Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.127.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) a####.x####.com.####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) tinyq####.ove####.b0.####.com:80
- TCP(HTTP/1.1) f####.x####.com.####.com:80
- TCP(HTTP/1.1) mo####.xima####.com.####.com:80
- TCP(HTTP/1.1) p####.tc.qq.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) d.g####.qq.com:80
- TCP(HTTP/1.1) c.appj####.com:80
- TCP(HTTP/1.1) s####.e.qq.com:80
- TCP(HTTP/1.1) www.so####.com:80
- TCP(HTTP/1.1) c.g####.qq.com:80
- TCP(HTTP/1.1) v.g####.qq.com:80
- TCP(HTTP/1.1) mi.g####.qq.com:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(TLS/1.0) aserver####.m.ta####.com:443
Запросы DNS:
- a####.u####.com
- a####.x####.com
- a.appj####.com
- api.y####.com
- c.appj####.com
- c.g####.qq.com
- d.g####.qq.com
- f####.x####.com
- img####.er####.com
- imgc####.qq.com
- l####.tbs.qq.com
- mi.g####.qq.com
- mo####.xima####.com
- p####.g####.cn
- qzones####.g####.cn
- s####.e.qq.com
- v.g####.qq.com
- www.so####.com
Запросы HTTP GET:
- a####.x####.com.####.com/group30/M00/9A/CC/wKgJWlnPID2gwO0hAAm6ybb2bos97...
- a####.x####.com.####.com/group30/M02/28/AB/wKgJXlnMSKGD8EjnAAsv2UlhJoo83...
- c.g####.qq.com/gdt_mclick.fcg?viewid=####&jtype=####&i=####&os=####&asi=...
- d.g####.qq.com/fcg-bin/gdt_appdetail.fcg?ico=####&op_appid=####
- mi.g####.qq.com/gdt_mview.fcg?posw=####&posh=####&count=####&r=####&data...
- mo####.xima####.com.####.com/mobile/discovery/v1/category/album?calcDime...
- mo####.xima####.com.####.com/mobile/others/ca/album/track/3913326/true/1...
- mo####.xima####.com.####.com/mobile/others/ca/album/track/3913326/true/2...
- tinyq####.ove####.b0.####.com/video/10_20170413120210_p4cy.png
- tinyq####.ove####.b0.####.com/video/15_20170413120211_8zqu.png
- tinyq####.ove####.b0.####.com/video/18_20170413120211_kaf6.png
- tinyq####.ove####.b0.####.com/video/2661_20170413120731_gpic.png
- tinyq####.ove####.b0.####.com/video/2700_20170413120737_zkxh.png
- tinyq####.ove####.b0.####.com/video/41_20170413120212_pam1.png
- tinyq####.ove####.b0.####.com/video/4687_20170413121153_ggsj.jpg
- tinyq####.ove####.b0.####.com/video/4704_20170413121155_gcja.jpg
- tinyq####.ove####.b0.####.com/video/4759_20170413121208_xsxd.jpg
- tinyq####.ove####.b0.####.com/video/4824_20170413121218_s0yb.jpg
- tinyq####.ove####.b0.####.com/video/4826_20170413121218_defe.jpg
- tinyq####.ove####.b0.####.com/video/4827_20170413121218_nbvd.jpg
- tinyq####.ove####.b0.####.com/video/4839_20170413121219_l7nh.jpg
- tinyq####.ove####.b0.####.com/video/4843_20170413121220_fprt.jpg
- tinyq####.ove####.b0.####.com/video/4849_20170413121221_2jxu.jpg
- tinyq####.ove####.b0.####.com/video/4855_20170413121222_zwxe.jpg
- tinyq####.ove####.b0.####.com/video/4857_20170413121222_ml9o.jpg
- tinyq####.ove####.b0.####.com/video/4859_20170413121222_6rem.jpg
- tinyq####.ove####.b0.####.com/video/4865_20170413121223_pm1v.jpg
- tinyq####.ove####.b0.####.com/video/4869_20170413121223_nedt.jpg
- tinyq####.ove####.b0.####.com/video/4873_20170413121224_eugb.jpg
- tinyq####.ove####.b0.####.com/video/4882_20170413121225_rtif.jpg
- tinyq####.ove####.b0.####.com/video/4890_20170413121227_jlsh.jpg
- tinyq####.ove####.b0.####.com/video/5097_20170413121241_iqzo.png
- tinyq####.ove####.b0.####.com/video/5098_20170413121241_hobf.png
- tinyq####.ove####.b0.####.com/video/5675_20170413121328_iqui.jpg
- tinyq####.ove####.b0.####.com/video/5825_20170413121355_nyl9.png
- tinyq####.ove####.b0.####.com/video/6361_20170413121607_2u7n.jpg
- tinyq####.ove####.b0.####.com/video/6_20170413120209_6mpa.png
- tinyq####.ove####.b0.####.com/video/9690_20170413122411_sjh0.png
- www.so####.com/dync/qqsdkv7.jar
- www.so####.com/factory/appadsdk.php?pkg=####&v=####
- www.so####.com/factory/appplaylist.php?p=####&pl=####&kw=####&v=####&pag...
- www.so####.com/factory/appupgrade.php?pkg=####&v=####
- www.so####.com/factory/mobile_erge.php?pkg=####&v=####
Запросы HTTP POST:
- a.appj####.com/jiagu/check/upgrade
- c.appj####.com/ad/splash/stats.html
- l####.tbs.qq.com/ajax?c=####&v=####&k=####
- s####.e.qq.com/activate
- s####.e.qq.com/click
- v.g####.qq.com/gdt_stats.fcg
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_dex/qqsdkv7.jar
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.jar
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.jar.sig
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.next.sig
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.tmp
- <Package Folder>/app_e_qq_com_plugin/update_lc
- <Package Folder>/app_e_qq_com_setting/devCloudSetting.cfg
- <Package Folder>/app_e_qq_com_setting/devCloudSetting.sig
- <Package Folder>/app_e_qq_com_setting/gdt_suid
- <Package Folder>/app_e_qq_com_setting/sdkCloudSetting.cfg
- <Package Folder>/app_e_qq_com_setting/sdkCloudSetting.sig
- <Package Folder>/app_outdex/qqsdkv7.dex
- <Package Folder>/app_plugin/PlayerUIApk.apk
- <Package Folder>/app_tbs/####/core_info
- <Package Folder>/app_tbs/####/debug.conf
- <Package Folder>/app_tbs/####/tbscoreinstall.txt
- <Package Folder>/app_tbs/####/tbslock.txt
- <Package Folder>/cache/####/-126677722
- <Package Folder>/cache/####/-126707513
- <Package Folder>/cache/####/-1927304184
- <Package Folder>/cache/####/1149573080
- <Package Folder>/cache/####/226889498
- <Package Folder>/cache/####/98404
- <Package Folder>/cache/####/ApplicationCache.db-journal (deleted)
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/index
- <Package Folder>/databases/GDTSDK.db
- <Package Folder>/databases/GDTSDK.db-journal
- <Package Folder>/databases/bebehttp.db-journal
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/.imprint
- <Package Folder>/files/exid.dat
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/BuglySdkInfos.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/ad_show_time.xml
- <Package Folder>/shared_prefs/analytics_agent_header_.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/platform.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/bebe/####/-1110857368.tmp
- <SD-Card>/bebe/####/-1118413061
- <SD-Card>/bebe/####/-1118413061.tmp
- <SD-Card>/bebe/####/-1119150555.tmp
- <SD-Card>/bebe/####/-1125787067
- <SD-Card>/bebe/####/-1125787067.tmp
- <SD-Card>/bebe/####/-1257499550.tmp
- <SD-Card>/bebe/####/-1354992499
- <SD-Card>/bebe/####/-1382165714.tmp
- <SD-Card>/bebe/####/-1427022782.tmp
- <SD-Card>/bebe/####/-1448325019.tmp
- <SD-Card>/bebe/####/-1470086747.tmp
- <SD-Card>/bebe/####/-1728433284
- <SD-Card>/bebe/####/-1728433284.tmp
- <SD-Card>/bebe/####/-1789028510.tmp
- <SD-Card>/bebe/####/-1824525664
- <SD-Card>/bebe/####/-1837935801
- <SD-Card>/bebe/####/-1837935801.tmp
- <SD-Card>/bebe/####/-1943262584
- <SD-Card>/bebe/####/-1943262584 (deleted)
- <SD-Card>/bebe/####/-2029966213.tmp
- <SD-Card>/bebe/####/-2131918503.tmp
- <SD-Card>/bebe/####/-497870277.tmp
- <SD-Card>/bebe/####/-717202477.tmp
- <SD-Card>/bebe/####/-760477422
- <SD-Card>/bebe/####/-900505970
- <SD-Card>/bebe/####/1007634524
- <SD-Card>/bebe/####/1007634524.tmp
- <SD-Card>/bebe/####/1023303070.tmp
- <SD-Card>/bebe/####/1039970946.tmp
- <SD-Card>/bebe/####/1130478630.tmp
- <SD-Card>/bebe/####/1297413751.tmp
- <SD-Card>/bebe/####/1300594917
- <SD-Card>/bebe/####/1300594917.tmp
- <SD-Card>/bebe/####/1487002273.tmp
- <SD-Card>/bebe/####/1590012879.tmp
- <SD-Card>/bebe/####/1619675056.tmp
- <SD-Card>/bebe/####/1637813126.tmp
- <SD-Card>/bebe/####/1795536812.tmp
- <SD-Card>/bebe/####/185953928.tmp
- <SD-Card>/bebe/####/1876823708
- <SD-Card>/bebe/####/2019902054
- <SD-Card>/bebe/####/2019902054.tmp
- <SD-Card>/bebe/####/2043804117.tmp
- <SD-Card>/bebe/####/291035829.tmp
- <SD-Card>/bebe/####/329573426.tmp
- <SD-Card>/bebe/####/565388011
- <SD-Card>/bebe/####/565388011.tmp
- <SD-Card>/bebe/####/582726151.tmp
- <SD-Card>/bebe/####/65620071.tmp
- <SD-Card>/bebe/####/789421193
- <SD-Card>/bebe/####/789421193.tmp
- <SD-Card>/bebe/####/831163347.tmp
- <SD-Card>/bebe/####/842745975.tmp
- <SD-Card>/bebe/####/855052490.tmp
- <SD-Card>/bebe/####/872473457.tmp
- <SD-Card>/bebe/####/909692010
- <SD-Card>/bebe/####/909692010.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.product.cpu.abi
- mount
Загружает динамические библиотеки:
- libjiagu
- luajava
- sunpake
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
- DESede-ECB-PKCS5Padding
- RSA
- RSA-ECB-NoPadding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
- RSA-ECB-PKCS1Padding
- desede-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
