Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.127.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) pub.funs####.com:80
- TCP(HTTP/1.1) po.funs####.com:80
- TCP(HTTP/1.1) i####.funs####.com:80
- TCP(HTTP/1.1) m.i####.com:80
- TCP(HTTP/1.1) up####.v.qin####.com:80
- TCP(HTTP/1.1) s####.funs####.net:80
Запросы DNS:
- i####.funs####.com
- i####.funs####.com
- i####.funs####.com
- img.funs####.com
- m.i####.com
- pm.funs####.com
- po.funs####.com
- psi.funs####.com
- pu.funs####.com
- pub.funs####.com
- pv.funs####.com
- s####.funs####.net
- up####.funs####.com
Запросы HTTP GET:
- i####.funs####.com/sdw?oid=####&w=####&h=####
- m.i####.com/cfg/appkey-684f15fa71301257
- po.funs####.com/fpupdate/INI/config_update_funplayer.txt
- po.funs####.com/v5/config/cache?cl=####&ve=####
- po.funs####.com/v5/config/general?cl=####&ve=####
- po.funs####.com/v5/config/init?cl=####&ve=####&mac=####&uc=####
- po.funs####.com/v5/config/log?cl=####&ve=####&mac=####&uc=####
- po.funs####.com/v5/media/album?channel=####&pg=####&fudid=####&cl=####&v...
- po.funs####.com/v5/media/episode?id=####&cl=####&ve=####&mac=####&uc=####
- po.funs####.com/v5/media/filters?channel=####&cl=####&ve=####&mac=####&u...
- po.funs####.com/v5/media/play?id=####&cl=####&ve=####&mac=####&uc=####
- po.funs####.com/v5/media/profile?id=####&cl=####&ve=####&mac=####&uc=####
- po.funs####.com/v5/media/recommend?channel=####&pg=####&fudid=####&cl=##...
- po.funs####.com/v5/media/relate?id=####&cl=####&ve=####&mac=####&uc=####
- po.funs####.com/v5/media/retrieval?channel=####&pg=####&order=####&year=...
- po.funs####.com/v5/media/top?channel=####&rank=####&cl=####&ve=####&mac=...
- po.funs####.com/v5/site/mvsites?id=####&cl=####&ve=####&mac=####&uc=####
- po.funs####.com/v5/site/recommend?pg=####&type=####&cl=####&ve=####&mac=...
- po.funs####.com/v5/user/mediacomment?id=####&pg=####&cl=####&ve=####&mac...
- po.funs####.com/v5/video/advance?id=####&cl=####&ve=####&mac=####&uc=####
- po.funs####.com/v5/video/recommend?channel=####&fudid=####&cl=####&ve=##...
- po.funs####.com/v7/config/channel?cl=####&ve=####&mac=####&uc=####
- po.funs####.com/v7/config/homepage?cl=####&ve=####&mac=####&uc=####
- pub.funs####.com/interface/deliver?ap=####&deliver_ver=####&uid=####&mac...
- pub.funs####.com/interface/materials?ap=####&client=####&uid=####&mac=##...
- s####.funs####.net/ecom_mobile/bootstrap?dev=####&ver=####&fudid=####&si...
- s####.funs####.net/ecom_mobile/fbuffer?dev=####&ver=####&fudid=####&sid=...
- s####.funs####.net/ecom_mobile/fplay?dev=aphone_4.3.1_<System Property>&...
- s####.funs####.net/ecom_mobile/play?dev=####&ver=####&fudid=####&sid=###...
- s####.funs####.net/ecom_mobile/servicehb?dev=####&ver=####&fudid=####&si...
- up####.v.qin####.com/sdw?oid=####&w=####&h=####
Запросы HTTP POST:
- m.i####.com/rec/se?_iwt_t=####&sv=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/databases/_ire-journal
- <Package Folder>/databases/funshion.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/shared_prefs/MATSharedPreferences.xml
- <Package Folder>/shared_prefs/cn.com.mma.mobile.tracking.other.xml
- <Package Folder>/shared_prefs/fudid.xml
- <Package Folder>/shared_prefs/funshion.xml
- <Package Folder>/shared_prefs/funshion.xml.bak
- <Package Folder>/shared_prefs/jg_so_upgrade_setting.xml
- <Package Folder>/shared_prefs/peerid_config.xml
- <SD-Card>/.fudid
- <SD-Card>/funshion/####/07f218f811038d925b866cc1aef23ca53e3d1074.cache
- <SD-Card>/funshion/####/10b6c8zhm1h3xxefdrmxcm82p.0.tmp
- <SD-Card>/funshion/####/11agvmatox28gtaji8rarsoo1.0.tmp
- <SD-Card>/funshion/####/120lapcyza50r79orjsgbzsgq.0.tmp
- <SD-Card>/funshion/####/1510835145_20060_null.dat
- <SD-Card>/funshion/####/1510835148_23364_null.dat
- <SD-Card>/funshion/####/1510835156_30669_null.dat
- <SD-Card>/funshion/####/1510835173_47830_null.dat
- <SD-Card>/funshion/####/1ch3t5op0gapla1nkh3oj2o2c.0.tmp
- <SD-Card>/funshion/####/1n48zqr0owkgt9ck3b1n15mhx.0.tmp
- <SD-Card>/funshion/####/1nacjkfa6l9iqnn4h17f76l4w.0.tmp
- <SD-Card>/funshion/####/1o25uy9dc2uyj7dku98mmant4.0.tmp
- <SD-Card>/funshion/####/1p0xosmqw8342os2u9nkxjohc.0.tmp
- <SD-Card>/funshion/####/1r5n2712hg2o45dxpzmtpala.0.tmp
- <SD-Card>/funshion/####/1vt6nulhe5njqf0pb1jeetf41.0.tmp
- <SD-Card>/funshion/####/1ya9y3ru0vj9l4e7ynak0wl9f.0.tmp
- <SD-Card>/funshion/####/220xq0s9u2quxu1eztm428mmx.0.tmp
- <SD-Card>/funshion/####/22295e4d48ba229e7c5689e79986d1e601e271e4.cache
- <SD-Card>/funshion/####/23rkuh35issxscnru0gq1yxeh.0.tmp
- <SD-Card>/funshion/####/265807c5a7253d9dec18b8f87f336b3dbf86f491.cache
- <SD-Card>/funshion/####/2690b9kv0ezq3v091a0trthn4.0.tmp
- <SD-Card>/funshion/####/2c732a0e7ecb19c2a9985d1c630593315798a60d.cache
- <SD-Card>/funshion/####/2gn0d60b0loi4pboho438xct9.0.tmp
- <SD-Card>/funshion/####/2n3zs8scg2bgxu95wdnv50fiq.0.tmp
- <SD-Card>/funshion/####/2ndzqj10mtbyrr1wtaiwtywq4.0.tmp
- <SD-Card>/funshion/####/2qf3be3uw6qoy94o50659az22.0.tmp
- <SD-Card>/funshion/####/2r053iu6vajy1k5d1jqbewgv6.0.tmp
- <SD-Card>/funshion/####/2sf4w6v951dvhe6jec2vw6j5x.0.tmp
- <SD-Card>/funshion/####/2skq8mpl3kd2bwecxwyr9k45a.0.tmp
- <SD-Card>/funshion/####/2srctsiqad6ahkv65t5zbk60k.0.tmp
- <SD-Card>/funshion/####/2vgg5t47reg9w1f567aorcl71.0.tmp
- <SD-Card>/funshion/####/2yshynasihpxjfrw5clu32i1f.0.tmp
- <SD-Card>/funshion/####/365fe636vj9o88cbkpw4xbzci.0.tmp
- <SD-Card>/funshion/####/3a7baf61438bd96352959b3f594184164f17ba0c.cache
- <SD-Card>/funshion/####/3nphdtapl6d0o9ovvvg7u6qrw.0.tmp
- <SD-Card>/funshion/####/41hr395oeisgp5sqcg66a93m6.0.tmp
- <SD-Card>/funshion/####/42s9d8plgiypwzskpxmnihj6r.0.tmp
- <SD-Card>/funshion/####/43gq40d9h0k72lgh50byrz675.0.tmp
- <SD-Card>/funshion/####/456a31fa350c53dd2cbf7aa31db73d5d002d524b.cache
- <SD-Card>/funshion/####/465evoenv567ncncgrzm72cxf.0.tmp
- <SD-Card>/funshion/####/4njs4uol449cd4l5qi2es0o82.0.tmp
- <SD-Card>/funshion/####/4qcc656ezphh2d6je9183rrrg.0.tmp
- <SD-Card>/funshion/####/4qudm758coctbgdfqy0w41r0w.0.tmp
- <SD-Card>/funshion/####/4rsp8zp1s8m7oozgmlrcyqcz7.0.tmp
- <SD-Card>/funshion/####/4ru7qv80uetdhjyt60gt9wgs8.0.tmp
- <SD-Card>/funshion/####/4xiycszozary6k44b2smd4dpy.0.tmp
- <SD-Card>/funshion/####/4yvv7k93g09q9blqaefm6hg2r.0.tmp
- <SD-Card>/funshion/####/509w1mrmvcfe6shu27na5n3pf.0.tmp
- <SD-Card>/funshion/####/5c8eoc0dct8s5vkq3qf4581rb.0.tmp
- <SD-Card>/funshion/####/5cku7k7kbznbr5mprifyt5imf.0.tmp
- <SD-Card>/funshion/####/5edllv3wxcclrmko5clik2yng.0.tmp
- <SD-Card>/funshion/####/5eifsc6xzhv4ii21fj5osl30m.0.tmp
- <SD-Card>/funshion/####/5njzk5s6zw0637h21ytutfka.0.tmp
- <SD-Card>/funshion/####/5nuymlhibnr6bsyeuifyzjotm.0.tmp
- <SD-Card>/funshion/####/5tke3mulpjbwy8j6e7sm8h1kb.0.tmp
- <SD-Card>/funshion/####/5w8ryounu0u6c69eydqkn2het.0.tmp
- <SD-Card>/funshion/####/62mq7c0hzsnr7n08y7crslpx0.0.tmp
- <SD-Card>/funshion/####/69a393a8ae3177004c6f460d1aed17c6f3aa772e.cache
- <SD-Card>/funshion/####/6a8y1m7pvjhm5easv1zazyfn3.0.tmp
- <SD-Card>/funshion/####/6ctpv2kq0d9b24l6x6ksd7j1g.0.tmp
- <SD-Card>/funshion/####/6ec6ffa2f343cb8ae9db968c7d87c0d4dd374349.cache
- <SD-Card>/funshion/####/6fcd01dc72f6c659dcbea5c5ef87a184c3f2daad.cache
- <SD-Card>/funshion/####/6j1hgatud4blshy7dngs5jjvh.0.tmp
- <SD-Card>/funshion/####/6yxacs1hqynp9f2sgezl6i7n1.0.tmp
- <SD-Card>/funshion/####/7207x633bc2ej435wcq0f7kay.0.tmp
- <SD-Card>/funshion/####/79f1w0xwzthh3q4ltglmghyeo.0.tmp
- <SD-Card>/funshion/####/79tv5lkplis4bwaar8zmm59g8.0.tmp
- <SD-Card>/funshion/####/7b4phhdw0cmaj0zlzz9jcv8q7.0.tmp
- <SD-Card>/funshion/####/7c71yk2euoibp72edpiu1e35c.0.tmp
- <SD-Card>/funshion/####/7dodjm455e3mrtkq0hw386r1j.0.tmp
- <SD-Card>/funshion/####/92211e3c2008ece42f465ad96e582de7bcbf5859.cache
- <SD-Card>/funshion/####/934d54dfd849a75a1d5de4c8808a7c0bd8233f61.cache
- <SD-Card>/funshion/####/a4dc30ca52f1bf00fafaa1d8b77fbbfd7cf232a6.cache
- <SD-Card>/funshion/####/b2c748bfccfaf442cc1b955412cab283c5a9f8fe.cache
- <SD-Card>/funshion/####/cache.rules.tmp
- <SD-Card>/funshion/####/config.ini.tmp
- <SD-Card>/funshion/####/e43aac2495ebb2f7e8d16b977e244a32d73a3d7d.cache
- <SD-Card>/funshion/####/eb6210a6407c2fc661bd8394016d723901c5aa0e.cache
- <SD-Card>/funshion/####/f49713f0131f828ad1d69efdfc63280d99e623fd.cache
- <SD-Card>/funshion/####/funshion.ini
- <SD-Card>/funshion/####/funshion_aphone_3.5_afaf38ad426b_20171116.log
- <SD-Card>/funshion/####/i2xqbv2giadjz8e9zjq4eh8r.0.tmp
- <SD-Card>/funshion/####/intznkdi2wklext42fl4ejpr.0.tmp
- <SD-Card>/funshion/####/journal.tmp
- <SD-Card>/funshion/####/k2dr7nbztk5147wqy298bkee.0.tmp
- <SD-Card>/funshion/####/kkpi5c42a2muj32oy3rkgak.0.tmp
- <SD-Card>/funshion/####/muvstppnkan02g4rwftzv1en.0.tmp
- <SD-Card>/funshion/####/p2p_config.ini
- <SD-Card>/funshion/####/rp4w05r33uz5959cag0p300v.0.tmp
- <SD-Card>/funshion/####/snusbblj2imt4s04bn4zaazd.0.tmp
- <SD-Card>/funshion/####/v5zj68vygrovpadrp1r8xz5j.0.tmp
- <SD-Card>/funshion/####/xptktsnqnbma4yb908iupzs5.0.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- fsp2p
- libjiagu
- loginclient
- lsv
- mresearch
Использует следующие алгоритмы для шифрования данных:
- DES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- DES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
