefs/silent_lg_dj.xml
- <Package Folder>/shared_prefs/silent_lg_dj.xml.bak
- <Package Folder>/shared_prefs/tpush.shareprefs.xml
- <Package Folder>/shared_prefs/tpush.shareprefs.xml.bak
- <Package Folder>/update.qh
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/360/####/02522a2b2726fb0a03bb19f2d8d9524d
- <SD-Card>/360/####/Y29tLnh6dXNvbi5nYW1lLmNoZXNz
- <SD-Card>/360/####/Y29tLnh6dXNvbi5nYW1lLmNoZXNz (deleted)
- <SD-Card>/360/####/dcsdid.dat
- <SD-Card>/360/####/oLb
- <SD-Card>/360/####/oLb (deleted)
- <SD-Card>/360/.deviceId
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/2srnjblqxn03998ej90uotas2.0.tmp
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/Tencent/####/.mid.txt
- <SD-Card>/data/####/0CC337C16906897703__<Package>
- <SD-Card>/data/####/<Package>
- <SD-Card>/data/####/randId
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.xzuson.game.chess/code-1951262/Jwrhu_eyzPUdb3Kh -p com.xzuson.game.chess -c com.czpv.cunh.vwqquq.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- chmod 755 /data/data/com.xzuson.game.chess/.jiagu/libjiagu.so
- chmod 755 /data/data/com.xzuson.game.chess/cache/360Download
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/cache/360Download
- chmod 777 /storage/emulated/0/360gamecentersdk/.cache/image
- sh <Package Folder>/code-1951262/Jwrhu_eyzPUdb3Kh -p <Package> -c com.czpv.cunh.vwqquq.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/lib/libxguardian.so <Package>,2100260689;<Package>,2100260689; 55135 203.205.128.130 [{ idx :0, ts :%d, et :2000, si :0, ui : <IMEI> , ky : Axg%lu , mid : c5c1cc528117361145719452325efd578dd5fcdb , ev :{ ov : 18 , sr : 600*752 , md : <System Property> , lg : en , sv : 3.1 , mf : unknown , apn : %s }}] 0 18
Использует специальную библиотеку для скрытия исполняемого байткода.
