Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.127.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) way.p####.com:80
- TCP(HTTP/1.1) d####.g####.p####.com:80
- TCP(HTTP/1.1) recom####.p####.com:80
- TCP(HTTP/1.1) t####.p####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) apilo####.a####.com:80
- TCP(HTTP/1.1) res.su####.cn.####.com:80
- TCP(HTTP/1.1) w####.p####.com.####.com:80
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) recom####.p####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) api.pass####.p####.com:443
- TCP(TLS/1.0) www.go####.nl:443
- TCP(TLS/1.0) s####.tc.qq.com:443
Запросы DNS:
- a####.u####.com
- ac####.d####.pp####.com
- api####.a####.com
- api.pass####.p####.com
- api.usergr####.p####.com
- cld####.mo####.p####.com
- epg.api.p####.com
- hm.b####.com
- i####.pp####.cn
- i####.pp####.cn
- ios.syna####.com
- m####.api.p####.com
- mt####.go####.com
- ppi.api.p####.com
- r####.wx.qq.com
- recom####.p####.com
- res.su####.cn
- s1.pp####.cn
- sr1.pp####.cn
- sr1.pp####.com
- sr2.pp####.cn
- sr2.pp####.com
- sr3.pp####.cn
- sr3.pp####.com
- sr4.pp####.cn
- sr4.pp####.com
- ssl.gst####.com
- sta####.pp####.cn
- t####.p####.com
- v.img.pp####.cn
- vip.p####.com
- way.p####.com
- www.go####.com
- www.go####.nl
- www.gst####.com
Запросы HTTP GET:
- d####.g####.p####.com/1.html?sdPg0uX####
- d####.g####.p####.com/1.html?sdPg0uXTraCSqrOWlrKpmpyoraSSrKeioJawpqmapqW...
- d####.g####.p####.com/1.html?sdPg0uXTraCSqrOWoJaupqeLs62gj7mWraCSrbOYpaa...
- hm.b####.com/hm.js?7adaa44####
- recom####.p####.com/recTopic?uid=####&extraFields=####&rmTopicIds=####&s...
- recom####.p####.com/recommend?uid=####&ppi=####&vipUser=####&num=####&re...
- res.su####.cn.####.com/project/ssa/script/2aaef4fe-a99f-49a3-9fc3-fbc9d0...
- t####.p####.com/
- t####.p####.com/activity/2017/xchb/h5/?aid=####&plt=####
- t####.p####.com/check_update?platform=####&appplt=####&osv=####&appid=##...
- t####.p####.com/cms/10/06/c0fbe43b9d512134becfbba8d5790ec8.jpg
- t####.p####.com/cms/12/68/fe683f319b14dd65c7e5d11258232948.jpg
- t####.p####.com/cms/14/16/bf91f7c36fa4cc3c32ccb8043809b39a.png
- t####.p####.com/cms/16/35/c66c61fda8eb103aaf86bdf565afa2bc.png
- t####.p####.com/cms/16/76/016f42a428d841b7c41d0219558c7187.jpg
- t####.p####.com/cms/18/10/fa7426723f7614bf947f30f8659c1260.png
- t####.p####.com/cms/18/30/75cc336bd82b394486525f1263f59d04.jpg
- t####.p####.com/cms/19/50/8be57d72356269ba350f6c22180ba113.png
- t####.p####.com/cms/23/81/ae04f46e429e4a961b5d58c4da0cd195.jpg
- t####.p####.com/cms/23/85/aee791dc696c8e4cb3a6da03554a709b.png
- t####.p####.com/cms/25/93/d48a6496c881c86e90796b53e92f7a3d.jpg
- t####.p####.com/cms/26/81/11325d0347f8277a0b7e98be8ed21ef2.png
- t####.p####.com/cms/30/55/cb9e5e68aa72a94ca163d62f3dd51969.jpg
- t####.p####.com/cms/32/01/908807de82450bcf791fac2bd1d124d6.gif
- t####.p####.com/cms/33/18/803d9717c2538b9b4a81e91bd62adc2a.jpg
- t####.p####.com/cms/38/51/6c505fcfc594ae3a304a142bdefa4fa2.gif
- t####.p####.com/cms/40/74/3c060e5c53663a33ea5a921581c6f27c.jpg
- t####.p####.com/cms/41/40/b72f78b5fdff8d2f80f039d5e30d42ba.png
- t####.p####.com/cms/42/40/1360f77a120c7ba4794f48904c22d743.jpg
- t####.p####.com/cms/94/19/7c337d33441c23288d225f26c8484ef7.jpg
- t####.p####.com/control?ver=####&userLevel=####&platform=####&osv=####&s...
- t####.p####.com/detail.api?auth=####&canal=####&ppi=####&appid=####&appv...
- t####.p####.com/generalConfig?platform=####&appplt=####&configType=####&...
- t####.p####.com/generalConfig?platform=####&configkey=####&appplt=####&c...
- t####.p####.com/getConfig?ZGV2aWNlaWQ9MzU2NTA3MDU5MzUxODk1JmRldmljZXR5cG...
- t####.p####.com/globalConfig?platform=####&appplt=####&osv=####&appid=##...
- t####.p####.com/manual_update?platform=####&appplt=####&osv=####&appid=#...
- t####.p####.com/treelefts.api?auth=####&userLevel=####&ppi=####&treeleft...
- t####.p####.com/v4/module?lang=####&platform=####&appid=####&appver=####...
- w####.p####.com.####.com/2018/01/08/16054323538_230X306.jpg.webp
- w####.p####.com.####.com/2018/01/22/16081700626_230X306.jpg.webp
- w####.p####.com.####.com/cms/14/24/d2b37f1e306938e9e0bf1ade235e24f3.png
- w####.p####.com.####.com/cms/19/13/de5f123f0eea25fd412227ae7e36c196.png
- w####.p####.com.####.com/cms/20/48/3ca7889db8b07c62dc914a2201694f8e.png
- w####.p####.com.####.com/cms/39/35/f5e255e4cbf8c6ace832ba82d318d983.png
- w####.p####.com.####.com/cms/40/08/420462a279acbe7b942cfe917564f7bb.png
- w####.p####.com.####.com/cp308/2a/0b/2a0b71de79f9de3ccb64f54ca26d54cd/15...
- w####.p####.com.####.com/oth/2012/10/jssdk/v_20150408155209/jsbridge.js
- w####.p####.com.####.com/pc_client/v_20171011162401/clt.js
- w####.p####.com.####.com/pptv/main/v_20141015100259/seajs/2.2.1/sea.js
- w####.p####.com.####.com/pptv/main/v_20180305173702_3b5412/dist/lib/jque...
- w####.p####.com.####.com/pptv/main/v_20180305173702_3b5412/dist/main.js
- w####.p####.com.####.com/pptv/main/v_20180305173702_3b5412/dist/pub.js
- w####.p####.com.####.com/pptv/main/v_20180305173702_3b5412/dist/ui.js
- w####.p####.com.####.com/pptv/main/v_20180305173702_3b5412/dist/util/jso...
- w####.p####.com.####.com/pptv/main/v_20180305173702_3b5412/dist/util/loa...
- w####.p####.com.####.com/pptv/main/v_20180305173702_3b5412/dist/util/log...
- w####.p####.com.####.com/pptv/main/v_20180305173702_3b5412/dist/util/pct...
- w####.p####.com.####.com/pptv/main/v_20180305173702_3b5412/dist/util/use...
- w####.p####.com.####.com/pub/weixin/v_20170602145855/wxajax.js
- w####.p####.com.####.com/sp342/2017/10/27/11064369150.jpg.webp
- w####.p####.com.####.com/sp342/2017/12/29/11400057780.jpg.webp
- w####.p####.com.####.com/sp342/2018/02/12/17372872745.jpg.webp
- w####.p####.com.####.com/sp342/2018/02/13/15592543234.jpg.webp
- w####.p####.com.####.com/sp342/2018/03/01/15501939838.jpg.webp
- w####.p####.com.####.com/sta.js?debug=####
- w####.p####.com.####.com/vip/activity/2017/h5/xchb/v_20180131151933/css/...
- w####.p####.com.####.com/vip/activity/js/src/v_20170628150049/lottery.js
- w####.p####.com.####.com/vip/h5/2017/12year/v_20170512164346/js/fontsize...
- w####.p####.com.####.com/vip/h5/v_20170525151539/js/ppsdk.js
- w####.p####.com.####.com/vip/js/mui/v_20160805114725/mui.min.js
- w####.p####.com.####.com/website/web/common/v_20180110182523_f06ff0/dist...
- way.p####.com/get/aphone?index=####&appplt=####&dstr=3y####&md5=####&app...
- way.p####.com/getUserCreditDoublePolicy?appid=####&from=####&format=####...
- way.p####.com/public/ppi?appid=####&appplt=####&cc=####&appver=####&devi...
Запросы HTTP POST:
- a####.u####.com/app_logs
- apilo####.a####.com/v3/log/init
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/index
- <Package Folder>/cache/applog.log
- <Package Folder>/databases/_ire-journal
- <Package Folder>/databases/pptv.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/.imprint
- <Package Folder>/files/configcenter.txt
- <Package Folder>/files/exitadinfo
- <Package Folder>/files/globalConfig.txt
- <Package Folder>/files/libjiagu.so
- <Package Folder>/files/mobclick_agent_cached_<Package>999999999
- <Package Folder>/files/static_config
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/MATSharedPreferences.xml
- <Package Folder>/shared_prefs/USER_BILLING.xml
- <Package Folder>/shared_prefs/cn.com.mma.mobile.tracking.other.xml
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/last_know_location.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/pptv.xml
- <Package Folder>/shared_prefs/speed_test.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/unicom.xml
- <Package Folder>/shared_prefs/view_from.xml
- <Package Folder>/shared_prefs/webp.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/PPTV/####/-1023432470
- <SD-Card>/PPTV/####/-1255581841.tmp
- <SD-Card>/PPTV/####/-1362455474.tmp
- <SD-Card>/PPTV/####/-1363525348.tmp
- <SD-Card>/PPTV/####/-1403916186
- <SD-Card>/PPTV/####/-1441151610.tmp
- <SD-Card>/PPTV/####/-1624000149
- <SD-Card>/PPTV/####/-1818098334.tmp
- <SD-Card>/PPTV/####/-1954288220
- <SD-Card>/PPTV/####/-2094691186.tmp
- <SD-Card>/PPTV/####/-2106605619.tmp
- <SD-Card>/PPTV/####/-372115487.tmp
- <SD-Card>/PPTV/####/-434886813.tmp
- <SD-Card>/PPTV/####/-50650037.tmp
- <SD-Card>/PPTV/####/-571539623
- <SD-Card>/PPTV/####/-604839425
- <SD-Card>/PPTV/####/-605511031.tmp
- <SD-Card>/PPTV/####/-61492529
- <SD-Card>/PPTV/####/-645134678.tmp
- <SD-Card>/PPTV/####/-682194916.tmp
- <SD-Card>/PPTV/####/-922110423
- <SD-Card>/PPTV/####/-922272615
- <SD-Card>/PPTV/####/1075085015.tmp
- <SD-Card>/PPTV/####/1373161737.tmp
- <SD-Card>/PPTV/####/1457266301.tmp
- <SD-Card>/PPTV/####/150767664
- <SD-Card>/PPTV/####/1553521954.tmp
- <SD-Card>/PPTV/####/1563429010.tmp
- <SD-Card>/PPTV/####/1599532657
- <SD-Card>/PPTV/####/1729388643.tmp
- <SD-Card>/PPTV/####/1749775815.tmp
- <SD-Card>/PPTV/####/1775006297
- <SD-Card>/PPTV/####/181374413.tmp
- <SD-Card>/PPTV/####/1943559261
- <SD-Card>/PPTV/####/1962979179
- <SD-Card>/PPTV/####/224443801.tmp
- <SD-Card>/PPTV/####/242693036.tmp
- <SD-Card>/PPTV/####/382492932.tmp
- <SD-Card>/PPTV/####/404390849.tmp
- <SD-Card>/PPTV/####/460567684.tmp
- <SD-Card>/PPTV/####/493852074
- <SD-Card>/PPTV/####/524939934.tmp
- <SD-Card>/PPTV/####/54939787.tmp
- <SD-Card>/PPTV/####/561934565.tmp
- <SD-Card>/PPTV/####/603337748.tmp
- <SD-Card>/PPTV/####/771733332.tmp
- <SD-Card>/PPTV/####/801551763
- <SD-Card>/PPTV/####/844546058.tmp
- <SD-Card>/PPTV/####/957188160
- <SD-Card>/PPTV/####/971348396
- <SD-Card>/PPTV/####/982130736.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/files/libjiagu.so
Загружает динамические библиотеки:
- audioeffect_jni
- breakpad_util_jni
- libjiagu
- libppbox_jni-android-x86-gcc44-mt-1.1.0
- meet
- mresearch
- ppbox_jni-android-x86-gcc44-mt-1.1
- subtitle-jni
Использует следующие алгоритмы для шифрования данных:
- AES-ECB-PKCS5Padding
- DES-CBC-PKCS5Padding
- DESede-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- DES-CBC-PKCS5Padding
- DESede-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о настроках APN.
Отрисовывает собственные окна поверх других приложений.
