Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.570.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) c.m####.com.####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) p####.ico####.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) api.s####.mob.com:80
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(TLS/1.0) tinyq####.ove####.b0.####.com:443
- TCP y1.ey####.com:7073
- TCP y1.ey####.com:7072
- TCP y1.ey####.com:7071
Запросы DNS:
- a####.exc.mob.com
- a####.u####.com
- api.s####.mob.com
- c####.comi####.cn
- c.m####.com
- cdn.ico####.com
- oc.u####.com
- p####.ico####.com
- t.p####.ico####.com
- y1.ey####.com
- y2.ey####.com
- y3.ey####.com
Запросы HTTP GET:
- c.m####.com.####.com/d/30kd.jpg
- c.m####.com.####.com/d/4170.jpg
- c.m####.com.####.com/d/428n.jpg
- c.m####.com.####.com/d/428z.png
- c.m####.com.####.com/d/4292.jpg
- ti####.c####.l####.####.com/10704_ccover_48547cf170fe136d.jpg?imageVi####
- ti####.c####.l####.####.com/11374_ccover_41817a61167fcf31.jpg?imageVi####
- ti####.c####.l####.####.com/11405_ccover_hp_36bbb386cb5df1c0.jpg?imageVi...
- ti####.c####.l####.####.com/11607_ccover_hp_e04b603a726cc41e.jpg?imageVi...
- ti####.c####.l####.####.com/11643_ccover_971737c944cdf57b.jpg?imageVi####
- ti####.c####.l####.####.com/11944_ccover_26ea0389f7fa0730.jpg?imageVi####
- ti####.c####.l####.####.com/11985_ccover_hp_69d2ec401b8208e6.jpg?imageVi...
- ti####.c####.l####.####.com/12074_ccover_876975ce0fa7faa3.jpg?imageVi####
- ti####.c####.l####.####.com/12125_ccover_ddf418062aa45fe7.jpg?imageVi####
- ti####.c####.l####.####.com/12439_154_acover_aa10f0f835026326.jpg?imageV...
- ti####.c####.l####.####.com/12439_155_acover_84d2b0a2be4b1be6.jpg?imageV...
- ti####.c####.l####.####.com/12439_156_acover_6bfcc2adb0799059.jpg?imageV...
- ti####.c####.l####.####.com/12439_157_acover_1f9ab0d9308759c8.jpg?imageV...
- ti####.c####.l####.####.com/12439_158_acover_17d16af605eb6511.jpg?imageV...
- ti####.c####.l####.####.com/12439_159_acover_3ef935f2634bb02e.jpg?imageV...
- ti####.c####.l####.####.com/12439_160_acover_ada23416eb325b75.jpg?imageV...
- ti####.c####.l####.####.com/12439_161_acover_2a36e41c88b5ef11.jpg?imageV...
- ti####.c####.l####.####.com/12439_162_acover_45617ea11f218568.jpg?imageV...
- ti####.c####.l####.####.com/12439_163_acover_ab2a8eababc2a5ca.jpg?imageV...
- ti####.c####.l####.####.com/12439_164_1_87f3df416d9a2736.jpg?imageMo####
- ti####.c####.l####.####.com/12439_164_2_d7cfaa71fa2ee254.jpg?imageMo####
- ti####.c####.l####.####.com/12439_164_3_f6b5db8fd68fa247.jpg?imageMo####
- ti####.c####.l####.####.com/12439_164_4_45863a4c33002770.jpg?imageMo####
- ti####.c####.l####.####.com/12439_164_5_0b48bbbfe1a0570c.jpg?imageMo####
- ti####.c####.l####.####.com/12439_164_6_c1bd73aa772dbcd9.jpg?imageMo####
- ti####.c####.l####.####.com/12439_164_7_d47b3e29c9bca703.jpg?imageMo####
- ti####.c####.l####.####.com/12439_164_acover_045cf31e2d7258c0.jpg?imageV...
- ti####.c####.l####.####.com/12439_165_acover_9c728e527ff9c26e.jpg?imageV...
- ti####.c####.l####.####.com/12439_ccover_0b4220fb02823536.jpg?imageVi####
- ti####.c####.l####.####.com/12442_ccover_b92902f31edf9ad8.jpg?imageVi####
- ti####.c####.l####.####.com/12486_ccover_4a64b2f69445b13f.jpg?imageVi####
- ti####.c####.l####.####.com/12491_ccover_hl_0baf18d1bcc3ad9e.jpg?imageVi...
- ti####.c####.l####.####.com/12578_ccover_652679cb08d032cc.jpg?imageVi####
- ti####.c####.l####.####.com/12800_ccover_4e47d4fcbc8843ac.jpg?imageVi####
- ti####.c####.l####.####.com/12812_ccover_cd676b802af904c1.jpg?imageVi####
- ti####.c####.l####.####.com/12832_ccover_fcde4b53add304ce.jpg?imageVi####
- ti####.c####.l####.####.com/12882_ccover_5da2fad87a8ad008.jpg?imageVi####
- ti####.c####.l####.####.com/12898_ccover_1fe37c3c5ea8141a.jpg?imageVi####
- ti####.c####.l####.####.com/12913_ccover_47b656321c3989a1.jpg?imageVi####
- ti####.c####.l####.####.com/12916_ccover_aabe79e53821791b.jpg?imageVi####
- ti####.c####.l####.####.com/693_ccover_acaca573ec48d79f.jpg?imageVi####
- ti####.c####.l####.####.com/707_ccover_15013fa5afc813ec.jpg?imageVi####
- ti####.c####.l####.####.com/77_ccover_f8a8ab492151efa7.jpg?imageVi####
Запросы HTTP POST:
- a####.exc.mob.com/errconf
- a####.u####.com/app_logs
- api.s####.mob.com/conf4
- api.s####.mob.com/conn
- api.s####.mob.com/data2
- api.s####.mob.com/log4
- api.s####.mob.com/snsconf
- oc.u####.com/v2/check_config_update
- oc.u####.com/v2/get_update_time
- p####.ico####.com/allcomic
- p####.ico####.com/categorylist
- p####.ico####.com/comicdetail
- p####.ico####.com/epinfo
- p####.ico####.com/eventreport
- p####.ico####.com/getcomments2
- p####.ico####.com/getextinfo
- p####.ico####.com/handshake
- p####.ico####.com/homepage
- p####.ico####.com/splashinfo
- p####.ico####.com/syncextinfo
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/databases/<IMEI>yd.db-journal
- <Package Folder>/databases/ThrowalbeLog.db-journal
- <Package Folder>/databases/icomico_db-journal
- <Package Folder>/databases/sharesdk.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/.imprint
- <Package Folder>/files/0.jar
- <Package Folder>/files/mobclick_agent_cached_<Package>576
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/AppStore.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/ICOMICO_PREFERENCE.xml
- <Package Folder>/shared_prefs/ICOMICO_PREFERENCE.xml.bak (deleted)
- <Package Folder>/shared_prefs/aypa0000.xml
- <Package Folder>/shared_prefs/aypb0000.xml
- <Package Folder>/shared_prefs/aypc0000.xml
- <Package Folder>/shared_prefs/ayqa0000.xml
- <Package Folder>/shared_prefs/ayqb0000.xml
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml
- <Package Folder>/shared_prefs/mob_sdk_exception_1.xml.bak (deleted)
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_message_state.xml
- <Package Folder>/shared_prefs/yysa.xml
- <Package Folder>/shared_prefs/yysa<IMEI>.xml
- <Package Folder>/shared_prefs/yysb<IMEI>.xml
- <Package Folder>/shared_prefs/yysc<IMEI>.xml
- <Package Folder>/shared_prefs/yysd<IMEI>.xml
- <Package Folder>/shared_prefs/yysf<IMEI>.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/Android/####/10b2tx9qemy89xzrsx4nhenkj.0.tmp
- <SD-Card>/Android/####/1203sud4mrmtq3itry5nltu8y.0.tmp
- <SD-Card>/Android/####/1203sud4mrmtq3itry5nltu8y.downtmp.downtmp
- <SD-Card>/Android/####/1ckwo499v82qoouzou9jhl7iw.0.tmp
- <SD-Card>/Android/####/1gkzmckj6ycq3o3m3uxq913a8.0.tmp
- <SD-Card>/Android/####/1h3mb6xpuxfeczmyvwafux861.0.tmp
- <SD-Card>/Android/####/1iqorqf6sdyct6q2im0ln0as7.0.tmp
- <SD-Card>/Android/####/1lfpf8920gm12vyowxl4csuzr.0.tmp
- <SD-Card>/Android/####/1pa41b7xubu4fngdx1axsteqd.0.tmp
- <SD-Card>/Android/####/1wg7tnimdjkvsnn5aht2w9ow4.0.tmp
- <SD-Card>/Android/####/1wvx9k6k4wa08dpjlnsi6f90g.0.tmp
- <SD-Card>/Android/####/1yuyg1s9vlm98pifldwt50o27.0.tmp
- <SD-Card>/Android/####/2lboshumobliti8k9l5f19mmk.0.tmp
- <SD-Card>/Android/####/340we27pjvsc4q2uhol3k9vkp.0.tmp
- <SD-Card>/Android/####/35c74e6c5129c1aa7def44107cd80bcc.downtmp
- <SD-Card>/Android/####/35f90d35e83b347de420259ce1b92c98.downtmp
- <SD-Card>/Android/####/3bwzvkh93rka1vxqbs4fk3j7r.0.tmp
- <SD-Card>/Android/####/3sfssnx10yriwukqsa2yq0mai.0.tmp
- <SD-Card>/Android/####/3vllmin3s7wwd6gwvu04j8n7b.0.tmp
- <SD-Card>/Android/####/3vllmin3s7wwd6gwvu04j8n7b.downtmp.downtmp
- <SD-Card>/Android/####/434nuioa88e0v8zmz2xyv1vej.0.tmp
- <SD-Card>/Android/####/488m8bcy69nbsorx7h4uxgivs.0.tmp
- <SD-Card>/Android/####/4blvis5nyulqf9558if0nukla.0.tmp
- <SD-Card>/Android/####/4k1ky40mr54auyzf3owdhes1h.0.tmp
- <SD-Card>/Android/####/4ngo5meq9r4w2sxuhgkkrtrtu.0.tmp
- <SD-Card>/Android/####/4tkb2zb6ejdit2adure9fcwwo.0.tmp
- <SD-Card>/Android/####/53f96yvso14anr88sas6x4uc3.0.tmp
- <SD-Card>/Android/####/558b0427587da0f712272aa8520b3ac3.downtmp
- <SD-Card>/Android/####/5ckcqt0vnljxp07gpspezjfye.0.tmp
- <SD-Card>/Android/####/5dl8f4mypxfhihvfp6nrbx6jy.0.tmp
- <SD-Card>/Android/####/5fx56wfqexhmxcncydrxijqje.0.tmp
- <SD-Card>/Android/####/5lu7izydhkdnyy4xr0y0a38pq.0.tmp
- <SD-Card>/Android/####/5lxkjvzuwjoxiib8gzfhfhy7y.0.tmp
- <SD-Card>/Android/####/5zu3ln48sbvthjn6aq6ila2ql.0.tmp
- <SD-Card>/Android/####/6087754185b6e0c23d08a48a6a760397.downtmp
- <SD-Card>/Android/####/62fodrr9ejwgv9e8lh8hpbd6p.0.tmp
- <SD-Card>/Android/####/670b88ab27dd12df8110846cc45ee247.downtmp
- <SD-Card>/Android/####/68fdyb8ywhgi260eeid767tp8.0.tmp
- <SD-Card>/Android/####/69fbah7iuvy2m9ukyx6fk1cn2.0.tmp
- <SD-Card>/Android/####/6ge2ic7v76ulj7mja74ihmgh0.0.tmp
- <SD-Card>/Android/####/6ltuorrr7dlam1ea97k7ee8f6.0.tmp
- <SD-Card>/Android/####/6yd6huk1cgz9625y4s8ffijer.0.tmp
- <SD-Card>/Android/####/78643chgtf29ps85gc5rhrvs8.0.tmp
- <SD-Card>/Android/####/78643chgtf29ps85gc5rhrvs8.downtmp.downtmp
- <SD-Card>/Android/####/7a50sluohunbvvr8ceszd660r.0.tmp
- <SD-Card>/Android/####/7d28ohzkh0vc8kf3dhr01z7ck.0.tmp
- <SD-Card>/Android/####/7j8cprqn25tpxnlc8p4talybs.0.tmp
- <SD-Card>/Android/####/7j8cprqn25tpxnlc8p4talybs.downtmp.downtmp
- <SD-Card>/Android/####/7y9ihpkvlzoih01ztviyuog7.0.tmp
- <SD-Card>/Android/####/8nwcd4sgwgvj9psx231l9ogj.0.tmp
- <SD-Card>/Android/####/c148d49c52bb3a273c9c30d240f2810a.downtmp
- <SD-Card>/Android/####/f233525dbfe68c0f39cd0213f41e38fd.downtmp
- <SD-Card>/Android/####/f6b1baabf1ae29a1387cc55899ef0468.downtmp
- <SD-Card>/Android/####/iuui3b4j2q8uyprqf2qz7i2h.0.tmp
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/Android/####/nwwhl5djr8xq112czzpy7the.0.tmp
- <SD-Card>/Android/####/uqb4all2ns6vvjstc9a3n4lg.0.tmp
- <SD-Card>/ShareSDK/####/.lock
- <SD-Card>/ShareSDK/.ba
- <SD-Card>/ShareSDK/.dk
- <SD-Card>/down/####/30kd.jpg.tmp
- <SD-Card>/down/####/4170.jpg.tmp
- <SD-Card>/down/####/428n.jpg.tmp
- <SD-Card>/down/####/428z.png.tmp
- <SD-Card>/down/####/4292.jpg.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- ag
- libjiagu
- neh
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
