Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Moplus.1
Загружает из Интернета следующие детектируемые угрозы:
- Android.Moplus.1
Сетевая активность:
Подключается к:
- a####.####.com
- b####.com
- c####.####.com
- d####.####.com
- i####.####.com
- l####.####.com
- m####.####.com
- n####.com
- p####.####.com
- pi####.####.com
- pin####.####.com
Запросы HTTP GET:
- a####.####.com/s.gif?l=####
- b####.com/search/error.html
- i####.####.com/data/upload/2017/0623/17/594cda97aba26.jpg
- m####.####.com/v2/cconf?appkey=####&plat=####&apppkg=####&appver=####&ne...
- n####.com/addons/theme/stv1/_static/csswap/wap.css?v=####
- p####.####.com/push.js
Запросы HTTP POST:
- a####.####.com/conn
- a####.####.com/errconf
- c####.####.com/v2/cdata
- d####.####.com/dsign
- l####.####.com/ajax?c=####&k=####
- pi####.####.com/mstat/report/?index=####
- pin####.####.com/request
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_tbs/####/core_info
- <Package Folder>/app_tbs/####/tbscoreinstall.txt
- <Package Folder>/app_tbs/####/tbslock.txt
- <Package Folder>/cache/####/1501690378978dc4f8cd6e0360c6dd07ab53734b4fa663c6423b9e09e3399fd8.0.tmp
- <Package Folder>/cache/####/270e9215604688ec801fcad56f6bf136686b4b230f0c2a470bd0118b36009d8f.0.tmp
- <Package Folder>/cache/####/4edfb71c5d17af5c5197e848227b8cbf553ae39c6de41b5af60acd9ae66cfd64.0.tmp
- <Package Folder>/cache/####/8b1f67889a277fa18e0aebc18680217ab72ff626dccfc4dc98f2c802f8b33469.0.tmp
- <Package Folder>/cache/####/8e0a45a7a891b3def7fca67b5bbfda2e2f116362bc26e192c7cf38e85f36997a.0.tmp
- <Package Folder>/cache/####/be6b39a8a7f7ecd6d2960972861d5ab2a6aec1b0a3ef678a05f7cd388ae04959.0.tmp
- <Package Folder>/cache/####/c1cef17a2660c738ac5b973220d6e82b07b1749cdb476e98dabeb84d59dd194a.0.tmp
- <Package Folder>/cache/####/c9241fb4d8872a806f205b92b411c76d642d81b8bc062133d709cd33d0273b6b.0.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/e22fa5f30f06b745601e922f1d654dc87964791eae78b6d6b445b22e295488e4.0.tmp
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal
- <Package Folder>/databases/hmdb
- <Package Folder>/databases/hmdb-journal
- <Package Folder>/databases/jpush_local_notification.db
- <Package Folder>/databases/jpush_local_notification.db-journal
- <Package Folder>/databases/jpush_statistics.db
- <Package Folder>/databases/jpush_statistics.db-journal
- <Package Folder>/databases/logdb.db
- <Package Folder>/databases/logdb.db-journal
- <Package Folder>/databases/pri_tencent_analysis.db_<Package>-journal
- <Package Folder>/databases/sharesdk.db-journal
- <Package Folder>/databases/tencent_analysis.db_<Package>-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/xUtils_http_cookie.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/.mrlock
- <Package Folder>/files/.lock
- <Package Folder>/files/.mrecord
- <Package Folder>/files/.mrecord (deleted)
- <Package Folder>/files/.statistics
- <Package Folder>/files/appPackageNames
- <Package Folder>/files/jpush_stat_cache.json
- <Package Folder>/files/jpush_stat_cache_history.json
- <Package Folder>/files/nayto_addr.db
- <Package Folder>/files/nayto_addr.db-journal
- <Package Folder>/shared_prefs/<Package>.mid.world.ro.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/COUNTLY_STORE.xml
- <Package Folder>/shared_prefs/COUNTLY_STORE.xml.bak
- <Package Folder>/shared_prefs/Cache.xml
- <Package Folder>/shared_prefs/CityLocation_List.xml
- <Package Folder>/shared_prefs/Ex_List.xml
- <Package Folder>/shared_prefs/JPushSA_Config.xml
- <Package Folder>/shared_prefs/JPushSA_Config.xml.bak
- <Package Folder>/shared_prefs/NewSlide.xml
- <Package Folder>/shared_prefs/NyatoDate.xml
- <Package Folder>/shared_prefs/NyatoLocation.xml
- <Package Folder>/shared_prefs/ShopList.xml
- <Package Folder>/shared_prefs/cn.jpush.android.user.profile.xml
- <Package Folder>/shared_prefs/cn.jpush.android.user.profile.xml.bak
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.xml
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.xml.bak
- <Package Folder>/shared_prefs/gank_device_id.xml.xml
- <Package Folder>/shared_prefs/jpush_device_info.xml
- <Package Folder>/shared_prefs/launch_city.xml
- <Package Folder>/shared_prefs/location.xml
- <Package Folder>/shared_prefs/mob_commons_1.xml
- <Package Folder>/shared_prefs/mob_commons_1.xml.bak
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml.bak
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/nyato_v3_PrefsFile.xml
- <Package Folder>/shared_prefs/openudid_prefs.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml.bak
- <Package Folder>/shared_prefs/tbs_download_config.xml
- <Package Folder>/shared_prefs/tbs_download_config.xml.bak
- <Package Folder>/shared_prefs/tbs_download_stat.xml
- <SD-Card>/Mob/####/.al
- <SD-Card>/Mob/####/.dh-journal
- <SD-Card>/Mob/####/.dhlock
- <SD-Card>/Mob/####/.dic_lock
- <SD-Card>/Mob/####/.duid
- <SD-Card>/Mob/####/.globalLock
- <SD-Card>/Mob/####/.nulal
- <SD-Card>/Mob/####/.nulplt
- <SD-Card>/Mob/####/.pkg_lock
- <SD-Card>/Mob/####/.plst
- <SD-Card>/Mob/####/.rcTag
- <SD-Card>/Mob/####/.rc_lock
- <SD-Card>/amap/####/alsn.db
- <SD-Card>/amap/####/alsn.db-journal
- <SD-Card>/data/.push_deviceid
- <SD-Card>/tencent/####/.mid.txt
- <SD-Card>/tencent/####/.mid.txt1000001
- <SD-Card>/tencent/####/.mid.txt3
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- app_process /system/bin com.android.commands.pm.Pm list packages
- chmod 755 /data/data/com.nyato.client/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.product.cpu.abi
- grep -E -v root|shell|system
- pm list packages
- sh
- top -d 0 -n 1
Использует специальную библиотеку для скрытия исполняемого байткода.
