Android.Packed.35649

Техническая информация

Вредоносные функции:

Загружает на исполнение код следующих детектируемых угроз:

Android.DownLoader.589.origin

Сетевая активность:

Подключается к:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) oc.u####.com:80
TCP(HTTP/1.1) a####.exc.mob.com:80
TCP(HTTP/1.1) 47.92.1####.96:80
TCP(HTTP/1.1) dl####.qq.com:80
TCP(HTTP/1.1) p####.ico####.com:80
TCP(HTTP/1.1) api.s####.mob.com:80
TCP(HTTP/1.1) ti####.c####.l####.####.com:80
TCP(HTTP/1.1) cdn.img.h####.####.com:80
TCP(TLS/1.0) pe.winin####.top:443
TCP(TLS/1.0) cdnapph####.b0.a####.com:443
TCP(TLS/1.0) tinyq####.ove####.b0.####.com:443
TCP(TLS/1.0) www.go####.com:443

Запросы DNS:

a####.exc.mob.com
a####.u####.com
api.s####.mob.com
c####.comi####.cn
cdn.app.h####.top
cdn.app.pin####.top
cdn.ico####.com
cdn.img.h####.top
dl####.qq.com
oc.u####.com
p####.ico####.com
pe.winin####.top
t.p####.ico####.com
www.go####.com

Запросы HTTP GET:

cdn.img.h####.####.com/upload/201711/17/img/20171117114651924.png
cdn.img.h####.####.com/upload/201711/30/img/20171130182651140.png
cdn.img.h####.####.com/upload/201801/23/app/20180123113019671.apk
cdn.img.h####.####.com/upload/201801/23/img/20180123145039877.png
dl####.qq.com/invc/zebra/pkg/V1_AND_PITU_CURRENT_NEW_BYB44_D.apk
ti####.c####.l####.####.com/11625_ccover_hp_ab55786bdd930a13.jpg?imageVi...
ti####.c####.l####.####.com/12446_ccover_hp_a27c995395fe7875.jpg?imageVi...
ti####.c####.l####.####.com/12468_ccover_hp_cd00e569d0b1f4d6.jpg?imageVi...
ti####.c####.l####.####.com/12482_ccover_hl_780ee6ff3d613865.jpg?imageVi...
ti####.c####.l####.####.com/12786_10_1_1f0252ead5cdc2b5.jpg?imageMo####
ti####.c####.l####.####.com/12786_10_2_083392f7b7b4bc7b.jpg?imageMo####
ti####.c####.l####.####.com/12786_10_3_443c00a61dd6d55d.jpg?imageMo####
ti####.c####.l####.####.com/12786_10_4_70873f37fb68f375.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_10_4261f1a4c6e48dc6.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_11_e80a767c29190158.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_12_c21d0e3cb43d3bfa.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_13_dba97fb1db78fa2e.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_14_396842e048b3d40b.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_15_140de8d47de5284a.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_16_c94f40f7f3fb0ce2.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_17_69f51a687b7634e3.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_18_3e6faee15231f5a0.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_19_2d093d3667272108.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_1_437a322a8cc7ad3d.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_20_22caa1d5ffe0f142.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_21_9dbf7503c6aec32b.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_22_36f0ae5095ba8410.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_2_f0256decb092631c.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_3_a27fcac7d34b7785.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_4_00dd1dd14558f847.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_5_05db178458d4b2cd.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_6_7c6e4f82831dc3ea.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_7_17491f31b92e7576.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_8_c9d30464308df9a3.jpg?imageMo####
ti####.c####.l####.####.com/12786_11_9_38cbdfc8de8f97fc.jpg?imageMo####
ti####.c####.l####.####.com/12786_ccover_37612aa755f2385a.jpg?imageVi####

Запросы HTTP POST:

a####.exc.mob.com/errconf
a####.u####.com/app_logs
api.s####.mob.com/conf4
api.s####.mob.com/conn
api.s####.mob.com/data2
api.s####.mob.com/log4
api.s####.mob.com/snsconf
oc.u####.com/v2/check_config_update
oc.u####.com/v2/get_update_time
p####.ico####.com/categorylist
p####.ico####.com/comicdetail
p####.ico####.com/epinfo
p####.ico####.com/getcomments2
p####.ico####.com/getextinfo
p####.ico####.com/handshake
p####.ico####.com/homepage
p####.ico####.com/splashinfo
p####.ico####.com/syncextinfo

Изменения в файловой системе:

Создает следующие файлы:

<Package Folder>/.jiagu/libjiagu.so
<Package Folder>/cache/V2.8.8.3.txt
<Package Folder>/databases/ThrowalbeLog.db-journal
<Package Folder>/databases/icomico_db-journal
<Package Folder>/databases/sharesdk.db-journal
<Package Folder>/databases/t_u.db-journal
<Package Folder>/files/####/.jg.ic
<Package Folder>/files/.imprint
<Package Folder>/files/kr.jar
<Package Folder>/files/mobclick_agent_cached_<Package>702
<Package Folder>/files/umeng_it.cache
<Package Folder>/shared_prefs/Alvin2.xml
<Package Folder>/shared_prefs/AppStore.xml
<Package Folder>/shared_prefs/ContextData.xml
<Package Folder>/shared_prefs/ICOMICO_PREFERENCE.xml
<Package Folder>/shared_prefs/count.xml
<Package Folder>/shared_prefs/kr.xml
<Package Folder>/shared_prefs/mob_sdk_exception_1.xml
<Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
<Package Folder>/shared_prefs/share_sdk_1.xml
<Package Folder>/shared_prefs/umeng_general_config.xml
<Package Folder>/shared_prefs/umeng_message_state.xml
<Package Folder>/shared_prefs/vbz.xml
<SD-Card>/.DataStorage/ContextData.xml
<SD-Card>/.UTSystemConfig/####/Alvin2.xml
<SD-Card>/Android/####/.nomedia
<SD-Card>/Android/####/10k2lhjmzublh53kyy3bgg70e.0.tmp
<SD-Card>/Android/####/14nkucag3qgo470v2ekhnb0tv.0.tmp
<SD-Card>/Android/####/1uba65bawv4pmz4tnpcsay7b.0.tmp
<SD-Card>/Android/####/29fxfimahqi88c9nd44yydhsg.0.tmp
<SD-Card>/Android/####/29fxfimahqi88c9nd44yydhsg.downtmp.downtmp
<SD-Card>/Android/####/2cah9mfs1m83pvddldj86zn5t.0.tmp
<SD-Card>/Android/####/2mxsh48dvp605w3pbtpxd0rp3.0.tmp
<SD-Card>/Android/####/2mxsh48dvp605w3pbtpxd0rp3.downtmp.downtmp
<SD-Card>/Android/####/2qdtshcxla4y2kxnsrsvo8dca.0.tmp
<SD-Card>/Android/####/2qdtshcxla4y2kxnsrsvo8dca.downtmp.downtmp
<SD-Card>/Android/####/35c74e6c5129c1aa7def44107cd80bcc.downtmp
<SD-Card>/Android/####/35f90d35e83b347de420259ce1b92c98.downtmp
<SD-Card>/Android/####/3ijupdj2ikn0rw8krqnw1xjgt.0.tmp
<SD-Card>/Android/####/3ijupdj2ikn0rw8krqnw1xjgt.downtmp.downtmp
<SD-Card>/Android/####/3lz3etw10s8m9mw5tleangaem.0.tmp
<SD-Card>/Android/####/3myp8z0wapes96k7quzab86y4.0.tmp
<SD-Card>/Android/####/3v9oc5kfiuniard0cwv65elv7.downtmp.downtmp
<SD-Card>/Android/####/3ymubm5jcvi701cvuuq3tdf8a.0.tmp
<SD-Card>/Android/####/41i0lzfy9fb0vloo6x036wdac.0.tmp
<SD-Card>/Android/####/424967r4pljx5kia702xsnh90.0.tmp
<SD-Card>/Android/####/440dbe5m9wuxg3tiuet3k5k0u.0.tmp
<SD-Card>/Android/####/440dbe5m9wuxg3tiuet3k5k0u.downtmp.downtmp
<SD-Card>/Android/####/45g74epknjx0qi4tw4h6d0t3i.0.tmp
<SD-Card>/Android/####/45g74epknjx0qi4tw4h6d0t3i.downtmp.downtmp
<SD-Card>/Android/####/4dfo1ratmiuvt23e5si5wucxu.0.tmp
<SD-Card>/Android/####/4dfo1ratmiuvt23e5si5wucxu.downtmp.downtmp
<SD-Card>/Android/####/4mscy42ww0jqyn9f2fu7y29c9.0.tmp
<SD-Card>/Android/####/4t81euo876lorqss648tzcemu.0.tmp
<SD-Card>/Android/####/4xrkipo9n9entb77wl71yu7zo.0.tmp
<SD-Card>/Android/####/52dew2cvxewhlyyv2imqn01ph.0.tmp
<SD-Card>/Android/####/52dew2cvxewhlyyv2imqn01ph.downtmp.downtmp
<SD-Card>/Android/####/57t7qq9w5peino10p7rxpj0qg.0.tmp
<SD-Card>/Android/####/58xcew5t28k851a8lv1948dco.0.tmp
<SD-Card>/Android/####/58xcew5t28k851a8lv1948dco.downtmp.downtmp
<SD-Card>/Android/####/5g97wq6f9fv769hi5vyg7wf1y.0.tmp
<SD-Card>/Android/####/5g97wq6f9fv769hi5vyg7wf1y.downtmp.downtmp
<SD-Card>/Android/####/5grzw8ljrfkl7i5zmvmo5tp08.0.tmp
<SD-Card>/Android/####/5lxoenifvr7m2x033pja0e1dm.0.tmp
<SD-Card>/Android/####/5p1uxen03natz9thuh18un8fl.0.tmp
<SD-Card>/Android/####/5p1uxen03natz9thuh18un8fl.downtmp.downtmp
<SD-Card>/Android/####/5z5q7jfe1yi3tx4kg7nk2ynv7.0.tmp
<SD-Card>/Android/####/5z5q7jfe1yi3tx4kg7nk2ynv7.downtmp.downtmp
<SD-Card>/Android/####/5ztozpx7vyf1rdxg9bfehowhk.0.tmp
<SD-Card>/Android/####/6014bed182a781c993da5e6538b05204.downtmp
<SD-Card>/Android/####/66vwrhldh9t5eca0i10c1h0yb.0.tmp
<SD-Card>/Android/####/670b88ab27dd12df8110846cc45ee247.downtmp
<SD-Card>/Android/####/67b7428zgslcwzt2q438t48m1.0
<SD-Card>/Android/####/67b7428zgslcwzt2q438t48m1.downtmp.downtmp
<SD-Card>/Android/####/6e1woeop7qpulpidevwf1ymnx.0.tmp
<SD-Card>/Android/####/6e1woeop7qpulpidevwf1ymnx.downtmp.downtmp
<SD-Card>/Android/####/6er1pbyux3ds5leb7wv057c5u.0.tmp
<SD-Card>/Android/####/6kca9jid9a9ulgflsakyveev.0.tmp
<SD-Card>/Android/####/6kca9jid9a9ulgflsakyveev.downtmp.downtmp
<SD-Card>/Android/####/6nkbzxyi6frbbl9ra0aya5wcj.0.tmp
<SD-Card>/Android/####/6yekaum505a3su7dx9xl6xw69.0.tmp
<SD-Card>/Android/####/6yeo9wsq55oks5z5es1vfompa.0.tmp
<SD-Card>/Android/####/75wgi861wcktuodkj74lbegv8.0.tmp
<SD-Card>/Android/####/7e8a1c4b2283d7ea09bc8b53384115a6.apk
<SD-Card>/Android/####/7fkzv4j1c9xcv4fh5l88ouce5.0.tmp
<SD-Card>/Android/####/7fkzv4j1c9xcv4fh5l88ouce5.downtmp.downtmp
<SD-Card>/Android/####/7hq8g7b22zt3ip97wqz1xrhup.0.tmp
<SD-Card>/Android/####/8dx76h2tzv0kww3sb2m11mpp.0.tmp
<SD-Card>/Android/####/921p3jh9nvuf04ejigj64iph.0.tmp
<SD-Card>/Android/####/943b0d43085f7
<SD-Card>/Android/####/b.tmp
<SD-Card>/Android/####/b08ffbe76bc53
<SD-Card>/Android/####/b3oe76nqb92delqnb790a3qa.0.tmp
<SD-Card>/Android/####/bf639d76e224d
<SD-Card>/Android/####/f1cc500667dc3fcd2f125855474b34af.downtmp
<SD-Card>/Android/####/f233525dbfe68c0f39cd0213f41e38fd.downtmp
<SD-Card>/Android/####/f6b1baabf1ae29a1387cc55899ef0468.downtmp
<SD-Card>/Android/####/gq88p6mpzswo6u5qsov1sce1.0.tmp
<SD-Card>/Android/####/journal.tmp
<SD-Card>/Android/####/lootrdfdeurmwuzzirnb3g7z.0.tmp
<SD-Card>/Android/####/lootrdfdeurmwuzzirnb3g7z.downtmp.downtmp
<SD-Card>/Android/####/qs7uftiqrj95py22pbq0fqb8.0.tmp
<SD-Card>/Android/####/qs7uftiqrj95py22pbq0fqb8.downtmp.downtmp
<SD-Card>/Android/####/vnboibjujnh5pbb8ihcqiu7u.0.tmp
<SD-Card>/Android/####/y8pevuyu9xk45o16ya67obu2.0.tmp
<SD-Card>/Android/####/y8pevuyu9xk45o16ya67obu2.downtmp.downtmp
<SD-Card>/ShareSDK/####/.lock
<SD-Card>/ShareSDK/.ba
<SD-Card>/ShareSDK/.dk

Другие:

Запускает следующие shell-скрипты:

chmod 755 <Package Folder>/.jiagu/libjiagu.so
chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/7e8a1c4b2283d7ea09bc8b53384115a6.apk

Загружает динамические библиотеки:

libjiagu
neh

Использует следующие алгоритмы для шифрования данных:

AES-CBC-PKCS5Padding
AES-ECB-PKCS7Padding

Использует следующие алгоритмы для расшифровки данных:

AES-ECB-NoPadding
DES

Использует специальную библиотеку для скрытия исполняемого байткода.

Осуществляет доступ к информации о геолокации.

Осуществляет доступ к информации о сети.

Осуществляет доступ к информации о телефоне (номер, imei и тд.).

Осуществляет доступ к информации об установленных приложениях.

Осуществляет доступ к информации о запущенных приложениях.

Добавляет задания в системный планировщик.

Отрисовывает собственные окна поверх других приложений.

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней