Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.589.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) bsy####.cdn.k####.####.com:80
- TCP(HTTP/1.1) lxq####.mia####.com:80
- TCP(HTTP/1.1) si####.us####.cdnetw####.net:80
- TCP(HTTP/1.1) 47.92.1####.96:80
- TCP(HTTP/1.1) d####.cdn.k####.####.com:80
- TCP(HTTP/1.1) cdn.app.e####.####.com:80
- TCP(HTTP/1.1) idv####.qini####.com:80
- TCP(HTTP/1.1) v.11####.com:80
- TCP(HTTP/1.1) cdn.game####.org:80
- TCP(HTTP/1.1) 1####.76.224.67:80
- TCP(TLS/1.0) y####.e####.top:443
Запросы DNS:
- bsy####.cdn.k####.cn
- cdn.app.e####.top
- cdn.app.h####.top
- cdn.game####.org
- cdn.img.h####.top
- d####.cdn.k####.cn
- lxq####.mia####.com
- v.11####.com
- wsq####.mia####.com
- ww2.sin####.cn
- y####.e####.top
Запросы HTTP GET:
- bsy####.cdn.k####.####.com/stream/tXymPC9R4zgAWq792q69cQ___m.jpg
- cdn.app.e####.####.com/sfile/201711/16/all/cp_V3.0.0.txt
- cdn.app.e####.####.com/upload/201803/1/app/20180301132200019.apk
- cdn.app.e####.####.com/upload/201803/1/img/20180301132145970.png
- cdn.game####.org/strategy/UnknownDev
- cdn.game####.org/strategy/base
- cdn.game####.org/strategy/dev_root
- cdn.game####.org/strategy/dev_root2
- cdn.game####.org/strategy/larger4.3
- cdn.game####.org/strategy/loss_4.3
- cdn.game####.org/strategy/sul18
- cdn.game####.org/strategy/symlink-adbd
- d####.cdn.k####.####.com/images/2hgldjk8EDxOLUMJQBF1KnBOxnkE-6ps5GwJRg__...
- d####.cdn.k####.####.com/images/4nX-wtpkrjzrLsNwbeinSOLzouvC71d4mM4wng__...
- d####.cdn.k####.####.com/images/6P8hnwqirXerTVgSS3HGuuHLEmNmXtfdY4SLNw__...
- d####.cdn.k####.####.com/images/AxgBmlCXwZyl1DNvL2QmGc4WGMAXMC93-VxubQ__...
- d####.cdn.k####.####.com/images/HhROLwbybyFnqbj6upyB1ci3JT5WChtrU9Ra9Q__...
- d####.cdn.k####.####.com/images/IWzLIFvwmio5qX8K4WriXf4~UyTKP8zjYWYghQ__...
- d####.cdn.k####.####.com/images/vbrJv1VNF-EyiWyOeJd98NL8FJ-RHRTGw3dCVw__...
- d####.cdn.k####.####.com/stream/1cV0a8hSf41yvoszofDuqkDIlY9xgU2PsmjG3A__...
- d####.cdn.k####.####.com/stream/3h6h4LiDATLb~KiQJ7qXxrVFK73-J-56ro1w9g__...
- d####.cdn.k####.####.com/stream/4nBFkVk5hxEKZt6-s0LlFnw6kbMlaVmgIL1hvA__...
- d####.cdn.k####.####.com/stream/9yw5bsTXSn2792A9vjdjNJlTnCwHQImSqz4cwg__...
- d####.cdn.k####.####.com/stream/CTWH3bvqSpfrQm~4-yYZ4kxFZRG9Il3a12EcJg__...
- d####.cdn.k####.####.com/stream/K7RPJYhfjPY~cuRWwIDvDpTr3swUVgEQlYKIdg__...
- d####.cdn.k####.####.com/stream/OgoSc3vbEFdgX68tiQbI6mV5JfBD9gLJgDta8A__...
- d####.cdn.k####.####.com/stream/RcQAzdIkVmoa9n2rAqkE3EiS4yug1IXp~BAkjw__...
- d####.cdn.k####.####.com/stream/TmbHH8tU2TNBCM9GY8Tm1aRrMvPb0a7ktsG4pw__...
- d####.cdn.k####.####.com/stream/W-gET55JpvjuLzIfX3ffwwD9KMVPpyZ1S3ALkA__...
- d####.cdn.k####.####.com/stream/Xbt90vzA~QwQXB498SUznFPiBW7S2wYXKoF6BQ__...
- d####.cdn.k####.####.com/stream/bJ9Cq7lwLeRBbhzmGdRMhN1rU~mqtHnMV8Mg5Q__...
- d####.cdn.k####.####.com/stream/fDGJm8K2q3RBSK86qx4AY9g4cs1zWMfXXV85YA__...
- d####.cdn.k####.####.com/stream/fH-oUZoOlsy-WeUpbbXSyBulnm5dCx36OzpsrA__...
- d####.cdn.k####.####.com/stream/ionfUI2DpSB5zq6CpOtfkTBmI70GF761Ru06-g__...
- d####.cdn.k####.####.com/stream/lvZEAUITyABZgSwtjmzjzuK465e5K~EDGmJI2w__...
- d####.cdn.k####.####.com/stream/mZ0aZS~f0Cua8d6wURI3byvIKF3qbGhIoF4fQA__...
- d####.cdn.k####.####.com/stream/tOduCajwyQ4RidztVVqmV0V1uJNekTCI1AAJYw__...
- d####.cdn.k####.####.com/stream/uS28rOv0yK~0ftR4vuy6Yz4bV-oryBunoVsh6w__...
- d####.cdn.k####.####.com/stream/wDYosDpzyoeA73a7VNzflJy6zzqGnj5-GSL9LQ__...
- d####.cdn.k####.####.com/stream/xeFcA1XEszcdJEg~T4GB9AhEzpsqLOev5SeYfw__...
- idv####.qini####.com/images/gD7e8yh~qDnYGFyj1SMCXLkUdBxAtPqe_tmp_11_266_...
- lxq####.mia####.com/stream/tXymPC9R4zgAWq792q69cQ___m.jpg
- si####.us####.cdnetw####.net/orj480/736f0c7ejw1f01u762rz5j20no0dcq62.jpg
Запросы HTTP POST:
- v.11####.com/levideo/manage/ADURLs
- v.11####.com/levideo/manage/appVersion
- v.11####.com/v_video/playPercentage
- v.11####.com/v_video_vi/getPageHot
- v.11####.com/v_video_vi/getPageNew
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/Matrix
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/ddexe
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/debuggerd
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/device.db
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/fileWork
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/insta...ery.sh
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/pidof
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/root3
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/su
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/supolicy
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/toolbox
- <Package Folder>/app_378fac88-0b36-4678-9376-7b31cb41d509/wsroot.sh
- <Package Folder>/app_8de31452-f36d-4662-855e-b217f8360308/5b7fe...49.jar
- <Package Folder>/app_8de31452-f36d-4662-855e-b217f8360308/c2088...7b7783
- <Package Folder>/app_a95825f5-d0fd-41f2-b644-7694630b9d90/Matrix
- <Package Folder>/app_a95825f5-d0fd-41f2-b644-7694630b9d90/ddexe
- <Package Folder>/app_a95825f5-d0fd-41f2-b644-7694630b9d90/debuggerd
- <Package Folder>/app_a95825f5-d0fd-41f2-b644-7694630b9d90/fileWork
- <Package Folder>/app_a95825f5-d0fd-41f2-b644-7694630b9d90/insta...ery.sh
- <Package Folder>/app_a95825f5-d0fd-41f2-b644-7694630b9d90/pidof
- <Package Folder>/app_a95825f5-d0fd-41f2-b644-7694630b9d90/su
- <Package Folder>/app_a95825f5-d0fd-41f2-b644-7694630b9d90/supolicy
- <Package Folder>/app_a95825f5-d0fd-41f2-b644-7694630b9d90/toolbox
- <Package Folder>/app_a95825f5-d0fd-41f2-b644-7694630b9d90/wsroot.sh
- <Package Folder>/app_a97a5d09-7d27-40ea-8e1d-8bce8656918d/Matrix
- <Package Folder>/app_a97a5d09-7d27-40ea-8e1d-8bce8656918d/ddexe
- <Package Folder>/app_a97a5d09-7d27-40ea-8e1d-8bce8656918d/debuggerd
- <Package Folder>/app_a97a5d09-7d27-40ea-8e1d-8bce8656918d/fileWork
- <Package Folder>/app_a97a5d09-7d27-40ea-8e1d-8bce8656918d/insta...ery.sh
- <Package Folder>/app_a97a5d09-7d27-40ea-8e1d-8bce8656918d/pidof
- <Package Folder>/app_a97a5d09-7d27-40ea-8e1d-8bce8656918d/su
- <Package Folder>/app_a97a5d09-7d27-40ea-8e1d-8bce8656918d/supolicy
- <Package Folder>/app_a97a5d09-7d27-40ea-8e1d-8bce8656918d/toolbox
- <Package Folder>/app_a97a5d09-7d27-40ea-8e1d-8bce8656918d/wsroot.sh
- <Package Folder>/app_d0f9f5f1-c6ad-4dd4-9c21-ebc135cba2ba/Matrix
- <Package Folder>/app_d0f9f5f1-c6ad-4dd4-9c21-ebc135cba2ba/ddexe
- <Package Folder>/app_d0f9f5f1-c6ad-4dd4-9c21-ebc135cba2ba/debuggerd
- <Package Folder>/app_d0f9f5f1-c6ad-4dd4-9c21-ebc135cba2ba/fileWork
- <Package Folder>/app_d0f9f5f1-c6ad-4dd4-9c21-ebc135cba2ba/insta...ery.sh
- <Package Folder>/app_d0f9f5f1-c6ad-4dd4-9c21-ebc135cba2ba/pidof
- <Package Folder>/app_d0f9f5f1-c6ad-4dd4-9c21-ebc135cba2ba/su
- <Package Folder>/app_d0f9f5f1-c6ad-4dd4-9c21-ebc135cba2ba/supolicy
- <Package Folder>/app_d0f9f5f1-c6ad-4dd4-9c21-ebc135cba2ba/toolbox
- <Package Folder>/app_d0f9f5f1-c6ad-4dd4-9c21-ebc135cba2ba/wsroot.sh
- <Package Folder>/app_d89f18f6-004b-418b-bf45-5dd408baab7b/Matrix
- <Package Folder>/app_d89f18f6-004b-418b-bf45-5dd408baab7b/ddexe
- <Package Folder>/app_d89f18f6-004b-418b-bf45-5dd408baab7b/debuggerd
- <Package Folder>/app_d89f18f6-004b-418b-bf45-5dd408baab7b/fileWork
- <Package Folder>/app_d89f18f6-004b-418b-bf45-5dd408baab7b/insta...ery.sh
- <Package Folder>/app_d89f18f6-004b-418b-bf45-5dd408baab7b/pidof
- <Package Folder>/app_d89f18f6-004b-418b-bf45-5dd408baab7b/su
- <Package Folder>/app_d89f18f6-004b-418b-bf45-5dd408baab7b/supolicy
- <Package Folder>/app_d89f18f6-004b-418b-bf45-5dd408baab7b/toolbox
- <Package Folder>/app_d89f18f6-004b-418b-bf45-5dd408baab7b/wsroot.sh
- <Package Folder>/app_e6dbd3de-b7c3-4a5b-9516-f7f39f5f57e3/Matrix
- <Package Folder>/app_e6dbd3de-b7c3-4a5b-9516-f7f39f5f57e3/ddexe
- <Package Folder>/app_e6dbd3de-b7c3-4a5b-9516-f7f39f5f57e3/debuggerd
- <Package Folder>/app_e6dbd3de-b7c3-4a5b-9516-f7f39f5f57e3/fileWork
- <Package Folder>/app_e6dbd3de-b7c3-4a5b-9516-f7f39f5f57e3/insta...ery.sh
- <Package Folder>/app_e6dbd3de-b7c3-4a5b-9516-f7f39f5f57e3/pidof
- <Package Folder>/app_e6dbd3de-b7c3-4a5b-9516-f7f39f5f57e3/su
- <Package Folder>/app_e6dbd3de-b7c3-4a5b-9516-f7f39f5f57e3/supolicy
- <Package Folder>/app_e6dbd3de-b7c3-4a5b-9516-f7f39f5f57e3/toolbox
- <Package Folder>/app_e6dbd3de-b7c3-4a5b-9516-f7f39f5f57e3/wsroot.sh
- <Package Folder>/app_subox/1740c449fc10be62df60ba0f18696c9f
- <Package Folder>/app_subox/32edd79a240b5f1e461d069caab1ec3e
- <Package Folder>/app_subox/8b6f263391259b7a8e5f58ee71852ca8
- <Package Folder>/app_subox/b0141e478b25af7c40a8cca8de6c4708
- <Package Folder>/app_subox/b18a021d11a3004d25017230b681476b
- <Package Folder>/app_subox/c61913b615fb6224701377a119081f36
- <Package Folder>/app_subox_download/03ab70b8-766b-428c-99cc-7adbb79bf8d5
- <Package Folder>/app_subox_download/2679ec32-f3a5-42ce-8b27-3addf8df3b2b
- <Package Folder>/app_subox_download/4d87fbbc-6e88-4999-9124-d959d2d8af65
- <Package Folder>/app_subox_download/7a16a32d-c32d-4582-bb9f-07fef8a5af49
- <Package Folder>/app_subox_download/8d98bbba-0b3f-444f-9003-9a08d2a7eb6e
- <Package Folder>/app_subox_download/a9d1da7b-725e-4c41-bd2d-ed0615eb494d
- <Package Folder>/app_subox_download/d2432380-e8fe-4354-9241-eaf9ba446f84
- <Package Folder>/app_subox_download/f59f9248-0d83-4bdc-a661-80c8f114c07e
- <Package Folder>/cache/####/05pIOc9Du8B0bdrLo9drcxhv1OY.-1699020771.tmp
- <Package Folder>/cache/####/0tfs2aFNhsH7u04rqnwi7oqdo58.-1768388779.tmp
- <Package Folder>/cache/####/7uYlWeHC6bd4bWVpdXe2dT6JOSM.-2074252966.tmp
- <Package Folder>/cache/####/9ut2H4IVzsuDm1UqUpYr2xIRzZ8.-529256923.tmp
- <Package Folder>/cache/####/A-douA--xOsg6lLWWcyIYd3A7e0.1552636513.tmp
- <Package Folder>/cache/####/EXqlTadDyqKYtbwHEEdDZhLEf-c.2016779969.tmp
- <Package Folder>/cache/####/GssOBpPD78qNWDfT3AxR77x-2h4.-1206490619.tmp
- <Package Folder>/cache/####/HR9WGF8X1I9x3LtshZugRzsxbv0.1015013568.tmp
- <Package Folder>/cache/####/J2MrC37tO1Q359Q8PGIDqlSNya0.-2047751389.tmp
- <Package Folder>/cache/####/K7OYl4EDwWIzy_Q3zzoSXsrU56I.1694722386.tmp
- <Package Folder>/cache/####/McI5OY_UrbSJF41Chze2czCJysg.889831425.tmp
- <Package Folder>/cache/####/NHLIL1MSRk6R0xjWuKF4sw2m0Gs.9324.tmp
- <Package Folder>/cache/####/PBA7IRrLacHkHp4KGVh7kSGTbcA.-1308628478.tmp
- <Package Folder>/cache/####/YfGBDk5pqF1fr9gmovVDY3vmtZU.1215715104.tmp
- <Package Folder>/cache/####/_amSw7jBJ2gniMM1QGb5NJzdYMs.-1406973685.tmp
- <Package Folder>/cache/####/l5oP6oTokD-yVAnspofJP4lm9Zk.-950127303.tmp
- <Package Folder>/cache/####/mv78bli4WvzjYTCnRLMF8O0aqEg.-1844991451.tmp
- <Package Folder>/cache/####/o6dpr5Ay9q35ujIIajg8SCizlFE.-186351351.tmp
- <Package Folder>/cache/####/p16Axez_YWFFD2dFYtq4yBWHOao.661752809.tmp
- <Package Folder>/cache/####/rJK7B9ysMJYNw6iWTeCGpk3NTGI.-200357751.tmp
- <Package Folder>/cache/####/sodhaPJaxLdqsUPxi_e9AKr063I.-102855823.tmp
- <Package Folder>/cache/####/uK3X8W0u6Z0Ty9lyxIXZziI-jTg.643868593.tmp
- <Package Folder>/cache/####/y5EznZ6d7-h3e1_y4kkrq4DplWA.-1182798725.tmp
- <Package Folder>/cache/####/zEbix_AEZXJPYaYTZmhuh2IeOD0.-1370851889.tmp
- <Package Folder>/cache/V3.0.0.txt
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/t_u.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/SUBOXLOG_
- <Package Folder>/files/eu.jar
- <Package Folder>/files/gk.jar
- <Package Folder>/files/mobclick_agent_cached_<Package>6
- <Package Folder>/shared_prefs/count.xml
- <Package Folder>/shared_prefs/kr.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/vbz.xml
- <SD-Card>/Android/####/39cffb7107866b3ec8dd36f9b0eaf6b8.apk
- <SD-Card>/Android/####/b.tmp
- <SD-Card>/Android/####/eb2d82c431253
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/39cffb7107866b3ec8dd36f9b0eaf6b8.apk
- chmod 777 Matrix ddexe debuggerd device.db fileWork install-recovery.sh pidof root3 su supolicy toolbox wsroot.sh
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox wsroot.sh
- sh
Загружает динамические библиотеки:
- bitmaps
- libjiagu
- memchunk
Использует следующие алгоритмы для расшифровки данных:
- DES
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
