Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.589.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 52.52.2####.56:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) p####.r.su####.mobi:9003
- TCP(HTTP/1.1) hiph####.b####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) cdn.app.kac####.####.com:80
- TCP(HTTP/1.1) img####.b####.com:80
- TCP(HTTP/1.1) s####.jom####.com:80
- TCP(HTTP/1.1) i####.b####.com:80
- TCP(HTTP/1.1) go.hotw####.top:80
- TCP(HTTP/1.1) i####.bdst####.com:80
- TCP(HTTP/1.1) p####.r.su####.mobi:80
- TCP(HTTP/1.1) cdn.game####.org:80
- TCP(HTTP/1.1) 1####.76.224.67:80
- TCP(TLS/1.0) img####.b####.com:443
- TCP(TLS/1.0) ti####.b####.com:443
- TCP(TLS/1.0) ss0.bdst####.com:443
- TCP(TLS/1.0) i####.b####.com:443
- TCP(TLS/1.0) i####.bdst####.com:443
Запросы DNS:
- a####.u####.com
- a.hiph####.b####.com
- b####.r.su####.mobi
- b.hiph####.b####.com
- bs####.r.su####.mobi
- c.hiph####.b####.com
- cdn.app.h####.top
- cdn.app.kac####.cn
- cdn.game####.org
- cdn.img.h####.top
- d.hiph####.b####.com
- e.hiph####.b####.com
- f.hiph####.b####.com
- g.hiph####.b####.com
- go.hotw####.top
- h####.b####.com
- h.hiph####.b####.com
- hiph####.b####.com
- hm.b####.com
- i####.b####.com
- i####.bdst####.com
- i####.bdst####.com
- i####.bdst####.com
- i####.bdst####.com
- i####.bdst####.com
- i####.bdst####.com
- i####.bdst####.com
- img####.b####.com
- js.adm.c####.net
- p####.r.su####.mobi
- ss0.bdst####.com
- ss1.bdst####.com
- ss2.bdst####.com
- ss3.bdst####.com
- ti####.b####.com
- upg####.su####.mobi
Запросы HTTP GET:
- cdn.app.kac####.####.com/sfile/201712/06/all/cp_V2.8.2.txt
- cdn.app.kac####.####.com/upload/201709/7/img/20170907164855684.png
- cdn.app.kac####.####.com/upload/201711/17/img/20171117114651924.png
- cdn.app.kac####.####.com/upload/201801/23/app/20180123113019671.apk
- cdn.app.kac####.####.com/upload/201801/23/img/20180123145039877.png
- cdn.app.kac####.####.com/upload/201801/23/img/20180123160316138.png
- cdn.game####.org/strategy/UnknownDev
- cdn.game####.org/strategy/base
- cdn.game####.org/strategy/dev_root
- cdn.game####.org/strategy/dev_root2
- cdn.game####.org/strategy/larger4.3
- cdn.game####.org/strategy/loss_4.3
- cdn.game####.org/strategy/sul18
- cdn.game####.org/strategy/symlink-adbd
- hiph####.b####.com/image/h=313;crop=0,0,470,313/sign=64a565a3b81bb051902...
- hiph####.b####.com/image/w=200/sign=0e2467418a0a19d8cb03830503fb82c9/0ff...
- hiph####.b####.com/image/w=200/sign=1de1fa551ece36d3a20484300af23a24/37d...
- hiph####.b####.com/image/w=200/sign=2e1fb86bb81c8701d6b6b5e6177e9e6e/472...
- hiph####.b####.com/image/w=200/sign=55eddc0a71cb0a4685228c395b62f63e/96d...
- hiph####.b####.com/image/w=200/sign=5da29c929222720e7bcee5fa4bca0a3a/cb8...
- hiph####.b####.com/image/w=200/sign=5fe2f549df3f8794d3ff4f2ee21a0ead/aec...
- hiph####.b####.com/image/w=200/sign=6446e7952334349b74066985f9eb1521/380...
- hiph####.b####.com/image/w=200/sign=92d887f661600c33f079d9c82a4d5134/0df...
- hiph####.b####.com/image/w=200/sign=987928dcfc246b607b0eb574dbf91a35/d1a...
- hiph####.b####.com/image/w=200/sign=b9c74a213087e9504217f46c203a531b/d46...
- hiph####.b####.com/image/w=200/sign=c0a1af70c01349547e1eef64664f92dd/b81...
- hiph####.b####.com/image/w=200/sign=c6810017dc2a60595210e61a1835342d/a2c...
- hiph####.b####.com/image/w=200/sign=ca04bc60a2ec8a13141a50e0c7029157/d52...
- hiph####.b####.com/image/w=200/sign=d1f315ea06d79123e0e093749d355917/b58...
- hiph####.b####.com/image/w=200/sign=e7d5a91e89025aafd33279cbcbefab8d/060...
- hiph####.b####.com/image/w=457;crop=0,72,457,304/sign=52f1ac833d7adab43d...
- hiph####.b####.com/image/w=496;crop=0,0,496,330/sign=936002cadaa20cf4469...
- hiph####.b####.com/image/w=502;crop=0,0,502,334/sign=2cfb5353aa44ad342eb...
- hiph####.b####.com/image/w=502;crop=0,0,502,334/sign=7e2a0446ab44ad342eb...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&ep=####&et=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- hm.b####.com/hm.js?7a968e3####
- i####.b####.com/
- i####.b####.com/pv/pv1.gif?app=####&samplekey=####&tn=####&page=####&pty...
- i####.b####.com/search/wiseindex?tn=####
- i####.b####.com/search/wisejsonala?tn=####&ie=####&cur=####&word=####&fr...
- i####.b####.com/user/logininfo?src=####&page=####
- i####.b####.com/wisehomepage/feeds
- i####.bdst####.com/img/image/public/1231516679134.jpg
- img####.b####.com/11.gif?pid=####&type=####&app=####&samplekey=####&etyp...
- img####.b####.com/7.gif?pid=####&type=####&app=####&samplekey=####&tn=##...
- p####.r.su####.mobi/?os=####&apkv=####&wi=####&is=####&upg_type=####&op=...
- p####.r.su####.mobi/books/cover/custom/cover_2000020_2015-12-09_00-02-25...
- p####.r.su####.mobi/books/cover/custom/cover_2000052_2015-12-09_16-33-28...
- p####.r.su####.mobi/books/cover/custom/cover_2000056_2015-12-09_00-08-23...
- p####.r.su####.mobi/books/cover/custom/cover_2000089_2015-12-09_00-07-23...
- p####.r.su####.mobi/books/cover/custom/cover_2000280_2015-12-08_23-48-26...
- p####.r.su####.mobi/books/cover/custom/cover_2001622_2015-12-09_00-01-49...
- p####.r.su####.mobi/books/cover/custom/cover_2001631_2015-12-09_00-20-35...
- p####.r.su####.mobi/books/cover/custom/cover_2001665_2015-12-08_23-35-28...
- p####.r.su####.mobi/books/cover/custom/cover_2001715_2015-12-08_23-30-09...
- p####.r.su####.mobi/books/cover/custom/cover_2002236_2015-12-08_23-13-52...
- p####.r.su####.mobi/books/cover/ybdu/20151110/NpzkOzIYXaGdpYkW_JFdIQ.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151110/e5gCh2klUXSYFZCBVHtToA.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/8YBMUblxUF+l7jrTOEpqyQ.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/Jbjp9RyXWJepkXCiIlODiQ.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/Ng2DpXtsXOqhqycgVzKugQ.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/S99c+7WaXZ6cOmiStnNjGw.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/cW6YS5RGWguEF9a5vtFRkA.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/jcORH1scU1G9mPG_MYhZ+g.jpg
- p####.r.su####.mobi/books/cover/ybdu/20151111/qa8tAKduXnylBj9WMVYx2g.jpg
- p####.r.su####.mobi/bstore-service/choice/page?is=####&ch=####&clv=####&...
- p####.r.su####.mobi/bstore-service/res/css/brief.css
- p####.r.su####.mobi/bstore-service/res/css/global.css
- p####.r.su####.mobi/bstore-service/res/css/module.css
- p####.r.su####.mobi/bstore-service/res/css/public.css
- p####.r.su####.mobi/bstore-service/res/css/topbar.css
- p####.r.su####.mobi/bstore-service/res/image/d.png
- p####.r.su####.mobi/bstore-service/res/image/logo.png
- p####.r.su####.mobi/bullpage?bulltype=####&nt=####&sm=####&clv=####&op=#...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/css/core_3c3...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/font/iconfon...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/js/core_6b37...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/js/swiper_43...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/pkg/share_5a...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/pkg/voice_27...
- s####.jom####.com/image/mobile/n/static/wisehomepage/static/pkg/wisehome...
- s####.jom####.com/image/mobile/n/static/wisehomepage/widget/components/m...
Запросы HTTP POST:
- a####.u####.com/app_logs
- go.hotw####.top/dead/w/tnl/vduld
- go.hotw####.top/hadat/c/fb
- go.hotw####.top/hadat/osx/aekcn
- go.hotw####.top/hadat/rl/u
- go.hotw####.top/hadat/voixg/cxrdn
- go.hotw####.top/hadat/wqjb/euofu
- go.hotw####.top/hadat/yglz/kwes
- go.hotw####.top/jzbdt/h/eyjms
- go.hotw####.top/jzbdt/lq/ohy
- go.hotw####.top/jzbdt/xqhk/uv/em
- go.hotw####.top/sdf/ebvm
- i####.b####.com/wise/getvotenum
- p####.r.su####.mobi:9003/
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_11a30c3d-8f62-4c4d-889d-bd2e0062e630/Matrix
- <Package Folder>/app_11a30c3d-8f62-4c4d-889d-bd2e0062e630/ddexe
- <Package Folder>/app_11a30c3d-8f62-4c4d-889d-bd2e0062e630/debuggerd
- <Package Folder>/app_11a30c3d-8f62-4c4d-889d-bd2e0062e630/fileWork
- <Package Folder>/app_11a30c3d-8f62-4c4d-889d-bd2e0062e630/insta...ery.sh
- <Package Folder>/app_11a30c3d-8f62-4c4d-889d-bd2e0062e630/pidof
- <Package Folder>/app_11a30c3d-8f62-4c4d-889d-bd2e0062e630/su
- <Package Folder>/app_11a30c3d-8f62-4c4d-889d-bd2e0062e630/supolicy
- <Package Folder>/app_11a30c3d-8f62-4c4d-889d-bd2e0062e630/toolbox
- <Package Folder>/app_11a30c3d-8f62-4c4d-889d-bd2e0062e630/wsroot.sh
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/Matrix
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/ddexe
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/debuggerd
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/device.db
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/fileWork
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/insta...ery.sh
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/pidof
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/root3
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/su
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/supolicy
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/toolbox
- <Package Folder>/app_222ee5eb-788c-4de3-89ad-bb575a0bc4ba/wsroot.sh
- <Package Folder>/app_42cc8899-0679-4b62-a00a-2aaa83b4541f/Matrix
- <Package Folder>/app_42cc8899-0679-4b62-a00a-2aaa83b4541f/ddexe
- <Package Folder>/app_42cc8899-0679-4b62-a00a-2aaa83b4541f/debuggerd
- <Package Folder>/app_42cc8899-0679-4b62-a00a-2aaa83b4541f/fileWork
- <Package Folder>/app_42cc8899-0679-4b62-a00a-2aaa83b4541f/insta...ery.sh
- <Package Folder>/app_42cc8899-0679-4b62-a00a-2aaa83b4541f/pidof
- <Package Folder>/app_42cc8899-0679-4b62-a00a-2aaa83b4541f/su
- <Package Folder>/app_42cc8899-0679-4b62-a00a-2aaa83b4541f/supolicy
- <Package Folder>/app_42cc8899-0679-4b62-a00a-2aaa83b4541f/toolbox
- <Package Folder>/app_42cc8899-0679-4b62-a00a-2aaa83b4541f/wsroot.sh
- <Package Folder>/app_59c9fae5-9498-4d08-9dee-0288c1e12d78/Matrix
- <Package Folder>/app_59c9fae5-9498-4d08-9dee-0288c1e12d78/ddexe
- <Package Folder>/app_59c9fae5-9498-4d08-9dee-0288c1e12d78/debuggerd
- <Package Folder>/app_59c9fae5-9498-4d08-9dee-0288c1e12d78/fileWork
- <Package Folder>/app_59c9fae5-9498-4d08-9dee-0288c1e12d78/insta...ery.sh
- <Package Folder>/app_59c9fae5-9498-4d08-9dee-0288c1e12d78/pidof
- <Package Folder>/app_59c9fae5-9498-4d08-9dee-0288c1e12d78/su
- <Package Folder>/app_59c9fae5-9498-4d08-9dee-0288c1e12d78/supolicy
- <Package Folder>/app_59c9fae5-9498-4d08-9dee-0288c1e12d78/toolbox
- <Package Folder>/app_59c9fae5-9498-4d08-9dee-0288c1e12d78/wsroot.sh
- <Package Folder>/app_5d2ff484-3b66-4469-8c0e-75541042e297/Matrix
- <Package Folder>/app_5d2ff484-3b66-4469-8c0e-75541042e297/ddexe
- <Package Folder>/app_5d2ff484-3b66-4469-8c0e-75541042e297/debuggerd
- <Package Folder>/app_5d2ff484-3b66-4469-8c0e-75541042e297/fileWork
- <Package Folder>/app_5d2ff484-3b66-4469-8c0e-75541042e297/insta...ery.sh
- <Package Folder>/app_5d2ff484-3b66-4469-8c0e-75541042e297/pidof
- <Package Folder>/app_5d2ff484-3b66-4469-8c0e-75541042e297/su
- <Package Folder>/app_5d2ff484-3b66-4469-8c0e-75541042e297/supolicy
- <Package Folder>/app_5d2ff484-3b66-4469-8c0e-75541042e297/toolbox
- <Package Folder>/app_5d2ff484-3b66-4469-8c0e-75541042e297/wsroot.sh
- <Package Folder>/app_83342d61-cd32-4418-a471-2feadf67657c/Matrix
- <Package Folder>/app_83342d61-cd32-4418-a471-2feadf67657c/ddexe
- <Package Folder>/app_83342d61-cd32-4418-a471-2feadf67657c/debuggerd
- <Package Folder>/app_83342d61-cd32-4418-a471-2feadf67657c/fileWork
- <Package Folder>/app_83342d61-cd32-4418-a471-2feadf67657c/insta...ery.sh
- <Package Folder>/app_83342d61-cd32-4418-a471-2feadf67657c/pidof
- <Package Folder>/app_83342d61-cd32-4418-a471-2feadf67657c/su
- <Package Folder>/app_83342d61-cd32-4418-a471-2feadf67657c/supolicy
- <Package Folder>/app_83342d61-cd32-4418-a471-2feadf67657c/toolbox
- <Package Folder>/app_83342d61-cd32-4418-a471-2feadf67657c/wsroot.sh
- <Package Folder>/app_af29d5cf-2d46-4aee-b110-a27dd6e75b5c/checker.jar
- <Package Folder>/app_appcache/ApplicationCache.db-journal
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/app_plugin_download/700c96c9-8672-4652-836f-a615775d4823
- <Package Folder>/app_plugin_download/778c1fa4-9a90-4146-b6f0-d3714f715319
- <Package Folder>/app_subox/1740c449fc10be62df60ba0f18696c9f
- <Package Folder>/app_subox/32edd79a240b5f1e461d069caab1ec3e
- <Package Folder>/app_subox/8b6f263391259b7a8e5f58ee71852ca8
- <Package Folder>/app_subox/b0141e478b25af7c40a8cca8de6c4708
- <Package Folder>/app_subox/b18a021d11a3004d25017230b681476b
- <Package Folder>/app_subox/c61913b615fb6224701377a119081f36
- <Package Folder>/app_subox_download/46115fb0-6e8e-41bf-aaef-95654792f90a
- <Package Folder>/app_subox_download/500dcb29-1463-45ed-9852-f0022684153c
- <Package Folder>/app_subox_download/5657f294-c812-4628-8506-c2345e930ea4
- <Package Folder>/app_subox_download/5d2e4703-2182-4f2f-986c-c722a6fb141a
- <Package Folder>/app_subox_download/8a88f5e1-d87a-43e0-bbd5-1d71e59efd32
- <Package Folder>/app_subox_download/c94cfce8-b2a4-437b-aa8f-007d30b90c7c
- <Package Folder>/app_subox_download/e9cf3dac-d88c-4f7e-bfe2-7978902263df
- <Package Folder>/app_subox_download/fec0309c-94a5-43c7-a6bc-3feb83d76ee6
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001e (deleted)
- <Package Folder>/cache/####/index
- <Package Folder>/databases/UmengLocalNotificationStore.db-journal
- <Package Folder>/databases/book_info-journal
- <Package Folder>/databases/event-journal
- <Package Folder>/databases/t_u.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/.imprint
- <Package Folder>/files/SUBOXLOG_
- <Package Folder>/files/oy.jar
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/files/zp.jar
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/AppStore.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/desk.xml
- <Package Folder>/shared_prefs/dsi.xml
- <Package Folder>/shared_prefs/job_check.xml
- <Package Folder>/shared_prefs/job_check.xml (deleted)
- <Package Folder>/shared_prefs/kr.xml
- <Package Folder>/shared_prefs/push_check.xml
- <Package Folder>/shared_prefs/read_prefs.xml
- <Package Folder>/shared_prefs/sfe.xml
- <Package Folder>/shared_prefs/subox.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_message_state.xml
- <Package Folder>/shared_prefs/upgrade.prompt_check.xml
- <Package Folder>/shared_prefs/wv.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/3f6200a40ebcf
- <SD-Card>/Android/####/6e9114df6e437
- <SD-Card>/Android/####/7e8a1c4b2283d7ea09bc8b53384115a6.apk
- <SD-Card>/Android/####/943b0d43085f7
- <SD-Card>/Android/####/V2.8.2.txt
- <SD-Card>/Android/####/b.tmp
- <SD-Card>/Android/####/bf639d76e224d
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/7e8a1c4b2283d7ea09bc8b53384115a6.apk
- chmod 777 Matrix ddexe debuggerd device.db fileWork install-recovery.sh pidof root3 su supolicy toolbox wsroot.sh
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox wsroot.sh
- sh
Загружает динамические библиотеки:
- _duh491
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
Использует следующие алгоритмы для расшифровки данных:
- DES
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
