Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Plague.1.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.0) th.pen####.com:80
- TCP(HTTP/1.1) zhg.ali####.com:80
- TCP(HTTP/1.1) api.zhuishu####.com:80
- TCP(HTTP/1.1) adf####.b0.a####.com:80
- TCP(HTTP/1.1) ad####.m.ta####.com:80
- TCP(HTTP/1.1) up####.v.qin####.com:80
- TCP(HTTP/1.1) ada####.m.ta####.com:80
- TCP(HTTP/1.1) w####.q####.s####.####.com:80
- TCP(TLS/1.0) h####.b####.com:443
Запросы DNS:
- ad####.m.ta####.com
- ada####.m.ta####.com
- api.zhuishu####.com
- chap####.zhuishu####.com
- h####.b####.com
- s.pen####.com
- sta####.zhuishu####.com
- th.pen####.com
- y####.al####.com
Запросы HTTP GET:
- ad####.m.ta####.com/rest/gc2?ak=####&av=####&c=####&d=####&sv=####&t=###...
- adf####.b0.a####.com/1456826927422.png
- adf####.b0.a####.com/1461742495055.png
- adf####.b0.a####.com/1468570102031.png
- adf####.b0.a####.com/1468570379510.png
- adf####.b0.a####.com/1468570379789.jpg
- adf####.b0.a####.com/1468570380311.jpg
- adf####.b0.a####.com/1470389107823.png
- adf####.b0.a####.com/1478855440382.png
- adf####.b0.a####.com/1478855440646.jpg
- adf####.b0.a####.com/1478855440911.jpg
- adf####.b0.a####.com/1484021540505.png
- adf####.b0.a####.com/1484708977248.png
- adf####.b0.a####.com/1492420453166.png
- adf####.b0.a####.com/1492420454364.jpg
- adf####.b0.a####.com/1492420455044.jpg
- adf####.b0.a####.com/1492487703964.png
- adf####.b0.a####.com/1492487707853.jpg
- adf####.b0.a####.com/1494313812577.png
- adf####.b0.a####.com/1494489049442.png
- adf####.b0.a####.com/1495772332105.png
- adf####.b0.a####.com/1496386062675.jpg
- adf####.b0.a####.com/1497405687561.png
- adf####.b0.a####.com/1511746932282.png
- adf####.b0.a####.com/1512542113669.png
- adf####.b0.a####.com/1512544172987.png
- adf####.b0.a####.com/1512544173480.jpg
- adf####.b0.a####.com/1512544174086.jpg
- adf####.b0.a####.com/1512544174927.apk
- adf####.b0.a####.com/1513760889321.apk
- adf####.b0.a####.com/1513762489922.apk
- adf####.b0.a####.com/1514359216362.apk
- adf####.b0.a####.com/1515059133195.apk
- adf####.b0.a####.com/1515658146458.jpg
- adf####.b0.a####.com/1515728544023.apk
- adf####.b0.a####.com/1516093402820.apk
- adf####.b0.a####.com/1516094202550.apk
- adf####.b0.a####.com/1516342766850.apk
- adf####.b0.a####.com/1516679655393.png
- adf####.b0.a####.com/1516679655831.jpg
- adf####.b0.a####.com/1516679656281.jpg
- adf####.b0.a####.com/1516679963958.jpg
- adf####.b0.a####.com/1516679964296.apk
- api.zhuishu####.com/book-list/tagType
- api.zhuishu####.com/book-list?duration=####&sort=####&start=####&limit=#...
- api.zhuishu####.com/book/recommend?gender=####
- api.zhuishu####.com/cats/lv2/statistics
- api.zhuishu####.com/mix-atoc/5825684b362c12804bf876ce?view=####
- api.zhuishu####.com/ranking/gender
- up####.v.qin####.com/chapter/http://book.my716.com/getBooks.aspx?method=...
- w####.q####.s####.####.com/agent//rm2.kingreader.com/book/1229724/m/[640...
- w####.q####.s####.####.com/agent/http://img.1391.com/api/v1/bookcenter/c...
- w####.q####.s####.####.com/ranking-cover/142319144267827
- w####.q####.s####.####.com/ranking-cover/142319166399949
- w####.q####.s####.####.com/ranking-cover/142319314350435
- w####.q####.s####.####.com/ranking-cover/142319383473238
- w####.q####.s####.####.com/ranking-cover/144738093413066
- w####.q####.s####.####.com/ranking-cover/144738102858782
- w####.q####.s####.####.com/ranking-cover/144799960841612
- w####.q####.s####.####.com/ranking-cover/144799965747841
- w####.q####.s####.####.com/ranking-cover/14750532964058
- w####.q####.s####.####.com/ranking-cover/147505705336267
Запросы HTTP POST:
- ada####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=###...
- th.pen####.com/a
- th.pen####.com/b
- zhg.ali####.com/saveWb.json
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_SGLib/libsgmainso-5.1.81.so.tmp
- <Package Folder>/app_SGLib/lock.lock
- <Package Folder>/app_kuddclasses.jar
- <Package Folder>/cache/####/19a472e6087827eec1c7c247687698be430....0.tmp
- <Package Folder>/cache/####/1a9772369590c2310bd3c548f03971a2e38....0.tmp
- <Package Folder>/cache/####/1faf063e36bbdd46f0633edd07ba52244d2....0.tmp
- <Package Folder>/cache/####/2a226a084f4d457849c6fd538b47b690857....0.tmp
- <Package Folder>/cache/####/2fd6d9d817a2cbb4e9e04ae33f45c6aca56....0.tmp
- <Package Folder>/cache/####/35f0ba7235765474c295281fb5a609c4364....0.tmp
- <Package Folder>/cache/####/380d6fe015104122e5b82c708d016da13d8....0.tmp
- <Package Folder>/cache/####/3bafba51151a02148cf7b2459d5aba11310....0.tmp
- <Package Folder>/cache/####/4795a0943ff39d2b48d87f659f4c4acc9ec....0.tmp
- <Package Folder>/cache/####/4ef54fd73ec3303e616d98ddb9726e53423....0.tmp
- <Package Folder>/cache/####/503788570f886afb9cb8b0d0516316e5ac1....0.tmp
- <Package Folder>/cache/####/5552430e9af3d1a9808a17d330668fa0d78....0.tmp
- <Package Folder>/cache/####/64253207f61933f6d4c0b57b8a5d1dff50d....0.tmp
- <Package Folder>/cache/####/648b1b52a00b2ed723157ff2f1779b5eeb9....0.tmp
- <Package Folder>/cache/####/7040363a4204600218adecfa792e634da4f....0.tmp
- <Package Folder>/cache/####/70b33cd84024820c1daef3bb1571c64219f....0.tmp
- <Package Folder>/cache/####/70cbbeb1b8e978d8fc8eab452255bac2466....0.tmp
- <Package Folder>/cache/####/76c948d58f09850f02cb975e0d3a8202f11....0.tmp
- <Package Folder>/cache/####/811b04cee007df158bf6f2a0053456fda36....0.tmp
- <Package Folder>/cache/####/854c5a3c029b1d2fb66fc15bae923935b95....0.tmp
- <Package Folder>/cache/####/92963d0003d01e5d60f8207a94b971498bb....0.tmp
- <Package Folder>/cache/####/9b80a01957a64d2f25a1030f8851f3efd7e....0.tmp
- <Package Folder>/cache/####/b6f3cbde7cc403956bf478e527cb590d4b8....0.tmp
- <Package Folder>/cache/####/bf65b21e14c147ce8f2d6e9a025685d71c9....0.tmp
- <Package Folder>/cache/####/cec28e2e2d3b000a4d39460a378c4785842....0.tmp
- <Package Folder>/cache/####/dd7b767804a153498881067fa357ed26e3e....0.tmp
- <Package Folder>/cache/####/e3a2728538146fd3144c908e02a25506f9c....0.tmp
- <Package Folder>/cache/####/e420e39955ece6655abd6c7ee09ec2df508....0.tmp
- <Package Folder>/cache/####/e6223e0d27038ada2fe8cfdc06ab4427cce....0.tmp
- <Package Folder>/cache/####/f0fd51bc0bcd3976626b8f3203ea5330cc4....0.tmp
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/dbpwbc-journal
- <Package Folder>/databases/ut.db
- <Package Folder>/databases/ut.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/0a231bd8575dcf72.txt
- <Package Folder>/files/1d77ea041509fe06.lock
- <Package Folder>/files/21c22f492aba3de8.lock
- <Package Folder>/files/930a31b34bd52c08.lock
- <Package Folder>/files/SGMANAGER_DATA2.tmp
- <Package Folder>/files/__local_ap_info_cache.json
- <Package Folder>/files/__local_last_session.json
- <Package Folder>/files/__local_stat_cache.json
- <Package Folder>/files/__send_data_1510835493312
- <Package Folder>/files/ap.Lock
- <Package Folder>/files/libcuid.so
- <Package Folder>/files/lrc
- <Package Folder>/files/sp.lock
- <Package Folder>/shared_prefs/<Package>_preference.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/UTCommon.xml
- <Package Folder>/shared_prefs/__Baidu_Stat_SDK_SendRem.xml
- <Package Folder>/shared_prefs/baidu_mtj_sdk_record.xml
- <Package Folder>/shared_prefs/config.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.com.taobao.dp/6c709c11d2d46a7b
- <SD-Card>/.com.taobao.dp/dd7893586a493dc3
- <SD-Card>/.com.taobao.dp/hid.dat
- <SD-Card>/Download/####/1456826927422.png.dat
- <SD-Card>/Download/####/1461742495055.png.dat
- <SD-Card>/Download/####/1468570102031.png.dat
- <SD-Card>/Download/####/1468570379510.png.dat
- <SD-Card>/Download/####/1468570379789.jpg.dat
- <SD-Card>/Download/####/1468570380311.jpg.dat
- <SD-Card>/Download/####/1470389107823.png.dat
- <SD-Card>/Download/####/1478855440382.png.dat
- <SD-Card>/Download/####/1478855440646.jpg.dat
- <SD-Card>/Download/####/1478855440911.jpg.dat
- <SD-Card>/Download/####/1484021540505.png.dat
- <SD-Card>/Download/####/1484708977248.png.dat
- <SD-Card>/Download/####/1492420453166.png.dat
- <SD-Card>/Download/####/1492420455044.jpg.dat
- <SD-Card>/Download/####/1492487703964.png.dat
- <SD-Card>/Download/####/1492487707853.jpg.dat
- <SD-Card>/Download/####/1494313812577.png.dat
- <SD-Card>/Download/####/1494489049442.png.dat
- <SD-Card>/Download/####/1495772332105.png.dat
- <SD-Card>/Download/####/1496386062675.jpg.dat
- <SD-Card>/Download/####/1497405687561.png.dat
- <SD-Card>/Download/####/1511746932282.png.dat
- <SD-Card>/Download/####/1512542113669.png.dat
- <SD-Card>/Download/####/1512544172987.png.dat
- <SD-Card>/Download/####/1512544173480.jpg.dat
- <SD-Card>/Download/####/1512544174086.jpg.dat
- <SD-Card>/Download/####/1512544174927.apk.dat
- <SD-Card>/Download/####/1513760889321.apk.dat
- <SD-Card>/Download/####/1513762489922.apk.dat
- <SD-Card>/Download/####/1514359216362.apk.dat
- <SD-Card>/Download/####/1515658146458.jpg.dat
- <SD-Card>/Download/####/1516093402820.apk.dat
- <SD-Card>/Download/####/1516094202550.apk.dat
- <SD-Card>/Download/####/1516342766850.apk.dat
- <SD-Card>/Download/####/1516679655393.png.dat
- <SD-Card>/Download/####/1516679655831.jpg.dat
- <SD-Card>/Download/####/1516679656281.jpg.dat
- <SD-Card>/Download/####/1516679963958.jpg.dat
- <SD-Card>/Download/####/1516679964296.apk.dat
- <SD-Card>/backups/####/.confd
- <SD-Card>/backups/####/.confd-journal
- <SD-Card>/backups/####/.cuid
- <SD-Card>/backups/####/.cuid2
- <SD-Card>/backups/####/.timestamp
- <SD-Card>/cache/####/-249715954
- <SD-Card>/cache/####/-892738503
- <SD-Card>/cache/####/-943431157
- <SD-Card>/cache/####/1.txt
- <SD-Card>/cache/####/1541366825
- <SD-Card>/cache/####/2.txt
- <SD-Card>/cache/####/3.txt
- <SD-Card>/cache/####/39588614
- <SD-Card>/cache/####/4.txt
- <SD-Card>/cache/####/411477508
- <SD-Card>/cache/####/511371249
- <SD-Card>/collect/-1741312354
Другие:
Запускает следующие shell-скрипты:
- chmod 777 /storage/emulated/0/download/apk/1516342766850.apk.dat
- chmod 777 /storage/emulated/0/download/apk/1516679964296.apk.dat
- getprop ro.build.display.id
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.miui.ui.version.name
- getprop ro.smartisan.version
- getprop ro.vivo.os.version
Загружает динамические библиотеки:
- crash_analysis
- sgmainso-5.1
- ume
- ut_c_api
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- DES-ECB-PKCS5Padding
- RSA-ECB-PKCS1Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
