Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.127.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony)
Сетевая активность:
Подключается к:
- a####.####.com
- c####.####.com
- h####.####.com
- i####.####.com
- im####.####.com
- l####.####.com
- m####.####.com
- nsc####.####.com
- p####.####.com
- s####.####.net
- up####.####.com
- w####.####.com
Запросы HTTP GET:
- a####.####.com/mat/20170705174013-9516541.png
- c####.####.com/interface/mc?mcid=####
- i####.####.com/sdw?oid=####&w=####&h=####
- im####.####.com/8aafbf8f69f32401cd094fd8924a32ff.jpg?aid=####&tid=####&m...
- l####.####.com/
- m####.####.com/cfg/appkey-684f15fa71301257
- nsc####.####.com/v.gif?pid=####&pj=####&c_version=####&t=####&c_device_t...
- p####.####.com/interface/deliver?ap=####&deliver_ver=####&uid=####&mac=#...
- p####.####.com/v5/site/mvsites?mid=####&cl=####&ve=####&mac=####&uc=####...
- p####.####.com/v5/video/play?id=####&cl=####&ve=####&mac=####&uc=####&fu...
- p####.####.com/v7/config/personal?fudid=####&pg=####&sz=####&cl=####&ve=...
- s####.####.net/ecom-ad/appaderror?dev=####&ver=####&fudid=####&sid=####&...
- up####.####.com/v5/aggregate/init?cl=####&ve=####&mac=####&uc=####&fudid...
- w####.####.com/api/r?promoter=####&access_subtype=####&ts=####&layout_ty...
Запросы HTTP POST:
- h####.####.com/mobile_wap_adv/get_aid/?auth[token]=####&type=####&id=###...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/cache/####/-1425865085-932492560
- <Package Folder>/cache/####/-1777881698-524874125
- <Package Folder>/cache/####/569800504-1790302199
- <Package Folder>/cache/####/824295548396662491
- <Package Folder>/cache/V2.8.8.3.txt
- <Package Folder>/databases/_ire-journal
- <Package Folder>/databases/funshion.db-journal
- <Package Folder>/databases/t_u.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/wv_web_info.dat
- <Package Folder>/files/ev.jar
- <Package Folder>/files/is.jar
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/CookiePrefsFile.xml
- <Package Folder>/shared_prefs/MATSharedPreferences.xml
- <Package Folder>/shared_prefs/MATSharedPreferences.xml.bak
- <Package Folder>/shared_prefs/MUNION_CACHE_A.xml
- <Package Folder>/shared_prefs/MUNION_CACHE_B.xml
- <Package Folder>/shared_prefs/OfJbkLdFbPOMbGyP.xml
- <Package Folder>/shared_prefs/UMENG_TABS_CACHE.xml
- <Package Folder>/shared_prefs/cn.com.mma.mobile.tracking.other.xml
- <Package Folder>/shared_prefs/fudid.xml
- <Package Folder>/shared_prefs/funshion.xml
- <Package Folder>/shared_prefs/funshion.xml.bak
- <Package Folder>/shared_prefs/kr.xml
- <Package Folder>/shared_prefs/kr.xml.bak
- <Package Folder>/shared_prefs/peerid_config.xml
- <Package Folder>/shared_prefs/peerid_config.xml.bak
- <Package Folder>/shared_prefs/preference_aggregate.xml
- <Package Folder>/shared_prefs/vbz.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.fudid
- <SD-Card>/funshion/####/1bi0eth9ar3av28xm63nyyn2z.0.tmp
- <SD-Card>/funshion/####/1ht9w2qdd87l678b6crplc2k.0.tmp
- <SD-Card>/funshion/####/1kj2s8lsctq4el1l530a391fy.0.tmp
- <SD-Card>/funshion/####/1ldfk9pht9gpauje6sbavp1k8.0.tmp
- <SD-Card>/funshion/####/1x16re3gmm14c9woi0vdl7wxm.0.tmp
- <SD-Card>/funshion/####/27lb5u8jk7h3nq6f2g0ptltnd.0.tmp
- <SD-Card>/funshion/####/28gvyedkqz6va443r2ef7if1c.0.tmp
- <SD-Card>/funshion/####/2a0cwisdt9ibqme9m4khpi4bj.0.tmp
- <SD-Card>/funshion/####/2h7017x3f6l61t647b43kad4x.0.tmp
- <SD-Card>/funshion/####/2h7wqey4zpkonfrcgo08l7588.0.tmp
- <SD-Card>/funshion/####/2mtjda4silfe5bqngh8sjymva.0.tmp
- <SD-Card>/funshion/####/2pmkmv896y1kl8mi9yab7pwwd.0.tmp
- <SD-Card>/funshion/####/2qou0v8wd1j6cag1juqu3h2ua.0.tmp
- <SD-Card>/funshion/####/35j4or5r90h5gv3qkrjngqpk3.0.tmp
- <SD-Card>/funshion/####/3bmvel6jaqqu3f75issnvm5ll.0.tmp
- <SD-Card>/funshion/####/3c5pkoizw8csiliond6mn7597.0.tmp
- <SD-Card>/funshion/####/3d4yg36tykevprzfn0r8ims5k.0.tmp
- <SD-Card>/funshion/####/3f8idlne3saejb2efikjrmdx5.0.tmp
- <SD-Card>/funshion/####/3io9mztwf55b7xv6y8uar1iwa.0.tmp
- <SD-Card>/funshion/####/3ub47k6940ass86cgpcdxw9no.0.tmp
- <SD-Card>/funshion/####/3v6v02sqz8ryb0dek65o3lj15.0.tmp
- <SD-Card>/funshion/####/401e0434129c71c1d6aa5b1dc706d9c2fb4765bc.cache
- <SD-Card>/funshion/####/40dz3bhffyxatnv9cvl9hc26a.0.tmp
- <SD-Card>/funshion/####/44tac6tfalckyiixj6857xboo.0.tmp
- <SD-Card>/funshion/####/4afae4447c69bbb19e9ac2a2370394d986c4a159
- <SD-Card>/funshion/####/4dkr1tjgkfgpf1jwzav7uds93.0.tmp
- <SD-Card>/funshion/####/4fzgg2cktcu1vrzibsyxj1e28.0
- <SD-Card>/funshion/####/4g5s3epskjcyl4wgu0yi0scoj.0.tmp
- <SD-Card>/funshion/####/4x8ujtw66db3dmftkvwcmjlat.0.tmp
- <SD-Card>/funshion/####/4xfm0f4xc2btz3r34smdnnvp9.0.tmp
- <SD-Card>/funshion/####/57qeb4zrd1ybppxs3o20dq75s.0.tmp
- <SD-Card>/funshion/####/5e6e825c112618450538e7f233149ed1da97bc8c.cache
- <SD-Card>/funshion/####/5i2gc58qthxvkpkd95589j98v.0.tmp
- <SD-Card>/funshion/####/5ztqklr1q621ssjfsfr7smzrg.0.tmp
- <SD-Card>/funshion/####/649nq5ripo3f6jit8ml1pqywb.0.tmp
- <SD-Card>/funshion/####/64a6kwurqp0wjslwf1hm1chww.0
- <SD-Card>/funshion/####/657c6fe87cd6a29074b1c3e8a0fac103b1afe6d2.cache
- <SD-Card>/funshion/####/6g3r4pd29u0tt2uthz6rev2dp.0.tmp
- <SD-Card>/funshion/####/6rw34whjwkj75qrqdxvx20uf5.0.tmp
- <SD-Card>/funshion/####/6y8c4e6v6tqjee39dn69gdsa5.0.tmp
- <SD-Card>/funshion/####/71348ee125276b871e8009d82f7e1b95a600cfa9.cache
- <SD-Card>/funshion/####/738n2v3z5fryeu75ox74q2zz6.0.tmp
- <SD-Card>/funshion/####/7d2of6innaays50tprq66zocj.0.tmp
- <SD-Card>/funshion/####/7efxf6nraq1ng89vhkp6nc8mu.0.tmp
- <SD-Card>/funshion/####/7px5fkzy8zc75uopt6pfywbn.0.tmp
- <SD-Card>/funshion/####/7tobcwgejqrqbbz7yvmjd85w.0.tmp
- <SD-Card>/funshion/####/98e06e44fb1421bb23f357b0cf9952d9bc4047f3.cache
- <SD-Card>/funshion/####/9e505272967e00de51992dc7d29a2c7d31ae2c0a.cache
- <SD-Card>/funshion/####/9lurbxsywiqqd25pl4flepfv.0.tmp
- <SD-Card>/funshion/####/ab723f2ea4520a2a137259bd3b52fc9f90a2f9b4.cache
- <SD-Card>/funshion/####/cache.rules.tmp
- <SD-Card>/funshion/####/config.ini.tmp
- <SD-Card>/funshion/####/d5ada450ddd20b89c6d961cfe9b11bce0ec2709e.cache
- <SD-Card>/funshion/####/f94ad25f81f76d60b934bc12cb38d36d781ab6d9.cache
- <SD-Card>/funshion/####/funshion.ini
- <SD-Card>/funshion/####/funshion_aphone_6.4.0_afaff2700673_20170727.log
- <SD-Card>/funshion/####/gtvoecpegn4mj25imoxkunqj.0.tmp
- <SD-Card>/funshion/####/journal
- <SD-Card>/funshion/####/journal.tmp
- <SD-Card>/funshion/####/otgncdjbg9xtmc57cba4fg5l.0.tmp
- <SD-Card>/funshion/####/p2p_config.ini
- <SD-Card>/funshion/####/u9ewfzt3xt9mprnqmewzauhz.0.tmp
- <SD-Card>/funshion/####/y0v2bydodvr3w6hcx4kpfcoa.0.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 /data/data/lanhai.free.perfect.films/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- fsp2p
- libjiagu
- loginclient
- lsv
- mresearch
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- DES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- DES
- DES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации
Осуществляет доступ к информации о сети
Осуществляет доступ к информации о телефоне (номер, imei и тд.)
Осуществляет доступ к информации о запущенных приложениях
Отрисовывает собственные окна поверх других приложений
