Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Moplus.1
Загружает из Интернета следующие детектируемые угрозы:
- Android.Moplus.1
Сетевая активность:
Подключается к:
- a####.####.com
- c####.####.com
- d####.####.com
- l####.####.com
- m####.####.com
- pi####.####.com
- pin####.####.com
Запросы HTTP GET:
- m####.####.com/v2/cconf?appkey=####&plat=####&apppkg=####&appver=####&ne...
Запросы HTTP POST:
- a####.####.com/errconf
- a####.####.com/snsconf
- c####.####.com/v2/cdata
- d####.####.com/dinfo
- l####.####.com/ajax?c=####&k=####
- pi####.####.com/mstat/report/?index=####
- pin####.####.com/request
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_tbs/####/core_info
- <Package Folder>/app_tbs/####/tbscoreinstall.txt
- <Package Folder>/app_tbs/####/tbslock.txt
- <Package Folder>/cache/####/1fa0a507aa267ef59ce9693d0a961a95d7ae2253e9b8ca45b5bcf8b0e6fc9dc2.0.tmp
- <Package Folder>/cache/####/270e9215604688ec801fcad56f6bf136686b4b230f0c2a470bd0118b36009d8f.0.tmp
- <Package Folder>/cache/####/33f53edda0aae62df45402f96e6b0c269580ee82f1e584e763e770f4f5485328.0.tmp
- <Package Folder>/cache/####/3ae74f43698e126d2d85a04577cc017e88978413151feeb2af3e959e7a39ba3a.0.tmp
- <Package Folder>/cache/####/4edfb71c5d17af5c5197e848227b8cbf553ae39c6de41b5af60acd9ae66cfd64.0.tmp
- <Package Folder>/cache/####/66ac7ab11e4fa8cf4887045a8c887ad43dd8cad26cb646d85a7f6eabd7301724.0.tmp
- <Package Folder>/cache/####/73aef9e1e0203c24d308fac5540aa0bcb5c35928c19f51bf519bad341bae8a41.0.tmp
- <Package Folder>/cache/####/807d6c8679c6ec053e71a2de531cea6196d113443fbaff9f41d2c3044fe04814.0.tmp
- <Package Folder>/cache/####/8e0a45a7a891b3def7fca67b5bbfda2e2f116362bc26e192c7cf38e85f36997a.0.tmp
- <Package Folder>/cache/####/961c6b70695bdaae5d44c5d895cfb1e15cbc7b0d3912ffb4605bbeaa88575ca9.0.tmp
- <Package Folder>/cache/####/9ff8f30c01a13f3acac3190ce9e8ba385a6d8a7cdc6aed7b9e8cdec6eea68238.0.tmp
- <Package Folder>/cache/####/a2d07bf9773b3641fc5ce7aab491ce956cf590e0489e1ad439fb4dd44eb67167.0.tmp
- <Package Folder>/cache/####/ad3660ee63013bd8f709a3e34a9479cddd36a3b810c41eb6230df1fe1057ee16.0.tmp
- <Package Folder>/cache/####/b8b2237e5f2aa3f8762800f73a5a816eafb2828a745c40249002c70db3a015ce.0.tmp
- <Package Folder>/cache/####/bce4b907a9ec5ac73bf459b69c1ae0121899f70b0ccb8fb0bccc7e597e56c26e.0.tmp
- <Package Folder>/cache/####/c1cef17a2660c738ac5b973220d6e82b07b1749cdb476e98dabeb84d59dd194a.0.tmp
- <Package Folder>/cache/####/e2e441dd6f352f67aff7780f4c5b3f6e26100bd7f18b918cdd61be2697a99e2c.0.tmp
- <Package Folder>/cache/####/fb43a89967de55b4f98a781efd9bcb877f72b40319f4ac3bdfbab37031b7b965.0.tmp
- <Package Folder>/cache/####/journal
- <Package Folder>/databases/hmdb
- <Package Folder>/databases/hmdb-journal
- <Package Folder>/databases/logdb.db
- <Package Folder>/databases/logdb.db-journal
- <Package Folder>/databases/pri_tencent_analysis.db_<Package>-journal
- <Package Folder>/databases/sharesdk.db-journal
- <Package Folder>/databases/tencent_analysis.db_<Package>-journal
- <Package Folder>/databases/xUtils_http_cookie.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/.mrlock
- <Package Folder>/files/.lock
- <Package Folder>/files/.mrecord
- <Package Folder>/files/.mrecord (deleted)
- <Package Folder>/files/.statistics
- <Package Folder>/files/nayto_addr.db
- <Package Folder>/files/nayto_addr.db-journal
- <Package Folder>/shared_prefs/<Package>.mid.world.ro.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/COUNTLY_STORE.xml
- <Package Folder>/shared_prefs/Cache.xml
- <Package Folder>/shared_prefs/CityLocation_List.xml
- <Package Folder>/shared_prefs/Ex_List.xml
- <Package Folder>/shared_prefs/NewSlide.xml
- <Package Folder>/shared_prefs/NyatoDate.xml
- <Package Folder>/shared_prefs/NyatoLocation.xml
- <Package Folder>/shared_prefs/ShopList.xml
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.xml
- <Package Folder>/shared_prefs/gank_device_id.xml.xml
- <Package Folder>/shared_prefs/launch_city.xml
- <Package Folder>/shared_prefs/location.xml
- <Package Folder>/shared_prefs/mob_commons_1.xml
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml.bak
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/nyato_v3_PrefsFile.xml
- <Package Folder>/shared_prefs/openudid_prefs.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml.bak
- <Package Folder>/shared_prefs/tbs_download_config.xml
- <Package Folder>/shared_prefs/tbs_download_config.xml.bak
- <Package Folder>/shared_prefs/tbs_download_stat.xml
- <SD-Card>/Mob/####/.al
- <SD-Card>/Mob/####/.dh-journal
- <SD-Card>/Mob/####/.dhlock
- <SD-Card>/Mob/####/.dic_lock
- <SD-Card>/Mob/####/.duid
- <SD-Card>/Mob/####/.globalLock
- <SD-Card>/Mob/####/.nulal
- <SD-Card>/Mob/####/.nulplt
- <SD-Card>/Mob/####/.pkg_lock
- <SD-Card>/Mob/####/.plst
- <SD-Card>/Mob/####/.rcTag
- <SD-Card>/Mob/####/.rc_lock
- <SD-Card>/Nyato_DCIM/####/.launcher_loding.png
- <SD-Card>/amap/####/alsn.db
- <SD-Card>/amap/####/alsn.db-journal
- <SD-Card>/tencent/####/.mid.txt
- <SD-Card>/tencent/####/.mid.txt1000001
- <SD-Card>/tencent/####/.mid.txt3
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- app_process /system/bin com.android.commands.pm.Pm list packages
- chmod 755 /data/data/com.nyato.client/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.product.cpu.abi
- grep -E -v root|shell|system
- pm list packages
- sh
- top -d 0 -n 1
Использует специальную библиотеку для скрытия исполняемого байткода.
