Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.20
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) wx.q####.cn:80
- TCP(HTTP/1.1) c####.im.qq.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) t.si####.net:80
- TCP(HTTP/1.1) q.q####.cn:80
- TCP(HTTP/1.1) loc.map.b####.com:80
- TCP(HTTP/1.1) ipswitc####.fmscach####.ou####.com:80
- TCP(HTTP/1.1) sa.meme####.com:80
- TCP(HTTP/1.1) api.meme####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) idu####.qini####.com:80
- TCP(HTTP/1.1) api.meme####.com:6010
- TCP(HTTP/1.1) img-a####.b0.upa####.com:80
- TCP(HTTP/1.1) img.su####.com.####.com:80
- TCP(HTTP/1.1) f.xingch####.com.####.com:80
- TCP(HTTP/1.1) 2####.243.193.47:80
- TCP(TLS/1.0) idu####.qini####.com:443
Запросы DNS:
- a####.u####.com
- and####.b####.qq.com
- api.meme####.com
- c####.im.qq.com
- f####.su####.com
- f.xingch####.com
- img-a####.b0.upa####.com
- img.su####.com
- loc.map.b####.com
- p####.ws.su####.com
- q.q####.cn
- sa.meme####.com
- t.si####.net
- ws.meme####.com
- wx.q####.cn
Запросы HTTP GET:
- api.meme####.com/activity/packet_list
- api.meme####.com/activity/room_packet?room_id=####&qd=####
- api.meme####.com/app/index
- api.meme####.com/appload/load_page?qd=####
- api.meme####.com/properties/list
- api.meme####.com/public/blackword_list/0
- api.meme####.com/public/blackword_list/1
- api.meme####.com/public/inform?size=####&type=####
- api.meme####.com/public/poster/2
- api.meme####.com/public/room_admin/29855135
- api.meme####.com/public/room_by_ids?ids=####
- api.meme####.com/public/room_guards?id1=####
- api.meme####.com/public/room_list?sort=####&page=####&live=####&live_typ...
- api.meme####.com/public/room_sofa/29855135
- api.meme####.com/public/room_star/29855135
- api.meme####.com/public/room_star?id1=####
- api.meme####.com/public/room_viewer/29855135?page=####&size=####
- api.meme####.com/public/t_hex
- api.meme####.com/rank/room_user_live/29855135?size=####
- api.meme####.com/rank/room_user_month/29855135?size=####
- api.meme####.com/show/bell_gift_list
- api.meme####.com/show/cars_list
- api.meme####.com/show/gift_list
- api.meme####.com/show/gift_list?app_live=####
- api.meme####.com/starraceinfo2016/star?room_id=####
- api.meme####.com/statistic/welcome_event?date=####&button=####&qd=####&i...
- api.meme####.com/zone/mission_num
- api.meme####.com:6010/socket.io/?EIO=####&uid=####&f=####&app=####&rom=#...
- api.meme####.com:6010/socket.io/?EIO=####&uid=####&f=####&sid=####&app=#...
- c####.im.qq.com/cgi-bin/cgi_svrtime
- f.xingch####.com.####.com/201801/wet.jar
- idu####.qini####.com/17/1/1494842897425.jpg
- idu####.qini####.com/20/4/1441537079572.jpg
- idu####.qini####.com/21/5/1441591456725.jpg
- idu####.qini####.com/31/7/1493376986335.jpg
- idu####.qini####.com/4/4/24367748_0.jpg?v=####
- idu####.qini####.com/41/1/1492522470441.jpg
- idu####.qini####.com/42/2/1492522519786.jpg
- idu####.qini####.com/48/0/1442211575216.jpg
- idu####.qini####.com/55/7/1443428879607.jpg
- idu####.qini####.com/63/7/1443428799487.jpg
- img-a####.b0.upa####.com/25924476/1018/805669cdb7601927d6741ba67b0fa8ef....
- img-a####.b0.upa####.com/29855135/0122/f807f46255fe32d4128e4c499fe5efb0....
- img-a####.b0.upa####.com/39415081/1217/6e11f4f5a93804bb76cd7ec9f7d945a5....
- img-a####.b0.upa####.com/49197220/1023/cc1ff2d53be22db58b61b41d81ec4352....
- img-a####.b0.upa####.com/51628945/0124/3596e8ba35daeb2b12de572aea2a75c7....
- img-a####.b0.upa####.com/56211640/0108/fde3c6b81f6393d1620c63cd264ad00d....
- img-a####.b0.upa####.com/57276625/1224/ee9efc40f6e910338ad527387c084314....
- img-a####.b0.upa####.com/60410016/0123/ef26ceed6d540efa4238a8c7adb053a2....
- img-a####.b0.upa####.com/7904174/0117/cf644ed4f96dc1deaa5ff1276039c8d7.j...
- img.su####.com.####.com/12/4/1404114730316.jpg
- img.su####.com.####.com/13/5/1404114930829.jpg
- img.su####.com.####.com/13/5/1461739023373.jpg
- img.su####.com.####.com/13/5/1492522388813.jpg
- img.su####.com.####.com/18/2/1433988334482.jpg
- img.su####.com.####.com/18/2/21443794_0.jpg?v=####
- img.su####.com.####.com/19/3/27384659_0.jpg?v=####
- img.su####.com.####.com/20/4/1492536061844.jpg
- img.su####.com.####.com/22/6/1403510731734.jpg
- img.su####.com.####.com/23/7/1442305926679.jpg
- img.su####.com.####.com/25/1/1493376825241.jpg
- img.su####.com.####.com/27/3/1408010576603.jpg
- img.su####.com.####.com/27/3/1492522345371.jpg
- img.su####.com.####.com/28/4/1426750171036.jpg
- img.su####.com.####.com/28/4/1464341461148.jpg
- img.su####.com.####.com/3/3/1438841119811.jpg
- img.su####.com.####.com/31/7/29855135_0.jpg?v=####
- img.su####.com.####.com/33/1/13017185_0.jpg?v=####
- img.su####.com.####.com/34/2/1404113259106.jpg
- img.su####.com.####.com/35/3/1490841105507.jpg
- img.su####.com.####.com/35/3/1496285708963.jpg
- img.su####.com.####.com/36/4/1478766324580.jpg
- img.su####.com.####.com/36/4/1493376841764.jpg
- img.su####.com.####.com/38/6/1492522828390.jpg
- img.su####.com.####.com/39/7/1443163432551.jpg
- img.su####.com.####.com/4/4/24367748_0.jpg?v=####
- img.su####.com.####.com/42/2/1404113474090.jpg
- img.su####.com.####.com/44/4/1493376914860.jpg
- img.su####.com.####.com/45/5/1492765784685.jpg
- img.su####.com.####.com/47/7/1446715722479.jpg
- img.su####.com.####.com/47/7/1493376723055.jpg
- img.su####.com.####.com/48/0/1442456402160.jpg
- img.su####.com.####.com/49/1/1441792300401.jpg
- img.su####.com.####.com/51/3/39153267_0.jpg?v=####
- img.su####.com.####.com/53/5/1404113732021.jpg
- img.su####.com.####.com/53/5/56210485_0.jpg?v=####
- img.su####.com.####.com/54/6/1494917034358.jpg
- img.su####.com.####.com/58/2/1492522201210.jpg
- img.su####.com.####.com/59/3/12297467_0.jpg?v=####
- img.su####.com.####.com/59/3/24694331_0.jpg?v=####
- img.su####.com.####.com/60/4/1438829246268.jpg
- img.su####.com.####.com/61/5/1503651163581.jpg
- img.su####.com.####.com/62/6/1492767020670.jpg
- img.su####.com.####.com/8/0/42634824_0.jpg?v=####
- img.su####.com.####.com/complete/turtle.swf
- img.su####.com.####.com/swf/app_bicycle.swf
- ipswitc####.fmscach####.ou####.com/10000?ws_getip=####
- q.q####.cn/qqapp/101118713/4FD42F5C2B607C717E95E547B891FD65/100
- sa.meme####.com/api/vtrack/config/Android.conf
- wx.q####.cn/mmopen/L1TPDdibVibBGrXjRMFy36uVb4EG9WBBnS3K0jjlTo2HsrkibUsS4...
Запросы HTTP POST:
- a####.u####.com/app_logs
- and####.b####.qq.com/rqd/async
- loc.map.b####.com/offline_loc
- loc.map.b####.com/sdk.php
- t.si####.net/t1?requestId=####&g=####
- t.si####.net/t2
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/cache/AllRoomList
- <Package Folder>/cache/BANNER
- <Package Folder>/cache/BELL_GIFT_LIST
- <Package Folder>/cache/CHEST_GIFT_LIST
- <Package Folder>/cache/GIFT_LIST
- <Package Folder>/cache/KEY_WORD
- <Package Folder>/cache/MISSION_COUNT
- <Package Folder>/cache/MOBILE_GIFT_LIST
- <Package Folder>/cache/MOUNT_MALL
- <Package Folder>/cache/MixRoomList
- <Package Folder>/cache/PLAZA_DATA
- <Package Folder>/cache/PROPERTIES_LIST
- <Package Folder>/cache/RECENTLY_VIEW_STAR_LIST
- <Package Folder>/cache/RECHARGE_AWARD
- <Package Folder>/cache/RED_PACKET_LIST
- <Package Folder>/cache/RTMP_BACKUP_IP
- <Package Folder>/cache/SENSITIVE_WORD
- <Package Folder>/cache/SOFA_MAP
- <Package Folder>/cache/last_cache_time
- <Package Folder>/databases/UmengLocalNotificationStore.db-journal
- <Package Folder>/databases/bugly_db_-journal
- <Package Folder>/databases/downloadswc
- <Package Folder>/databases/downloadswc-journal
- <Package Folder>/databases/sensorsdata
- <Package Folder>/databases/sensorsdata-journal
- <Package Folder>/databases/show.db-journal
- <Package Folder>/databases/user_message_record.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/firll.dat
- <Package Folder>/files/####/ofl.config
- <Package Folder>/files/####/ofl_location.db
- <Package Folder>/files/####/ofl_location.db-journal
- <Package Folder>/files/####/ofl_statistics.db
- <Package Folder>/files/####/ofl_statistics.db-journal
- <Package Folder>/files/.imprint
- <Package Folder>/files/flag
- <Package Folder>/files/libcuid.so
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/mobclick_agent_cached_<Package>20180125
- <Package Folder>/files/security_info
- <Package Folder>/files/shuzilm.db
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_prefs.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/AppStore.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/W_Key.xml
- <Package Folder>/shared_prefs/Zego_live_demo2.xml
- <Package Folder>/shared_prefs/Zego_live_demo2.xml.bak
- <Package Folder>/shared_prefs/com.sensorsdata.analytics.android...PI.xml
- <Package Folder>/shared_prefs/jg_so_upgrade_setting.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/sensorsdata.xml
- <Package Folder>/shared_prefs/st.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/xx.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/003a63ac35a4abb2682006c425301d29.tmp
- <SD-Card>/Android/####/0216af1a1dc04092aacc9b044bfec4e3.tmp
- <SD-Card>/Android/####/0741a1a2f132f8d2042b230f45fa363f.tmp
- <SD-Card>/Android/####/08e7511e970a6e46617eafd7568c97da.tmp
- <SD-Card>/Android/####/0917fc2ee5214b7f3e391c2e86c42d4d.tmp
- <SD-Card>/Android/####/09c5a2e33ae66ecdced9625cd2a62620.tmp
- <SD-Card>/Android/####/0ccb5114363c1aaff0eae438830d8e41.tmp
- <SD-Card>/Android/####/0cf7eb48e5a21c45c4ad8dddd2cebb4b.tmp
- <SD-Card>/Android/####/0ebe3541e6e005b9fc915de4d8142d38.tmp
- <SD-Card>/Android/####/122d6ea5d8802acdbf8cde8c6bd0101d.tmp
- <SD-Card>/Android/####/180cd43f832265830158df87b77d7cca.tmp
- <SD-Card>/Android/####/1893755fe830f59d1613eecbc26960d3.tmp
- <SD-Card>/Android/####/1912b39b47e7d784ff9e6e4401a2fbe6.tmp
- <SD-Card>/Android/####/1aa45273480b11a2a02f94e123c60c2b.tmp
- <SD-Card>/Android/####/1dc7a0c51b797e0dea56e1a0b734cd3e.tmp
- <SD-Card>/Android/####/20a57a612c5d57657a4077ef536dfa0e.tmp
- <SD-Card>/Android/####/20b0b26a0dd17c5064d2bf33cf383712.tmp
- <SD-Card>/Android/####/2e45caef2a3661b0544cd5950b8b8d8e.tmp
- <SD-Card>/Android/####/30153cb9d7ea459e9ecec3322cf2b3af.tmp
- <SD-Card>/Android/####/308a0c0486e05b5d8a973d7cacc588e7.tmp
- <SD-Card>/Android/####/3d2cbd0eabb58497fb9b80d02a6b6a93.tmp
- <SD-Card>/Android/####/42e88ab413fe05003ab095510a197dc6.tmp
- <SD-Card>/Android/####/44b4a13839bc2f8462c3a0f57557495f.tmp
- <SD-Card>/Android/####/499f9e322cfaf69bdcc7f0f06d9517c6.tmp
- <SD-Card>/Android/####/49d97af79a54049db74bcd7a6101a0c7.tmp
- <SD-Card>/Android/####/4bf6fec57ef1dcf7631b9b47b4470ceb.tmp
- <SD-Card>/Android/####/53d94704583f9063c57fceed7e21677a.tmp
- <SD-Card>/Android/####/53eda43ea3fd71cf619b65bf9a852e09.tmp
- <SD-Card>/Android/####/56943f1778e3f6279595345a7ea5598b.tmp
- <SD-Card>/Android/####/5f8f25df732bc987633840d815b82069.tmp
- <SD-Card>/Android/####/66165ce8d3fa4a90b31d1fa94edd33fb.tmp
- <SD-Card>/Android/####/68cd67bc014b1a54833bfe65d5545cbc.tmp
- <SD-Card>/Android/####/6e2535ea7770752a1ece767978de1eee.tmp
- <SD-Card>/Android/####/72662756908852a94eb40822a8630247.tmp
- <SD-Card>/Android/####/7670a6b9fe7c6b592de28d37daacadb5.tmp
- <SD-Card>/Android/####/7cdadbaac48e5d1baa42c45a58d0773f.tmp
- <SD-Card>/Android/####/860b9a3c411f5d53aee22e2fa20b80d1.tmp
- <SD-Card>/Android/####/8bc566d199a31aec9316c275a3468ca9.tmp
- <SD-Card>/Android/####/8e336fc7f85c9512f5e1e0aa9285469c.tmp
- <SD-Card>/Android/####/8e68c566023d4a89d10da48519751319.tmp
- <SD-Card>/Android/####/8f04ee0de122c43e1676477372f76fea.tmp
- <SD-Card>/Android/####/978ad89a2a7bace5b2fe79c4be57df70.tmp
- <SD-Card>/Android/####/97dd6d8c02250ce39684e659d1af4931.tmp
- <SD-Card>/Android/####/9b4c26632e0c3037d19773ceb757ded1.tmp
- <SD-Card>/Android/####/_driver.dat
- <SD-Card>/Android/####/_system.dat
- <SD-Card>/Android/####/a3e81ed08676518323ffd82cb4ad9e46.tmp
- <SD-Card>/Android/####/a58a5f32f3181728429351279cda2aa6.tmp
- <SD-Card>/Android/####/ac95960639dbe65e89f6121d79179673.tmp
- <SD-Card>/Android/####/adeaebab2c8faf6e568bb2face23474d.tmp
- <SD-Card>/Android/####/af08cde4e56cbc664559539cb70b5204.tmp
- <SD-Card>/Android/####/app_bicycle.swf.tmp.tmp
- <SD-Card>/Android/####/b0ab363e0851235a63059ed447633fa2.tmp
- <SD-Card>/Android/####/b26ebc9544eeeec66da58301450179c8.tmp
- <SD-Card>/Android/####/b3d9c9f26ca000b5c8f2d84b1beb3a88.tmp
- <SD-Card>/Android/####/b8ce4e373ebeef5e7a7124a0e35f578a.tmp
- <SD-Card>/Android/####/c47ed3625f5f381b2df4fa415ecaae4d.tmp
- <SD-Card>/Android/####/config.dat
- <SD-Card>/Android/####/d56d2d3e24d869edbd399a0e416bb49a.tmp
- <SD-Card>/Android/####/d74a304329bef98ecdc396c96ebbaa40.tmp
- <SD-Card>/Android/####/da454718512f1a952ffe0083d8a46783.tmp
- <SD-Card>/Android/####/e5a1634186165454b605737662cf5675.tmp
- <SD-Card>/Android/####/e6323a4bb6d8fbb40d34daf2ba84b4cf.tmp
- <SD-Card>/Android/####/ec35710ae4ef57a5522e33253066a5cc.tmp
- <SD-Card>/Android/####/f19231c964ca8f5cb43a5b9b9890df92.tmp
- <SD-Card>/Android/####/f4417f577ebe2a57529b8c801d63706e.tmp
- <SD-Card>/Android/####/f5ccef606272ac63f035034abd6ebad1.tmp
- <SD-Card>/Android/####/fe3e39dca1e91e4499f68314c71f7d2f.tmp
- <SD-Card>/Android/####/fe6a95c2471312fd76ff220356f9974f.tmp
- <SD-Card>/Android/####/lut
- <SD-Card>/Android/####/turtle.swf.tmp.tmp
- <SD-Card>/Download/####/5.0wet.jar.t
- <SD-Card>/backups/####/.cuid
- <SD-Card>/backups/####/.cuid2
- <SD-Card>/baidu/####/conlts.dat
- <SD-Card>/baidu/####/ller.dat
- <SD-Card>/baidu/####/ls.db
- <SD-Card>/baidu/####/ls.db-journal
- <SD-Card>/dt/restime.dat
- <SD-Card>/test.0
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop androVM.vbox_dpi
- /system/bin/sh -c getprop gsm.sim.state
- /system/bin/sh -c getprop gsm.sim.state2
- /system/bin/sh -c getprop qemu.sf.fake_camera
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.debuggable
- /system/bin/sh -c getprop ro.genymotion.version
- /system/bin/sh -c getprop ro.secure
- /system/bin/sh -c type su
- getprop androVM.vbox_dpi
- getprop gsm.sim.state2
- getprop qemu.sf.fake_camera
- getprop ro.board.platform
- getprop ro.debuggable
- getprop ro.genymotion.version
- getprop ro.secure
- ls /dev/socket
- netstat
- service call iphonesubinfo 1
- sh -c cat /proc/cpuinfo
- sh -c cat /proc/net/arp
- sh -c cat /proc/sys/kernel/osrelease
- sh -c cat /proc/sys/kernel/random/boot_id
- sh -c cat /proc/sys/kernel/random/uuid
Загружает динамические библиотеки:
- Bugly
- du
- game
- gif
- libjiagu
- locSDK6a
- openal
- zegoavkit
- zegoavkit2_jni
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-GCM-NoPadding
- RSA
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-GCM-NoPadding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к интерфейсу камеры.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
