Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Moplus.1
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) app.s####.auto####.####.cn:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) wap.n.sh####.com:80
- TCP(HTTP/1.1) s.wagbr####.alibaba####.com:80
- TCP(HTTP/1.1) ba####.qich####.com.####.com:80
- TCP(HTTP/1.1) api.appj####.com:80
- TCP(TLS/1.0) rep####.crashly####.com:443
- TCP(TLS/1.0) c####.aut####.cn.####.com:443
- TCP(TLS/1.0) sett####.crashly####.com:443
- TCP(TLS/1.0) ope####.b####.com:443
- TCP c####.g####.ig####.com:5224
- TCP sdk.o####.t####.####.com:5224
Запросы DNS:
- a####.aut####.cn
- a####.u####.com
- api.appj####.com
- app.s####.auto####.####.cn
- au.u####.co
- au.u####.com
- ba####.qich####.com
- bao####.aut####.cn
- c####.aut####.cn
- c####.aut####.cn
- c####.aut####.cn
- c####.g####.ig####.com
- loc.map.b####.com
- m.b####.com
- ope####.b####.com
- rep####.crashly####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sett####.crashly####.com
- w####.aut####.cn
- x.aut####.cn
Запросы HTTP GET:
- ba####.qich####.com.####.com/app/image/brands/1.png
- ba####.qich####.com.####.com/app/image/brands/12.png
- ba####.qich####.com.####.com/app/image/brands/14.png
- ba####.qich####.com.####.com/app/image/brands/221.png
- ba####.qich####.com.####.com/app/image/brands/3.png
- ba####.qich####.com.####.com/app/image/brands/33.png
- ba####.qich####.com.####.com/app/image/brands/35.png
- ba####.qich####.com.####.com/app/image/brands/38.png?r=####
- ba####.qich####.com.####.com/app/image/brands/62.png
- ba####.qich####.com.####.com/app/image/brands/71.png
- ba####.qich####.com.####.com/app/image/brands/76.png
- ba####.qich####.com.####.com/app/image/brands/8.png
- ba####.qich####.com.####.com/app/image/price/240x160_2871_1433753654000....
- ba####.qich####.com.####.com/app/image/price/240x160_3068_1433753654000....
- ba####.qich####.com.####.com/app/image/price/240x160_834_1433753654000.png
- ba####.qich####.com.####.com/appdfs/g11/M03/72/FD/autohomecar__wKgH0lcsO...
- ba####.qich####.com.####.com/appdfs/g14/M05/73/7C/autohomecar__wKgH5FcsO...
- ba####.qich####.com.####.com/appdfs/g15/M08/70/6A/autohomecar__wKgH5VcsO...
- ba####.qich####.com.####.com/appdfs/g22/M0B/55/5D/autohomecar__wKgFVlcsO...
- ba####.qich####.com.####.com/bj/2015052513/1175436162_1432531433950.jpg
- ba####.qich####.com.####.com/priceapi3.9.2/services/appStart/get?app=###...
- ba####.qich####.com.####.com/priceapi3.9.2/services/cars/brands?ts=####&...
- ba####.qich####.com.####.com/priceapi3.9.2/services/focuspictures/get?ve...
- ba####.qich####.com.####.com/priceapi3.9.2/services/promotiondetail/get?...
- ba####.qich####.com.####.com/priceapi3.9.2/services/promotionlist/get?pr...
- ba####.qich####.com.####.com/priceapi3.9.2/services/seriesprice/get?bran...
- ba####.qich####.com.####.com/priceapi3.9.2/services/seriessummary/get?se...
- ba####.qich####.com.####.com/priceapi3.9.2/services/specsummary/get?spec...
- ba####.qich####.com.####.com/priceapi3.9.2/services/user/getseriesspec?u...
- ba####.qich####.com.####.com/zx/newspic/2015/6/9/2015060910543572144.jpg
- ba####.qich####.com.####.com/zx/newspic/2015/6/9/2015060910560353093.jpg
Запросы HTTP POST:
- a####.u####.com/app_logs
- api.appj####.com/appjiagu
- app.s####.auto####.####.cn/pv_activity.php
- app.s####.auto####.####.cn/pv_clientdata.php
- app.s####.auto####.####.cn/pv_event.php
- app.s####.auto####.####.cn/pv_upload.php
- ba####.qich####.com.####.com/priceapi3.9.2/services/push/reg
- ba####.qich####.com.####.com/priceapi3.9.2/services/user/setfavcity
- s.wagbr####.alibaba####.com/api/check_app_update
- sdk.o####.p####.####.com/api.php?action=####&format=####
- sdk.o####.p####.####.com/api.php?action=####&session_last=####&format=##...
- wap.n.sh####.com/xcloudboss?r=####&pkgname=####&ver=####&pu=####
- wap.n.sh####.com/xcloudboss?r=####&type=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/databases/ah_price.db-journal
- <Package Folder>/databases/gxdbapp.db-journal
- <Package Folder>/databases/gxsdkdb.db
- <Package Folder>/databases/gxsdkdb.db-journal
- <Package Folder>/databases/moplus_server_config.db-journal
- <Package Folder>/files/####/5A0D7D4D016B-0001-080F-97A1E5846828...s_temp
- <Package Folder>/files/####/5A0D7D4E0314-0002-080F-97A1E5846828...s_temp
- <Package Folder>/files/####/5A0D7D4E03A0-0001-0833-97A1E5846828...s_temp
- <Package Folder>/files/####/5A0D7D52007D-0001-085F-97A1E5846828...s_temp
- <Package Folder>/files/####/5A0D7D560120-0001-089C-97A1E5846828...s_temp
- <Package Folder>/files/####/5A0D7D560120-0001-089C-97A1E5846828.cls_temp
- <Package Folder>/files/####/5A0D7D6500E7-0003-080F-97A1E5846828...s_temp
- <Package Folder>/files/####/5A0D7D6500E7-0003-080F-97A1E5846828.cls_temp
- <Package Folder>/files/####/5A0D7D66019B-0001-08E4-97A1E5846828...s_temp
- <Package Folder>/files/####/5A0D7D660366-0001-08F9-97A1E5846828...s_temp
- <Package Folder>/files/####/5A0D7D660366-0001-08F9-97A1E5846828.cls_temp
- <Package Folder>/files/####/5A0D7D6603A0-0002-08F9-97A1E5846828...s_temp
- <Package Folder>/files/####/5A0D7D68007A-0001-0914-97A1E5846828...s_temp
- <Package Folder>/files/####/5A0D7D6C01DA-0001-093E-97A1E5846828...s_temp
- <Package Folder>/files/####/com.crashlytics.settings.json
- <Package Folder>/files/####/crash_marker
- <Package Folder>/files/####/firll.dat
- <Package Folder>/files/####/initialization_marker
- <Package Folder>/files/####/offinfo.dat
- <Package Folder>/files/####/sa_605d158c-5aad-4af1-8f72-eecf3632...05.tap
- <Package Folder>/files/####/session_analytics.tap
- <Package Folder>/files/####/session_analytics.tap (deleted)
- <Package Folder>/files/####/session_analytics.tap.tmp
- <Package Folder>/files/.imprint
- <Package Folder>/files/libjiagu.so
- <Package Folder>/files/mobclick_agent_cached_<Package>56
- <Package Folder>/files/stop.lock
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/jiagu.lock
- <Package Folder>/shared_prefs/<Package>.push_sync.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/UMS_BuyDetailBuyDetail_pv.xml
- <Package Folder>/shared_prefs/UMS_CarCar_pv.xml
- <Package Folder>/shared_prefs/UMS_Device_ID.xml
- <Package Folder>/shared_prefs/UMS_Online_Setting.xml
- <Package Folder>/shared_prefs/UMS_OrderformOrderform_pv.xml
- <Package Folder>/shared_prefs/UMS_SeriesDrawerSeriesDrawer_pv.xml
- <Package Folder>/shared_prefs/UMS_SeriesHomeSeriesHome_pv.xml
- <Package Folder>/shared_prefs/UMS_Session_ID.xml
- <Package Folder>/shared_prefs/UMS_Session_ID_Save_Time.xml
- <Package Folder>/shared_prefs/UMS_SpecBuySpecBuy_pv.xml
- <Package Folder>/shared_prefs/UMS_SpecHomeSpecHome_pv.xml
- <Package Folder>/shared_prefs/ahprice.xml
- <Package Folder>/shared_prefs/ahpricead.xml
- <Package Folder>/shared_prefs/ahpriceconfig.xml
- <Package Folder>/shared_prefs/com.crashlytics.android.internal.D.xml
- <Package Folder>/shared_prefs/com.crashlytics.prefs.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/moplus_psetting.xml
- <Package Folder>/shared_prefs/pst.xml
- <Package Folder>/shared_prefs/tj.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_socialize_qq.xml
- <SD-Card>/ahprice/####/-1168033122.tmp
- <SD-Card>/ahprice/####/-1380273991.tmp
- <SD-Card>/ahprice/####/-1384891596.tmp
- <SD-Card>/ahprice/####/-1412597226.tmp
- <SD-Card>/ahprice/####/-1459152685.tmp
- <SD-Card>/ahprice/####/-1495714116.tmp
- <SD-Card>/ahprice/####/-1497561158.tmp
- <SD-Card>/ahprice/####/-1553895939.tmp
- <SD-Card>/ahprice/####/-1555742981.tmp
- <SD-Card>/ahprice/####/-1605132774.tmp
- <SD-Card>/ahprice/####/-1623598393.tmp
- <SD-Card>/ahprice/####/-166428355.tmp
- <SD-Card>/ahprice/####/-1830842065.tmp
- <SD-Card>/ahprice/####/-228886804.tmp
- <SD-Card>/ahprice/####/-27371173.tmp
- <SD-Card>/ahprice/####/-3114864.tmp
- <SD-Card>/ahprice/####/-95081875.tmp
- <SD-Card>/ahprice/####/1371801834.tmp
- <SD-Card>/ahprice/####/1381413602.tmp
- <SD-Card>/ahprice/####/1415728305.tmp
- <SD-Card>/ahprice/####/1571501375.tmp
- <SD-Card>/ahprice/####/1805891039.tmp
- <SD-Card>/ahprice/####/2102087224.tmp
- <SD-Card>/ahprice/####/2119832557.tmp
- <SD-Card>/ahprice/####/466224271.tmp
- <SD-Card>/ahprice/####/497261707.tmp
- <SD-Card>/ahprice/####/559336579.tmp
- <SD-Card>/ahprice/####/751086975.tmp
- <SD-Card>/ahprice/####/774320432.tmp
- <SD-Card>/ahprice/####/781042925.tmp
- <SD-Card>/ahprice/####/782889967.tmp
- <SD-Card>/ahprice/####/787507572.tmp
- <SD-Card>/ahprice/####/896516625.tmp
- <SD-Card>/autohome/autoshare.sub.data
- <SD-Card>/baidu/####/ls.db
- <SD-Card>/baidu/####/ls.db-journal
- <SD-Card>/baidu/####/yoh.dat
- <SD-Card>/baidu/####/yol.dat
- <SD-Card>/baidu/####/yom.dat
- <SD-Card>/baidu/.cuid
- <SD-Card>/libs/<Package>.db
- <SD-Card>/libs/app.db
- <SD-Card>/libs/com.igexin.sdk.deviceId.db
- <SD-Card>/libs/imsi.db
- <SD-Card>/mobclick_agent_cached_<Package>
Другие:
Загружает динамические библиотеки:
- BaiduMapSDK_v2_4_1
- bspatch
- encrypt
- jiagu
- libjiagu
- locSDK5
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS7Padding
- desede-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
Осуществляет доступ к информации об отправленых/принятых смс.
