Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.20
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) 3####.picc####.i####.tv:80
- TCP(HTTP/1.1) log.v2.hun####.com:80
- TCP(HTTP/1.1) i2.hun####.com:80
- TCP(HTTP/1.1) go.1mi####.cn:80
- TCP(HTTP/1.1) d.xiongj####.com.####.com:80
- TCP(HTTP/1.1) 0####.picc####.i####.tv:80
- TCP(HTTP/1.1) 1####.h####.i####.tv:80
- TCP(HTTP/1.1) mo####.log.hun####.com:80
- TCP(HTTP/1.1) q.q####.cn:80
- TCP(HTTP/1.1) b.scoreca####.com.####.net:80
- TCP(HTTP/1.1) statson####.pu####.b####.com:80
- TCP(HTTP/1.1) geo.gridsum####.com:80
- TCP(HTTP/1.1) 1####.picc####.i####.tv:80
- TCP(HTTP/1.1) 4####.h####.com.####.com:80
- TCP(HTTP/1.1) 2####.h####.i####.tv:80
- TCP(HTTP/1.1) mo####.api.hun####.com:80
- TCP(HTTP/1.1) com####.hun####.com:80
- TCP(HTTP/1.1) x.da.hun####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) s.wagbr####.alibaba####.com:80
- TCP(HTTP/1.1) c####.im.qq.com:80
- TCP(HTTP/1.1) 3####.h####.i####.tv:80
- TCP(HTTP/1.1) 0####.h####.i####.tv:80
- TCP(HTTP/1.1) apilo####.a####.com:80
- TCP(HTTP/1.1) www.ty####.cn:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) av####.img.hun####.com:80
- TCP(HTTP/1.1) api.tui####.b####.com:80
- TCP(HTTP/1.1) e####.h####.com.####.com:80
- TCP(HTTP/1.1) rc.mpp.hun####.com:80
- TCP(HTTP/1.1) av####.h####.com.####.com:80
- TCP(HTTP/1.1) 2####.243.193.32:80
- TCP 2####.108.23.105:5287
Запросы DNS:
- 0####.h####.com
- 0####.m####.com
- 1####.h####.com
- 1####.m####.com
- 2####.h####.com
- 2####.m####.com
- 3####.h####.com
- 3####.m####.com
- 4####.h####.com
- a####.tui####.b####.com
- a####.u####.com
- api####.a####.com
- api.tui####.b####.com
- au.u####.com
- av####.h####.com
- av####.img.hun####.com
- b.scoreca####.com
- c####.im.qq.com
- com####.hun####.com
- d.xiongj####.com.cn
- e####.h####.com
- geo.gridsum####.com
- go.1mi####.cn
- i1.hun####.com
- i2.hun####.com
- i5.hun####.com
- log.v2.hun####.com
- mo####.api.hun####.com
- mo####.log.hun####.com
- oc.u####.com
- p2.hun####.com
- q.q####.cn
- rc.mpp.hun####.com
- sa7.tui####.b####.com
- statson####.pu####.b####.com
- www.ty####.cn
- x.da.hun####.com
Запросы HTTP GET:
- d.xiongj####.com.####.com/jfile/ter.jar
- e####.h####.com.####.com/2/mava2_GCtYA4rOloai6T74yEIwZ0wruR8odjad.jpg
- geo.gridsum####.com/v2/g.aspx
Запросы HTTP POST:
- apilo####.a####.com/v3/log/init
- c####.im.qq.com/cgi-bin/cgi_svrtime
- oc.u####.com/check_config_update
- s.wagbr####.alibaba####.com/api/check_app_update
- www.ty####.cn/n
- x.da.hun####.com/json/app/boot
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_push_lib/plugin-deploy.jar
- <Package Folder>/app_push_lib/plugin-deploy.key
- <Package Folder>/databases/ImgoPad-journal
- <Package Folder>/databases/downloadswc
- <Package Folder>/databases/downloadswc-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/.imprint
- <Package Folder>/files/MV3Plugin.ini
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>.push_sync.xml
- <Package Folder>/shared_prefs/<Package>.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/GridsumCommon.xml
- <Package Folder>/shared_prefs/GridsumCommon.xml.bak
- <Package Folder>/shared_prefs/MGTVCommon.xml
- <Package Folder>/shared_prefs/MGTVCommon.xml.bak
- <Package Folder>/shared_prefs/W_Key.xml
- <Package Folder>/shared_prefs/cSPrefs.xml
- <Package Folder>/shared_prefs/dbVersion.xml
- <Package Folder>/shared_prefs/last_know_location.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/pst.xml
- <Package Folder>/shared_prefs/st.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/z.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/115r0skoayiguinvwiwrjg9us.tmp
- <SD-Card>/Android/####/122dnk4420mch39s69ggfi0i5.tmp
- <SD-Card>/Android/####/14cyn7kqe43dt17jr3vlkqzva
- <SD-Card>/Android/####/1511b1a7xxx548bkb5smecszo.tmp
- <SD-Card>/Android/####/160qh9od3nkw4o317gtyfcd3t.tmp
- <SD-Card>/Android/####/1biuuh4a6ms2jxgwg3f5s1jou.tmp
- <SD-Card>/Android/####/1f4anvdsuzcslt9d9xbyywhwa
- <SD-Card>/Android/####/1ie4w4wbn9oblfz4jzzr0wydy.tmp
- <SD-Card>/Android/####/1phnyir9i7zi3e39p4mdspc2q.tmp
- <SD-Card>/Android/####/1q0spjq75ryh2sex221jgxwco.tmp
- <SD-Card>/Android/####/1r4t0flpkd5lua7xtxjzs9zfa.tmp
- <SD-Card>/Android/####/1xhn8b84vv1q9aepl6ic4dllg.tmp
- <SD-Card>/Android/####/1zrjg1a2hz462b8hm4xqhh9al.tmp
- <SD-Card>/Android/####/204vqa9l773vx1szh35nbrmb1.tmp
- <SD-Card>/Android/####/22tb4m17yo2nikw055yhky735.tmp
- <SD-Card>/Android/####/25xbpyvzykto15yv178hw9fii.tmp
- <SD-Card>/Android/####/26es1urbyn6vvxds09s6mas11.tmp
- <SD-Card>/Android/####/27o7jkwoaecuw0hfd3hxtr1go.tmp
- <SD-Card>/Android/####/2doukac3aa5m0zzg3qck939pi.tmp
- <SD-Card>/Android/####/2gendrxu4vlnml9y5v60htyrc.tmp
- <SD-Card>/Android/####/2jj7pejv2zrc7dp1ejo6k8nmx.tmp
- <SD-Card>/Android/####/2n2a1ck3aezebigkqnvm375m9.tmp
- <SD-Card>/Android/####/2niiz8ibmudh2h4rwxkst32pk.tmp
- <SD-Card>/Android/####/2pao3cphcjsuhyo8vreos7ha1.tmp
- <SD-Card>/Android/####/2sgx5yr5c22oiygs5hmu8niz3.tmp
- <SD-Card>/Android/####/2vm0k0uuj33brlt2erq3a4nyf.tmp
- <SD-Card>/Android/####/2wjezzxud6mbc8rec1okn9yin.tmp
- <SD-Card>/Android/####/2z8tpfetm686mlb7d57esaja6.tmp
- <SD-Card>/Android/####/31q1o10b3tbs1feng246ooju5.tmp
- <SD-Card>/Android/####/34bpg7s12h42suuv7zkwbj8pg.tmp
- <SD-Card>/Android/####/354880jqtpxb5mspm1fc0nx0v.tmp
- <SD-Card>/Android/####/35wohz49gn06ej6xfuljpqzyt.tmp
- <SD-Card>/Android/####/3cxau6lkhphaqael3or7xpgsb.tmp
- <SD-Card>/Android/####/3hnmazrre90gkga8v3ajqa2hs.tmp
- <SD-Card>/Android/####/3lt3w0ili4n9qlc9t7l8opxvb.tmp
- <SD-Card>/Android/####/3lt54q0sew9tiw3m27i7rfpl3.tmp
- <SD-Card>/Android/####/3pdn7r6njj94dwetwt3losg85.tmp
- <SD-Card>/Android/####/3pxe10etkjc2lhpqmv5f2vhbu.tmp
- <SD-Card>/Android/####/3rqj2aoidz4ui24k1dd6ohol8.tmp
- <SD-Card>/Android/####/3wyyo6i55ikamf4jvwy05l0l0.tmp
- <SD-Card>/Android/####/3x3wzz1618cr7a6mlbv8l1k9f.tmp
- <SD-Card>/Android/####/3yup2g6mph4io1ymjblrxcrn9.tmp
- <SD-Card>/Android/####/42uchrew6cufcg9by94leglwk.tmp
- <SD-Card>/Android/####/46csuq3xklmu2psspbcd1k1vu
- <SD-Card>/Android/####/46edndavffyarmq3sebw8b8tj.tmp
- <SD-Card>/Android/####/4771rxsejwsu12chbtu7bbuin.tmp
- <SD-Card>/Android/####/49xessnxswpqih0aybj5jy4no.tmp
- <SD-Card>/Android/####/4fn1z8gf3v2nwyyznngvungmj.tmp
- <SD-Card>/Android/####/4fn47oxav924lke5nhf25hk0l.tmp
- <SD-Card>/Android/####/4jm2udzf0ymkzcfqnf7w6arer.tmp
- <SD-Card>/Android/####/4lhxmb3cu0gpncopw5ijdqrqy.tmp
- <SD-Card>/Android/####/4pqitw151e7wnhr7vstdusglh.tmp
- <SD-Card>/Android/####/4qejmx8zad2lky09zoebqb393.tmp
- <SD-Card>/Android/####/4rdc83e37tfjh8l4ajx709wgn.tmp
- <SD-Card>/Android/####/4vu87ytguq4cjnajr4y0htoey.tmp
- <SD-Card>/Android/####/52fgxignc7ylm95emyxx2l876.tmp
- <SD-Card>/Android/####/52tve34x41knie4pgvymd08pa.tmp
- <SD-Card>/Android/####/5an7g6bs7jr4z0cq5ij8ddla3
- <SD-Card>/Android/####/5jfwzbt466hckpy7ovsnhd7ty.tmp
- <SD-Card>/Android/####/5o4lnznsb68gl3qq6l3lxpgn3.tmp
- <SD-Card>/Android/####/5qseamofp0855guqymk0blbp7.tmp
- <SD-Card>/Android/####/5s2fcx70efn0j7rcnsobofpzd.tmp
- <SD-Card>/Android/####/5u696adm5d7epvgggc56mahm7.tmp
- <SD-Card>/Android/####/5uhqd44a58o75ac6ex6ulz8ic.tmp
- <SD-Card>/Android/####/5v9v7tr014zuiqu59q5jlwnmt.tmp
- <SD-Card>/Android/####/5wjlzxon0500zoqniwsly30aw.tmp
- <SD-Card>/Android/####/5xw3ng9xeqq1otl1j9tw8txvr.tmp
- <SD-Card>/Android/####/5y7hr4nihri58j6xuv0xfmg32.tmp
- <SD-Card>/Android/####/611e3m2wp8c02gezhs98ezu6y.tmp
- <SD-Card>/Android/####/61bt6dyd2f6f8vlx6z3cnmzwj
- <SD-Card>/Android/####/64of28lh2jkmuxymbp2s7jxzm.tmp
- <SD-Card>/Android/####/66bjpybbf3nv95yu7zv3wp4fk
- <SD-Card>/Android/####/6aqmg943t7hbvf0mts0g8tp4c.tmp
- <SD-Card>/Android/####/6ccs1qdi1hwdfb96q5i8lal5f.tmp
- <SD-Card>/Android/####/6cfhzlkujzq9ysoqzyp92ijo6.tmp
- <SD-Card>/Android/####/6hhs49v2g8rrnpwy2vqobug4m.tmp
- <SD-Card>/Android/####/6ilwnihde865pmmr5ch69hw3k.tmp
- <SD-Card>/Android/####/6t654ke74j3mufp0oobrc2l3x.tmp
- <SD-Card>/Android/####/6uxrumpwjv25opya2uso7cie7.tmp
- <SD-Card>/Android/####/6vrhi6xb1v0avyoknqzbs2dwv.tmp
- <SD-Card>/Android/####/6wujr1r3l6fdfr3y2as57p3gu
- <SD-Card>/Android/####/74d3onzoq33qkzo5mbxiztzuf.tmp
- <SD-Card>/Android/####/7550idtxop7ipjnybi73ali9y.tmp
- <SD-Card>/Android/####/7684qs42dcqcmwdj4xah70k7o.tmp
- <SD-Card>/Android/####/7bacltsh4jo03tsjx3pe6i1dx.tmp
- <SD-Card>/Android/####/7hkta86abyki1a39ibbkiyh9p.tmp
- <SD-Card>/Android/####/7iktxz81e49rmeovdycc4cvt7
- <SD-Card>/Android/####/8nso9lxvgpnmk1jkrmxzjzfs.tmp
- <SD-Card>/Android/####/a96m9kvmjpvjerbm5bh77lvb.tmp
- <SD-Card>/Android/####/i6nf207n7mi82zsfb3o5urxs.tmp
- <SD-Card>/Android/####/jmhe27r07pqbk99oqsho9e61.tmp
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/Android/####/omiocd9zif94sv1yfj03rumf.tmp
- <SD-Card>/Android/####/qcl1326pusiqarlehsrm4fxc.tmp
- <SD-Card>/Android/####/qn8mmfb77jmlqpsohqfcb06p.tmp
- <SD-Card>/Android/####/tt46riymjpavyzonj7rnlfhy.tmp
- <SD-Card>/Android/####/yjofo67hecdbbdd0zebr9f4p.tmp
- <SD-Card>/Android/####/zdd6xzivu9kntfn1lzg9jtby.tmp
- <SD-Card>/Download/####/5.0ter.jar
- <SD-Card>/baidu/####/apps
- <SD-Card>/baidu/####/lightapp_V4.db
- <SD-Card>/baidu/####/lightapp_V4.db-journal
- <SD-Card>/baidu/####/pushlappv2.db
- <SD-Card>/baidu/####/pushlappv2.db-journal
- <SD-Card>/baidu/####/pushstat_4.4.db
- <SD-Card>/baidu/####/pushstat_4.4.db-journal
- <SD-Card>/baidu/.cuid
- <SD-Card>/dt/restime.dat
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- bdpush_V2_2
- bspatch
- libjiagu
- libmv3_common
- libmv3_jni
- libmv3_jni_4.0
- libmv3_mpplat
- libmv3_platform
- libmv3_playerbase
- yfnet_mongotv
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1PADDING
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- RSA-ECB-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
