Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.20
- Android.Xiny.226.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) yes.yuchan####.com.cn:80
- TCP(HTTP/1.1) p####.r.su####.mobi:9003
- TCP(HTTP/1.1) hiph####.b####.com:80
- TCP(HTTP/1.1) 2####.243.193.48:80
- TCP(HTTP/1.1) f.xingch####.com.####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) img####.b####.com:80
- TCP(HTTP/1.1) i####.b####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) i####.bdst####.com:80
- TCP(HTTP/1.1) p####.r.su####.mobi:80
- TCP(HTTP/1.1) s####.jom####.com:80
- TCP(TLS/1.0) ss1.bdst####.com:443
- TCP(TLS/1.0) ti####.b####.com:443
- TCP(TLS/1.0) i####.b####.com:443
- TCP(TLS/1.0) i####.bdst####.com:443
- TCP(TLS/1.0) img####.b####.com:443
Запросы DNS:
- a####.u####.com
- a.hiph####.b####.com
- b####.r.su####.mobi
- b.hiph####.b####.com
- bs####.r.su####.mobi
- d.hiph####.b####.com
- e.hiph####.b####.com
- f.hiph####.b####.com
- f.xingch####.com
- g.hiph####.b####.com
- h####.b####.com
- hiph####.b####.com
- hm.b####.com
- i####.b####.com
- i####.bdst####.com
- i####.bdst####.com
- i####.bdst####.com
- i####.bdst####.com
- i####.bdst####.com
- i####.bdst####.com
- i####.bdst####.com
- img####.b####.com
- js.adm.c####.net
- mt####.go####.com
- p####.r.su####.mobi
- r.eli####.cn
- ss0.bdst####.com
- ss1.bdst####.com
- ss2.bdst####.com
- ss3.bdst####.com
- ti####.b####.com
- upg####.su####.mobi
- yes.yuchan####.com.cn
Запросы HTTP GET:
- f.xingch####.com.####.com/2011/gou.jar
- hiph####.b####.com/image/w=200/sign=055bd7fe30292df597c3ab158c335ce2/71c...
- hiph####.b####.com/image/w=200/sign=077fd73e1fce36d3a20484300af13a24/37d...
- hiph####.b####.com/image/w=200/sign=0d761f3d3301213fcf3349dc64e636f8/d00...
- hiph####.b####.com/image/w=200/sign=2281c82c1fce36d3a20484300af23a24/37d...
- hiph####.b####.com/image/w=200/sign=5d4bf9e85943fbf2c52ca123807fca1e/77c...
- hiph####.b####.com/image/w=200/sign=64f99a1a49166d223877129476220945/c75...
- hiph####.b####.com/image/w=200/sign=65f3b3a3063387449cc5287c610dd937/30a...
- hiph####.b####.com/image/w=200/sign=71674ddf41fbfbeddc59317f48f2f78e/e82...
- hiph####.b####.com/image/w=200/sign=72ff5317b91c8701d6b6b5e6177e9e6e/472...
- hiph####.b####.com/image/w=200/sign=7fff017653ee3d6d22c680cb73146d41/3bf...
- hiph####.b####.com/image/w=200/sign=b4a05d7d8826cffc692ab8b289034a7d/10d...
- hiph####.b####.com/image/w=200/sign=bd335349a3014c08193b2fa53a7a025b/6a6...
- hiph####.b####.com/image/w=200/sign=cb1e38353087e9504217f46c2039531b/d46...
- hiph####.b####.com/image/w=200/sign=d6f36aa5fc246b607b0eb574dbfa1a35/d1a...
- hiph####.b####.com/image/w=200/sign=e53a04975c4e9258a63481eeac83d1d1/fd0...
- hiph####.b####.com/image/w=470;crop=0,55,470,312/sign=ce2216289d0a304e52...
- hiph####.b####.com/image/w=502;crop=0,0,502,334/sign=3ff8ada4a2d3fd1f360...
- hiph####.b####.com/image/w=502;crop=0,0,502,334/sign=75ee0942ab44ad342eb...
- hiph####.b####.com/image/w=502;crop=0,10,502,334/sign=8e3a04136259252da3...
- hiph####.b####.com/image/w=502;crop=0,8,502,334/sign=14fd49ee780e0cf3a0f...
- hm.b####.com/hm.js?7a968e3####
- i####.b####.com/
- i####.b####.com/pv/pv1.gif?app=####&samplekey=####&tn=####&page=####&pty...
- i####.b####.com/search/wiseindex?tn=####
- i####.b####.com/search/wisejsonala?tn=####&ie=####&cur=####&word=####&fr...
- i####.b####.com/user/logininfo?src=####&page=####
- i####.b####.com/wisehomepage/feeds
- i####.bdst####.com/img/image/public/121514876862.jpg
- img####.b####.com/11.gif?pid=####&type=####&app=####&samplekey=####&etyp...
- img####.b####.com/7.gif?pid=####&type=####&app=####&samplekey=####&tn=##...
- p####.r.su####.mobi/?os=####&apkv=####&wi=####&is=####&upg_type=####&op=...
- p####.r.su####.mobi/books/cover/custom/cover_2000020_2015-12-09_00-02-25...
- p####.r.su####.mobi/books/cover/custom/cover_2000052_2015-12-09_16-33-28...
- p####.r.su####.mobi/books/cover/custom/cover_2000056_2015-12-09_00-08-23...
- p####.r.su####.mobi/books/cover/custom/cover_2000089_2015-12-09_00-07-23...
- p####.r.su####.mobi/books/cover/custom/cover_2000280_2015-12-08_23-48-26...
- p####.r.su####.mobi/books/cover/custom/cover_2001622_2015-12-09_00-01-49...
- p####.r.su####.mobi/books/cover/custom/cover_2001631_2015-12-09_00-20-35...
- p####.r.su####.mobi/books/cover/custom/cover_2001665_2015-12-08_23-35-28...
- p####.r.su####.mobi/books/cover/custom/cover_2001715_2015-12-08_23-30-09...
- p####.r.su####.mobi/books/cover/custom/cover_2002236_2015-12-08_23-13-52...
- p####.r.su####.mobi/books/cover/ybdu/20151110/NpzkOzIYXaGdpYkW_JFdIQ.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151110/e5gCh2klUXSYFZCBVHtToA.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/8YBMUblxUF+l7jrTOEpqyQ.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/Jbjp9RyXWJepkXCiIlODiQ.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/Ng2DpXtsXOqhqycgVzKugQ.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/S99c+7WaXZ6cOmiStnNjGw.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/cW6YS5RGWguEF9a5vtFRkA.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/jcORH1scU1G9mPG_MYhZ+g.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/qa8tAKduXnylBj9WMVYx2g.jpg
- p####.r.su####.mobi/bstore-service/choice/page?is=####&ch=####&clv=####&...
- p####.r.su####.mobi/bstore-service/res/css/brief.css
- p####.r.su####.mobi/bstore-service/res/css/global.css
- p####.r.su####.mobi/bstore-service/res/css/module.css
- p####.r.su####.mobi/bstore-service/res/css/public.css
- p####.r.su####.mobi/bstore-service/res/css/topbar.css
- p####.r.su####.mobi/bstore-service/res/image/d.png
- p####.r.su####.mobi/bstore-service/res/image/logo.png
- p####.r.su####.mobi/bullpage?bulltype=####&nt=####&sm=####&clv=####&op=#...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/css/core_3c3...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/font/iconfon...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/js/core_6b37...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/js/swiper_43...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/pkg/share_5a...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/pkg/voice_27...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/pkg/wisehome...
- s####.jom####.com/image/mobile/n/static/wisehomepage/widget/components/m...
Запросы HTTP POST:
- a####.u####.com/app_logs
- i####.b####.com/wise/getvotenum
- p####.r.su####.mobi:9003/
- yes.yuchan####.com.cn/k1?requestId=####&g=####&ua=####
- yes.yuchan####.com.cn/k2?protocol=####&version=####&cid=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_appcache/ApplicationCache.db-journal
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/index
- <Package Folder>/databases/UmengLocalNotificationStore.db-journal
- <Package Folder>/databases/book_info-journal
- <Package Folder>/databases/downloadswc
- <Package Folder>/databases/downloadswc-journal
- <Package Folder>/databases/event-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/.imprint
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/AppStore.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/W_Key.xml
- <Package Folder>/shared_prefs/a.xml
- <Package Folder>/shared_prefs/job_check.xml
- <Package Folder>/shared_prefs/push_check.xml
- <Package Folder>/shared_prefs/read_prefs.xml
- <Package Folder>/shared_prefs/st.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_message_state.xml
- <Package Folder>/shared_prefs/upgrade.prompt_check.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Download/####/4.8_gou.jar.tmp
- <SD-Card>/dt/restime.dat
- <SD-Card>/suishireader/####/<Package>.ver.etag
- <SD-Card>/suishireader/####/<Package>.ver.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- epdyw
- libjiagu
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
