Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.SmsSend.1567.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.SmsSend.1567.origin
Сетевая активность:
Подключается к:
- 3db####.com
- a####.####.com
- c####.####.com
- h####.com
- imgc####.####.com
- q####.####.cn
- s####.####.com
- w####.####.cn
Запросы HTTP GET:
- 3db####.com/present_resources/6.jpg
- c####.####.com/product_resources2/com.idddx.lwp.concert3d/14f1a64ddd7579...
- h####.com/cgi-bin/cell?sk=####&sn=####&ev=####&op=####&ts=####&wl=####&a...
- imgc####.####.com/qzone/biz/gdt/mod/android/AndroidAllInOne/proguard/his...
- q####.####.cn/qqapp/1101508244/5C2C6387D7EE38D76F6D10DAF60317DD/100
- w####.####.cn/mmopen/lzoCdmoJPBDcvlpgZoyYXibicCMtjCenPibXjFv3QrX5UFD3RlF...
Запросы HTTP POST:
- a####.####.com/ad-service/ad/mark
- a####.####.com/api/check_app_update
- a####.####.com/app_logs
- s####.####.com/activate
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.jar
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.jar.sig
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.next.sig
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.tmp
- <Package Folder>/app_e_qq_com_plugin/update_lc
- <Package Folder>/app_e_qq_com_setting/devCloudSetting.cfg
- <Package Folder>/app_e_qq_com_setting/devCloudSetting.sig
- <Package Folder>/app_e_qq_com_setting/gdt_suid
- <Package Folder>/app_e_qq_com_setting/sdkCloudSetting.cfg
- <Package Folder>/app_e_qq_com_setting/sdkCloudSetting.sig
- <Package Folder>/app_ewte/<Package>.apk
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/cache/####/2092103641
- <Package Folder>/cache/####/818579719
- <Package Folder>/databases/StoreProvider.db-journal
- <Package Folder>/databases/dynamic.db
- <Package Folder>/databases/dynamic.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/.imprint
- <Package Folder>/shared_prefs/<Package>.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/TrineaAndroidCommon.xml
- <Package Folder>/shared_prefs/TrineaAndroidCommon.xml.bak
- <Package Folder>/shared_prefs/dynamic_prefers.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/preferences_app.xml
- <Package Folder>/shared_prefs/preferences_flags.xml
- <Package Folder>/shared_prefs/preferences_splash.xml
- <Package Folder>/shared_prefs/preferences_user.xml
- <Package Folder>/shared_prefs/umeng_feedback_conversations.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/myShareLWP/####/-1098282436.tmp
- <SD-Card>/myShareLWP/####/-1152394478.tmp
- <SD-Card>/myShareLWP/####/-1156268310.tmp
- <SD-Card>/myShareLWP/####/-1156515880.tmp
- <SD-Card>/myShareLWP/####/-1170502703.tmp
- <SD-Card>/myShareLWP/####/-1183924343.tmp
- <SD-Card>/myShareLWP/####/-1226908292
- <SD-Card>/myShareLWP/####/-1311819524.tmp
- <SD-Card>/myShareLWP/####/-1312743045.tmp
- <SD-Card>/myShareLWP/####/-1314590087.tmp
- <SD-Card>/myShareLWP/####/-1316437129.tmp
- <SD-Card>/myShareLWP/####/-131769541
- <SD-Card>/myShareLWP/####/-1319207692.tmp
- <SD-Card>/myShareLWP/####/-1524957058.tmp
- <SD-Card>/myShareLWP/####/-1544380405.tmp
- <SD-Card>/myShareLWP/####/-1589279579.tmp
- <SD-Card>/myShareLWP/####/-1599931475.tmp
- <SD-Card>/myShareLWP/####/-1757722479.tmp
- <SD-Card>/myShareLWP/####/-1775988966.tmp
- <SD-Card>/myShareLWP/####/-1822480039.tmp
- <SD-Card>/myShareLWP/####/-2071567426.tmp
- <SD-Card>/myShareLWP/####/-2118197191.tmp
- <SD-Card>/myShareLWP/####/-501250988.tmp
- <SD-Card>/myShareLWP/####/-507571630.tmp
- <SD-Card>/myShareLWP/####/-509215526.tmp
- <SD-Card>/myShareLWP/####/-532867599.tmp
- <SD-Card>/myShareLWP/####/-540897245.tmp
- <SD-Card>/myShareLWP/####/-566194632.tmp
- <SD-Card>/myShareLWP/####/-571043126.tmp
- <SD-Card>/myShareLWP/####/-625722493.tmp
- <SD-Card>/myShareLWP/####/-83560362.tmp
- <SD-Card>/myShareLWP/####/-842320725.tmp
- <SD-Card>/myShareLWP/####/-963799904.tmp
- <SD-Card>/myShareLWP/####/1008721389.tmp
- <SD-Card>/myShareLWP/####/1009690730.tmp
- <SD-Card>/myShareLWP/####/1048332108.tmp
- <SD-Card>/myShareLWP/####/1053237881.tmp
- <SD-Card>/myShareLWP/####/1104506693.tmp
- <SD-Card>/myShareLWP/####/1144713746.tmp
- <SD-Card>/myShareLWP/####/121515158
- <SD-Card>/myShareLWP/####/1374832592.tmp
- <SD-Card>/myShareLWP/####/1415150343.tmp
- <SD-Card>/myShareLWP/####/1436221406.tmp
- <SD-Card>/myShareLWP/####/1599386130
- <SD-Card>/myShareLWP/####/1690247621.tmp
- <SD-Card>/myShareLWP/####/174763083.tmp
- <SD-Card>/myShareLWP/####/1869582941.tmp
- <SD-Card>/myShareLWP/####/1985323397.tmp
- <SD-Card>/myShareLWP/####/2011845047.tmp
- <SD-Card>/myShareLWP/####/20178173.tmp
- <SD-Card>/myShareLWP/####/2052709905.tmp
- <SD-Card>/myShareLWP/####/2055132540.tmp
- <SD-Card>/myShareLWP/####/2058906311.tmp
- <SD-Card>/myShareLWP/####/2059829832.tmp
- <SD-Card>/myShareLWP/####/2061676874.tmp
- <SD-Card>/myShareLWP/####/2082917857.tmp
- <SD-Card>/myShareLWP/####/2084764899.tmp
- <SD-Card>/myShareLWP/####/319852428.tmp
- <SD-Card>/myShareLWP/####/326626483.tmp
- <SD-Card>/myShareLWP/####/336764426.tmp
- <SD-Card>/myShareLWP/####/36151049.tmp
- <SD-Card>/myShareLWP/####/371519331.tmp
- <SD-Card>/myShareLWP/####/412384725
- <SD-Card>/myShareLWP/####/444791329.tmp
- <SD-Card>/myShareLWP/####/543000837.tmp
- <SD-Card>/myShareLWP/####/586648978.tmp
- <SD-Card>/myShareLWP/####/705577004.tmp
- <SD-Card>/myShareLWP/####/866650521.tmp
- <SD-Card>/myShareLWP/####/download.db
- <SD-Card>/myShareLWP/####/download.db-journal
Другие:
Запускает следующие shell-скрипты:
- <dexopt>
- chmod 755 /data/data/com.idddx.usglsvappstore.myshare.cn/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Использует специальную библиотеку для скрытия исполняемого байткода.
