Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.BackDoor.89
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) u.k####.com:80
- TCP(HTTP/1.1) k####.b0.upa####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) api.k####.com:8080
- TCP(HTTP/1.1) a####.k####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) apk.k####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) www.k####.com.####.com:80
- TCP c####.g####.ig####.com:5225
- TCP sdk.o####.t####.####.com:5224
Запросы DNS:
- 7j####.c####.z0.####.com
- a####.k####.com
- a.appj####.com
- api.k####.com
- apk.k####.com
- c####.g####.ig####.com
- sdk.o####.i####.####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- u####.k####.com
- u.k####.com
- www.k####.com
Запросы HTTP GET:
- a####.k####.com/kktv/kkopp/product/part/icon/101_1509604228845.png
- a####.k####.com/kktv/kkopp/product/part/icon/93_1504599716400.png
- a####.k####.com/kktv/kkopp/product/part/icon/93_1504599759183.png
- a####.k####.com/kktv/kkopp/product/part/icon/93_1504599769673.png
- a####.k####.com/kktv/kkopp/product/part/icon/93_1504599828215.png
- a####.k####.com/kktv/kkopp/product/part/icon/93_1504599862884.png
- a####.k####.com/kktv/kkopp/product/part/icon/93_1504599897885.png
- a####.k####.com/kktv/kkopp/product/part/icon/93_1504599984773.png
- a####.k####.com/kktv/kkopp/product/part/icon/93_1504599999529.png
- a####.k####.com/kktv/kkopp/product/part/icon/93_1504600110675.png
- a####.k####.com/kktv/picture/2017/01/10/21/114868277_3822.jpg!272
- a####.k####.com/kktv/poster/20160525/12/102950202_5946.jpg!272
- a####.k####.com/kktv/poster/20170327/16/115069331_335427.png!272
- a####.k####.com/kktv/poster/20170418/17/123311246_4843438.png!272
- a####.k####.com/kktv/poster/20170516/19/100803678_568970.png!272
- a####.k####.com/kktv/poster/20170705/17/724002_3355825.png!272
- a####.k####.com/kktv/poster/20170705/17/724004_3739984.png!272
- a####.k####.com/kktv/poster/20170728/16/36992837_642500.png!272
- a####.k####.com/kktv/poster/20171128/20/127790440_400361.png!272
- a####.k####.com/kktv/poster/20180117/11/121560147_21058.jpg!272
- a####.k####.com/kktv/poster/20180118/23/113591690_3441441.jpg!272
- a####.k####.com/kktv/poster/20180120/23/115386192_5114953.jpg!272
- a####.k####.com/kktv/poster/20180127/16/106870737_13730.jpg!272
- a####.k####.com/kktv/poster/2018118/11/724014_567244.jpg!272
- a####.k####.com/kktv/poster/2018118/11/724018_1323546.jpg!272
- a####.k####.com/kktv/poster/2018118/13/724010_91105.jpg!272
- api.k####.com:8080/meShow/entrance?parameter=####
- apk.k####.com/kkgame/mobile/config/config_a_zh_CN3.json
- apk.k####.com/kkgame/mobile/guide/android/2017cj.jpg
- apk.k####.com/share/mobile/config/config_a_zh_CN.json
- k####.b0.upa####.com/kktv/activity/image/2049/20161021142533_367.jpg
- k####.b0.upa####.com/kktv/activity/image/4158/20161102180022_530.jpg
- t####.c####.q####.####.com/tdata_Cyl001
- t####.c####.q####.####.com/tdata_KtX382
- u.k####.com/md/LS
- www.k####.com.####.com/CDN/output/M/1/I/20010302/P/a-1_c-4008_cataId-172...
- www.k####.com.####.com/CDN/output/M/1/I/55000003/P/a-1_c-4008_start-0_of...
- www.k####.com.####.com/CDN/output/M/1/I/55000003/P/a-1_c-4008_start-20_o...
- www.k####.com.####.com/CDN/output/M/1/I/55000004/P/a-1_c-4008_platform-2...
- www.k####.com.####.com/CDN/output/M/1440/I/10002006/P/a-1_c-4008_platfor...
Запросы HTTP POST:
- a.appj####.com/ad-service/ad/mark
- sdk.o####.p####.####.com/api.php?format=####&t=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/cache/####/0b11aea3a6b182deccd920d058dd261e507....0.tmp
- <Package Folder>/cache/####/1988e9900eb034a9785318a2a2c2720a7f3....0.tmp
- <Package Folder>/cache/####/373007d298971e11e030fd9ca4503a7aec4....0.tmp
- <Package Folder>/cache/####/40b19a2f7c4134d7aa1d276895bc731c065....0.tmp
- <Package Folder>/cache/####/472528570abafac286d35c38bbf09867f52....0.tmp
- <Package Folder>/cache/####/535f8aecb96211bf33ca6de4d54f7af4b8f....0.tmp
- <Package Folder>/cache/####/8283136216427d5c2387388f5cf0eac4ef4....0.tmp
- <Package Folder>/cache/####/84032608d6621db9a3968e15d22b1cd2859....0.tmp
- <Package Folder>/cache/####/95644ebd8a875b673fd3e58ecb6277a18c8....0.tmp
- <Package Folder>/cache/####/a8de70b0209894aa768d2fac1e4461d64cb....0.tmp
- <Package Folder>/cache/####/adaf8d064ad667b1a1c17e9ce6b1893fcf5....0.tmp
- <Package Folder>/cache/####/afa43d976b96abea4da15faf22e76420e82....0.tmp
- <Package Folder>/cache/####/bf054ec482478b1ce93082a5fab58df4897....0.tmp
- <Package Folder>/cache/####/c01c33d596b6a7a50e5a9fa872235034800....0.tmp
- <Package Folder>/cache/####/cd07a1274bd80e855be9a102ce682bbdf49....0.tmp
- <Package Folder>/cache/####/cd7a7749fcdc3ba4d54be8f19be7e697ea3....0.tmp
- <Package Folder>/cache/####/ce71810e9b496e6f97e94339c15d5abbd31....0.tmp
- <Package Folder>/cache/####/db874b5006bb9d1525f9202eb9c71652bba....0.tmp
- <Package Folder>/cache/####/de6ad207d15c005557e81623f1f41ed51b2....0.tmp
- <Package Folder>/cache/####/df8d6b604489de441530eea3f1be262c099....0.tmp
- <Package Folder>/cache/####/dfec334dae9f6a2a01adeea76181d5ca759....0.tmp
- <Package Folder>/cache/####/e71e64947bd228c4c6c3bed9f1288ef3689....0.tmp
- <Package Folder>/cache/####/fbc8d50c29dcc947a8b5f88d994bee068ef....0.tmp
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/cache/game_config.txt
- <Package Folder>/cache/meshow_config.txt
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/galhttprequest_database-journal
- <Package Folder>/databases/increment.db-journal
- <Package Folder>/databases/msp.db
- <Package Folder>/databases/msp.db-journal
- <Package Folder>/databases/pushext.db-journal
- <Package Folder>/databases/pushg.db-journal
- <Package Folder>/databases/pushsdk.db-journal
- <Package Folder>/databases/user_statistics.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/gdaemon_20151105
- <Package Folder>/files/init.pid
- <Package Folder>/files/mobclick_agent_cached_<Package>79
- <Package Folder>/files/push.pid
- <Package Folder>/files/run.pid
- <Package Folder>/shared_prefs/StatService.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/setting.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <SD-Card>/Android/####/100803678_568970.png!272
- <SD-Card>/Android/####/113591690_3441441.jpg!272
- <SD-Card>/Android/####/114868277_3822.jpg!272
- <SD-Card>/Android/####/36992837_642500.png!272
- <SD-Card>/libs/<Package>.db
- <SD-Card>/libs/app.db
- <SD-Card>/libs/com.getui.sdk.deviceId.db
- <SD-Card>/libs/com.igexin.sdk.deviceId.db
- <SD-Card>/meShow/####/.nomedia
- <SD-Card>/meShow/####/5859499
- <SD-Card>/meShow/####/muc.log
- <SD-Card>/meShow/####/new_share_pic.jpg
- <SD-Card>/meShow/####/notification.aac
- <SD-Card>/system/####/tdata_Cyl001
- <SD-Card>/system/####/tdata_Cyl001.jar
- <SD-Card>/system/####/tdata_Cyl001.tmp
- <SD-Card>/system/####/tdata_KtX382
- <SD-Card>/system/####/tdata_KtX382.jar
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/gdaemon_20151105 0 <Package>/com.igexin.sdk.PushService 24775 300 0
- chmod 700 <Package Folder>/files/gdaemon_20151105
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- sh <Package Folder>/files/gdaemon_20151105 0 <Package>/com.igexin.sdk.PushService 24775 300 0
Загружает динамические библиотеки:
- anw
- encode
- game
- iomx
- libjiagu
- vlcjni
Использует следующие алгоритмы для расшифровки данных:
- DES
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о настроках APN.
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
