Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.570.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) s.wagbr####.alibaba####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) sni.c####.q####.####.com:80
- TCP(HTTP/1.1) mo####.miaob####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) www.zuoye####.com.cn:80
- TCP(HTTP/1.1) t####.web.w####.####.cn:80
- TCP(TLS/1.0) hm.b####.com:443
- TCP a3.a####.com:7701
- TCP a3.a####.com:7703
- TCP a3.a####.com:7702
Запросы DNS:
- a####.u####.com
- a3.a####.com
- au.u####.co
- au.u####.com
- hm.b####.com
- mo####.miaob####.com
- oc.u####.com
- res.miaob####.com
- t####.web.w####.####.cn
- www.zuoye####.com.cn
Запросы HTTP GET:
- mo####.miaob####.com/
- mo####.miaob####.com/course/courseList?courseType=####
- mo####.miaob####.com/css/style.css
- mo####.miaob####.com/css/swiper.min.css
- mo####.miaob####.com/dist/bootstrap/css/bootstrap.min.css
- mo####.miaob####.com/dist/bootstrap/css/bootstrapValidator.css
- mo####.miaob####.com/dist/bootstrap/js/bootstrap.min.js
- mo####.miaob####.com/dist/bootstrap/js/bootstrapValidator.js?_=####
- mo####.miaob####.com/dist/iconfont/iconfont.css?id=####
- mo####.miaob####.com/dist/iconfont/iconfont.ttf?t=####
- mo####.miaob####.com/images/add/arc-edge.png
- mo####.miaob####.com/images/add/lsmb_05.jpg
- mo####.miaob####.com/images/add/xueduanicon.png
- mo####.miaob####.com/images/add/zuowenicon.png
- mo####.miaob####.com/images/icon/index-icon1.jpg
- mo####.miaob####.com/js/avalon/avalon.js
- mo####.miaob####.com/js/avalon/avalon.js?_=####
- mo####.miaob####.com/js/common/common.js
- mo####.miaob####.com/js/common/common.js?v=####
- mo####.miaob####.com/js/cookie.js?1####
- mo####.miaob####.com/js/cookie.js?_=####
- mo####.miaob####.com/js/jquery-1.11.1.min.js
- mo####.miaob####.com/js/jquery.cookie.js
- mo####.miaob####.com/js/md5.js
- mo####.miaob####.com/js/monitor.js?4####
- mo####.miaob####.com/js/monitor.js?9####
- mo####.miaob####.com/js/swiper.min.js
- mo####.miaob####.com/js/touchslider.js
- mo####.miaob####.com/userClick?tagText=####&pageUrl=####&pageUrlPattern=...
- mo####.miaob####.com/userClick?tagText=全部&pageUrl=http://mobile.miaobi10...
- mo####.miaob####.com/userClick?tagText=阅读训练&pageUrl=http://mobile.miaobi...
- mo####.miaob####.com/visitLog?system=####&browser=####&deviceType=####&p...
- sni.c####.q####.####.com//group1/M00/00/00/3061abae-cdda-43e6-a45f-6b12a...
- sni.c####.q####.####.com//group1/M00/00/00/637317d7-2b12-4ebe-a017-29a5e...
- sni.c####.q####.####.com//group1/M00/00/00/68a5f36a-a8b7-4842-8b97-c7747...
- sni.c####.q####.####.com//group1/M00/00/00/6b244c82-6865-4f9c-9955-c03ca...
- sni.c####.q####.####.com//group1/M00/00/00/8fb51c5f-e4db-4bca-9499-a7ee4...
- sni.c####.q####.####.com//group1/M00/00/00/9168da67-ab7a-4124-a3fd-481cf...
- sni.c####.q####.####.com//group1/M00/00/00/ae123c00-5267-4bb1-a7ec-f204b...
- sni.c####.q####.####.com//group1/M00/00/00/b8f736ca-c781-42b1-8fd5-64cfa...
- sni.c####.q####.####.com//group1/M00/00/00/ba04095b-ec2d-40f8-b96b-f17b4...
- sni.c####.q####.####.com//group1/M00/00/00/bfcf7950-674f-4cd8-8f44-7f20c...
- sni.c####.q####.####.com//group1/M00/00/00/c3a6cfa1-5148-4082-82b0-e7af0...
- sni.c####.q####.####.com//group1/M00/00/00/d52d5a9d-6a21-4747-9e94-e808f...
- sni.c####.q####.####.com//group1/M00/00/00/eaf78c39-c3f7-41e9-b155-8a9b5...
- sni.c####.q####.####.com//group1/M00/00/00/ed9e8c6e-3fac-4fbe-8ea0-50c28...
- sni.c####.q####.####.com//group1/M00/00/00/fa9fa370-0557-4651-81d2-5b5ca...
- sni.c####.q####.####.com//group1/M00/00/00/fe0c0b01-24cc-4bb6-9594-f15c6...
- sni.c####.q####.####.com//group1/M00/00/00/ff4da67e-82db-4b10-ba4b-41c40...
- sni.c####.q####.####.com//group1/M00/02/74/oYYBAFgilbOAPvKeAAEKh_H3Iac72...
- sni.c####.q####.####.com//group1/M00/03/AB/oYYBAFg_kfKAAugIAAA45rrr1lo81...
- sni.c####.q####.####.com//group1/M00/06/15/oYYBAFhvRJKAOuCMAAC2WozfRMg01...
- sni.c####.q####.####.com//group1/M00/06/22/oYYBAFhzLTyADAfNAACzshlamU461...
- sni.c####.q####.####.com//group1/M00/06/AD/oYYBAFibzjuAbMgKAAA9FpZirO084...
- sni.c####.q####.####.com//group1/M00/06/B4/oYYBAFidHvyAJIxPAAA5-KzLYyU07...
- sni.c####.q####.####.com//group1/M00/07/11/oYYBAFiqUBiAHuB-AABCAZHwDvk30...
- sni.c####.q####.####.com//group1/M00/07/61/oYYBAFi00AKAQhnOAAA5eQJGS-I58...
- sni.c####.q####.####.com//group1/M00/0C/39/oYYBAFkRdQuAXY1bAABytjB8stE81...
- t####.web.w####.####.cn/WxJsApiHandler.ashx?mp_id=####&debugger=####&url...
- www.zuoye####.com.cn/app/banners?platform=####&dpi=####&v=####
- www.zuoye####.com.cn/app/splash/baidu2?w=####
- www.zuoye####.com.cn/security/ocrtoken?id=####&sn=####
Запросы HTTP POST:
- a####.u####.com/app_logs
- mo####.miaob####.com/course/queryCourseInfo
- mo####.miaob####.com/getSessionUserInfo
- mo####.miaob####.com/loginPop
- oc.u####.com/check_config_update
- s.wagbr####.alibaba####.com/api/check_app_update
- www.zuoye####.com.cn/security/jytoken
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/app_libs/result_xml_pdf_template.so
- <Package Folder>/cache/####/-11711265601425525583
- <Package Folder>/cache/####/-771132034-12413057
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/f_000021
- <Package Folder>/cache/####/f_000022
- <Package Folder>/cache/####/f_000023
- <Package Folder>/cache/####/index
- <Package Folder>/cache/ApplicationCache.db-journal
- <Package Folder>/databases/JingYouMath.db-journal
- <Package Folder>/databases/push_message.db-journal
- <Package Folder>/databases/soi.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/.imprint
- <Package Folder>/files/0.jar
- <Package Folder>/files/mobclick_agent_cached_<Package>1010
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/.tpns.xml.xml
- <Package Folder>/shared_prefs/<Package>.xml
- <Package Folder>/shared_prefs/aa.xml
- <Package Folder>/shared_prefs/aa<IMEI>.xml
- <Package Folder>/shared_prefs/bb<IMEI>.xml
- <Package Folder>/shared_prefs/cc<IMEI>.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/journal.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- abu
- bspatch
- libjiagu
- tpnsSecurity
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
