Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.127.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Spy.127.origin
Сетевая активность:
Подключается к:
- 1####.####.104:8022
- 7j####.####.com
- a####.####.com
- i####.####.com
- m####.####.com
- o####.####.com
- s####.####.com
- st####.####.com
- t####.####.net
- u####.####.com
Запросы HTTP GET:
- 1####.####.104:8022/rest/api3.do?ttid=####&t=####&deviceId=####&imei=###...
- 7j####.####.com/tdata_gbU702
- i####.####.com/service/getIpInfo.php?ip=####
- st####.####.com/avatar/002/65/01/18_avatar_big.jpg_80x80.jpg?_148319####
- u####.####.com/activeip/?agoo_apn=####&app_version_code=####&agoo_networ...
- u####.####.com/rest/api3.do?ttid=####&t=####&imei=####&appKey=####&v=###...
Запросы HTTP POST:
- a####.####.com/app_logs
- a####.####.com/log4
- m####.####.com/register
- o####.####.com/check_config_update
- s####.####.com/api.php?format=####&t=####
- t####.####.net/g/d
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_plugin/PlayerUIApk.apk
- <Package Folder>/cache/####/-1848725386
- <Package Folder>/cache/####/2060118002
- <Package Folder>/cache/####/679276025
- <Package Folder>/databases/MsgLogStore.db-journal
- <Package Folder>/databases/alarm-journal
- <Package Folder>/databases/increment.db-journal
- <Package Folder>/databases/pushext.db-journal
- <Package Folder>/databases/pushg.db-journal
- <Package Folder>/databases/pushsdk.db-journal
- <Package Folder>/databases/sharesdk.db-journal
- <Package Folder>/databases/tmpd8.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/.imprint
- <Package Folder>/files/.jiagu.ls
- <Package Folder>/files/TDtcagent.db
- <Package Folder>/files/TDtcagent.db-journal
- <Package Folder>/files/gdaemon_20151105
- <Package Folder>/files/init.pid
- <Package Folder>/files/libjiagu.so
- <Package Folder>/files/mobclick_agent_cached_<Package>7001
- <Package Folder>/files/push.pid
- <Package Folder>/files/run.pid
- <Package Folder>/files/td.lock
- <Package Folder>/files/tdata_OSo290.jar
- <Package Folder>/files/tdata_OSo290.tmp
- <Package Folder>/files/tdata_gbU702.jar
- <Package Folder>/files/tdata_gbU702.tmp
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/AGOO_HOST.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/AppStore.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/IndexDB.xml
- <Package Folder>/shared_prefs/SlientUserDB.xml
- <Package Folder>/shared_prefs/SlientUserDB.xml.bak
- <Package Folder>/shared_prefs/_appcode.xml
- <Package Folder>/shared_prefs/analytics_agent_header_.xml
- <Package Folder>/shared_prefs/com.blueware.android.agent.v1_<Package>.xml
- <Package Folder>/shared_prefs/com.blueware.android.agent.v1_<Package>.xml.bak
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml.bak
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/pref_longtime.xml
- <Package Folder>/shared_prefs/pref_longtime.xml.bak
- <Package Folder>/shared_prefs/pref_shorttime.xml
- <Package Folder>/shared_prefs/pref_shorttime.xml.bak
- <Package Folder>/shared_prefs/share_sdk_0.xml
- <Package Folder>/shared_prefs/share_sdk_0.xml.bak
- <Package Folder>/shared_prefs/tdid.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/umeng_message_state.xml
- <Package Folder>/shared_prefs/umeng_message_state.xml.bak
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.tcookieid
- <SD-Card>/.test_princess_readonly
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/139f6wc20l0yp5ch51jnq7h0j.0.tmp
- <SD-Card>/Android/####/163lu1f8fwpdke3yb30fnws9n.0.tmp
- <SD-Card>/Android/####/1a9lf1a41cxpagd5nixmntrbg.0.tmp
- <SD-Card>/Android/####/1fsnei1rhsr5ygjr3wubcv241.0.tmp
- <SD-Card>/Android/####/1heisbpy7ci59yfefzbli0trr.0.tmp
- <SD-Card>/Android/####/2072y8kqa4bvpsbn2q5h6fq94.0.tmp
- <SD-Card>/Android/####/2ddk2gov4jzzvyvi06cbljyz5.0.tmp
- <SD-Card>/Android/####/2drpsxqoef89p0m8hf7vrqt85.0.tmp
- <SD-Card>/Android/####/2tkjiu5w47m2yqfe45u3h9fwc.0.tmp
- <SD-Card>/Android/####/33085z4iw13ok8bkp3rbb9mgf.0.tmp
- <SD-Card>/Android/####/3dfrnlfjgrxat4p9vcge7ffw9.0.tmp
- <SD-Card>/Android/####/3s2f2i40cc7tlye699gr9v488.0
- <SD-Card>/Android/####/3uo37ljhgtzml1b6z6ghle99u.0.tmp
- <SD-Card>/Android/####/3xa4bqkr3lwnvbss5yh6w3j8i.0.tmp
- <SD-Card>/Android/####/48oiv7forkak1kb10aned2w19.0.tmp
- <SD-Card>/Android/####/4czvolhbc6av6qe7gk9uhvpka.0.tmp
- <SD-Card>/Android/####/4e565lhgd9mtiqd90lmi7tg2d.0.tmp
- <SD-Card>/Android/####/4p6pv19gkvplbe6y32dmalmxj.0.tmp
- <SD-Card>/Android/####/4pn039iqfimsrft5aqeuxy8sr.0.tmp
- <SD-Card>/Android/####/4qsu04klu9vau15q3npfdbri5.0.tmp
- <SD-Card>/Android/####/4ww67o8pjdh86dnx70zkik40l.0.tmp
- <SD-Card>/Android/####/51smbsc860dkeoykavblue5ya.0.tmp
- <SD-Card>/Android/####/5ffg0j4ncpxidmteofkzcwj37.0.tmp
- <SD-Card>/Android/####/5keowy6y20fmsn00kls82v8tn.0.tmp
- <SD-Card>/Android/####/5qboa8r8xxc4sgq6vcbrqh6a3.0.tmp
- <SD-Card>/Android/####/5uahve0sgtzd0khxvm6tx2ppn.0.tmp
- <SD-Card>/Android/####/5xs3v1z5j1f3gt37bximkhemh.0.tmp
- <SD-Card>/Android/####/6soyu3cvdrdv7alq1vmxw1daq.0.tmp
- <SD-Card>/Android/####/6uv8ik5ub4db20y1ecgrzqi8q.0.tmp
- <SD-Card>/Android/####/72ta0ma5oj5g0wgckknbo3xej.0.tmp
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/Android/####/w8qhwkzbjdl9q9nkseu9kpma.0.tmp
- <SD-Card>/ShareSDK/.ba
- <SD-Card>/ShareSDK/.dk
- <SD-Card>/libs/<Package>.db
- <SD-Card>/libs/app.db
- <SD-Card>/libs/com.getui.sdk.deviceId.db
- <SD-Card>/libs/com.igexin.sdk.deviceId.db
- <SD-Card>/system/####/tdata_OSo290
- <SD-Card>/system/####/tdata_gbU702
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.buykee.princessmakeup/files/gdaemon_20151105 0 com.buykee.princessmakeup/com.igexin.sdk.PushService 25570 300 0
- <dexopt>
- chmod 700 /data/data/com.buykee.princessmakeup/files/gdaemon_20151105
- chmod 700 <Package Folder>/files/gdaemon_20151105
- sh <Package Folder>/files/gdaemon_20151105 0 <Package>/com.igexin.sdk.PushService 25570 300 0
Использует специальную библиотеку для скрытия исполняемого байткода.
