Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.589.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.DownLoader.589.origin
Сетевая активность:
Подключается к:
- 1####.####.com
- a####.####.com
- c####.####.top
- i####.####.com
- mo####.####.com
- p####.####.com
- r####.####.com
- s####.####.cn
Запросы HTTP GET:
- 1####.####.com/ic.asp
- a####.####.com/log.html?nt=####&os=####&plat=####&appId=####&locale=####...
- a####.####.com/pgv/?uid=####&auid=####&p3=####&p2=####&p1=####&pid=####&...
- c####.####.top/upload/201706/29/app/20170629181228418.apk
- i####.####.com/lc02_search/201707/17/18/06/tmp_5031258139856895848.jpg
- i####.####.com/lc04_search/201706/22/15/50/tmp_4542453632997127010.jpg
- i####.####.com/lc06_search/201707/12/16/52/tmp_7855833939181259820.jpg
- mo####.####.com/cpro/ui/mads.php?code2=####&b1500380604333=####
- p####.####.com/draw/generalactivity?platform=####&phone=####&ts=####&ck=...
- r####.####.com/05160000595B777CADBC09B4DC05D9B3
- s####.####.cn/imgs/icon/qq.png
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_baidu_ad_sdk/__xadsdk__remote__final__409ba868-321f-405f-9a80-7cb91075d046.jar
- <Package Folder>/app_baidu_ad_sdk/__xadsdk__remote__final__builtin__.jar
- <Package Folder>/app_database/####/http_mobads.baidu.com_0.localstorage-journal
- <Package Folder>/app_database/####/http_mobads.baidu.com_0.localstorage-journal (deleted)
- <Package Folder>/app_database/ApplicationCache.db-journal
- <Package Folder>/app_database/ApplicationCache.db-journal (deleted)
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/index
- <Package Folder>/cache/V2.8.8.1.txt
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/common.db
- <Package Folder>/databases/common.db-journal
- <Package Folder>/databases/download.db-journal
- <Package Folder>/databases/infinitemovie.db
- <Package Folder>/databases/infinitemovie.db-journal
- <Package Folder>/databases/miaozhen.db
- <Package Folder>/databases/miaozhen.db-journal
- <Package Folder>/databases/mzmonitor
- <Package Folder>/databases/mzmonitor-journal
- <Package Folder>/databases/t_u.db-journal
- <Package Folder>/databases/trackingplugin.db
- <Package Folder>/databases/trackingplugin.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal (deleted)
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/libtea_codecs.so
- <Package Folder>/files/####/libteanb.so
- <Package Folder>/files/####/rawso
- <Package Folder>/files/extractor.html
- <Package Folder>/files/gn.jar
- <Package Folder>/files/libtencentloc.so
- <Package Folder>/files/mobclick_agent_cached_<Package>640
- <Package Folder>/files/sbf_version
- <Package Folder>/files/xq.jar
- <Package Folder>/libs/version.txt
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Access_Preferences.xml
- <Package Folder>/shared_prefs/__x_adsdk_agent_header__.xml
- <Package Folder>/shared_prefs/__xadsdk_downloaded__version__.xml
- <Package Folder>/shared_prefs/bigdata.xml
- <Package Folder>/shared_prefs/cde_config.xml
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.xml
- <Package Folder>/shared_prefs/com.admaster.sdk.sohu.other.xml
- <Package Folder>/shared_prefs/com.baidu.mobads.loader.xml
- <Package Folder>/shared_prefs/commonsp.xml
- <Package Folder>/shared_prefs/commonsp.xml.bak
- <Package Folder>/shared_prefs/device_id.xml.xml
- <Package Folder>/shared_prefs/firstlaunch.xml
- <Package Folder>/shared_prefs/ip.xml
- <Package Folder>/shared_prefs/is_show_score_pop.xml
- <Package Folder>/shared_prefs/kr.xml
- <Package Folder>/shared_prefs/kr.xml.bak
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/mzSdkProfilePrefs.xml
- <Package Folder>/shared_prefs/priornetstate.xml
- <Package Folder>/shared_prefs/report.xml
- <Package Folder>/shared_prefs/setting_relative_sharepreference.xml
- <Package Folder>/shared_prefs/snifferHtml.xml
- <Package Folder>/shared_prefs/sohu_player.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak (deleted)
- <Package Folder>/shared_prefs/vbz.xml
- <Package Folder>/shared_prefs/ywPrefsTools.xml
- <SD-Card>/.mm1/.ucf.dat
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/620af6b667da3
- <SD-Card>/Android/####/63393dd99e503
- <SD-Card>/Android/####/78d10be7831efbcd1e62a93023a126bc.apk
- <SD-Card>/Android/####/b.tmp
- <SD-Card>/Android/####/cde.txt
- <SD-Card>/Android/####/eaf84e7555d2f1932bdfa3c0db788ac4.apk
- <SD-Card>/Infinitemovies/shareqrcode
- <SD-Card>/WhatsLIVE/####/-1024683331.tmp
- <SD-Card>/WhatsLIVE/####/-1067418307.tmp
- <SD-Card>/WhatsLIVE/####/-1071936589.tmp
- <SD-Card>/WhatsLIVE/####/-1082828704.tmp
- <SD-Card>/WhatsLIVE/####/-1264066043.tmp
- <SD-Card>/WhatsLIVE/####/-1276742951.tmp
- <SD-Card>/WhatsLIVE/####/-1326954526.tmp
- <SD-Card>/WhatsLIVE/####/-1359901762
- <SD-Card>/WhatsLIVE/####/-1406920310.tmp
- <SD-Card>/WhatsLIVE/####/-1493421725.tmp
- <SD-Card>/WhatsLIVE/####/-1504116596.tmp
- <SD-Card>/WhatsLIVE/####/-1538639880.tmp
- <SD-Card>/WhatsLIVE/####/-1558750212.tmp
- <SD-Card>/WhatsLIVE/####/-1673103163.tmp
- <SD-Card>/WhatsLIVE/####/-1752419498.tmp
- <SD-Card>/WhatsLIVE/####/-1773198961.tmp
- <SD-Card>/WhatsLIVE/####/-1783397098.tmp
- <SD-Card>/WhatsLIVE/####/-1835774480.tmp
- <SD-Card>/WhatsLIVE/####/-1836127210.tmp
- <SD-Card>/WhatsLIVE/####/-1867819023.tmp
- <SD-Card>/WhatsLIVE/####/-1873606462.tmp
- <SD-Card>/WhatsLIVE/####/-199921148.tmp
- <SD-Card>/WhatsLIVE/####/-2002152547
- <SD-Card>/WhatsLIVE/####/-2020619274.tmp
- <SD-Card>/WhatsLIVE/####/-2053151153.tmp
- <SD-Card>/WhatsLIVE/####/-2053414974.tmp
- <SD-Card>/WhatsLIVE/####/-2082966609
- <SD-Card>/WhatsLIVE/####/-2096207432.tmp
- <SD-Card>/WhatsLIVE/####/-2109951559.tmp
- <SD-Card>/WhatsLIVE/####/-371909268.tmp
- <SD-Card>/WhatsLIVE/####/-433181025.tmp
- <SD-Card>/WhatsLIVE/####/-706805964.tmp
- <SD-Card>/WhatsLIVE/####/-714769189.tmp
- <SD-Card>/WhatsLIVE/####/-752816022.tmp
- <SD-Card>/WhatsLIVE/####/-777849469.tmp
- <SD-Card>/WhatsLIVE/####/-808074545.tmp
- <SD-Card>/WhatsLIVE/####/-840476391.tmp
- <SD-Card>/WhatsLIVE/####/-870501346.tmp
- <SD-Card>/WhatsLIVE/####/-891045636.tmp
- <SD-Card>/WhatsLIVE/####/-914785606.tmp
- <SD-Card>/WhatsLIVE/####/-979491396
- <SD-Card>/WhatsLIVE/####/1036358063.tmp
- <SD-Card>/WhatsLIVE/####/1099324389
- <SD-Card>/WhatsLIVE/####/1106693060.tmp
- <SD-Card>/WhatsLIVE/####/1133064119.tmp
- <SD-Card>/WhatsLIVE/####/1147262452.tmp
- <SD-Card>/WhatsLIVE/####/1182065369.tmp
- <SD-Card>/WhatsLIVE/####/1236359281.tmp
- <SD-Card>/WhatsLIVE/####/1237337520.tmp
- <SD-Card>/WhatsLIVE/####/1240769632.tmp
- <SD-Card>/WhatsLIVE/####/1258767952.tmp
- <SD-Card>/WhatsLIVE/####/1282613330
- <SD-Card>/WhatsLIVE/####/1295903287.tmp
- <SD-Card>/WhatsLIVE/####/1298502489.tmp
- <SD-Card>/WhatsLIVE/####/1347972287.tmp
- <SD-Card>/WhatsLIVE/####/1355514927.tmp
- <SD-Card>/WhatsLIVE/####/136623652.tmp
- <SD-Card>/WhatsLIVE/####/1366664387.tmp
- <SD-Card>/WhatsLIVE/####/1447343117.tmp
- <SD-Card>/WhatsLIVE/####/146955363.tmp
- <SD-Card>/WhatsLIVE/####/1567691300.tmp
- <SD-Card>/WhatsLIVE/####/1581255259.tmp
- <SD-Card>/WhatsLIVE/####/158914930.tmp
- <SD-Card>/WhatsLIVE/####/1605370647.tmp
- <SD-Card>/WhatsLIVE/####/1699844176.tmp
- <SD-Card>/WhatsLIVE/####/1720350682
- <SD-Card>/WhatsLIVE/####/1727177567.tmp
- <SD-Card>/WhatsLIVE/####/1768270280.tmp
- <SD-Card>/WhatsLIVE/####/1769929726.tmp
- <SD-Card>/WhatsLIVE/####/1879242147.tmp
- <SD-Card>/WhatsLIVE/####/1938251578.tmp
- <SD-Card>/WhatsLIVE/####/2022812805.tmp
- <SD-Card>/WhatsLIVE/####/2112805617.tmp
- <SD-Card>/WhatsLIVE/####/2129468123.tmp
- <SD-Card>/WhatsLIVE/####/26136873.tmp
- <SD-Card>/WhatsLIVE/####/288756501.tmp
- <SD-Card>/WhatsLIVE/####/402154300.tmp
- <SD-Card>/WhatsLIVE/####/422837106.tmp
- <SD-Card>/WhatsLIVE/####/453772135.tmp
- <SD-Card>/WhatsLIVE/####/456515144.tmp
- <SD-Card>/WhatsLIVE/####/458434085.tmp
- <SD-Card>/WhatsLIVE/####/490954930.tmp
- <SD-Card>/WhatsLIVE/####/493117958.tmp
- <SD-Card>/WhatsLIVE/####/509483330.tmp
- <SD-Card>/WhatsLIVE/####/533664297.tmp
- <SD-Card>/WhatsLIVE/####/535916308.tmp
- <SD-Card>/WhatsLIVE/####/559465411.tmp
- <SD-Card>/WhatsLIVE/####/706937712.tmp
- <SD-Card>/WhatsLIVE/####/75705971.tmp
- <SD-Card>/WhatsLIVE/####/789697317
- <SD-Card>/WhatsLIVE/####/802214362.tmp
- <SD-Card>/WhatsLIVE/####/82513682
- <SD-Card>/WhatsLIVE/####/845097435.tmp
- <SD-Card>/WhatsLIVE/####/877332072.tmp
- <SD-Card>/YSDQ_LOG.txt
Другие:
Запускает следующие shell-скрипты:
- <dexopt>
- chmod 755 /data/data/com.txj.movies.quanneng/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/78d10be7831efbcd1e62a93023a126bc.apk
- chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/eaf84e7555d2f1932bdfa3c0db788ac4.apk
- chmod 777 /storage/emulated/0/Android/data/com.txj.movies.quanneng/files/Download/Android/azb/78d10be7831efbcd1e62a93023a126bc.apk
- chmod 777 /storage/emulated/0/Android/data/com.txj.movies.quanneng/files/Download/Android/azb/eaf84e7555d2f1932bdfa3c0db788ac4.apk
Использует специальную библиотеку для скрытия исполняемого байткода.
