Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.611.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) int.d####.s####.####.cn:80
- TCP(HTTP/1.1) gc.mob####.360.cn:80
- TCP(HTTP/1.1) ip.ta####.com:80
- TCP(HTTP/1.1) c.appj####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) d####.iap####.com:8083
- TCP(HTTP/1.1) s####.s.360.cn:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) gs.d####.360.cn:80
- TCP(HTTP/1.1) w####.pcon####.com.cn:80
- TCP(HTTP/1.1) rela####.gam####.360.cn:80
- TCP(HTTP/1.1) 1####.74.95.89:80
- TCP(HTTP/1.1) gn.bule####.cn:6801
- TCP(HTTP/1.1) and####.api.36####.com:80
- TCP(HTTP/1.1) p0.q####.com:80
- TCP(HTTP/1.1) md.ope####.360.cn:80
- TCP(HTTP/1.1) 1####.24.101.108:80
- TCP(HTTP/1.1) p.s.3####.cn:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) da.buywe####.com:80
- TCP(TLS/1.0) m####.360.cn:443
- TCP(TLS/1.0) wild####.al####.com.####.net:443
- TCP 1####.39.205.52:80
Запросы DNS:
- a####.u####.com
- a.appj####.com
- and####.api.36####.com
- api.gam####.360.cn
- c.appj####.com
- d####.iap####.com
- da.buywe####.com
- gc.mob####.360.cn
- gn.bule####.cn
- gs.d####.360.cn
- img.al####.com
- int.d####.s####.####.cn
- ip.ta####.com
- m####.360.cn
- md.ope####.360.cn
- oc.u####.com
- p.s.3####.cn
- p0.q####.com
- p7.q####.com
- ps.d####.360.cn
- rela####.gam####.360.cn
- s####.s.360.cn
- w####.pcon####.com.cn
Запросы HTTP GET:
- and####.api.36####.com/group/?method=####&n=b2xXY####
- md.ope####.360.cn/?product=####&version=####
- rela####.gam####.360.cn/10/popup/activity?appid=####&nonce=####&rkey=F0#...
- rela####.gam####.360.cn/10/popup/activity?appid=####&nonce=####&rkey=Mj#...
- rela####.gam####.360.cn/10/popup/activity?appid=####&nonce=####&rkey=OC#...
- rela####.gam####.360.cn/10/popup/activity?appid=####&nonce=####&rkey=PX#...
- rela####.gam####.360.cn/10/popup/activity?appid=####&nonce=####&rkey=ei#...
- rela####.gam####.360.cn/10/popup/activity?appid=####&nonce=####&rkey=nn#...
- rela####.gam####.360.cn/10/popup/bbs?appid=####&nonce=####&rkey=AD####&s...
- rela####.gam####.360.cn/10/popup/bbs?appid=####&nonce=####&rkey=OB####&s...
- rela####.gam####.360.cn/10/popup/bbs?appid=####&nonce=####&rkey=hT####&s...
- rela####.gam####.360.cn/10/popup/floatconf?appid=####&nonce=####&m2=####...
- rela####.gam####.360.cn/10/popup/gamesetting?appid=####&nonce=####&rkey=...
- rela####.gam####.360.cn/10/popup/notice?appid=####&nonce=####&rkey=Un###...
- rela####.gam####.360.cn/10/popup/notice?appid=####&nonce=####&rkey=d2###...
- rela####.gam####.360.cn/10/popup/notice?appid=####&nonce=####&rkey=oa###...
- rela####.gam####.360.cn/10/popup/popwin?appid=####&nonce=####&rkey=i8###...
- rela####.gam####.360.cn/10/popup/popwin?appid=####&nonce=####&rkey=lK###...
- rela####.gam####.360.cn/10/popup/popwin?appid=####&nonce=####&rkey=uR###...
- rela####.gam####.360.cn/10/system/updatecertificate?appid=####&nonce=###...
- rela####.gam####.360.cn/11/complex/packages?appid=####&nonce=####&rkey=r...
- rela####.gam####.360.cn/11/complex/packages?appid=####&nonce=####&rkey=t...
- rela####.gam####.360.cn/11/complex/packages?appid=####&nonce=####&rkey=z...
- rela####.gam####.360.cn/9/popup/onexit?appid=####&nonce=####&rkey=CF####...
- rela####.gam####.360.cn/9/popup/onexit?appid=####&nonce=####&rkey=Oi####...
Запросы HTTP POST:
- a.appj####.com/jiagu/check/upgrade
- c.appj####.com/ad/splash/stats.html
- gc.mob####.360.cn/gamecenter/failedreport?sdkver=####&appid=####&errcode...
- gn.bule####.cn:6801/bvmain.aspx
- gn.bule####.cn:6801/bvupload.aspx
- gs.d####.360.cn/sendstat
- int.d####.s####.####.cn/iplookup/iplookup.php?format=####
- oc.u####.com/v2/check_config_update
- oc.u####.com/v2/get_update_time
- w####.pcon####.com.cn/ip.jsp
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_kernel/videokernel.apk
- <Package Folder>/app_res_out/VideoRes.apk
- <Package Folder>/app_temp/id
- <Package Folder>/cache/de1f14cb5d0e71f7908848370108e53d_pic
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/Y29tLmh1b3NoZS56enoucWlob28=.tick.lock
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/video_db-journal
- <Package Folder>/files/.imprint
- <Package Folder>/files/exid.dat
- <Package Folder>/files/frameso
- <Package Folder>/files/iapp_crash.txt
- <Package Folder>/files/qhpush_game_stat_log.json
- <Package Folder>/files/qihoo_game_stat_ex.log
- <Package Folder>/files/qihoo_game_stat_log.json
- <Package Folder>/files/statistics.log (deleted)
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/Pay_config.xml
- <Package Folder>/shared_prefs/Pay_config.xml.bak
- <Package Folder>/shared_prefs/QH_DeviceSDK.xml
- <Package Folder>/shared_prefs/QH_SDK_M2.xml
- <Package Folder>/shared_prefs/QH_SDK_UserData.xml
- <Package Folder>/shared_prefs/QH_SDK_UserData.xml.bak
- <Package Folder>/shared_prefs/QH_SDK_UserData02522a2b2726fb0a03...4d.xml
- <Package Folder>/shared_prefs/QH_SDK_UserData02522a2b2726fb0a03...ml.bak
- <Package Folder>/shared_prefs/QH_SDK_sessionID.xml
- <Package Folder>/shared_prefs/QH_SDK_sessionID.xml.bak
- <Package Folder>/shared_prefs/WukongSDKPre.xml
- <Package Folder>/shared_prefs/ad_show_time.xml
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/coolcloud_config.xml
- <Package Folder>/shared_prefs/gamecenter_sdk_plugin_pre.xml
- <Package Folder>/shared_prefs/gamecenter_sdk_plugin_pre.xml.bak
- <Package Folder>/shared_prefs/iapppay_config.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/onlineconfig_agent_online_setting...e>.xml
- <Package Folder>/shared_prefs/qhopen_game_session_info.xml
- <Package Folder>/shared_prefs/qhpush_session_info.xml
- <Package Folder>/shared_prefs/qihoo_game_online_conf.xml
- <Package Folder>/shared_prefs/qihoo_game_session_info.xml
- <Package Folder>/shared_prefs/qihoo_game_session_info.xml.bak
- <Package Folder>/shared_prefs/qihoo_game_session_info.xml.bak (deleted)
- <Package Folder>/shared_prefs/qihoo_hosts_cfg.xml
- <Package Folder>/shared_prefs/qihoo_hosts_cfg.xml.bak
- <Package Folder>/shared_prefs/qihoo_https_cer_pre.xml
- <Package Folder>/shared_prefs/qihoo_https_cer_pre.xml.bak
- <Package Folder>/shared_prefs/qihoo_jiagu_crash_report.xml
- <Package Folder>/shared_prefs/sdk_apk_info.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/360/####/02522a2b2726fb0a03bb19f2d8d9524d
- <SD-Card>/360/####/9rO
- <SD-Card>/360/####/9rO (deleted)
- <SD-Card>/360/####/N3F
- <SD-Card>/360/####/N3F (deleted)
- <SD-Card>/360/####/Y29tLmh1b3NoZS56enoucWlob28=
- <SD-Card>/360/####/Y29tLmh1b3NoZS56enoucWlob28= (deleted)
- <SD-Card>/360/####/dcsdid.dat
- <SD-Card>/360/####/iZH
- <SD-Card>/360/####/iZH (deleted)
- <SD-Card>/360/.deviceId
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/journal
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/data/####/5EC88295048DDD61AB__<Package>
- <SD-Card>/data/####/<Package>
- <SD-Card>/data/####/randId
- <SD-Card>/play/####/kernel-1.dat
- <SD-Card>/play/####/kernel-2.dat
- <SD-Card>/play/####/kernel.dat
- <SD-Card>/sdtmp/id14e2a6479-2991-4b34-bd27-acf4b4f659cb.tmp
- <SD-Card>/sdtmp/id15cc441a1-f37a-4cdf-9517-9493f1c07661.tmp
- <SD-Card>/sdtmp/id1afcd2fa1-efc8-4f37-81d7-16d417e1b83b.tmp
- <SD-Card>/sdtmp/id1d3bac962-25de-45df-85c6-678c11be5f99.tmp
- <SD-Card>/sdtmp/id229c3871b-105d-4eb5-8776-18ca97a129a3.tmp
- <SD-Card>/sdtmp/id283655bc7-10e2-4466-acc7-dc786b74a138.tmp
- <SD-Card>/sdtmp/id2b32c4b57-3083-4463-ab34-883b405d689c.tmp
- <SD-Card>/sdtmp/id2bbd87ad2-6b33-43e3-a1ed-fbccdb72a129.tmp
Другие:
Запускает следующие shell-скрипты:
- cat /sys/class/net/wlan0/address
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 777 /storage/emulated/0/360gamecentersdk/.cache/image
Загружает динамические библиотеки:
- frameso
- gdx
- libjiagu
- qhsdk
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- DES-CBC-PKCS5Padding
- RSA
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1PADDING
- RSA-None-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- DES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
