Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.165.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) for####.sf.c####.com:80
- TCP(HTTP/1.1) i4.e####.com:80
- TCP(HTTP/1.1) i1.i####.com:80
- TCP(HTTP/1.1) 001.img.pu.####.com:80
- TCP(HTTP/1.1) img.ao####.com:80
- TCP(HTTP/1.1) mfs.y####.com:80
- TCP(HTTP/1.1) gv.a.s####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) www.ao####.com:80
- TCP(HTTP/1.1) 1####.h####.i####.tv:80
- TCP(HTTP/1.1) p####.tc.qq.com:80
- TCP(HTTP/1.1) m.aotush####.cc:80
- TCP(HTTP/1.1) c.appj####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) cdn####.gs.a.####.com:80
- TCP(HTTP/1.1) i1.p####.com:80
- TCP(HTTP/1.1) www.7####.cc:80
- TCP(HTTP/1.1) i4.c####.com:80
- TCP(HTTP/1.1) v2-uya####.b0.upa####.com:80
- TCP(HTTP/1.1) web.u####.51.la:80
- TCP(HTTP/1.1) js.u####.51.la:80
- TCP(HTTP/1.1) v3-jiat####.b0.a####.com:80
- TCP(HTTP/1.1) i####.u####.51.la:80
- TCP(HTTP/1.1) www.longx####.com:80
- TCP(HTTP/1.1) 3####.h####.i####.tv:80
- TCP(HTTP/1.1) j####.u####.cc:80
- TCP(HTTP/1.1) www.aotush####.cc:80
- TCP(HTTP/1.1) v1-ujia####.b0.a####.com:80
- TCP(HTTP/1.1) w####.p####.com.####.com:80
- TCP(HTTP/1.1) api.v2.u####.cc:80
- TCP(TLS/1.0) hm.b####.com:443
Запросы DNS:
- 0####.h####.com
- 001.img.pu.####.cn
- 1####.h####.com
- 2####.h####.com
- 3####.h####.com
- a.appj####.com
- api.v2.u####.cc
- c.appj####.com
- hm.b####.com
- i####.pp####.cn
- i####.pp####.cn
- i####.u####.51.la
- i0.let####.com
- i1.c####.com
- i1.i####.com
- i1.p####.com
- i2.let####.com
- i3.let####.com
- i4.c####.com
- i4.e####.com
- i4.p####.com
- img.ao####.com
- img.ma####.com
- j####.u####.cc
- js.u####.51.la
- l####.tbs.qq.com
- m.aotush####.cc
- p####.q####.cn
- phot####.s####.com
- phot####.tv.s####.com
- r1.y####.com
- tu####.g####.com
- v1.u####.cc
- v2.u####.cc
- v3.jia####.com
- web.u####.51.la
- www.7####.cc
- www.ao####.com
- www.aotush####.cc
- www.longx####.com
- www.mj####.com
Запросы HTTP GET:
- 001.img.pu.####.com/group2/M06/CA/3A/MTAuMTAuODguODE=/MTAwMTA0XzE1MDY3Mz...
- 001.img.pu.####.com/group2/M08/C5/E0/MTAuMTAuODguODI=/MTAwMTA0XzE1MDY0Nz...
- 001.img.pu.####.com/group3/M06/CA/73/MTAuMTAuODguODQ=/MTAwMTA0XzE1MDY3ND...
- api.v2.u####.cc/v4/comment/?uid=2129759&frameid=4325298&du=&su=m.aotushi...
- gv.a.s####.com/img/20170821/vrsa_ver_1503285356194_5137528_h502I_pic26.jpg
- gv.a.s####.com/img/20170907/vrsa_ver9395603_2Y06L_pic26.jpg
- gv.a.s####.com/img/20170907/vrsa_ver9395605_4Hlk9_pic26.jpg
- gv.a.s####.com/img/20170914/vrsa_ver9398117_F6V17_pic26.jpg
- gv.a.s####.com/img/20170915/vrsa_ver9398137_01j02_pic26.jpg
- i####.u####.51.la/icon_0.gif
- m.aotush####.cc/
- m.aotush####.cc/446989e3bf4c30e1.jpg
- m.aotush####.cc/favicon.ico
- m.aotush####.cc/index.php?m=####
- m.aotush####.cc/js/tj.js
- m.aotush####.cc/npimg.php?pic=####
- m.aotush####.cc/template/dabao/ads/detail.js
- m.aotush####.cc/template/dabao/ads/piaofu.js
- m.aotush####.cc/template/dabao/images/214x300.png
- m.aotush####.cc/template/dabao/images/applogo.png
- m.aotush####.cc/template/dabao/images/arrow1.png
- m.aotush####.cc/template/dabao/images/detail.css
- m.aotush####.cc/template/dabao/images/gou.png
- m.aotush####.cc/template/dabao/images/headIcon.png
- m.aotush####.cc/template/dabao/images/ico-horn.png
- m.aotush####.cc/template/dabao/images/index.css
- m.aotush####.cc/template/dabao/images/indexIcon.png
- m.aotush####.cc/template/dabao/images/logo/qqlive.png
- m.aotush####.cc/template/dabao/images/main.css
- m.aotush####.cc/template/dabao/images/stars5.png
- m.aotush####.cc/template/dabao/js/demo.js
- m.aotush####.cc/template/dabao/js/jquery-1.7.2.min.js
- m.aotush####.cc/template/dabao/js/modernizr.custom.js
- m.aotush####.cc/template/dabao/js/swiper.min.js
- w####.p####.com.####.com/2017/08/07/15130077683_230X306.jpg
- w####.p####.com.####.com/sp160210/2016/01/18/12125489938.jpg
- www.7####.cc/categories/
- www.ao####.com/categories/
- www.longx####.com/uploads/slide/2017-08-29/27b6294f82631b192c4378e8b964e...
- www.longx####.com/uploads/slide/2017-09-04/cd4175d8518e9015ba911cc67e3de...
Запросы HTTP POST:
- a.appj####.com/jiagu/check/upgrade
- c.appj####.com/ad/splash/stats.html
- l####.tbs.qq.com/ajax?c=####&k=####
- l####.tbs.qq.com/ajax?c=####&v=####&k=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/anr/traces.txt
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_cache/ApplicationCache.db-journal
- <Package Folder>/app_database/####/http_m.aotushipin.cc_0.local...ournal
- <Package Folder>/app_tbs/####/core_info
- <Package Folder>/app_tbs/####/debug.conf
- <Package Folder>/app_tbs/####/tbs_report_lock.txt
- <Package Folder>/app_tbs/####/tbscoreinstall.txt
- <Package Folder>/app_tbs/####/tbslock.txt
- <Package Folder>/cache/####/WebpageIcons.db-journal
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/f_000021
- <Package Folder>/cache/####/f_000022
- <Package Folder>/cache/####/f_000023
- <Package Folder>/cache/####/f_000024
- <Package Folder>/cache/####/f_000025
- <Package Folder>/cache/####/f_000026
- <Package Folder>/cache/####/f_000027
- <Package Folder>/cache/####/f_000028
- <Package Folder>/cache/####/f_000029
- <Package Folder>/cache/####/f_00002a
- <Package Folder>/cache/####/f_00002b
- <Package Folder>/cache/####/f_00002c
- <Package Folder>/cache/####/f_00002d
- <Package Folder>/cache/####/f_00002e
- <Package Folder>/cache/####/f_00002f
- <Package Folder>/cache/####/f_000030
- <Package Folder>/cache/####/f_000031
- <Package Folder>/cache/####/f_000032
- <Package Folder>/cache/####/f_000033
- <Package Folder>/cache/####/f_000034
- <Package Folder>/cache/####/f_000035
- <Package Folder>/cache/####/f_000036
- <Package Folder>/cache/####/f_000037
- <Package Folder>/cache/####/f_000038
- <Package Folder>/cache/####/f_000039
- <Package Folder>/cache/####/f_00003a
- <Package Folder>/cache/####/f_00003b
- <Package Folder>/cache/####/f_00003c
- <Package Folder>/cache/####/f_00003d
- <Package Folder>/cache/####/f_00003e
- <Package Folder>/cache/####/f_00003f
- <Package Folder>/cache/####/f_000040
- <Package Folder>/cache/####/f_000041
- <Package Folder>/cache/####/f_000042
- <Package Folder>/cache/####/f_000043
- <Package Folder>/cache/####/f_000044
- <Package Folder>/cache/####/f_000045
- <Package Folder>/cache/####/f_000046
- <Package Folder>/cache/####/f_000047
- <Package Folder>/cache/####/f_000048
- <Package Folder>/cache/####/f_000049
- <Package Folder>/cache/####/f_00004a
- <Package Folder>/cache/####/f_00004b
- <Package Folder>/cache/####/f_00004c
- <Package Folder>/cache/####/f_00004d
- <Package Folder>/cache/####/f_00004e
- <Package Folder>/cache/####/f_00004f
- <Package Folder>/cache/####/f_000050
- <Package Folder>/cache/####/f_000051
- <Package Folder>/cache/####/f_000052
- <Package Folder>/cache/####/f_000053
- <Package Folder>/cache/####/f_000054
- <Package Folder>/cache/####/index
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/shared_prefs/ad_show_time.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/tbs_download_config.xml
- <Package Folder>/shared_prefs/tbs_download_stat.xml
- <Package Folder>/shared_prefs/tbs_load_stat_flag.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/tbslog.txt
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.product.cpu.abi
Загружает динамические библиотеки:
- libjiagu
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
Парсит информацию из смс сообщений.
Осуществляет доступ к информации об отправленых/принятых смс.
