Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.589.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) httpsdk####.b0.a####.com:80
- TCP(HTTP/1.1) cdn.img.h####.####.com:80
- TCP(HTTP/1.1) apilo####.a####.com:80
- TCP(HTTP/1.1) d####.b0.upa####.com:80
- TCP(HTTP/1.1) 47.92.1####.96:80
- TCP(HTTP/1.1) 1####.76.224.67:80
- TCP(HTTP/1.1) 42.1####.63.141:80
- TCP(HTTP/1.1) cdn.game####.org:80
- TCP(TLS/1.0) st####.suiyue####.com.####.com:443
- TCP(TLS/1.0) m####.wind####.top:443
- TCP(TLS/1.0) httpsdk####.b0.a####.com:443
Запросы DNS:
- a####.u####.com
- api####.a####.com
- cdn.app.3####.top
- cdn.app.xingh####.cn
- cdn.game####.org
- cdn.img.h####.top
- d####.b0.upa####.com
- m####.wind####.top
- n-####.qi####.tv
- st####.suiyue####.com
Запросы HTTP GET:
- cdn.game####.org/strategy/UnknownDev
- cdn.game####.org/strategy/base
- cdn.game####.org/strategy/dev_root
- cdn.game####.org/strategy/dev_root2
- cdn.game####.org/strategy/larger4.3
- cdn.game####.org/strategy/loss_4.3
- cdn.game####.org/strategy/sul18
- cdn.game####.org/strategy/symlink-adbd
- cdn.img.h####.####.com/upload/201711/30/img/20171130182651140.png
- d####.b0.upa####.com//album_logo/3c/ad/3cad6b10d5772b44cae6fcc0d2721c29....
- d####.b0.upa####.com//album_logo/5b/ac/5bac1a2ab6b3b134af93fe70eeaa002c....
- d####.b0.upa####.com//album_logo/72/49/7249c0049511fe498fbb0ca02774c141....
- d####.b0.upa####.com//album_logo/78/0b/780b7c1cc7681122132c6f2d33f33da3....
- d####.b0.upa####.com//album_logo/8c/03/8c03f5bace5d5ed9c65954f71bafa88d....
- d####.b0.upa####.com//album_logo/a3/14/a314b8ca2188f5147b3391f8c9ea3c83....
- d####.b0.upa####.com//album_logo/bb/10/bb10375ce82986b01243537a8c10b7a5....
- d####.b0.upa####.com//album_logo/bf/f0/bff05ce774d273ddb4ae856462068212....
- d####.b0.upa####.com//album_logo/de/9f/de9f4db752abade6084ad4cc5c1707c6....
- d####.b0.upa####.com//topicContentImage/a8/5f/a85f7e65edb5b5da00ef9c3ac9...
- d####.b0.upa####.com//topicContentImage/cc/6f/cc6f9bd1190d5f128bbbca243e...
- d####.b0.upa####.com//topicContentImage/f2/50/f250c698eb96e3e5b3788a6d0c...
- d####.b0.upa####.com//topicContentImage/f4/88/f488b504fa09ae852b13c279ff...
- httpsdk####.b0.a####.com/lupload/clo/he
Запросы HTTP POST:
- a####.u####.com/app_logs
- apilo####.a####.com/v3/log/init
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_035b6674-fd3d-4f60-8f80-822224779b9f/Matrix
- <Package Folder>/app_035b6674-fd3d-4f60-8f80-822224779b9f/ddexe
- <Package Folder>/app_035b6674-fd3d-4f60-8f80-822224779b9f/debuggerd
- <Package Folder>/app_035b6674-fd3d-4f60-8f80-822224779b9f/fileWork
- <Package Folder>/app_035b6674-fd3d-4f60-8f80-822224779b9f/insta...ery.sh
- <Package Folder>/app_035b6674-fd3d-4f60-8f80-822224779b9f/pidof
- <Package Folder>/app_035b6674-fd3d-4f60-8f80-822224779b9f/su
- <Package Folder>/app_035b6674-fd3d-4f60-8f80-822224779b9f/supolicy
- <Package Folder>/app_035b6674-fd3d-4f60-8f80-822224779b9f/toolbox
- <Package Folder>/app_035b6674-fd3d-4f60-8f80-822224779b9f/wsroot.sh
- <Package Folder>/app_1eb2c34c-0507-4bda-92d2-7b7ddbd98302/374e3...969ee7
- <Package Folder>/app_1eb2c34c-0507-4bda-92d2-7b7ddbd98302/92745...ac.jar
- <Package Folder>/app_1fe0609e-25b0-4e54-a36f-8bd7d25d7b42/Matrix
- <Package Folder>/app_1fe0609e-25b0-4e54-a36f-8bd7d25d7b42/ddexe
- <Package Folder>/app_1fe0609e-25b0-4e54-a36f-8bd7d25d7b42/debuggerd
- <Package Folder>/app_1fe0609e-25b0-4e54-a36f-8bd7d25d7b42/fileWork
- <Package Folder>/app_1fe0609e-25b0-4e54-a36f-8bd7d25d7b42/insta...ery.sh
- <Package Folder>/app_1fe0609e-25b0-4e54-a36f-8bd7d25d7b42/pidof
- <Package Folder>/app_1fe0609e-25b0-4e54-a36f-8bd7d25d7b42/su
- <Package Folder>/app_1fe0609e-25b0-4e54-a36f-8bd7d25d7b42/supolicy
- <Package Folder>/app_1fe0609e-25b0-4e54-a36f-8bd7d25d7b42/toolbox
- <Package Folder>/app_1fe0609e-25b0-4e54-a36f-8bd7d25d7b42/wsroot.sh
- <Package Folder>/app_3ed54fdb-75a6-4d8e-9ef7-e38a1fb50129/Matrix
- <Package Folder>/app_3ed54fdb-75a6-4d8e-9ef7-e38a1fb50129/ddexe
- <Package Folder>/app_3ed54fdb-75a6-4d8e-9ef7-e38a1fb50129/debuggerd
- <Package Folder>/app_3ed54fdb-75a6-4d8e-9ef7-e38a1fb50129/fileWork
- <Package Folder>/app_3ed54fdb-75a6-4d8e-9ef7-e38a1fb50129/insta...ery.sh
- <Package Folder>/app_3ed54fdb-75a6-4d8e-9ef7-e38a1fb50129/pidof
- <Package Folder>/app_3ed54fdb-75a6-4d8e-9ef7-e38a1fb50129/su
- <Package Folder>/app_3ed54fdb-75a6-4d8e-9ef7-e38a1fb50129/supolicy
- <Package Folder>/app_3ed54fdb-75a6-4d8e-9ef7-e38a1fb50129/toolbox
- <Package Folder>/app_3ed54fdb-75a6-4d8e-9ef7-e38a1fb50129/wsroot.sh
- <Package Folder>/app_496d8027-08e2-4b8f-9135-f5df889542da/Matrix
- <Package Folder>/app_496d8027-08e2-4b8f-9135-f5df889542da/ddexe
- <Package Folder>/app_496d8027-08e2-4b8f-9135-f5df889542da/debuggerd
- <Package Folder>/app_496d8027-08e2-4b8f-9135-f5df889542da/fileWork
- <Package Folder>/app_496d8027-08e2-4b8f-9135-f5df889542da/insta...ery.sh
- <Package Folder>/app_496d8027-08e2-4b8f-9135-f5df889542da/pidof
- <Package Folder>/app_496d8027-08e2-4b8f-9135-f5df889542da/su
- <Package Folder>/app_496d8027-08e2-4b8f-9135-f5df889542da/supolicy
- <Package Folder>/app_496d8027-08e2-4b8f-9135-f5df889542da/toolbox
- <Package Folder>/app_496d8027-08e2-4b8f-9135-f5df889542da/wsroot.sh
- <Package Folder>/app_63b63081-3a98-4bf8-8c62-d9b1848a55c0/Matrix
- <Package Folder>/app_63b63081-3a98-4bf8-8c62-d9b1848a55c0/ddexe
- <Package Folder>/app_63b63081-3a98-4bf8-8c62-d9b1848a55c0/debuggerd
- <Package Folder>/app_63b63081-3a98-4bf8-8c62-d9b1848a55c0/fileWork
- <Package Folder>/app_63b63081-3a98-4bf8-8c62-d9b1848a55c0/insta...ery.sh
- <Package Folder>/app_63b63081-3a98-4bf8-8c62-d9b1848a55c0/pidof
- <Package Folder>/app_63b63081-3a98-4bf8-8c62-d9b1848a55c0/su
- <Package Folder>/app_63b63081-3a98-4bf8-8c62-d9b1848a55c0/supolicy
- <Package Folder>/app_63b63081-3a98-4bf8-8c62-d9b1848a55c0/toolbox
- <Package Folder>/app_63b63081-3a98-4bf8-8c62-d9b1848a55c0/wsroot.sh
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/Matrix
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/ddexe
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/debuggerd
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/device.db
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/fileWork
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/insta...ery.sh
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/pidof
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/root3
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/su
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/supolicy
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/toolbox
- <Package Folder>/app_7386f803-2835-4aa2-86ba-c50d93a46826/wsroot.sh
- <Package Folder>/app_subox/1740c449fc10be62df60ba0f18696c9f
- <Package Folder>/app_subox/32edd79a240b5f1e461d069caab1ec3e
- <Package Folder>/app_subox/8b6f263391259b7a8e5f58ee71852ca8
- <Package Folder>/app_subox/b0141e478b25af7c40a8cca8de6c4708
- <Package Folder>/app_subox/b18a021d11a3004d25017230b681476b
- <Package Folder>/app_subox/c61913b615fb6224701377a119081f36
- <Package Folder>/app_subox_download/1daed9dd-fbd5-41c1-a6d0-c7efbac6fda1
- <Package Folder>/app_subox_download/2879d3c7-8ec2-44c6-9ebd-97469e7a742e
- <Package Folder>/app_subox_download/4cb252ec-e4ab-42ae-b696-4deeda93d0fd
- <Package Folder>/app_subox_download/679b6781-df3a-4271-9321-87762c8aba04
- <Package Folder>/app_subox_download/72606efd-55d0-4a09-80cf-d0382a2741cb
- <Package Folder>/app_subox_download/80165968-424d-48dd-8389-4f2b77b68583
- <Package Folder>/app_subox_download/cabd1ffd-2169-46d0-9497-cd1f805ff010
- <Package Folder>/app_subox_download/ef6bcfc2-32d2-48fe-8547-ff9670987fc1
- <Package Folder>/cache/####/-360828429-4020781
- <Package Folder>/cache/####/-360828441-1249535738
- <Package Folder>/cache/V2.9.5.txt
- <Package Folder>/cache/album_home.cache
- <Package Folder>/databases/db_qiaqia-journal
- <Package Folder>/databases/t_u.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/.imprint
- <Package Folder>/files/SUBOXLOG_
- <Package Folder>/files/ah.jar
- <Package Folder>/files/bw.jar
- <Package Folder>/files/mobclick_agent_cached_<Package>50
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/cn.jpush.serverconfig.xml
- <Package Folder>/shared_prefs/count.xml
- <Package Folder>/shared_prefs/kr.xml
- <Package Folder>/shared_prefs/last_know_location.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/qihoo_jiagu_crash_report.xml
- <Package Folder>/shared_prefs/tv.qiaqia.xml.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/vbz.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/10592bk6mr6flojnks4bwjoc.0.tmp
- <SD-Card>/Android/####/1azv9kbr7icsxcbywjej6sdva.0.tmp
- <SD-Card>/Android/####/2ewx19biuekq1xy2e8wys9jre.0.tmp
- <SD-Card>/Android/####/2fyz2s2yajqoq5kj40gv4efq5.0.tmp
- <SD-Card>/Android/####/32ythafbco6zgp17tuxvoggmy.0.tmp
- <SD-Card>/Android/####/3cd736du7u9zqsgeabwsq8paf.0.tmp
- <SD-Card>/Android/####/3le1w9a0a2dpdh5oy4c6w0ykm.0.tmp
- <SD-Card>/Android/####/3qetfvy20z2m9j23vt068buk0.0.tmp
- <SD-Card>/Android/####/3v31els5cupzjlpj216x4muap.0.tmp
- <SD-Card>/Android/####/4pr8ast5brdxiwojiaxpsssdk.0.tmp
- <SD-Card>/Android/####/6muqmett9hs9wwk0ud78r0k3u.0.tmp
- <SD-Card>/Android/####/6qkivueqwt7ensq6thx0ymvxb.0.tmp
- <SD-Card>/Android/####/b.tmp
- <SD-Card>/Android/####/b08ffbe76bc53
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/Android/####/upcvmsrfzdiglzedqxk8ghto.0.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 777 Matrix ddexe debuggerd device.db fileWork install-recovery.sh pidof root3 su supolicy toolbox wsroot.sh
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox wsroot.sh
- sh
Загружает динамические библиотеки:
- jpush174
- libjiagu
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
