Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.HiddenAds.76.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.HiddenAds.76.origin
Сетевая активность:
Подключается к:
- 1####.####.com
- 8####.####.de
- 80sfor####.ch
- as####.####.de
- cdn-rad####.####.com
- deutsch####.de
- gr####.####.com:7115
- i####.####.com
- jap####.fr
- jazzr####.fr
- mobilet####.fr
- r####.pl
- radio-b####.info
- radiokr####.pl
- radiopa####.com
- radios####.ca
- rsa-sac####.de
- s####.de
- sbli####.com
- sbli####.com:3000
- so####.com
- st####.####.de
- st####.####.gr
- st####.####.uk
- streams####.net
- swr-swr####.####.de
- tri####.com
- webr####.####.com
Запросы HTTP GET:
- 1####.####.com/sites/radiocore1.radiocenterberlin.de/files/styles/medium...
- 8####.####.de/img/radioemscherlippe_80er.jpg
- 80sfor####.ch/images/radio300x300.jpg
- as####.####.de/stationimages/492_primary_image.png
- cdn-rad####.####.com/s106855q.png
- deutsch####.de/themes/dradio/icons/dlf/favicon-196x196.png
- gr####.####.com:7115/live
- i####.####.com/image/thumb/Purple5/v4/37/65/d4/3765d408-7cb4-477d-9332-4...
- jap####.fr/img/Logo.png
- jazzr####.fr/media/radio/thumb/90x90_blues.png
- mobilet####.fr/wp-content/uploads/2016/10/franceinfo_logo.png
- r####.pl/i/logos/100x100/nostalgia.png
- radio-b####.info/webservice/v2/json/url/89774
- radiokr####.pl//resource/img/mstile-144x144.png
- radiopa####.com/78602061-9c94-4bed-bdc4-e76609d3b926.png
- radios####.ca/favicon.ico
- rsa-sac####.de/images/RSA/logo.png
- s####.de/favicon.ico
- sbli####.com/json/rsdk.json
- sbli####.com:3000/
- so####.com/img3/groovesalad-400.jpg
- st####.####.de/images/broadcasts/39/2e/14126/c175.png
- st####.####.gr/img-demo/icecast.jpg
- st####.####.uk/radio/83/1.92.20170704121920/img/logos/v2/bbc_radio_four_...
- streams####.net/services-logos/DISM9mkUFrOZMq5tiQFXcQUA52MAwr9Z3o7HwcC8-...
- swr-swr####.####.de/swr/swr3/live/mp3/128/stream.mp3
- tri####.com/images3/triplag_fb_logo.jpg
- webr####.####.com/apple-touch-icon.png
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/cache/####/-1054688343519785461
- <Package Folder>/cache/http_80er_radioemscherlippe_de_img_radioemscherlippe_80er_jpg.dat
- <Package Folder>/cache/http_assets_radioplayer_de_stationimages_492_primary_image_png.dat
- <Package Folder>/cache/http_cdn_radiotime_logos_tunein_com_s106855q_png.dat
- <Package Folder>/cache/http_is4_mzstatic_com_image_thumb_Purple5_v4_37_65_d4_3765d408_7cb4_477d_9332_4be06cf86310_source_1200x630bb_jpg.dat
- <Package Folder>/cache/http_mobiletroopers_fr_wp_content_uploads_2016_10_franceinfo_logo_png.dat
- <Package Folder>/cache/http_radiosrood_ca_favicon_ico.dat
- <Package Folder>/cache/http_somafm_com_img3_groovesalad_400_jpg.dat
- <Package Folder>/cache/http_static_radio_de_images_broadcasts_39_2e_14126_c175_png.dat
- <Package Folder>/cache/http_stream_psychomed_gr_img_demo_icecast_jpg.dat
- <Package Folder>/cache/http_webradio_antenne_com_apple_touch_icon_png.dat
- <Package Folder>/cache/http_www_104_6rtl_com_sites_radiocore1_radiocenterberlin_de_files_styles_medium_public_radiocore_radioplayer_webstream_channels_1200x600px_rtl_80er_png_itok_5_ZZuNvg.dat
- <Package Folder>/cache/http_www_80sforever_ch_images_radio300x300_jpg.dat
- <Package Folder>/cache/http_www_deutschlandfunk_de_themes_dradio_icons_dlf_favicon_196x196_png.dat
- <Package Folder>/cache/http_www_japanfm_fr_img_Logo_png.dat
- <Package Folder>/cache/http_www_jazzradio_fr_media_radio_thumb_90x90_blues_png.dat
- <Package Folder>/cache/http_www_radiokrakow_pl_resource_img_mstile_144x144_png.dat
- <Package Folder>/cache/http_www_radioparadise_com_78602061_9c94_4bed_bdc4_e76609d3b926_png.dat
- <Package Folder>/cache/http_www_rmfon_pl_i_logos_100x100_nostalgia_png.dat
- <Package Folder>/cache/http_www_rsa_sachsen_de_images_RSA_logo_png.dat
- <Package Folder>/cache/http_www_salue_de_favicon_ico.dat
- <Package Folder>/cache/http_www_streamsolution_net_services_logos_DISM9mkUFrOZMq5tiQFXcQUA52MAwr9Z3o7HwcC8_400x400_jpg.dat
- <Package Folder>/cache/http_www_streamsolution_net_services_logos_GzmpYKkzXOAZStWxT11Pz0AcURORJxaswxqYpwwe_400x400_png.dat
- <Package Folder>/cache/https_i3_radionomy_com_radios_400_16f0899d_e88b_4a2e_a6ea_fa51f42a4acf_png_clearcache_true_version_636321768337227894_original_true.dat
- <Package Folder>/cache/https_i3_radionomy_com_radios_400_e998fade_5c2a_426c_9520_0aa02849f49e_jpg_clearcache_true_version_636321761844328654_original_true.dat
- <Package Folder>/cache/https_ichef_bbci_co_uk_images_ic_336xn_p029jc4l_jpg.dat
- <Package Folder>/cache/https_r2_err_ee_Content_favicon_favikon_raadio2_png.dat
- <Package Folder>/cache/https_sputniknews_com_i_sputnik_png.dat
- <Package Folder>/cache/https_upload_wikimedia_org_wikipedia_commons_thumb_b_b9_SWR3_Logo_svg_175px_SWR3_Logo_svg_png.dat
- <Package Folder>/cache/https_upload_wikimedia_org_wikipedia_commons_thumb_e_ed_Ostseewelle_Logo_svg_200px_Ostseewelle_Logo_svg_png.dat
- <Package Folder>/cache/https_upload_wikimedia_org_wikipedia_en_thumb_1_15_87_8_UCFM_Logo_jpg_250px_87_8_UCFM_Logo_jpg.dat
- <Package Folder>/cache/https_upload_wikimedia_org_wikipedia_en_thumb_9_9b_Canal_M_logo_svg_962px_Canal_M_logo_svg_png.dat
- <Package Folder>/cache/https_www_franceinter_fr_img_logo_app_png.dat
- <Package Folder>/cache/www_radio_browser_info_webservice_json_countries
- <Package Folder>/cache/www_radio_browser_info_webservice_json_languages
- <Package Folder>/cache/www_radio_browser_info_webservice_json_stations_bycountryexact_afghanistan
- <Package Folder>/cache/www_radio_browser_info_webservice_json_stations_bytagexact_80er
- <Package Folder>/cache/www_radio_browser_info_webservice_json_stations_lastchange_100
- <Package Folder>/cache/www_radio_browser_info_webservice_json_stations_lastclick_100
- <Package Folder>/cache/www_radio_browser_info_webservice_json_stations_topclick_100
- <Package Folder>/cache/www_radio_browser_info_webservice_json_stations_topvote_100
- <Package Folder>/cache/www_radio_browser_info_webservice_json_tags
- <Package Folder>/cache/www_radio_browser_info_webservice_v2_json_url_371
- <Package Folder>/cache/www_radio_browser_info_webservice_v2_json_url_87480
- <Package Folder>/cache/www_radio_browser_info_webservice_v2_json_url_89774
- <Package Folder>/cache/www_radio_browser_info_webservice_v2_json_url_90115
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/ckd1
- <Package Folder>/files/dk.jar
- <Package Folder>/files/ek.jar
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/SSPPrefe.xml
- <Package Folder>/shared_prefs/conf.xml.xml
- <Package Folder>/shared_prefs/system_device_id.xml
- <SD-Card>/Android/channel_id
- <SD-Card>/Android/system_device_id
- <SD-Card>/DCIM/channel_id
- <SD-Card>/DCIM/system_device_id
Другие:
Запускает следующие shell-скрипты:
- <dexopt>
- chmod 755 /data/data/com.mgyun.shua.su/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- ps |grep sysser
Использует специальную библиотеку для скрытия исполняемого байткода.
