Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.683.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) alldo####.5####.com.####.net:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) app.onetwo####.top.####.com:80
- TCP(HTTP/1.1) db.5####.com:80
- TCP(HTTP/1.1) p####.5####.com.####.net:80
- TCP(TLS/1.0) k####.onetwo####.top:443
Запросы DNS:
- a####.u####.com
- app.onetwo####.top
- cdn.app.h####.top
- cdn.img.h####.top
- con####.5####.com
- db.5####.com
- fb.u####.com
- k####.onetwo####.top
- mt####.go####.com
- p####.5####.com
Запросы HTTP GET:
- alldo####.5####.com.####.net/plus/android/getManhuaVersion.php?action=####
- alldo####.5####.com.####.net/plus/app/wzry.php?type=####&aid=####&flag=#...
- alldo####.5####.com.####.net/plus/app/wzry.php?type=####&flag=####&keywo...
- alldo####.5####.com.####.net/plus/app/wzry.php?type=####&flag=####&perpa...
- alldo####.5####.com.####.net/plus/app/wzry.php?type=####&flag=####&uid=#...
- app.onetwo####.top.####.com/swenjian/ac
- app.onetwo####.top.####.com/upload/201801/12/app/20180112115937129.apk
- app.onetwo####.top.####.com/upload/201801/12/img/20180112115927478.png
- db.5####.com/wzry/api?type=####
- db.5####.com/wzry/api?type=####&flag=####&page=####
- db.5####.com/wzry/imageapp/hero/icon/18.png
- db.5####.com/wzry/imageapp/hero/icon/21.png
- db.5####.com/wzry/imageapp/hero/icon/22.png
- db.5####.com/wzry/imageapp/hero/icon/29.png
- db.5####.com/wzry/imageapp/hero/icon/36.png
- db.5####.com/wzry/imageapp/hero/icon/4.png
- db.5####.com/wzry/imageapp/hero/icon/51.png
- p####.5####.com.####.net/favicon.ico
- p####.5####.com.####.net/files/161024/7154484_100216_1_lit.jpg
- p####.5####.com.####.net/files/161031/7154484_16210K29.jpg
- p####.5####.com.####.net/files/161114/7154484_11520A47.jpg
- p####.5####.com.####.net/files/161117/7154484_163H2135.jpg
- p####.5####.com.####.net/files/161118/7154484_16212R60.jpg
- p####.5####.com.####.net/files/161121/7154484_105200192.jpg
- p####.5####.com.####.net/files/161123/7154484_1I052S4.jpg
- p####.5####.com.####.net/files/161205/7154484_134630R0.jpg
- p####.5####.com.####.net/files/161206/7154484_120043X0.jpg
- p####.5####.com.####.net/files/161208/7154484_133K5404.jpg
- p####.5####.com.####.net/files/161212/7154484_1A042152.jpg
- p####.5####.com.####.net/files/170315/6146134_103230_1_lit.jpg
- p####.5####.com.####.net/files/170406/6146134_100903_1_lit.jpg
- p####.5####.com.####.net/files/170407/6146134_101909_1_lit.jpg
- p####.5####.com.####.net/files/170605/6146134_133612_1_lit.png
- p####.5####.com.####.net/files/170704/6146134_114737_1_lit.jpg
- p####.5####.com.####.net/files/170704/6146134_115000_1_lit.jpg
- p####.5####.com.####.net/files/170705/6146134_095111_1_lit.jpg
- p####.5####.com.####.net/files/170705/6146134_095303_1_lit.jpg
- p####.5####.com.####.net/files/170706/6146134_132214_1.jpg
- p####.5####.com.####.net/files/170706/6146134_132214_1_lit.jpg
- p####.5####.com.####.net/files/170706/6146134_132227_1_lit.jpg
- p####.5####.com.####.net/files/170706/6146134_132239_1_lit.jpg
- p####.5####.com.####.net/files/170706/6146134_132507_1_lit.jpg
- p####.5####.com.####.net/files/170706/6146134_133116_1_lit.jpg
- p####.5####.com.####.net/files/allimg/170330/6146134_11291V352.jpg
- p####.5####.com.####.net/files/allimg/170414/6146134_105Z941b.jpg
- p####.5####.com.####.net/files/allimg/170428/6146134_10433435Y.gif
- p####.5####.com.####.net/files/allimg/170605/6146134_1339205N9.jpg
- p####.5####.com.####.net/files/allimg/170704/6146134_11460L500.jpg
- p####.5####.com.####.net/files/litimg/170210/09533061461341a1.jpg
Запросы HTTP POST:
- a####.u####.com/app_logs
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/cache/####/-11314523181465142388
- <Package Folder>/cache/####/-1674220549-1122122997
- <Package Folder>/cache/####/-16742208871205573719
- <Package Folder>/cache/####/-192554509-1380194445
- <Package Folder>/cache/####/-192554509-1452524361
- <Package Folder>/cache/####/-192554509-290838016
- <Package Folder>/cache/####/-192554509-645019816
- <Package Folder>/cache/####/-192554509-659843971
- <Package Folder>/cache/####/-192554509-963615401
- <Package Folder>/cache/####/-1925545091337816900
- <Package Folder>/cache/####/-1925545091599185263
- <Package Folder>/cache/####/-192554509676469539
- <Package Folder>/cache/####/-192554509685930146
- <Package Folder>/cache/####/-192554509737264414
- <Package Folder>/cache/####/-192554509744413371
- <Package Folder>/cache/####/-361239837-1695450287
- <Package Folder>/cache/####/-361239837-99587888
- <Package Folder>/cache/####/-3612398371251492878
- <Package Folder>/cache/####/-3612398371737271153
- <Package Folder>/cache/####/-715283375-1278684275
- <Package Folder>/cache/####/-715283375-1530181782
- <Package Folder>/cache/####/-715283375-1658008725
- <Package Folder>/cache/####/-715283375-277885244
- <Package Folder>/cache/####/-715283375-867706908
- <Package Folder>/cache/####/-7152833751364085181
- <Package Folder>/cache/####/-7152833751444926815
- <Package Folder>/cache/####/-7152833751918340591
- <Package Folder>/cache/####/-715283375705243559
- <Package Folder>/cache/####/1815939064-1964506780
- <Package Folder>/cache/####/1815939064-396048211
- <Package Folder>/cache/####/2894850522008914098
- <Package Folder>/cache/####/751315337-1224885591
- <Package Folder>/cache/####/7513153371575841474
- <Package Folder>/cache/####/994067302-1470778798
- <Package Folder>/cache/####/994067302-1523419495
- <Package Folder>/cache/####/994067302-1549278083
- <Package Folder>/cache/####/994067302-1555742730
- <Package Folder>/cache/####/994067302-1556666251
- <Package Folder>/cache/####/994067302-1578830755
- <Package Folder>/cache/####/9940673021752721300
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/index
- <Package Folder>/databases/UmengLocalNotificationStore.db-journal
- <Package Folder>/databases/pqwn.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/.imprint
- <Package Folder>/files/YcuService.jar
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/AppStore.xml
- <Package Folder>/shared_prefs/TrineaAndroidCommon.xml
- <Package Folder>/shared_prefs/VqActivity.xml
- <Package Folder>/shared_prefs/YcuService.xml
- <Package Folder>/shared_prefs/com.youxibao.wzry.xml
- <Package Folder>/shared_prefs/ebn.xml
- <Package Folder>/shared_prefs/fb_audio_switch.xml
- <Package Folder>/shared_prefs/feedback_push.xml
- <Package Folder>/shared_prefs/umeng_feedback_conversations.xml
- <Package Folder>/shared_prefs/umeng_feedback_user_info.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_message_state.xml
- <Package Folder>/shared_prefs/umeng_socialize_qq.xml
- <SD-Card>/com.youxibao.wzry/Hero
- <SD-Card>/com.youxibao.wzry/Item
- <SD-Card>/com.youxibao.wzry/Message
- <SD-Card>/com.youxibao.wzry/Rune
- <SD-Card>/img/8f76b4cf934db
- <SD-Card>/instal/55f5980110a21e4288eff0c65b135b56.apk
- <SD-Card>/instal/c.tmp
- <SD-Card>/instal/c.tmp (deleted)
- <SD-Card>/umeng_cache/814F1
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 777 /storage/emulated/0/instal/55f5980110a21e4288eff0c65b135b56.apk
Загружает динамические библиотеки:
- libjiagu
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
