Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.170
- Android.Triada.247.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.170
- Android.Triada.247.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 1####.####.117
- 2####.####.233:14000
- 6####.####.140
- a####.####.cn:8083
- i####.####.com
Запросы HTTP GET:
- 1####.####.117/d?dn=####&id=####&ttl=####
- 6####.####.140/ando/i/mon?k=####&d=####
- i####.####.com/ando-res/ads/30/14/f15541de-b7bd-4ff9-97fb-9e6cc9e4e044/0...
Запросы HTTP POST:
- 2####.####.233:14000/
- a####.####.cn:8083/WebService.asmx/RegisterUser
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/code-5053515/####/kdMna7yo5as=.jar
- <Package Folder>/code-5053515/Jwrhu_eyzPUdb3Kh
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_YFQVk7nG4vAt3zVmkLUN6A==
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_YFQVk7nG4vAt3zVmkLUN6A==-journal
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_ZQDcY5JIYsZRLpdIICgfexj7wyE=
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_ZQDcY5JIYsZRLpdIICgfexj7wyE=-journal
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_a__kEDUMA4xUi6Fq4HcN8w==
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_a__kEDUMA4xUi6Fq4HcN8w==-journal
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_gCS52oDxkiWqEerM
- <Package Folder>/databases/hf4B9nhLrSl0WynRt8OLdhyS0vp1fS6Z_gCS52oDxkiWqEerM-journal
- <Package Folder>/databases/xg_message.db
- <Package Folder>/databases/xg_message.db-journal
- <Package Folder>/files/####/-sVsau6N1rR77NY0m09ZRXg8cZn_9KXq.new
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/00550394-c15e-437f-817d-f8c47b1da4f0.res
- <Package Folder>/files/####/0x4-3B3wiDU7XkX2GaXB66hn5hNQA5nl.new
- <Package Folder>/files/####/14AnqlxsohlEb8Up8cZQY1uRaF_xa8z2.new
- <Package Folder>/files/####/1v3u2qHG_fGOmo9s.zip
- <Package Folder>/files/####/2bfdff62-1529-4176-835f-9d82e585bb12.res.temp
- <Package Folder>/files/####/2c2a0627-b630-45cc-9823-481a100ababe.res
- <Package Folder>/files/####/348e808b-cc71-47ba-80be-14a62506e391.res.temp
- <Package Folder>/files/####/3aed3698-fecb-4669-b974-44d5be02e220.res.temp
- <Package Folder>/files/####/5aa5c39c-cb57-44f6-b6f5-1f21f2f8cf1f.res.temp
- <Package Folder>/files/####/5z6H_IrzOwNNmJS-AziJoOjDmUw=.temp
- <Package Folder>/files/####/723e773d-b778-409c-ba96-8c479b2be242.res.temp
- <Package Folder>/files/####/902f2416-ede3-40d5-b553-c00b9f31c682.res.temp
- <Package Folder>/files/####/CIVIIuxAbP-cPk6hvoTiAA==.new
- <Package Folder>/files/####/D1VSLLEJiaIhzvmds-Huvan6vt24kbqe.new
- <Package Folder>/files/####/Gkh7cLGwpVF1IFyQLRsFWYxBWpg=
- <Package Folder>/files/####/HHYxFzk3mcZUNIdp-TOceSyyEd2Lx7OSyvdHhg==.new
- <Package Folder>/files/####/MGn9cmTdMF57wxVNX5AcXVQ7vdvR5ZSs-nUtXg==.new
- <Package Folder>/files/####/MHuzg1r1h295z9RGLSD1rg==
- <Package Folder>/files/####/MHuzg1r1h295z9RGLSD1rg==.new
- <Package Folder>/files/####/NSXH6rPj-zg8gFYuZ4YXB-CNSor3YQPV3a-vmQ==.new
- <Package Folder>/files/####/NbkNI5aolqZuXzmWgz2iMA==.new
- <Package Folder>/files/####/OV2mb_SitE6KpUEmuki8rw==
- <Package Folder>/files/####/QvDMF6PfYy6HDi4swnwJ4Q==
- <Package Folder>/files/####/QvDMF6PfYy6HDi4swnwJ4Q==.new
- <Package Folder>/files/####/QvDMF6PfYy6HDi4swnwJ4Q==.old (deleted)
- <Package Folder>/files/####/UVaz4-gFaZJ3MBgIfC4dnSkz0d8=.new
- <Package Folder>/files/####/Yy30KA9EG-nkWAR-R_PbKuVqOdT8r-jm.new
- <Package Folder>/files/####/_mU9xCqOiT6hWRBuptMkix12xGiF5EUHH10XrtjfC2g=.new
- <Package Folder>/files/####/aEAJRiinpf7eNEjEuJyVbluKHik=.new
- <Package Folder>/files/####/b7c143fa-c72b-47a4-9056-757a572a8125.res.temp
- <Package Folder>/files/####/c413c5e8-97c1-4416-adc7-a62a2614172d.res.temp
- <Package Folder>/files/####/cCJybplGAbI-r4ohWM5lpBZHIxQ=
- <Package Folder>/files/####/cCJybplGAbI-r4ohWM5lpBZHIxQ=.new
- <Package Folder>/files/####/d4f31bdf-1ca9-4c4a-b56a-83fc405e4bb1.res.temp
- <Package Folder>/files/####/data.dat.tmp
- <Package Folder>/files/####/dd7025c4-98f8-41f0-b80c-8d44c7915049.res.temp
- <Package Folder>/files/####/dgIYAe6jeAFUozFgoHJa291pLjATL1OafirA9xgy1gA=.new
- <Package Folder>/files/####/e34230dc-830e-4cf5-b6fd-6ff6d7777e4a.res.temp
- <Package Folder>/files/####/e4b58157-b5fc-4e45-b10f-959b900d5cb7.res.temp
- <Package Folder>/files/####/fOnoKwo-wwemMpZ7YhplM0FspjEtuKHz.new
- <Package Folder>/files/####/hHlCRmx76ZP2RnUGZpZqZjwdBhc=.new
- <Package Folder>/files/####/nFGvKoKGOW485DYvW9UTuvOvrncv7TVj.new
- <Package Folder>/files/####/oMVm1GZ85We0gHK4iB-Ly_VaA2w=.temp
- <Package Folder>/files/####/ojWVL0j0meP9AL79g6QA8SeDEYE=
- <Package Folder>/files/####/pVmD41fxyy88rQB7
- <Package Folder>/files/####/qldgXcbN-txvMLu4.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/tbepua_f.zip
- <Package Folder>/files/####/wDXLxR0Kjs1fPcElImwXnh647Vs6W9eF67hnPw==.new
- <Package Folder>/files/####/wNPe-1PHlLNkAIHbbncJAHWL3_bnkZc39fFUAmFvphk=.new
- <Package Folder>/files/account_yTxwhiWgusaW8kNZYPlMWh8VoqA4GnL9_5aafcb464a38ccd8ed5d58776fcf7b4f
- <Package Folder>/files/rdata_comczpvcunh.new
- <Package Folder>/shared_prefs/.tpns.service.xml.xml
- <Package Folder>/shared_prefs/.tpns.settings.xml.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/__Baidu_Stat_SDK_SendRem.xml
- <Package Folder>/shared_prefs/device_id.xml
- <Package Folder>/shared_prefs/tpush.shareprefs.xml
- <Package Folder>/shared_prefs/tpush.shareprefs.xml.bak
- <SD-Card>/.armsd/####/000c9c7f-3b63-4930-a53a-b4b0563476bc.res
- <SD-Card>/.armsd/####/08c517be-4b42-4dbc-a72e-02a293a4f747.res
- <SD-Card>/.armsd/####/2fe5343d-bb44-47e8-8ab7-060d745ff91b.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/6c4fe7e7-04c8-40a6-9eed-171f2f9d6084.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/a05409ae-908f-477c-8841-e2bd584c207c.res
- <SD-Card>/.armsd/####/f9778498-05f4-499d-b1c2-d413f6b4245d.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/Tencent/####/.mid.txt
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.xzuson.game.chess.huawei/code-5053515/Jwrhu_eyzPUdb3Kh -p com.xzuson.game.chess.huawei -c com.czpv.cunh.vwqquq.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- chmod 755 /data/data/com.xzuson.game.chess.huawei/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- sh <Package Folder>/code-5053515/Jwrhu_eyzPUdb3Kh -p <Package> -c com.czpv.cunh.vwqquq.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/lib/libxguardian.so <Package>,2100260689;<Package>,2100260689; 55071 203.205.128.130 [{ idx :0, ts :%d, et :2000, si :0, ui : <IMEI> , ky : Axg%lu , mid : d927a6901b68606342aca207ce7ce664134706e0 , ev :{ ov : 18 , sr : 600*752 , md : <System Property> , lg : en , sv : 3.1 , mf : unknown , apn : %s }}] 0 18
Использует специальную библиотеку для скрытия исполняемого байткода.
