Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.127.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) i.p####.com:80
- TCP(HTTP/1.1) sr4.pp####.cn:80
- TCP(HTTP/1.1) m.p####.com:80
- TCP(HTTP/1.1) mo####.b####.com:80
- TCP(HTTP/1.1) ub####.baidust####.com:80
- TCP(HTTP/1.1) v.p####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) fp.su####.com.####.com:80
- TCP(HTTP/1.1) api.pass####.p####.com:80
- TCP(HTTP/1.1) mobi####.jom####.com:80
- TCP(HTTP/1.1) wn.pos.b####.com:80
- TCP(HTTP/1.1) fuciyua####.biaoqin####.com:80
- TCP(HTTP/1.1) as.a####.p####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) m.b####.com:80
- TCP(HTTP/1.1) mobads-####.b####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) res.su####.cn.####.com:80
- TCP(HTTP/1.1) w####.p####.com.####.com:80
- TCP(HTTP/1.1) fupi####.biaoqin####.com.####.com:80
- TCP(HTTP/1.1) s####.su####.com.####.com:80
- TCP(TLS/1.0) aserver####.m.ta####.com:443
- TCP(TLS/1.0) fp.su####.com.####.com:443
Запросы DNS:
- a####.u####.com
- a.appj####.com
- ap####.sc.p####.com
- api.pass####.p####.com
- api.y####.com
- aplu####.p####.com
- as.a####.p####.com
- dt.su####.com
- fp.su####.com
- fuciyua####.biaoqin####.com
- fuciyua####.biaoqin####.com
- fupi####.biaoqin####.com
- hm.b####.com
- i.p####.com
- m.b####.com
- m.p####.com
- mo####.b####.com
- mobads-####.b####.com
- mobads-####.b####.com
- mt####.go####.com
- oc.u####.com
- pl####.a####.p####.com
- res.su####.cn
- s####.su####.com
- s1.pp####.cn
- sr1.pp####.com
- sr2.pp####.com
- sr3.pp####.com
- sr4.pp####.cn
- sr4.pp####.com
- sta####.pp####.cn
- u####.biaoqin####.com
- u.zntia####.com
- u1.zntia####.com
- u2.zntia####.com
- ub####.baidust####.com
- v.p####.com
- web.d####.pp####.com
- wn.pos.b####.com
Запросы HTTP GET:
- api.pass####.p####.com/checkShow?cb=####&channel=####&sceneFlag=####&for...
- api.pass####.p####.com/phoneRegister?cb=####&phoneNum=####&passwo####&sc...
- fuciyua####.biaoqin####.com/fuciyuan/v1//videov1main_1.json?plat=####&ve...
- fuciyua####.biaoqin####.com/search?key=####&plat=####&ver=####&uid=####&...
- hm.b####.com/hm.js?3c5dd86####
- mo####.b####.com/ads/pa/7/__pasys_remote_banner.php??b####&osand####&v##...
- mo####.b####.com/cpro/ui/mads.php?code2=####
- mobads-####.b####.com/dz.zb?type=####&dlWay=####&ts=####&pack=####&dlCnt...
- mobads-####.b####.com/dz.zb?type=####&sn=####&t=####&ts=####&v=####&vd=#...
- mobi####.jom####.com/upload/apps/NewsArticle_baidu_dsp28_and6_v1.0.0_a94...
- res.su####.cn.####.com/project/ssa/script/2aaef4fe-a99f-49a3-9fc3-fbc9d0...
- ub####.baidust####.com/media/v1/0f000nTw6xrV2f9Xpq-CE0.jpg
- w####.p####.com.####.com/cms/11/62/2e3be409ff9e3d5a73afb73282fe6b99.png
- w####.p####.com.####.com/cms/41/18/ca7a696ec8dbf0d6ad9adcc8d6ef0f59.png
- w####.p####.com.####.com/mcms/footer/download/1469704704023.jpg
- w####.p####.com.####.com/mcms/footer/download/1469704737595.jpg
- w####.p####.com.####.com/mobile/msite/v_20170509113807/dist/assets/heade...
- w####.p####.com.####.com/mobile/msite/v_20170908101546/dist/assets/sprit...
- w####.p####.com.####.com/mobile/msite/v_20170908101546/dist/assets/verti...
- w####.p####.com.####.com/mobile/msite/v_20170908101546/dist/css/common.css
- w####.p####.com.####.com/mobile/msite/v_20170908101546/dist/css/style-vo...
- w####.p####.com.####.com/mobile/msite/v_20170908101546/dist/css/style.css
- w####.p####.com.####.com/mobile/msite/v_20170908101546/dist/swiper.js
- w####.p####.com.####.com/mobile/msite/v_20170908101546/dist/vendor.js
- w####.p####.com.####.com/mobile/msite/v_20170908101546/dist/vod.js
- w####.p####.com.####.com/pub/weixin/v_20170602145855/wxajax.js
- w####.p####.com.####.com/sta.js?debug=####
- w####.p####.com.####.com/website/common/analytics/v_20170908110915/dist/...
- w####.p####.com.####.com/website/common/user/v_20170907185323/dist/asset...
- w####.p####.com.####.com/website/common/user/v_20170907185323/dist/css/m...
- w####.p####.com.####.com/website/common/user/v_20170907185323/dist/login...
- w####.p####.com.####.com/website/common/user/v_20170907185323/dist/regis...
- w####.p####.com.####.com/website/common/user/v_20170907185323/dist/vendo...
- wn.pos.b####.com/adx.php?c=####&ext=####
Запросы HTTP POST:
- a.appj####.com/ad-service/ad/mark
- fuciyua####.biaoqin####.com/uplog?ver=####&uid=####&sid=####&app=####
- oc.u####.com/v2/check_config_update
- oc.u####.com/v2/get_update_time
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_baidu_ad_sdk/__xadsdk__remote__final__builtin__.jar
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/app_plugin/PlayerUIApk.apk
- <Package Folder>/app_ruxzclasses.jar
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/index
- <Package Folder>/databases/dbqtljv-journal
- <Package Folder>/databases/funvcomic.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-jou...leted)
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/.imprint
- <Package Folder>/files/__sdk_m_0f000nTw6xrV2f9Xpq-CE0.jpg
- <Package Folder>/files/mobclick_agent_cached_<Package>50
- <Package Folder>/files/nlz
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/AppInfo.xml
- <Package Folder>/shared_prefs/AppStore.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/__sdk_remote_dl_2.xml
- <Package Folder>/shared_prefs/__x_adsdk_agent_header__.xml
- <Package Folder>/shared_prefs/analytics_agent_header_.xml
- <Package Folder>/shared_prefs/com.baidu.mobads.loader.xml
- <Package Folder>/shared_prefs/install_sent.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/umeng_feedback_user_info.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_message_state.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/Funvking/####/-1002467377.jpg
- <SD-Card>/Funvking/####/-1057758762.jpg
- <SD-Card>/Funvking/####/-1072650289.jpg
- <SD-Card>/Funvking/####/-1455792010.jpg
- <SD-Card>/Funvking/####/-1646140817.jpg
- <SD-Card>/Funvking/####/-1681232273.jpg
- <SD-Card>/Funvking/####/-1756789128.jpg
- <SD-Card>/Funvking/####/-1845058417.jpg
- <SD-Card>/Funvking/####/-1919660356.jpg
- <SD-Card>/Funvking/####/-1924673482.jpg
- <SD-Card>/Funvking/####/-1962717524.jpg
- <SD-Card>/Funvking/####/-2008884561.jpg
- <SD-Card>/Funvking/####/-2051544628-316799939.5184000_2017_10_0...32.dat
- <SD-Card>/Funvking/####/-219359438.jpg
- <SD-Card>/Funvking/####/-230059249.jpg
- <SD-Card>/Funvking/####/-722291284.jpg
- <SD-Card>/Funvking/####/-791763376.jpg
- <SD-Card>/Funvking/####/1021442572.jpg
- <SD-Card>/Funvking/####/1025406610
- <SD-Card>/Funvking/####/1396015500.jpg
- <SD-Card>/Funvking/####/1658472444.jpg
- <SD-Card>/Funvking/####/1838553472.jpg
- <SD-Card>/Funvking/####/187710210.jpg
- <SD-Card>/Funvking/####/2095458050.jpg
- <SD-Card>/Funvking/####/455821402
- <SD-Card>/Funvking/####/671083567.jpg
- <SD-Card>/Funvking/####/870001167.jpg
- <SD-Card>/Funvking/####/962890796.jpg
- <SD-Card>/Funvking/####/986351116.jpg
- <SD-Card>/Funvking/####/990167062.jpg
- <SD-Card>/Funvking/####/999478561
- <SD-Card>/bddownload/5e50a389439a6468bed49e29d05b3bd3.apk.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- libjiagu
- luajava
- rlgc
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- DES-ECB-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
