Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.197
Сетевая активность:
Подключается к:
- 1####.####.com
- a####.####.com
- a####.####.net
- a3e3f10####.####.net
- a425667####.####.net
- a4cda08####.####.net
- a52b5e5####.####.net
- aa03599####.####.net
- aff7266####.####.net
- api-204####.####.com:84
- bonaire####.com
- c####.####.com
- ce####.####.org
- cloudfr####.####.com
- d####.####.net
- d1y04et####.####.net
- dcs-edg####.####.com
- dmp-p####.####.com
- e####.####.net
- googlea####.####.com
- gstatic####.####.com
- h####.####.net
- h####.com
- oemeoap####.####.com
- pa####.####.net
- pool####.####.net
- s####.####.com
- scon####.####.net
- sl####.####.com:8111
- spcms-g####.####.net
- st####.####.com
- star-####.####.com
- t####.####.com
- tra####.####.com
- u####.####.com
- w####.####.net
Запросы HTTP GET:
- 1####.####.com/avatar/18ac47f37bae2096eebdc1b8caa63cd5?s=####&d=####&r=#...
- a####.####.net/51652252bbddbd1468000b79.ico
- a####.####.net/51652252bbddbd1468000b7a.ico
- a####.####.net/54d8990b07830f652e000000.ico
- a####.####.net/54d8992707830f652e00000a.ico
- a####.####.net/54d9f2db07830f2c0a000038.ico
- a####.####.net/54d9f30007830f2c0a00003c.ico
- a####.####.net/54d9f5ac07830f2c0a000093.ico
- a####.####.net/54d9f60907830f2c0a0000a9.ico
- a####.####.net/54d9f92107830f2c0a0000ef.ico
- a####.####.net/553e3c4707830f4f8f00000e.ico
- a####.####.net/599a761a1fa06a336d6cd161_500x132.jpg
- a####.####.net/599b7df51fa06a336d849b34_500x333.jpg
- a####.####.net/599bda27be612e46780ee733_500x282.jpg
- a####.####.net/599bed61be612e4678115c81_500x281.jpg
- a####.####.net/599c4535be612e46781d1aab_500x288.jpg
- a####.####.net/599c4535be612e46781d1b04_500x334.jpg
- a####.####.net/599c492ebe612e46781d8b02_500x375.jpg
- a####.####.net/599c8624be612e4678262abd_500x312.jpg
- a####.####.net/599ca2babe612e467829d12a_500x281.jpg
- a####.####.net/599cbfefbe612e46782df4a9_500x297.jpg
- a####.####.net/599cc465be612e46782e9ffa_500x300.jpg
- a####.####.net/599cc55abe612e46782eb358_500x288.jpg
- a####.####.net/599cc704be612e46782ee095_500x375.jpg
- a####.####.net/599d54c6be612e467842f92f_500x337.jpg
- a####.####.net/599d58bbbe612e4678438423_500x333.jpg
- a####.####.net/599d58bbbe612e4678438424_500x281.jpg
- a3e3f10####.####.net/test.png
- a425667####.####.net/test.png
- a4cda08####.####.net/test.png
- a52b5e5####.####.net/test.png
- aa03599####.####.net/test.png
- aff7266####.####.net/test.png
- bonaire####.com/meeste-toeristen-hebben-nederlandse-of-amerikaanse-natio...
- bonaire####.com/wp-content/plugins/jetpack/_inc/genericons/genericons/Ge...
- bonaire####.com/wp-content/plugins/jetpack/_inc/genericons/genericons/ge...
- bonaire####.com/wp-content/plugins/jetpack/_inc/jquery.spin.js?ver=####
- bonaire####.com/wp-content/plugins/jetpack/_inc/social-logos/social-logo...
- bonaire####.com/wp-content/plugins/jetpack/_inc/spin.js?ver=####
- bonaire####.com/wp-content/plugins/jetpack/css/jetpack.css?ver=####
- bonaire####.com/wp-content/plugins/jetpack/modules/carousel/jetpack-caro...
- bonaire####.com/wp-content/plugins/jetpack/modules/photon/photon.js?ver=...
- bonaire####.com/wp-content/plugins/jetpack/modules/related-posts/related...
- bonaire####.com/wp-content/plugins/jetpack/modules/sharedaddy/sharing.js...
- bonaire####.com/wp-content/plugins/jetpack/modules/simple-payments/simpl...
- bonaire####.com/wp-content/plugins/jetpack/modules/wpgroho.js?ver=####
- bonaire####.com/wp-content/plugins/like-box/includes/javascript/front_en...
- bonaire####.com/wp-content/plugins/like-box/includes/style/effects.css?v...
- bonaire####.com/wp-content/plugins/like-box/includes/style/style.css?ver...
- bonaire####.com/wp-content/themes/apostrophe-2-wpcom/js/apostrophe.js?ve...
- bonaire####.com/wp-content/themes/apostrophe-2-wpcom/js/navigation.js?ve...
- bonaire####.com/wp-content/themes/apostrophe-2-wpcom/js/skip-link-focus-...
- bonaire####.com/wp-content/themes/apostrophe-2-wpcom/style.css?ver=####
- bonaire####.com/wp-includes/css/dashicons.min.css?ver=####
- bonaire####.com/wp-includes/js/comment-reply.min.js?ver=####
- bonaire####.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=####
- bonaire####.com/wp-includes/js/jquery/jquery.js?ver=####
- bonaire####.com/wp-includes/js/thickbox/thickbox.css?ver=####
- bonaire####.com/wp-includes/js/thickbox/thickbox.js?ver=####
- bonaire####.com/wp-includes/js/wp-embed.min.js?ver=####
- bonaire####.com/wp-includes/js/wp-emoji-release.min.js?ver=####
- c####.####.com/2015-12-12/170df2a19c6c35c9f694e3dc7c05615b.jpeg!240
- c####.####.com/2015-12-12/1df996f0014dd1a67aa010b5ed9c7c27.jpeg!240
- c####.####.com/2015-12-12/2dbb64e898aeda520b8e85f60106a439.jpeg!240
- c####.####.com/2015-12-12/32dda1e5bb68a459e1a14d919c1259b2.jpeg!240
- c####.####.com/2015-12-12/45efd03f1bee372fb59b43442692aa75.jpeg!240
- c####.####.com/2015-12-12/e02433905b51c88ae6a2ed1764567ce7.jpeg!240
- c####.####.com/2015-12-12/e1c580fb5598be38f748da04d16dd59e.jpeg!240
- c####.####.com/2015-12-12/e3df64069ec57aa8f5f0ad24ec7bc0d5.jpeg!240
- c####.####.com/2015-12-12/fc44f98d9f4de73b10b670788be78358.jpeg!240
- c####.####.com/2017-08-01/3ba5cc3433421cf1dcd69b078d81dc3b.jpg
- c####.####.com/dp/navegg.php?pid=####&uid=####
- c####.####.com/req?v=####&id=####&acc=####&tit=####
- c####.####.com/req?v=####&upd=####&new=####&id=####&acc=####&tit=####
- c####.####.com/t.php?sc_project=####&java=####&security=####&u1=####&sc_...
- c####.####.com/v2/content/article1-1511718-1fdef09207ac7fd168f0485c41ecc...
- c####.####.com/v2/content/article1-1511722-1fdef09207ac7fd168f0485c41ecc...
- c####.####.com/v2/content/list-0-0-0-NL-5-0-1.json?1501850####
- c####.####.com/v2/system/languages.json
- c####.####.com/v2/system/models-138.json
- c####.####.com/v2/system/startimg-NL.json
- ce####.####.org/v2/content/getItemDetails-1511718.json
- ce####.####.org/v2/content/getItemDetails-1511722.json
- ce####.####.org/v2/content/recommend-1fdef09207ac7fd168f0485c41ecca9c-NL...
- ce####.####.org/v3/commentlist-1511718-1fdef09207ac7fd168f0485c41ecca9c-...
- ce####.####.org/v3/commentlist-1511722-1fdef09207ac7fd168f0485c41ecca9c-...
- ce####.####.org/v3/system/countrys.json
- ce####.####.org/v3/system/initcountrytopic.json
- cloudfr####.####.com/x.png
- d####.####.net/r/dd/id/L2NzaWQvMS9jaWQvMjYzNTYzMzIvdC8y/dpuid/33980929007/
- d1y04et####.####.net/20170814160356-nativeon131
- dcs-edg####.####.com/demconf.jpg?et:ibs|data:dpid=822&dpuuid=33980929007...
- dcs-edg####.####.com/ibs:dpid=822&dpuuid=33980929007&redir=https://sync....
- dmp-p####.####.com/ups/19764/sync?uid=####&_origin=####&redir=####
- dmp-p####.####.com/ups/19764/sync?uid=####&_origin=####&redir=####&verif...
- e####.####.net/sync/img?redir=https://sync.navdmp.com/sync?img=####&mdia...
- googlea####.####.com/css?family=####
- gstatic####.####.com/s/opensans/v14/MTP_ySUJH_bn48VBG8sNSpS3E-kSBmtLoNJP...
- gstatic####.####.com/s/opensans/v14/cJZKeOuBrn4kERxqtaUH3SZ2oysoEQEeKwjg...
- h####.####.net/ct/upi/pid/DuqQKWX7/?redir=https://sync.navdmp.com/sync?p...
- h####.####.net/upi/pid/DuqQKWX7/?redir=https://sync.navdmp.com/sync?prti...
- h####.com/
- h####.com/_a/insights/publications?publicationIds=####
- h####.com/_a/news/articles/home
- h####.com/_a/news/trends/articles?trends[]=####&country=####
- h####.com/_a/news/trends/articles?trends[]=####&trends[]=####&trends[]=#...
- h####.com/article/566c2427f186fd202d2e0194?view=####
- h####.com/article/566c24fbf186fd202d2e0d33?view=####
- h####.com/article/599b7df51fa06a336d849b34
- h####.com/articles/599a761a1fa06a336d6cd161
- h####.com/articles/599b7df51fa06a336d849b34/related?limit=####&offset=####
- h####.com/content?url=####
- h####.com/css/img/category_icons.png
- h####.com/css/img/icons_sprite.png
- h####.com/css/img/settings_banner.jpg
- h####.com/css/style.css?bust=####
- h####.com/images/get_android_app.png
- h####.com/images/get_firefoxos_app.png
- h####.com/js/bundles/404.js?bust=####
- h####.com/js/bundles/article.js?bust=####
- h####.com/js/bundles/cookies.js
- h####.com/js/bundles/home.js?bust=####
- h####.com/js/bundles/settings.js?bust=####
- h####.com/settings
- pa####.####.net/pixel?google_nid=####&googl####&id=####
- pa####.####.net/pixel?google_nid=####&google_cm=####&id=####&google_tc=#...
- pool####.####.net/aa/y8a2thbi7v8xdodcoa82
- pool####.####.net/ul_cb/aa/y8a2thbi7v8xdodcoa82
- s####.####.com/js/gprofiles.js?ver=####
- s####.####.com/sync?prtid=####&admid=####
- s####.####.com/sync?prtid=####&aolid=####
- s####.####.com/sync?prtid=####&id=####&google_gid=####&google_cver=####
- s####.####.com/sync?prtid=####&tdaid=C####
- scon####.####.net/connect/xd_arbiter/r/0sTQzbapM8j.js?version=####
- scon####.####.net/en_US/sdk.js
- spcms-g####.####.net/cms?partner_id=####
- st####.####.com/c/hotjar-113364.js?sv=####
- star-####.####.com/v2.6/plugins/page.php?adapt_container_width=####&cont...
- t####.####.com/site/31435?id=33980929007&redir=https://sync.navdmp.com/s...
- t####.####.com/site/31436?dt=####&r=####&sig=####&bkca=####
- t####.####.com/tm42098.js
- tra####.####.com/redir/?bl=1&tgds=dmp-Z4L25a2Pwm&tgda=cm&tgdid=339809290...
- tra####.####.com/redir/?tgds=dmp-Z4L25a2Pwm&tgda=cm&tgdid=33980929007&tg...
- u####.####.com/usr?v=####&acc=####&id=####&jds=####&wst=####
- u####.####.com/usr?v=####&acc=####&upd=####&new=####&wst=####
- w####.####.net/counter/counter.js
Запросы HTTP POST:
- a####.####.com/app_logs
- api-204####.####.com:84/sdk/aff_getpolicy
- ce####.####.org/auth/gather
- oemeoap####.####.com/e
- sl####.####.com:8111/native/api/v1/update
- sl####.####.com:8111/native/sdk/api/ad/client_action
- sl####.####.com:8111/native/sdk/api/regclient
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_cache/ApplicationCache.db-journal (deleted)
- <Package Folder>/app_osdk/adflash_shell.jar
- <Package Folder>/app_osdk/t.zip
- <Package Folder>/cache/####/542324769-1749282151
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_0 (deleted)
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_1 (deleted)
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_2 (deleted)
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/data_3 (deleted)
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/index (deleted)
- <Package Folder>/databases/UmengLocalNotificationStore.db-journal
- <Package Folder>/databases/Zuoyoo_db
- <Package Folder>/databases/Zuoyoo_db-journal
- <Package Folder>/databases/track_event
- <Package Folder>/databases/track_event-journal
- <Package Folder>/databases/virgo_mpsp.db
- <Package Folder>/databases/virgo_mpsp.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/.imprint
- <Package Folder>/files/adflashcore.jar
- <Package Folder>/files/t.jar
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/AppStore.xml
- <Package Folder>/shared_prefs/AppStore.xml.bak
- <Package Folder>/shared_prefs/BSModelForPlaced.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/CountryRelevant.xml
- <Package Folder>/shared_prefs/CurArticleInfo.xml
- <Package Folder>/shared_prefs/EVENTS_EXT_SP.xml
- <Package Folder>/shared_prefs/GATHER.xml
- <Package Folder>/shared_prefs/Game_recommend.xml
- <Package Folder>/shared_prefs/Game_recommend.xml.bak
- <Package Folder>/shared_prefs/MASTER_DATA.xml
- <Package Folder>/shared_prefs/Module_Switch_DATA.xml
- <Package Folder>/shared_prefs/Module_Switch_DATA.xml.bak
- <Package Folder>/shared_prefs/Prophet.xml
- <Package Folder>/shared_prefs/adflash.xml
- <Package Folder>/shared_prefs/adflash.xml.bak
- <Package Folder>/shared_prefs/coolook.minisite.xml
- <Package Folder>/shared_prefs/test.xml
- <Package Folder>/shared_prefs/track_event.<Package>.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/umeng_message_state.xml
- <Package Folder>/shared_prefs/v2_local_login.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/<Package>/####/3ba5cc3433421cf1dcd69b078d81dc3b.jpg
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/1z6zvfpz292r66bw5lmgi6f8b.0
- <SD-Card>/Android/####/25rq5n07ym2zjjisy8bf92jc0.0.tmp
- <SD-Card>/Android/####/2ql0blcc9oztuoqwf5zxfinte.0.tmp
- <SD-Card>/Android/####/4iy7jxd7mwrjkadxsu7xh0o2j.0.tmp
- <SD-Card>/Android/####/59bdjkv1xkb26ovo7t487fgha.0.tmp
- <SD-Card>/Android/####/5j5d90d4rstsz20wimgudy55o.0.tmp
- <SD-Card>/Android/####/5pkon9g2vsjkxno38qbwi40nh.0
- <SD-Card>/Android/####/6i37snv1m9z7hxvuic474q7jn.0.tmp
- <SD-Card>/Android/####/72ua7q3op5xoe7k7l5r4xq8ne.0
- <SD-Card>/Android/####/delay_20170804123643655_1fdef09207ac7fd168f0485c41ecca9c_s.dat
- <SD-Card>/Android/####/delay_20170804123653353_1fdef09207ac7fd168f0485c41ecca9c_s.dat
- <SD-Card>/Android/####/delay_20170804123704936_1fdef09207ac7fd168f0485c41ecca9c_s.dat
- <SD-Card>/Android/####/delay_20170804123706439_1fdef09207ac7fd168f0485c41ecca9c_s.dat
- <SD-Card>/Android/####/delay_20170804123718142_1fdef09207ac7fd168f0485c41ecca9c_s.dat
- <SD-Card>/Android/####/delay_20170804123729811_1fdef09207ac7fd168f0485c41ecca9c_s.dat
- <SD-Card>/Android/####/delay_20170804123733895_1fdef09207ac7fd168f0485c41ecca9c_s.dat
- <SD-Card>/Android/####/inapp_dev.txt
- <SD-Card>/Android/####/journal.tmp
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- DES
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-ECB-PKCS5Padding
- DES
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о зарегистрированных на устройстве аккаунтах (Google, Facebook и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
