Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Appsad.5.origin
- Android.RemoteCode.71
- Android.RemoteCode.88.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) www.apxadtr####.net:80
- TCP(HTTP/1.1) smart####.google####.com:80
- TCP(HTTP/1.1) mo####.go2af####.com:80
- TCP(HTTP/1.1) f####.google####.com:80
- TCP(HTTP/1.1) f####.gst####.com:80
- TCP(HTTP/1.1) 1####.243.32.94:80
- TCP(HTTP/1.1) t####.sm4####.com:80
- TCP(HTTP/1.1) spxt####.com:80
- TCP(HTTP/1.1) www.4g####.net:80
- TCP(HTTP/1.1) atracki####.appf####.com:80
- TCP(HTTP/1.1) t####.greenho####.com:80
- TCP(HTTP/1.1) offer####.online:80
- TCP(HTTP/1.1) www.bigt####.com:80
- TCP(HTTP/1.1) vi####.faceboo####.com:80
- TCP(HTTP/1.1) lk.secure-####.com:80
- TCP(HTTP/1.1) c.px####.com:80
- TCP(HTTP/1.1) y####.ottero####.com:80
- TCP(HTTP/1.1) s2s.go2af####.com:80
- TCP(HTTP/1.1) www.fl####.com:80
- TCP(HTTP/1.1) ald####.com:80
- TCP(HTTP/1.1) con####.face####.net:80
- TCP(HTTP/1.1) www.greatmo####.mobi:80
- TCP(HTTP/1.1) 2-01-2c####.cdx.ced####.net:80
- TCP(HTTP/1.1) cdn.pop####.net:80
- TCP(HTTP/1.1) peaches####.echtma####.net:80
- TCP(HTTP/1.1) sdk.mob####.com:80
- TCP(TLS/1.0) p####.lead####.com:443
- TCP(TLS/1.0) con####.face####.net:443
- TCP(TLS/1.0) d####.sli####.com:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) c.n####.com:443
- TCP(TLS/1.0) s####.w.org:443
- TCP(TLS/1.0) www.face####.com:443
- TCP(TLS/1.0) questio####.com:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) sdk.adti####.com:443
Запросы DNS:
- a####.u####.com
- a####.umengc####.com
- ald####.com
- atracki####.appf####.com
- c.n####.com
- c.px####.com
- cdn.jsde####.net
- cdn.pop####.net
- con####.face####.net
- d####.sli####.com
- f####.google####.com
- f####.gst####.com
- googl####.g.doublec####.net
- lk.secure-####.com
- mo####.go2af####.com
- normale####.com
- offer####.online
- p####.lead####.com
- peaches####.echtma####.net
- questio####.com
- s####.w.org
- s2s.go2af####.com
- sdk.adti####.com
- sdk.mob####.com
- smart####.google####.com
- spxt####.com
- stat####.face####.com
- t####.bruce####.com
- t####.greenho####.com
- t####.sm4####.com
- vi####.faceboo####.com
- www.4g####.net
- www.apxadtr####.net
- www.bigt####.com
- www.face####.com
- www.fl####.com
- www.googlet####.com
- www.greatmo####.mobi
- y####.ottero####.com
Запросы HTTP GET:
- 2-01-2c####.cdx.ced####.net/wp/wp-slimstat/tags/4.7.2.2/wp-slimstat.min.js
- ald####.com/ck.php?line_item_id=####&cid=####&site=####&_uu=####
- ald####.com/ck_jump?id=cz03####&__if=####&__type=####&__ref=####
- atracki####.appf####.com/transaction/post_click?offer_id=####&aff_id=###...
- c.px####.com/?x=####&s=####&pbc=####
- cdn.pop####.net/pop.js
- con####.face####.net/connect/xd_arbiter/r/lY4eZXm_YWu.js?version=####
- con####.face####.net/de_DE/sdk.js
- f####.google####.com/css?family=####
- f####.gst####.com/s/permanentmarker/v7/9vYsg5VgPHKK8SXYbf3sMgZBvSiGYh7ff...
- lk.secure-####.com/delivery/click.php?metalink=####&aff_sub=####&aff_sub...
- mo####.go2af####.com/click?pid=####&offer_id=####&sub5=####&sub1=####
- mo####.go2af####.com/sl?id=####&pid=####&sub3=####
- offer####.online/r/fe3a1e62-ea2c-11e7-a1f3-1143802b7802/0/
- offer####.online/r/fe3a1e62-ea2c-11e7-a1f3-1143802b7802/1/
- peaches####.echtma####.net/
- peaches####.echtma####.net/?clickid=####&traaaaaaa=####
- peaches####.echtma####.net/wp-content/plugins/simple-embed-code/css/vide...
- peaches####.echtma####.net/wp-content/plugins/super-socializer/css/front...
- peaches####.echtma####.net/wp-content/plugins/super-socializer/css/share...
- peaches####.echtma####.net/wp-content/plugins/super-socializer/js/front/...
- peaches####.echtma####.net/wp-content/plugins/tablepress/css/default.min...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad-tamara-milf...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/fonts/font-...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/fonts/forum...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/images/abou...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/images/back...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/images/foll...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/images/line...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/images/link...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/images/note...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/images/oute...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/images/whit...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/images/yell...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/js/html5.js
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/js/smoothsc...
- peaches####.echtma####.net/wp-content/themes/anarcho-notepad/style.css
- peaches####.echtma####.net/wp-content/uploads/sites/17/2017/10/37209590-...
- peaches####.echtma####.net/wp-content/uploads/sites/17/2017/10/37209599-...
- peaches####.echtma####.net/wp-content/uploads/sites/17/2017/10/37209602-...
- peaches####.echtma####.net/wp-content/uploads/sites/17/2017/10/37209628-...
- peaches####.echtma####.net/wp-content/uploads/sites/17/2017/10/37209642-...
- peaches####.echtma####.net/wp-includes/js/jquery/jquery-migrate.min.js?v...
- peaches####.echtma####.net/wp-includes/js/jquery/jquery.js?ver=####
- peaches####.echtma####.net/wp-includes/js/wp-embed.min.js?ver=####
- peaches####.echtma####.net/wp-includes/js/wp-emoji-release.min.js?ver=####
- s2s.go2af####.com/click?pid=####&offer_id=####&sub1=####&sub2=####
- smart####.google####.com/?utm_medium=####&utm_campaign=####&1=####&cid=#...
- smart####.google####.com/?utm_term=####&clickverify=####&utm_content=####
- smart####.google####.com/proc.php?11fe47f####
- spxt####.com/d/5185560ac77d48a6f?source=####&sub3=Uz####&sub=####
- spxt####.com/d/5185560ac77d48a6f?source=####&sub3=Uz####&sub=####&code=#...
- spxt####.com/gw?url=http://vnvvg.datefacebookgirl.com/c/fae1c0e44d508b57...
- t####.greenho####.com/39a11bd5-fc2e-4ff6-9408-685af215db4b?clickid=####&...
- t####.sm4####.com/click?cid=####&s1=####&s2=####
- t####.sm4####.com/game/hextris
- t####.sm4####.com/game/hextris/
- www.apxadtr####.net/iclk/redirect.php?apxcode=####&id=####&dv2=####
- www.apxadtr####.net/iclk/redirect.php?code=####&id=####&dv2=####
- www.fl####.com/rc/0219fa04c8?affclick=####&pubid=####
- www.greatmo####.mobi/?sl=####&data1=####&data2=####&data3=####
- y####.ottero####.com/?utm_medium=####&utm_campaign=####
Запросы HTTP POST:
- sdk.mob####.com/upload
- vi####.faceboo####.com/api/ls
- vi####.faceboo####.com/api/o
- vi####.faceboo####.com/api/pc
- vi####.faceboo####.com/api/va
- www.4g####.net/ad/adc?gffw=####&frrw=####&zfbd=####&dlkvv=####&wdazz=###...
- www.bigt####.com/ad/adc?gffw=####&frrw=####&zfbd=####&dlkvv=####&wdazz=#...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_bin/daemon
- <Package Folder>/app_mbj/####/classes.zip
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/index
- <Package Folder>/cache/1459442732877.jar
- <Package Folder>/cache/1459442732877.tmp
- <Package Folder>/cache/ApplicationCache.db-journal
- <Package Folder>/cache/ApplicationCache.db-journal (deleted)
- <Package Folder>/databases/adcomeon.db-journal
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/easv.data-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/DMLABC9CE10FEVA11
- <Package Folder>/files/exid.dat
- <Package Folder>/files/ob1.zip
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/AdsBusiness-data.xml
- <Package Folder>/shared_prefs/appKey.xml
- <Package Folder>/shared_prefs/appshell.xml
- <Package Folder>/shared_prefs/appshell.xml.bak (deleted)
- <Package Folder>/shared_prefs/aps.xml
- <Package Folder>/shared_prefs/apscomm.xml
- <Package Folder>/shared_prefs/apstest.xml
- <Package Folder>/shared_prefs/com.powercleaner_pref.xml
- <Package Folder>/shared_prefs/local_storage0.xml
- <Package Folder>/shared_prefs/local_storage1.xml
- <Package Folder>/shared_prefs/local_storage33.xml
- <Package Folder>/shared_prefs/local_storage999.xml
- <Package Folder>/shared_prefs/m_scene.xml
- <Package Folder>/shared_prefs/sp.xml
- <Package Folder>/shared_prefs/sp.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/journal (deleted)
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/baidu/####/journal.tmp
- <SD-Card>/baidu/.cuid
Другие:
Запускает следующие shell-скрипты:
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/app_bin/daemon
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- libjiagu
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
Осуществляет доступ к информации об отправленых/принятых смс.
