Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.20
- Android.Xiny.226.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) zhg.ali####.com:80
- TCP(HTTP/1.1) 2####.243.193.48:80
- TCP(HTTP/1.1) d.weixu####.com.####.com:80
- TCP(HTTP/1.1) api.zhuishu####.com:80
- TCP(HTTP/1.1) c.appj####.com:80
- TCP(HTTP/1.1) r.eli####.cn:80
- TCP(HTTP/1.1) ad####.m.ta####.com:80
- TCP(HTTP/1.1) up####.v.qin####.com:80
- TCP(HTTP/1.1) ada####.m.ta####.com:80
- TCP(HTTP/1.1) w####.q####.s####.####.com:80
- TCP(TLS/1.0) h####.b####.com:443
Запросы DNS:
- ad####.m.ta####.com
- ada####.m.ta####.com
- api.zhuishu####.com
- c.appj####.com
- chap####.zhuishu####.com
- d.weixu####.com.cn
- h####.b####.com
- r.eli####.cn
- sta####.zhuishu####.com
- y####.al####.com
Запросы HTTP GET:
- ad####.m.ta####.com/rest/gc2?ak=####&av=####&c=####&d=####&sv=####&t=###...
- api.zhuishu####.com/book-list/5aa242f00166d40f48639a4d
- api.zhuishu####.com/book-list/tagType
- api.zhuishu####.com/book-list?duration=####&sort=####&start=####&limit=#...
- api.zhuishu####.com/book/auto-complete?query=####
- api.zhuishu####.com/book/fuzzy-search?query=####
- api.zhuishu####.com/book/hot-word
- api.zhuishu####.com/book/recommend?gender=####
- api.zhuishu####.com/cats/lv2/statistics
- api.zhuishu####.com/mix-atoc/5a1fe108c6fc8dda02ec682f?view=####
- api.zhuishu####.com/ranking/gender
- d.weixu####.com.####.com/2011/gou.jar
- up####.v.qin####.com/chapter/http://www.cmread.com/www/readView?bid=####...
- w####.q####.s####.####.com/agent//img.17k.com/images/bookcover/2015/6823...
- w####.q####.s####.####.com/agent/http://img.1391.com/api/v1/bookcenter/c...
- w####.q####.s####.####.com/avatar/74/09/7409c2f47f372f65c5f27b43978a02ea
- w####.q####.s####.####.com/ranking-cover/142319144267827
- w####.q####.s####.####.com/ranking-cover/142319166399949
- w####.q####.s####.####.com/ranking-cover/142319314350435
- w####.q####.s####.####.com/ranking-cover/142319383473238
- w####.q####.s####.####.com/ranking-cover/144738093413066
- w####.q####.s####.####.com/ranking-cover/144738102858782
- w####.q####.s####.####.com/ranking-cover/144799960841612
- w####.q####.s####.####.com/ranking-cover/144799965747841
- w####.q####.s####.####.com/ranking-cover/14750532964058
- w####.q####.s####.####.com/ranking-cover/147505705336267
Запросы HTTP POST:
- ada####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=###...
- c.appj####.com/ad/splash/stats.html
- r.eli####.cn/k1?requestId=####&g=####&ua=####
- r.eli####.cn/k2?protocol=####&version=####&cid=####
- zhg.ali####.com/saveWb.json
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_SGLib/libsgmainso-5.1.81.so.tmp
- <Package Folder>/app_SGLib/lock.lock
- <Package Folder>/cache/####/061e59f8ffadf0f68a2d2e9015fbd0dbfb6....0.tmp
- <Package Folder>/cache/####/0cbdd454b60ff70d5a4815c8c8e12b23000....0.tmp
- <Package Folder>/cache/####/1c2a5871fa0ceb59f241d5b1887ce8a0572....0.tmp
- <Package Folder>/cache/####/1df690f30ec42f7e9ea02224413a0f0c189....0.tmp
- <Package Folder>/cache/####/1fab029050c6eacf1cb95c1103f429ee9f4....0.tmp
- <Package Folder>/cache/####/239a0d51ff3a261cec8daab866f1bd8c718....0.tmp
- <Package Folder>/cache/####/26e9f49a44b67a93dd10887a092fc2940a8....0.tmp
- <Package Folder>/cache/####/2a226a084f4d457849c6fd538b47b690857....0.tmp
- <Package Folder>/cache/####/35f0ba7235765474c295281fb5a609c4364....0.tmp
- <Package Folder>/cache/####/3d734cb7d898cd8f871e3177d34dde269e2....0.tmp
- <Package Folder>/cache/####/4202c90702faa8c91d94c68aac08cdc6ca1....0.tmp
- <Package Folder>/cache/####/44dd45b77fb73b7a5adadf93d84bd1c9c08....0.tmp
- <Package Folder>/cache/####/49c5a7f21c0dbf698ce2514da5839b25e1b....0.tmp
- <Package Folder>/cache/####/5552430e9af3d1a9808a17d330668fa0d78....0.tmp
- <Package Folder>/cache/####/560009d3a43135cdb5c236aa1c70dfef7f1....0.tmp
- <Package Folder>/cache/####/5ebf25411120338362466227e97de9e26c1....0.tmp
- <Package Folder>/cache/####/60c68a955d53a408cb18290b3c199151630....0.tmp
- <Package Folder>/cache/####/64253207f61933f6d4c0b57b8a5d1dff50d....0.tmp
- <Package Folder>/cache/####/7040363a4204600218adecfa792e634da4f....0.tmp
- <Package Folder>/cache/####/70b33cd84024820c1daef3bb1571c64219f....0.tmp
- <Package Folder>/cache/####/70cbbeb1b8e978d8fc8eab452255bac2466....0.tmp
- <Package Folder>/cache/####/76c948d58f09850f02cb975e0d3a8202f11....0.tmp
- <Package Folder>/cache/####/7f192b1481497de29e5ae609cd5b03ac32f....0.tmp
- <Package Folder>/cache/####/83ed8cb6de77f525dfea0e2d3dd3b2e3b74....0.tmp
- <Package Folder>/cache/####/8c6d62784813687ac0ff36f33e50a14ebc4....0.tmp
- <Package Folder>/cache/####/9e01462cd431e36f74b0d03cb3a94c3ade4....0.tmp
- <Package Folder>/cache/####/a5aeb623db5d76d08dabca79451f3c37ce9....0.tmp
- <Package Folder>/cache/####/a6fc6d008a7a507b61feb3e5ef7b389645b....0.tmp
- <Package Folder>/cache/####/afe15d6e8382774cef44712842e8586411f....0.tmp
- <Package Folder>/cache/####/b60eed7deb1f809d05ed8419a6cfef66235....0.tmp
- <Package Folder>/cache/####/b6f3cbde7cc403956bf478e527cb590d4b8....0.tmp
- <Package Folder>/cache/####/c8d95dd3422d56a051345a5278511a00a66....0.tmp
- <Package Folder>/cache/####/cd11fb5fd5ea41f358dcd92d8d9b3717c84....0.tmp
- <Package Folder>/cache/####/d43a8dd70858e4464da24cb0b2ce0d880a7....0.tmp
- <Package Folder>/cache/####/d84a41b4fbf703760762437c753330bacc7....0.tmp
- <Package Folder>/cache/####/dad8edf556fde48b3f5c5e0c06434ebdd82....0.tmp
- <Package Folder>/cache/####/dee397bc188a484a75c1c22ea87600b7276....0.tmp
- <Package Folder>/cache/####/e3d4a012365d16b97dfacf768a74cf71e26....0.tmp
- <Package Folder>/cache/####/e6223e0d27038ada2fe8cfdc06ab4427cce....0.tmp
- <Package Folder>/cache/####/e823c975615a44393ae8cb7453eb227e518....0.tmp
- <Package Folder>/cache/####/eb272588f65c1efdd78f0e39f1b472a75ef....0.tmp
- <Package Folder>/cache/####/f58004fcc648d165dad4def3f6dcc2d69fe....0.tmp
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/downloadswc
- <Package Folder>/databases/downloadswc-journal
- <Package Folder>/databases/ut.db
- <Package Folder>/databases/ut.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/0a231bd8575dcf72.txt
- <Package Folder>/files/1d77ea041509fe06.lock
- <Package Folder>/files/21c22f492aba3de8.lock
- <Package Folder>/files/930a31b34bd52c08.lock
- <Package Folder>/files/SGMANAGER_DATA2.tmp
- <Package Folder>/files/__local_ap_info_cache.json
- <Package Folder>/files/__local_last_session.json
- <Package Folder>/files/__local_stat_cache.json
- <Package Folder>/files/__send_data_1510833287446
- <Package Folder>/files/ap.Lock
- <Package Folder>/files/libcuid.so
- <Package Folder>/files/sp.lock
- <Package Folder>/shared_prefs/<Package>_preference.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/UTCommon.xml
- <Package Folder>/shared_prefs/UTCommon.xml.bak (deleted)
- <Package Folder>/shared_prefs/W_Key.xml
- <Package Folder>/shared_prefs/__Baidu_Stat_SDK_SendRem.xml
- <Package Folder>/shared_prefs/a.xml
- <Package Folder>/shared_prefs/ad_show_time.xml
- <Package Folder>/shared_prefs/baidu_mtj_sdk_record.xml
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/st.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.com.taobao.dp/6c709c11d2d46a7b
- <SD-Card>/.com.taobao.dp/dd7893586a493dc3
- <SD-Card>/.com.taobao.dp/hid.dat
- <SD-Card>/Download/####/4.8_gou.jar.tmp
- <SD-Card>/backups/####/.confd
- <SD-Card>/backups/####/.confd-journal
- <SD-Card>/backups/####/.cuid
- <SD-Card>/backups/####/.cuid2
- <SD-Card>/backups/####/.timestamp
- <SD-Card>/cache/####/-1289005946
- <SD-Card>/cache/####/-249715954
- <SD-Card>/cache/####/-703259647
- <SD-Card>/cache/####/-892738503
- <SD-Card>/cache/####/-943431157
- <SD-Card>/cache/####/1.txt
- <SD-Card>/cache/####/1084234404
- <SD-Card>/cache/####/1541366825
- <SD-Card>/cache/####/2.txt
- <SD-Card>/cache/####/3.txt
- <SD-Card>/cache/####/4.txt
- <SD-Card>/cache/####/411477508
- <SD-Card>/cache/####/511371249
- <SD-Card>/collect/-1741312354
- <SD-Card>/dt/restime.dat
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.build.display.id
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.miui.ui.version.name
- getprop ro.smartisan.version
- getprop ro.vivo.os.version
Загружает динамические библиотеки:
- crash_analysis
- libjiagu
- lnhq
- sgmainso-5.1
- ut_c_api
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- RSA
- RSA-ECB-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
