Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.243
- Android.Triada.247.origin
- Android.Triada.248.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) md.ope####.360.cn:80
- TCP(HTTP/1.1) l.ace####.com:80
- TCP(HTTP/1.1) p.s.3####.cn:80
- TCP(HTTP/1.1) s####.s.360.cn:80
- TCP(HTTP/1.1) gs.d####.360.cn:80
- TCP(HTTP/1.1) img.ace####.com:80
- TCP(HTTP/1.1) c.appj####.com:80
- TCP(HTTP/1.1) rela####.gam####.360.cn:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) d####.iap####.com:8083
- TCP(HTTP/1.1) loc.map.b####.com:80
- TCP(HTTP/1.1) p0.q####.com:80
- TCP(TLS/1.0) h####.b####.com:443
- TCP(TLS/1.0) m####.360.cn:443
- TCP 1####.199.97.229:443
Запросы DNS:
- a.appj####.com
- and####.api.36####.com
- api.gam####.360.cn
- c.appj####.com
- d####.iap####.com
- gs.d####.360.cn
- h####.b####.com
- img.ace####.com
- l.ace####.com
- loc.map.b####.com
- m####.360.cn
- md.ope####.360.cn
- mt####.go####.com
- p.s.3####.cn
- p0.q####.com
- ps.d####.360.cn
- rela####.gam####.360.cn
- s####.s.360.cn
Запросы HTTP GET:
- md.ope####.360.cn/?product=####&version=####
- rela####.gam####.360.cn/10/popup/activity?appid=####&nonce=####&rkey=QE#...
- rela####.gam####.360.cn/10/popup/activity?appid=####&nonce=####&rkey=oZ#...
- rela####.gam####.360.cn/10/popup/activity?appid=####&nonce=####&rkey=xW#...
- rela####.gam####.360.cn/10/popup/activity?appid=####&nonce=####&rkey=zP#...
- rela####.gam####.360.cn/10/popup/bbs?appid=####&nonce=####&rkey=fc####&s...
- rela####.gam####.360.cn/10/popup/bbs?appid=####&nonce=####&rkey=rf####&s...
- rela####.gam####.360.cn/10/popup/floatconf?appid=####&nonce=####&m2=####...
- rela####.gam####.360.cn/10/popup/gamesetting?appid=####&nonce=####&rkey=...
- rela####.gam####.360.cn/10/popup/notice?appid=####&nonce=####&rkey=D7###...
- rela####.gam####.360.cn/10/popup/notice?appid=####&nonce=####&rkey=fp###...
- rela####.gam####.360.cn/10/popup/popwin?appid=####&nonce=####&rkey=I4###...
- rela####.gam####.360.cn/10/popup/popwin?appid=####&nonce=####&rkey=PF###...
- rela####.gam####.360.cn/10/system/updatecertificate?appid=####&nonce=###...
- rela####.gam####.360.cn/11/complex/packages?appid=####&nonce=####&rkey=J...
- rela####.gam####.360.cn/11/complex/packages?appid=####&nonce=####&rkey=l...
Запросы HTTP POST:
- a.appj####.com/jiagu/check/upgrade
- c.appj####.com/ad/splash/stats.html
- gs.d####.360.cn/sendstat
- l.ace####.com/ando/v1/x/ap?app_id=####&r=####
- l.ace####.com/ando/v1/x/lv?app_id=####&r=####
- l.ace####.com/ando/v1/x/qa?app_id=####&r=####
- loc.map.b####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/code-3262578/HbCbDaTUECnwsZtq
- <Package Folder>/databases/9NF43RqMVv2dJojTTf9bxEpmElsGoFap_BeB...ournal
- <Package Folder>/databases/9NF43RqMVv2dJojTTf9bxEpmElsGoFap_BeB...yUjw==
- <Package Folder>/databases/9NF43RqMVv2dJojTTf9bxEpmElsGoFap_Cz4...ournal
- <Package Folder>/databases/9NF43RqMVv2dJojTTf9bxEpmElsGoFap_TH6...ournal
- <Package Folder>/databases/9NF43RqMVv2dJojTTf9bxEpmElsGoFap_TH6...uSEho=
- <Package Folder>/databases/9NF43RqMVv2dJojTTf9bxEpmElsGoFap_jjz...QullNX
- <Package Folder>/databases/9NF43RqMVv2dJojTTf9bxEpmElsGoFap_jjz...ournal
- <Package Folder>/databases/9NF43RqMVv2dJojTTf9bxEpmElsGoFap_w_4...KvfQ==
- <Package Folder>/databases/9NF43RqMVv2dJojTTf9bxEpmElsGoFap_w_4...ournal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/0a4a11d8-904a-4b7a-a080-ae635f99d636.pic.temp
- <Package Folder>/files/####/0dIPj9tXSPYkYe8W3qTeXVAZ7fwWKEm8DP0...w=.new
- <Package Folder>/files/####/34ZnkYqcGL0O49mJgEvv2tPF8n8=.new
- <Package Folder>/files/####/5gpq8lhlNj8Jyslzy1ef_pLwi4HnsRph-A_...g=.new
- <Package Folder>/files/####/61b655e2-8690-43be-875d-4f89dc4c925b.pic
- <Package Folder>/files/####/7W7-ZMY6sdr5Cd8fF_JlpYIhv3w=.new
- <Package Folder>/files/####/967a159f-03c2-4db5-b60f-9e96068b71a2.pic
- <Package Folder>/files/####/AOgDa9m3WsKivC77gE2ALZWZ2-vvIeUR.new
- <Package Folder>/files/####/HeLhoQo5Bu_QNO0IrzpDFoEK6PE=.new
- <Package Folder>/files/####/JlYdvEyzuc6UT1Jz
- <Package Folder>/files/####/Pxc3Tgmx-Y9n3fj8YgmCxndA32L3tuIy.new
- <Package Folder>/files/####/U10C6Pt6q_hs-OJ7cPbGngYGek0K7B_lwDfmEA==.new
- <Package Folder>/files/####/XPeOYAylyxIH7DyOAxP4IFaWYN0=
- <Package Folder>/files/####/XPeOYAylyxIH7DyOAxP4IFaWYN0=.new
- <Package Folder>/files/####/Xr8CrbAoa8dEzwKs899KgJKSELVImWpj.new
- <Package Folder>/files/####/Y29tLnh6dXNvbi5jaGVzczIucWgzNjA=.tick.lock
- <Package Folder>/files/####/bf1n-wPkCgnowjefe9PgHg==
- <Package Folder>/files/####/bf1n-wPkCgnowjefe9PgHg==.new
- <Package Folder>/files/####/bfea5f72-e8af-454a-bb05-76faeeef0aab.pic.temp
- <Package Folder>/files/####/bxY6DL9fn3Mtppb2sEX5VAMHn2ijnNQiEVS...4=.new
- <Package Folder>/files/####/c9CTk5ZNqWXJ93IPzGCXwLrhjo3pSwy9_H2SGw==.new
- <Package Folder>/files/####/dICuwfgB-8I2ZoqPruZpyw==
- <Package Folder>/files/####/eahc2a73IOgP3lPV2bJHp0doMkKQOpxL.new
- <Package Folder>/files/####/gGoxrp1Q8gGpyZzP.new
- <Package Folder>/files/####/gd7JjIw6TDbvPlLrlK85TQ==
- <Package Folder>/files/####/gd7JjIw6TDbvPlLrlK85TQ==.new
- <Package Folder>/files/####/ghvBsaEBou4ah6EGj2OqxkooZ4_2tT0c-pb...c=.new
- <Package Folder>/files/####/ipOa2V6rWM64f3QiHIYwSqIF25jMesXolN9sow==.new
- <Package Folder>/files/####/l3rfXlVpuzJdoILd7VFxHUbaQrE=
- <Package Folder>/files/####/mxaSwxeBfO78lDb3wjG8vQ==
- <Package Folder>/files/####/mxaSwxeBfO78lDb3wjG8vQ==.new
- <Package Folder>/files/####/n3LfA6NaUKb0X7bQJ1YPd-NxFZk=.new
- <Package Folder>/files/####/pUygHpzIWaQlamc9Jqza5A==
- <Package Folder>/files/####/qTuB5cdGrW5uHGSF.zip
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sCl8zKGXoIwDfAWO0OjeiA5qKrlhCBSt.new
- <Package Folder>/files/####/slOcowxSQzkIQvYp2nJ4e4l_MCy89SMD.new
- <Package Folder>/files/####/smfwzuM6OI7A1CLL57cNfcAat8yyrCNo
- <Package Folder>/files/####/smfwzuM6OI7A1CLL57cNfcAat8yyrCNo.new
- <Package Folder>/files/####/smfwzuM6OI7A1CLL57cNfcAat8yyrCNo.old (deleted)
- <Package Folder>/files/####/sxfyaq_f.zip
- <Package Folder>/files/####/xRwpBQHmsR9LzM4iLzFL81_BsevzfStb.new
- <Package Folder>/files/account_nF5ZDAKwuEFwZS2RmXNmp7dK_079fd1c...c6c91a
- <Package Folder>/files/frameso
- <Package Folder>/files/iapp_crash.txt
- <Package Folder>/files/libcuid.so
- <Package Folder>/files/nF5ZDAKwuEFwZS2RmXNmp7dK__local_except_cache.json
- <Package Folder>/files/nF5ZDAKwuEFwZS2RmXNmp7dK__local_last_session.json
- <Package Folder>/files/nF5ZDAKwuEFwZS2RmXNmp7dK__local_stat_cache.json
- <Package Folder>/files/qhpush_game_stat_log.json
- <Package Folder>/files/qihoo_game_stat_ex.log
- <Package Folder>/files/qihoo_game_stat_log.json
- <Package Folder>/files/rdata_comcssebholz
- <Package Folder>/files/rdata_comcssebholz.new
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/Pay_config.xml
- <Package Folder>/shared_prefs/Pay_config.xml.bak
- <Package Folder>/shared_prefs/QH_DeviceSDK.xml
- <Package Folder>/shared_prefs/QH_SDK_M2.xml
- <Package Folder>/shared_prefs/QH_SDK_UserData.xml
- <Package Folder>/shared_prefs/QH_SDK_UserData.xml.bak
- <Package Folder>/shared_prefs/QH_SDK_UserData02522a2b2726fb0a03...4d.xml
- <Package Folder>/shared_prefs/QH_SDK_UserData02522a2b2726fb0a03...leted)
- <Package Folder>/shared_prefs/QH_SDK_UserData02522a2b2726fb0a03...ml.bak
- <Package Folder>/shared_prefs/QH_SDK_sessionID.xml
- <Package Folder>/shared_prefs/QH_SDK_sessionID.xml.bak
- <Package Folder>/shared_prefs/WukongSDKPre.xml
- <Package Folder>/shared_prefs/__Baidu_Stat_SDK_SendRem.xml
- <Package Folder>/shared_prefs/ad_show_time.xml
- <Package Folder>/shared_prefs/coolcloud_config.xml
- <Package Folder>/shared_prefs/gamecenter_sdk_plugin_pre.xml
- <Package Folder>/shared_prefs/gamecenter_sdk_plugin_pre.xml.bak
- <Package Folder>/shared_prefs/gamecenter_sdk_plugin_pre.xml.bak (deleted)
- <Package Folder>/shared_prefs/iapppay_config.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/qh_login_cfg.xml
- <Package Folder>/shared_prefs/qh_login_cfg.xml.bak
- <Package Folder>/shared_prefs/qhopen_game_session_info.xml
- <Package Folder>/shared_prefs/qhpush_session_info.xml
- <Package Folder>/shared_prefs/qihoo_game_online_conf.xml
- <Package Folder>/shared_prefs/qihoo_game_session_info.xml
- <Package Folder>/shared_prefs/qihoo_game_session_info.xml.bak
- <Package Folder>/shared_prefs/qihoo_hosts_cfg.xml
- <Package Folder>/shared_prefs/qihoo_https_cer_pre.xml
- <Package Folder>/shared_prefs/qihoo_https_cer_pre.xml.bak
- <Package Folder>/shared_prefs/qihoo_jiagu_crash_report.xml
- <Package Folder>/shared_prefs/qlocal_float_sdk_share_preference.xml
- <Package Folder>/shared_prefs/qlocal_float_sdk_share_preference.xml.bak
- <Package Folder>/shared_prefs/sdk_apk_info.xml
- <SD-Card>/.360gamecentersdk/####/3aa12bb0ca606697b898d97993a3320e.png
- <SD-Card>/.armsd/####/24218a93-6f97-4d27-97a9-e7df1d2a9bc3.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/ba4388aa-382d-42a6-80bb-a6c18b07ebc0.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/360/####/02522a2b2726fb0a03bb19f2d8d9524d
- <SD-Card>/360/####/BIS
- <SD-Card>/360/####/BIS (deleted)
- <SD-Card>/360/####/SJy
- <SD-Card>/360/####/SJy (deleted)
- <SD-Card>/360/####/Y29tLnh6dXNvbi5jaGVzczIucWgzNjA=
- <SD-Card>/360/####/Y29tLnh6dXNvbi5jaGVzczIucWgzNjA= (deleted)
- <SD-Card>/360/####/Y29tLnh6dXNvbi5jaGVzczIucWgzNjA=.tmp
- <SD-Card>/360/####/dcsdid.dat
- <SD-Card>/360/.deviceId
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/journal
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/backups/####/.confd
- <SD-Card>/backups/####/.confd-journal
- <SD-Card>/backups/####/.cuid
- <SD-Card>/backups/####/.cuid2
- <SD-Card>/backups/####/.timestamp
- <SD-Card>/data/####/5EC933F67106023291__<Package>
- <SD-Card>/data/####/<Package>
- <SD-Card>/data/####/randId
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/code-3262578/HbCbDaTUECnwsZtq -p <Package> -c com.csseb.holz.uarhaa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 777 /storage/emulated/0/360gamecentersdk/.cache/image
- sh <Package Folder>/code-3262578/HbCbDaTUECnwsZtq -p <Package> -c com.csseb.holz.uarhaa.hi.hi.pw.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Загружает динамические библиотеки:
- cocos2dcpp
- frameso
- libjiagu
- qhsdk
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- DES-CBC-PKCS5Padding
- RSA
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1PADDING
- RSA-ECB-PKCS1Padding
- RSA-None-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- DES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
