Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.247.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 1####.####.172
- 1####.####.80:8000
- 2####.####.140
- 2####.####.140:8080
- 6####.####.140
- c####.####.com
- d####.####.com
- g####.####.net
- g####.####.net:8080
- i####.####.com
- l####.####.com
- s####.####.cn:8080
- s####.####.com
- sd####.####.com
- w####.####.com:7758
Запросы HTTP GET:
- d####.####.com/egsb/game/getclientProvince?tel=####&iccid=####&imsi=####
- i####.####.com/ando-res/m/A6EGb*Py4u1FtWQ3Rk0AdTbn3l2VkFbr8rEbwi8yQXTViC...
- s####.####.cn:8080/MiguPay.Sdk30.Lib_12003033_2E0179DDCB715FD9A2B3CEFA6E...
- s####.####.com/download//pushmessage/image/1499415467803Img.png
Запросы HTTP POST:
- 1####.####.172/osdk/gi.do?t=####&p=####
- 1####.####.80:8000/intp/9447ba19fbcb82c2e7254ec6fbc253b5065da485
- 2####.####.140/migusdk/tl/enclog
- 2####.####.140:8080/migusdk/tl/enclog
- 6####.####.140/ando/v1/x/lv?app_id=####&r=####
- c####.####.com/ad/splash/stats.html
- g####.####.net/migusdk/verification/checkSdkUpdate
- g####.####.net:8080/migusdk/tl/tcttl
- l####.####.com/sdk.php
- sd####.####.com/behaviorLogging/eventLogging/accept?
- w####.####.com:7758/normandie/QueryConfigPolicy
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/2109.dex
- <Package Folder>/code-9713828/N91JE4GnOFu4MnC8
- <Package Folder>/databases/2K-SU0aF3QSJCC6PV0bN0J6WTHUJwkLK_GGAD-zw35JpiL-Ad
- <Package Folder>/databases/2K-SU0aF3QSJCC6PV0bN0J6WTHUJwkLK_GGAD-zw35JpiL-Ad-journal
- <Package Folder>/databases/2K-SU0aF3QSJCC6PV0bN0J6WTHUJwkLK_OtWfK1qI-3fbMzswf1oAHm0ZUek=
- <Package Folder>/databases/2K-SU0aF3QSJCC6PV0bN0J6WTHUJwkLK_OtWfK1qI-3fbMzswf1oAHm0ZUek=-journal
- <Package Folder>/databases/2K-SU0aF3QSJCC6PV0bN0J6WTHUJwkLK_VHcXzNEtT-G9pUGX67oB3A==
- <Package Folder>/databases/2K-SU0aF3QSJCC6PV0bN0J6WTHUJwkLK_VHcXzNEtT-G9pUGX67oB3A==-journal
- <Package Folder>/databases/2K-SU0aF3QSJCC6PV0bN0J6WTHUJwkLK_eNFY0yAAyPgztM_mYp2E-w==
- <Package Folder>/databases/2K-SU0aF3QSJCC6PV0bN0J6WTHUJwkLK_eNFY0yAAyPgztM_mYp2E-w==-journal
- <Package Folder>/databases/2K-SU0aF3QSJCC6PV0bN0J6WTHUJwkLK_oIB5JO7qrrM=-journal
- <Package Folder>/databases/OPAYDB
- <Package Folder>/databases/OPAYDB-journal
- <Package Folder>/files/####/-ecU9MhQQUBT8o6sS4deF7pai3k=.temp
- <Package Folder>/files/####/-z37gRfqeSnfGyXsCYaLug==
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/1H62BGQ5KC8oZBMOqZMUaDFIEOE=.new
- <Package Folder>/files/####/2RL_DSKUcvU0_vjBqJHZxWmr99wwS4mVSmgkKSff0Ko=.new
- <Package Folder>/files/####/2WQ1vS2zGvaLltlD8jTOIag7OGxL9fWOqSit6Q==.new
- <Package Folder>/files/####/3DcZbEaRPW1n2m8jUPevQ1FX3NL3T6iv.new
- <Package Folder>/files/####/6Z6kz9RT8k3j4H-Ot8BMe70s3i4=.new
- <Package Folder>/files/####/6sWGHbwN2hGJLX_DMqNb_o1LtTcPkw3Gz7amYI28-mw=.new
- <Package Folder>/files/####/8DrkeUkhU_ERNcl5V-RuRGVjFAf4U1rt.new
- <Package Folder>/files/####/H2beJRMFBu6piJachUnEb5wLmIQX_mv8ff3o1g==.new
- <Package Folder>/files/####/IeKbC2VtQO-N_4m1I6eQo5V4O93KsH4Q.new
- <Package Folder>/files/####/LZMyhLjiXcwqp-wueLLszIGPzM_LXW21.new
- <Package Folder>/files/####/LuyU4o9X6LmtGZMCsOuNxTEwmCA=
- <Package Folder>/files/####/SJbNEF3ekzoJ7d0lbo3xmXfmZiE=.temp
- <Package Folder>/files/####/Tn-mVis1Ig7vQWiRslJfv1FAUXt1QMF-.new
- <Package Folder>/files/####/V5SbJ32nxtFYz9DVPenRjRlJ2ZsYTiMp.new
- <Package Folder>/files/####/X1SnTDo0bJRnUEWYkLGs2BbiMCHbNjrQj_Im4w==.new
- <Package Folder>/files/####/_q0YwJTbTxK76yUU1BXGOQwjTkIb8GwHE-GoWSmi0gM=.new
- <Package Folder>/files/####/activity_main.xml
- <Package Folder>/files/####/adapter_demo_layout.xml
- <Package Folder>/files/####/eA6c1o0SvlGFiWPvf8mniZtSyBgZziC5.new
- <Package Folder>/files/####/ec8niQXUi8upNqU4.zip
- <Package Folder>/files/####/fep9Zzdxq7u1d2c-
- <Package Folder>/files/####/g_color.xml
- <Package Folder>/files/####/g_strings.xml
- <Package Folder>/files/####/g_strings_gamepad.xml
- <Package Folder>/files/####/g_strings_leaderboard.xml
- <Package Folder>/files/####/g_styles.xml
- <Package Folder>/files/####/game_arrow_big.png
- <Package Folder>/files/####/game_arrow_little.png
- <Package Folder>/files/####/game_arrow_text.png
- <Package Folder>/files/####/game_businesscard.png
- <Package Folder>/files/####/game_check_success.png
- <Package Folder>/files/####/game_checkbox_mark.png
- <Package Folder>/files/####/game_contacts.png
- <Package Folder>/files/####/game_failure.png
- <Package Folder>/files/####/game_grey_logo.png
- <Package Folder>/files/####/game_loading.png
- <Package Folder>/files/####/game_logo.png
- <Package Folder>/files/####/game_network.png
- <Package Folder>/files/####/game_people.png
- <Package Folder>/files/####/game_piccode_refresh_touched.png
- <Package Folder>/files/####/game_save.png
- <Package Folder>/files/####/game_show_pwd.png
- <Package Folder>/files/####/game_start_logo.png
- <Package Folder>/files/####/game_success.png
- <Package Folder>/files/####/gcGf8zKvuFOdXdLE.new
- <Package Folder>/files/####/gray.png
- <Package Folder>/files/####/hfaaa_f.zip
- <Package Folder>/files/####/icon_about.png
- <Package Folder>/files/####/icon_annoucement_close.png
- <Package Folder>/files/####/icon_back.png
- <Package Folder>/files/####/icon_bind_email.png
- <Package Folder>/files/####/icon_bind_tel.png
- <Package Folder>/files/####/icon_businesscard.png
- <Package Folder>/files/####/icon_center_about.png
- <Package Folder>/files/####/icon_center_arrow.png
- <Package Folder>/files/####/icon_center_look.png
- <Package Folder>/files/####/icon_center_save.png
- <Package Folder>/files/####/icon_check_failure.png
- <Package Folder>/files/####/icon_checkbox.png
- <Package Folder>/files/####/icon_close.png
- <Package Folder>/files/####/icon_common_problem.png
- <Package Folder>/files/####/icon_compact_close.png
- <Package Folder>/files/####/icon_discount_icon.png
- <Package Folder>/files/####/icon_edit_del.png
- <Package Folder>/files/####/icon_email_icon.png
- <Package Folder>/files/####/icon_extend.png
- <Package Folder>/files/####/icon_firends_circle.png
- <Package Folder>/files/####/icon_full_arrow_down.png
- <Package Folder>/files/####/icon_full_arrow_up.png
- <Package Folder>/files/####/icon_grey_contacts.png
- <Package Folder>/files/####/icon_head.png
- <Package Folder>/files/####/icon_hide_pwd.png
- <Package Folder>/files/####/icon_magnet_draghide.png
- <Package Folder>/files/####/icon_magnet_gameshare.png
- <Package Folder>/files/####/icon_magnet_help.png
- <Package Folder>/files/####/icon_magnet_onlineservice.png
- <Package Folder>/files/####/icon_magnet_startlogin.png
- <Package Folder>/files/####/icon_magnet_welfare.png
- <Package Folder>/files/####/icon_notification.png
- <Package Folder>/files/####/icon_online_service.png
- <Package Folder>/files/####/icon_people.png
- <Package Folder>/files/####/icon_personal_bg.png
- <Package Folder>/files/####/icon_personal_bg_l.png
- <Package Folder>/files/####/icon_piccode.png
- <Package Folder>/files/####/icon_piccode_refresh.png
- <Package Folder>/files/####/icon_qq.png
- <Package Folder>/files/####/icon_recommend_flow_one.png
- <Package Folder>/files/####/icon_recommend_flow_third.png
- <Package Folder>/files/####/icon_recommend_flow_two.png
- <Package Folder>/files/####/icon_recommend_hall.png
- <Package Folder>/files/####/icon_rightextend.png
- <Package Folder>/files/####/icon_security_setting.png
- <Package Folder>/files/####/icon_service_tel.png
- <Package Folder>/files/####/icon_share_game.png
- <Package Folder>/files/####/icon_shrink.png
- <Package Folder>/files/####/icon_sina.png
- <Package Folder>/files/####/icon_sms.png
- <Package Folder>/files/####/icon_tel.png
- <Package Folder>/files/####/icon_transaction_detail.png
- <Package Folder>/files/####/icon_upgrade_pass.png
- <Package Folder>/files/####/icon_wechat.png
- <Package Folder>/files/####/icon_window.png
- <Package Folder>/files/####/iw41J1CWujkRrRGLgIcfPCsi2Lw=.new
- <Package Folder>/files/####/k75W4MgOKs7uyq8jIO3Fqw==
- <Package Folder>/files/####/k75W4MgOKs7uyq8jIO3Fqw==.new
- <Package Folder>/files/####/layout_main.xml
- <Package Folder>/files/####/libmiguED.so
- <Package Folder>/files/####/mOdTIcL5OfpgUcvhX-QWjJ77KVl9R-5Sw1yDfewi2ms=.new
- <Package Folder>/files/####/main.xml
- <Package Folder>/files/####/main_menu_item.xml
- <Package Folder>/files/####/messageapp.xml
- <Package Folder>/files/####/notification_message_icon.xml
- <Package Folder>/files/####/notification_message_pic.xml
- <Package Folder>/files/####/oRe4yKf5iC-gOyM0pc1K6w==.new
- <Package Folder>/files/####/opening_sound.mp3
- <Package Folder>/files/####/pay_icon_0.png
- <Package Folder>/files/####/pay_icon_1.png
- <Package Folder>/files/####/pay_icon_2.png
- <Package Folder>/files/####/pay_icon_3.png
- <Package Folder>/files/####/pay_icon_4.png
- <Package Folder>/files/####/pay_icon_5.png
- <Package Folder>/files/####/pay_icon_payment.png
- <Package Folder>/files/####/pay_icon_phonenumber.png
- <Package Folder>/files/####/pay_icon_telpoint.png
- <Package Folder>/files/####/plus_businesscard.png
- <Package Folder>/files/####/plus_check_success.png
- <Package Folder>/files/####/plus_checkbox_mark.png
- <Package Folder>/files/####/plus_contacts.png
- <Package Folder>/files/####/plus_failure.png
- <Package Folder>/files/####/plus_grey_logo.png
- <Package Folder>/files/####/plus_loading.png
- <Package Folder>/files/####/plus_logo.png
- <Package Folder>/files/####/plus_network.png
- <Package Folder>/files/####/plus_people.png
- <Package Folder>/files/####/plus_piccode_refesh_touched.png
- <Package Folder>/files/####/plus_save.png
- <Package Folder>/files/####/plus_show_pwd.png
- <Package Folder>/files/####/plus_start_logo.png
- <Package Folder>/files/####/plus_success.png
- <Package Folder>/files/####/pzZl0cayB1A9REEgVHsh9w==
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/shortcut_desktop_icon.png
- <Package Folder>/files/####/uX07t9gFhdBISa6y3KiUZ2JzirA=.new
- <Package Folder>/files/####/uqO05CtCEHRgcFeR0Kq0TRloD4kdm2Pn.new
- <Package Folder>/files/####/wuuTBa8xllmzcVUeh_8ZIg==.new
- <Package Folder>/files/####/zHRZ0vJj4tZaSdcd49JQySDJrQo=
- <Package Folder>/files/ED.ini
- <Package Folder>/files/MiguPay.Sdk30.Lib_12003031_85676173d2f977a1be990c1de9017b56_BN202.cod
- <Package Folder>/files/MiguPay.Sdk30.Lib_12003031_85676173d2f977a1be990c1de9017b56_BN202.dat
- <Package Folder>/files/MiguPay.Sdk30.Res_00026008_7E6B1033A285AE62FBFA3FC9B2A1F552_BN202.zip
- <Package Folder>/files/S5VD
- <Package Folder>/files/S5VD.jar
- <Package Folder>/files/libmgRun_04.22.09_01.so
- <Package Folder>/files/mgAS.dat
- <Package Folder>/files/mgSS.dat
- <Package Folder>/files/mgid.dat
- <Package Folder>/files/ors.jar
- <Package Folder>/files/ors.png
- <Package Folder>/files/rdata_comcpqnlfen
- <Package Folder>/files/rdata_comcpqnlfen.new
- <Package Folder>/files/save_data
- <Package Folder>/files/sdk_prefs
- <Package Folder>/shared_prefs/ad_show_time.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/opaysdk.xml
- <Package Folder>/shared_prefs/senderReceiver.xml
- <Package Folder>/update/MiguPay.Sdk30.Lib_12003033_2ef7e474df9346e4b808e3b0179c72c7_BN202.cod
- <Package Folder>/update/MiguPay.Sdk30.Lib_12003033_2ef7e474df9346e4b808e3b0179c72c7_BN202.dat
- <Package Folder>/update/libmiguED.so
- <Package Folder>/update/mgSS.dat
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/fc397e31-d62a-45a3-a40a-c4dcabf3f6f0.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/Download/####/617116061156userInfo.txt
- <SD-Card>/Download/####/MiguPay.Sdk30.Lib_12003033_2E0179DDCB715FD9A2B3CEFA6E471BC2_BN202.zip
- <SD-Card>/Download/####/MiguPay.Sdk30.Lib_12003033_2ef7e474df9346e4b808e3b0179c72c7_BN202.cod
- <SD-Card>/Download/####/MiguPay.Sdk30.Lib_12003033_2ef7e474df9346e4b808e3b0179c72c7_BN202.dat
- <SD-Card>/Download/####/MiguPay.Sdk30.Res_00026008_7E6B1033A285AE62FBFA3FC9B2A1F552_BN202.zip
- <SD-Card>/Download/####/ShareData.txt
- <SD-Card>/Download/####/app_info.txt
- <SD-Card>/Download/####/deviceId
- <SD-Card>/Download/####/libmiguED.so
- <SD-Card>/Download/####/miguED_02_30_702499BE8A340A9810D7D996F472E493.zip
- <SD-Card>/Download/####/miguLog_1496212851172
- <SD-Card>/Download/####/miguLog_1496212851174
- <SD-Card>/Download/####/miguLog_1496212851195
- <SD-Card>/Download/####/miguLog_1496212854616
- <SD-Card>/Download/####/miguLog_1496212854625
- <SD-Card>/Download/####/miguLog_1496212854706
- <SD-Card>/Download/####/miguLog_1496212873656
- <SD-Card>/Download/####/miguLog_1496212873681
- <SD-Card>/Download/####/miguLog_1496212873700
- <SD-Card>/Download/####/miguLog_1496212876236
- <SD-Card>/Download/####/miguLog_1496212876921
- <SD-Card>/Download/####/miguLog_1496212878486
- <SD-Card>/Download/####/miguLog_1496212879667
- <SD-Card>/Download/####/miguLog_1496212889545
- <SD-Card>/Download/####/miguLog_1496212889563
- <SD-Card>/Download/####/miguLog_1496212903559
- <SD-Card>/Download/####/miguLog_1496212906224
- <SD-Card>/Download/####/miguLog_1496212906237
- <SD-Card>/Download/####/sdk_prefs.txt
- <SD-Card>/cmgame/####/marketing_104.jar
- <SD-Card>/cmgame/####/pushDB.txt
- <SD-Card>/cmgame/####/pushTime.txt
- <SD-Card>/cmgame/####/pushTotal.txt
Другие:
Запускает следующие shell-скрипты:
- /data/data/hw.zwbjjs3.xly/code-9713828/N91JE4GnOFu4MnC8 -p hw.zwbjjs3.xly -c com.cpqn.lfen.bfrfaq.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- chmod 755 /data/data/hw.zwbjjs3.xly/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- sh <Package Folder>/code-9713828/N91JE4GnOFu4MnC8 -p <Package> -c com.cpqn.lfen.bfrfaq.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует специальную библиотеку для скрытия исполняемого байткода.
