Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.589.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 52.52.2####.56:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) dl####.qq.com:80
- TCP(HTTP/1.1) m.a####.so.com:80
- TCP(HTTP/1.1) p4.q####.com.####.com:80
- TCP(HTTP/1.1) p5.q####.com.####.com:80
- TCP(HTTP/1.1) s.3####.cn:80
- TCP(HTTP/1.1) cdn.app.kac####.####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) ope####.mob####.360.cn:80
- TCP(HTTP/1.1) p0.q####.com.####.com:80
- TCP(HTTP/1.1) 1####.76.224.67:80
- TCP(HTTP/1.1) go.hotw####.top:80
- TCP(HTTP/1.1) s2.q####.com:80
- TCP(HTTP/1.1) cdn.game####.org:80
- TCP(HTTP/1.1) s9.q####.com:80
- TCP(TLS/1.0) cdn.session####.com:443
- TCP(TLS/1.0) st####.suiyue####.com.####.com:443
Запросы DNS:
- a####.u####.com
- a.appj####.com
- cdn.app.kac####.cn
- cdn.game####.org
- cdn.img.h####.top
- cdn.session####.com
- dl####.qq.com
- go.hotw####.top
- m.a####.so.com
- oc.u####.com
- ope####.mob####.360.cn
- p0.q####.com
- p1.q####.com
- p3.q####.com
- p4.q####.com
- p5.q####.com
- p8.q####.com
- s.3####.cn
- s0.q####.com
- s2.q####.com
- s3.q####.com
- s4.q####.com
- s9.q####.com
- st####.suiyue####.com
Запросы HTTP GET:
- cdn.app.kac####.####.com/sfile/201711/16/all/cp_V2.8.3.txt
- cdn.app.kac####.####.com/upload/201711/30/img/20171130182651140.png
- cdn.app.kac####.####.com/upload/201801/23/img/20180123145039877.png
- cdn.game####.org/strategy/UnknownDev
- cdn.game####.org/strategy/base
- cdn.game####.org/strategy/dev_root
- cdn.game####.org/strategy/dev_root2
- cdn.game####.org/strategy/larger4.3
- cdn.game####.org/strategy/loss_4.3
- cdn.game####.org/strategy/sul18
- cdn.game####.org/strategy/symlink-adbd
- dl####.qq.com/invc/zebra/pkg/V1_AND_PITU_CURRENT_NEW_BYB44_D.apk
- m.a####.so.com/detail/index?pname=####&id=####
- m.a####.so.com/message/index?page=####&requestType=####&_t=####&name=####
- m.a####.so.com/static/css/base.css
- m.a####.so.com/static/css/details.css
- m.a####.so.com/static/js/127.js?v=####
- m.a####.so.com/static/js/common.js?v=####
- m.a####.so.com/static/js/record.js
- m.a####.so.com/static/js/swipeview.js
- m.a####.so.com/static/js/web_app_status.js
- ope####.mob####.360.cn/qing/getgamebookinfo?_=####&callback=####
- p0.q####.com.####.com/d/inn/2ddc5fd6/logo_0413.png
- p0.q####.com.####.com/d/inn/6db6be32/arr_more.png
- p0.q####.com.####.com/t01096c583f56ee2d8b.png
- p4.q####.com.####.com/d/inn/465ff3dd/wenda_icon.png
- p4.q####.com.####.com/d/inn/ba55408d/video_icon.png
- p4.q####.com.####.com/t01264dc4e907fd00d1.gif
- p4.q####.com.####.com/t013bc02133a88cda70.png
- p4.q####.com.####.com/t018f53fd949cf15b75.png
- p4.q####.com.####.com/t01fcda6e3542002db2.png
- p5.q####.com.####.com/d/inn/579351d4/image_icon.png
- s.3####.cn/w360/s.htm?p=mobilegame&u=http://m.app.so.com/detail/index?id...
- s2.q####.com/static/45be3c09c978b362.js
- s2.q####.com/t01db2e6d28cb212497.png
- s9.q####.com/apc/zepto.min/45.js
- s9.q####.com/monitor/;monitor/2edd36ee.js
- s9.q####.com/static/3675c70f40c0dbaa.js
- s9.q####.com/static/a839ec0ad22b001b.js
Запросы HTTP POST:
- a####.u####.com/app_logs
- a.appj####.com/ad-service/ad/mark
- go.hotw####.top/hadat/h/iysjy
- go.hotw####.top/hadat/islh/dti
- go.hotw####.top/hadat/kpe/bp
- go.hotw####.top/hadat/u/st
- go.hotw####.top/hadat/uzz/ngouu
- go.hotw####.top/jzbdt/c/ztxec/x
- go.hotw####.top/jzbdt/ct/d
- go.hotw####.top/jzbdt/l/a
- go.hotw####.top/sdf/neq
- oc.u####.com/v2/check_config_update
- oc.u####.com/v2/get_update_time
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_4a5fc066-d552-443e-b73f-5ba12ce0f645/Matrix
- <Package Folder>/app_4a5fc066-d552-443e-b73f-5ba12ce0f645/ddexe
- <Package Folder>/app_4a5fc066-d552-443e-b73f-5ba12ce0f645/debuggerd
- <Package Folder>/app_4a5fc066-d552-443e-b73f-5ba12ce0f645/fileWork
- <Package Folder>/app_4a5fc066-d552-443e-b73f-5ba12ce0f645/insta...ery.sh
- <Package Folder>/app_4a5fc066-d552-443e-b73f-5ba12ce0f645/pidof
- <Package Folder>/app_4a5fc066-d552-443e-b73f-5ba12ce0f645/su
- <Package Folder>/app_4a5fc066-d552-443e-b73f-5ba12ce0f645/supolicy
- <Package Folder>/app_4a5fc066-d552-443e-b73f-5ba12ce0f645/toolbox
- <Package Folder>/app_4a5fc066-d552-443e-b73f-5ba12ce0f645/wsroot.sh
- <Package Folder>/app_69387e7a-43bc-4bda-bf3a-87c4b3f8e443/Matrix
- <Package Folder>/app_69387e7a-43bc-4bda-bf3a-87c4b3f8e443/ddexe
- <Package Folder>/app_69387e7a-43bc-4bda-bf3a-87c4b3f8e443/debuggerd
- <Package Folder>/app_69387e7a-43bc-4bda-bf3a-87c4b3f8e443/fileWork
- <Package Folder>/app_69387e7a-43bc-4bda-bf3a-87c4b3f8e443/insta...ery.sh
- <Package Folder>/app_69387e7a-43bc-4bda-bf3a-87c4b3f8e443/pidof
- <Package Folder>/app_69387e7a-43bc-4bda-bf3a-87c4b3f8e443/su
- <Package Folder>/app_69387e7a-43bc-4bda-bf3a-87c4b3f8e443/supolicy
- <Package Folder>/app_69387e7a-43bc-4bda-bf3a-87c4b3f8e443/toolbox
- <Package Folder>/app_69387e7a-43bc-4bda-bf3a-87c4b3f8e443/wsroot.sh
- <Package Folder>/app_965b6d70-40b0-4cfb-939f-acf172b02a90/Matrix
- <Package Folder>/app_965b6d70-40b0-4cfb-939f-acf172b02a90/ddexe
- <Package Folder>/app_965b6d70-40b0-4cfb-939f-acf172b02a90/debuggerd
- <Package Folder>/app_965b6d70-40b0-4cfb-939f-acf172b02a90/fileWork
- <Package Folder>/app_965b6d70-40b0-4cfb-939f-acf172b02a90/insta...ery.sh
- <Package Folder>/app_965b6d70-40b0-4cfb-939f-acf172b02a90/pidof
- <Package Folder>/app_965b6d70-40b0-4cfb-939f-acf172b02a90/su
- <Package Folder>/app_965b6d70-40b0-4cfb-939f-acf172b02a90/supolicy
- <Package Folder>/app_965b6d70-40b0-4cfb-939f-acf172b02a90/toolbox
- <Package Folder>/app_965b6d70-40b0-4cfb-939f-acf172b02a90/wsroot.sh
- <Package Folder>/app_a84bdab0-5db1-418b-ad90-208a2be67879/Matrix
- <Package Folder>/app_a84bdab0-5db1-418b-ad90-208a2be67879/ddexe
- <Package Folder>/app_a84bdab0-5db1-418b-ad90-208a2be67879/debuggerd
- <Package Folder>/app_a84bdab0-5db1-418b-ad90-208a2be67879/fileWork
- <Package Folder>/app_a84bdab0-5db1-418b-ad90-208a2be67879/insta...ery.sh
- <Package Folder>/app_a84bdab0-5db1-418b-ad90-208a2be67879/pidof
- <Package Folder>/app_a84bdab0-5db1-418b-ad90-208a2be67879/su
- <Package Folder>/app_a84bdab0-5db1-418b-ad90-208a2be67879/supolicy
- <Package Folder>/app_a84bdab0-5db1-418b-ad90-208a2be67879/toolbox
- <Package Folder>/app_a84bdab0-5db1-418b-ad90-208a2be67879/wsroot.sh
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/Matrix
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/ddexe
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/debuggerd
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/device.db
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/fileWork
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/insta...ery.sh
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/pidof
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/root3
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/su
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/supolicy
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/toolbox
- <Package Folder>/app_ab6449d0-f063-41bc-b43b-4b3ffef4aa78/wsroot.sh
- <Package Folder>/app_d4157a68-1341-4689-8432-4d833571a898/checker.jar
- <Package Folder>/app_d910dddb-f6d9-4615-8ab3-81c67b22c146/Matrix
- <Package Folder>/app_d910dddb-f6d9-4615-8ab3-81c67b22c146/ddexe
- <Package Folder>/app_d910dddb-f6d9-4615-8ab3-81c67b22c146/debuggerd
- <Package Folder>/app_d910dddb-f6d9-4615-8ab3-81c67b22c146/fileWork
- <Package Folder>/app_d910dddb-f6d9-4615-8ab3-81c67b22c146/insta...ery.sh
- <Package Folder>/app_d910dddb-f6d9-4615-8ab3-81c67b22c146/pidof
- <Package Folder>/app_d910dddb-f6d9-4615-8ab3-81c67b22c146/su
- <Package Folder>/app_d910dddb-f6d9-4615-8ab3-81c67b22c146/supolicy
- <Package Folder>/app_d910dddb-f6d9-4615-8ab3-81c67b22c146/toolbox
- <Package Folder>/app_d910dddb-f6d9-4615-8ab3-81c67b22c146/wsroot.sh
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/app_plugin_download/5da3840d-91d5-4144-b9cc-9ce7bd18eab6
- <Package Folder>/app_plugin_download/68e8eca6-884d-47b8-8ec0-77df2e86b04b
- <Package Folder>/app_subox/1740c449fc10be62df60ba0f18696c9f
- <Package Folder>/app_subox/32edd79a240b5f1e461d069caab1ec3e
- <Package Folder>/app_subox/8b6f263391259b7a8e5f58ee71852ca8
- <Package Folder>/app_subox/b0141e478b25af7c40a8cca8de6c4708
- <Package Folder>/app_subox/b18a021d11a3004d25017230b681476b
- <Package Folder>/app_subox/c61913b615fb6224701377a119081f36
- <Package Folder>/app_subox_download/17e3e9a0-2c64-409e-a157-f6201e6af90c
- <Package Folder>/app_subox_download/4cf0fa8c-2e9a-4756-adb7-0dc7e4d929c4
- <Package Folder>/app_subox_download/53788ef5-c4b8-499c-be92-f9374c0cb4fd
- <Package Folder>/app_subox_download/8dcc42c0-57d7-427b-bdee-088f94a59d5d
- <Package Folder>/app_subox_download/e144abe1-0b48-4ad1-8ae8-0f0a1d1e0355
- <Package Folder>/app_subox_download/e732efa7-066d-40f5-acc0-f702b12cf3d5
- <Package Folder>/app_subox_download/f580e78c-8c4f-4537-ab65-090925add09d
- <Package Folder>/app_subox_download/fa7e8fb6-a86d-4167-8e8b-faaa552e2a64
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/index
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/t_u.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/.imprint
- <Package Folder>/files/SUBOXLOG_
- <Package Folder>/files/bg.jar
- <Package Folder>/files/exid.dat
- <Package Folder>/files/ib.jar
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/kr.xml
- <Package Folder>/shared_prefs/onlineconfig_agent_online_setting...e>.xml
- <Package Folder>/shared_prefs/qsb.xml
- <Package Folder>/shared_prefs/sfe.xml
- <Package Folder>/shared_prefs/subox.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/wv.xml
- <SD-Card>/Android/####/791c567332ac770e90709810c76d4bd9.apk
- <SD-Card>/Android/####/V2.8.3.txt
- <SD-Card>/Android/####/b.tmp
- <SD-Card>/Android/####/b08ffbe76bc53
- <SD-Card>/Android/####/bf639d76e224d
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/791c567332ac770e90709810c76d4bd9.apk
- chmod 777 Matrix ddexe debuggerd device.db fileWork install-recovery.sh pidof root3 su supolicy toolbox wsroot.sh
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox wsroot.sh
- sh
Загружает динамические библиотеки:
- _ksky113
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- DES
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
