Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.248.origin
- Android.Triada.309
- Android.Triada.373.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) l.ace####.com:80
- TCP(HTTP/1.1) cl.mo####.u####.com:80
- TCP(HTTP/1.1) pg.x####.com:80
- TCP(HTTP/1.1) cf.gdata####.net:80
- TCP(HTTP/1.1) 1####.196.40.71:9600
- TCP(HTTP/1.1) 1####.196.40.71:9500
Запросы DNS:
- a####.u####.com
- cf.gdata####.net
- cl.mo####.u####.com
- gv1.x####.com
- i####.cn.com
- l.ace####.com
- pg.x####.com
- rd.gdata####.net
Запросы HTTP POST:
- a####.u####.com/app_logs
- cf.gdata####.net/config/update
- cf.gdata####.net/dc/sync_adr
- cl.mo####.u####.com/show.aspx?Key=####
- l.ace####.com/ando/v2/lv?app_id=####&r=####
- pg.x####.com/api/q/a/3cff577985556567209c8fa8131303f63
- pg.x####.com/api/statis/3cff577985556567209c8fa8131303f63/game-67A1BB6E0...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/code-5925813/md6pAMAMli349YgO
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/dataeye_database_91CA71A216538CBCACA...147.db
- <Package Folder>/databases/dataeye_database_91CA71A216538CBCACA...ournal
- <Package Folder>/databases/talkingdata_app.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/uyeK7_duIO9lDDNyQ7mtHzh2Mj9ECScS_1Ch...9ZEg==
- <Package Folder>/databases/uyeK7_duIO9lDDNyQ7mtHzh2Mj9ECScS_1Ch...ournal
- <Package Folder>/databases/uyeK7_duIO9lDDNyQ7mtHzh2Mj9ECScS_LTH...CA2g==
- <Package Folder>/databases/uyeK7_duIO9lDDNyQ7mtHzh2Mj9ECScS_LTH...ournal
- <Package Folder>/databases/uyeK7_duIO9lDDNyQ7mtHzh2Mj9ECScS_M8R...f8CuI=
- <Package Folder>/databases/uyeK7_duIO9lDDNyQ7mtHzh2Mj9ECScS_M8R...ournal
- <Package Folder>/databases/uyeK7_duIO9lDDNyQ7mtHzh2Mj9ECScS_lzV...g9YEbv
- <Package Folder>/databases/uyeK7_duIO9lDDNyQ7mtHzh2Mj9ECScS_lzV...ournal
- <Package Folder>/databases/uyeK7_duIO9lDDNyQ7mtHzh2Mj9ECScS_rZB...ournal
- <Package Folder>/databases/vi_db_pay-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/000..png
- <Package Folder>/files/####/0000.png
- <Package Folder>/files/####/2Rp1G6oQDvQ9w4bdqV4ykqJ-iMEn8ZCb.new
- <Package Folder>/files/####/810P8U_VheyOGOlx
- <Package Folder>/files/####/BS4rdsZzm7Lspu9mS5NpzCapdyU3vqct.new
- <Package Folder>/files/####/BUmtGvlZF8wvPiw_IvOmjuEifcJIwPe5.new
- <Package Folder>/files/####/BackGRound.png
- <Package Folder>/files/####/BianKuang.mp3
- <Package Folder>/files/####/BpK62nLQdUGPyfL-.new
- <Package Folder>/files/####/EH6N4EJ57bJoBlnI15TiEQ==
- <Package Folder>/files/####/EQeqVGDsu5Pplvj6u-em_vJ3Cos=.new
- <Package Folder>/files/####/FenLie.mp3
- <Package Folder>/files/####/GetDaoju.mp3
- <Package Folder>/files/####/GrYM50DbYzwnBf0IB1y_7TQJCZY=
- <Package Folder>/files/####/Hebing.mp3
- <Package Folder>/files/####/HunDun.mp3
- <Package Folder>/files/####/K4r2UXD6I9c9RI5DWS_TsB5ZrEiax_RnP-I...U=.new
- <Package Folder>/files/####/KeXPysc8gOoEdqI3y1njfw==.new
- <Package Folder>/files/####/L1i5EKPdcvJgBinLHKGHI0SfpVCRVksG7f2Etw==.new
- <Package Folder>/files/####/LtrcLPWub4gIl21Ash3n27ubhYvTj6puNMtgHQ==.new
- <Package Folder>/files/####/Lv8ijZ_A487zW5sPKP1mrA==
- <Package Folder>/files/####/Marker Felt.ttf
- <Package Folder>/files/####/Menuback.jpg
- <Package Folder>/files/####/OkDjAUDSiZsRj9TKbfC6d_PpaZFmlST2zFf...U=.new
- <Package Folder>/files/####/PQKwOMoldQVPIOVs.zip
- <Package Folder>/files/####/PaiMing.png
- <Package Folder>/files/####/PrPDS_7TvM1gTg7Tu92BRfDgNUQ=.new
- <Package Folder>/files/####/Putno.png
- <Package Folder>/files/####/Putno2.png
- <Package Folder>/files/####/QQ_EFFECT.ExportJson
- <Package Folder>/files/####/QQ_EFFECT0.plist
- <Package Folder>/files/####/QQ_EFFECT0.png
- <Package Folder>/files/####/Red_ling.png
- <Package Folder>/files/####/SPeed1.png
- <Package Folder>/files/####/SanHua.mp3
- <Package Folder>/files/####/Setup.png
- <Package Folder>/files/####/SjlEVpoZgKHZwKWoEZGWl3LnFh6w3gSu.new
- <Package Folder>/files/####/SkyPayInfo.xml
- <Package Folder>/files/####/Speed.mp3
- <Package Folder>/files/####/SpeedUp.png
- <Package Folder>/files/####/Start.mp3
- <Package Folder>/files/####/Start.png
- <Package Folder>/files/####/StartGame.png
- <Package Folder>/files/####/StartMusic.mp3
- <Package Folder>/files/####/TUchu.mp3
- <Package Folder>/files/####/TunShi.mp3
- <Package Folder>/files/####/UvyYV4bkag_BM42_Jp2k-vAteMk=.new
- <Package Folder>/files/####/VZxfpgUXtTsSOwildfpElDZtR-c=.new
- <Package Folder>/files/####/Vtfi8D8DWmwWOIujkfkX4oLykLKLA2hqRPP...U=.new
- <Package Folder>/files/####/WIN.mp3
- <Package Folder>/files/####/XsLLA_eJkaGPV5EAWTJcmIHh17E=.new
- <Package Folder>/files/####/ZsVVRq6Nq-gDVwWxdtiNxGTTxUBRDLZT.new
- <Package Folder>/files/####/base.png
- <Package Folder>/files/####/bean.plist
- <Package Folder>/files/####/bean.png
- <Package Folder>/files/####/bei_tun.mp3
- <Package Folder>/files/####/bg_main.mp3
- <Package Folder>/files/####/coinNUm.png
- <Package Folder>/files/####/dGf553VI_JwQ9-8kiSutydIqVvd-Vo6I.new
- <Package Folder>/files/####/dahui.png
- <Package Folder>/files/####/dianji.mp3
- <Package Folder>/files/####/enter.plist
- <Package Folder>/files/####/enter.png
- <Package Folder>/files/####/envelope.png
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/fenshu.png
- <Package Folder>/files/####/game_again.png
- <Package Folder>/files/####/game_back.png
- <Package Folder>/files/####/game_kuang.png
- <Package Folder>/files/####/game_over1.mp3
- <Package Folder>/files/####/game_over2.mp3
- <Package Folder>/files/####/game_over3.mp3
- <Package Folder>/files/####/game_rank.png
- <Package Folder>/files/####/game_scale.png
- <Package Folder>/files/####/gbvaa_f.zip
- <Package Folder>/files/####/goumai.png
- <Package Folder>/files/####/grieshoch.png
- <Package Folder>/files/####/guangsu.png
- <Package Folder>/files/####/hTS8dSORr1C3TVeLiv0nlr1bZj7xAnX6.new
- <Package Folder>/files/####/hundun_1.png
- <Package Folder>/files/####/install.png
- <Package Folder>/files/####/joystick.png
- <Package Folder>/files/####/l_pDIMBzVuKfeEAKvUFbQf3q8zrCMtB7wu2...A=.new
- <Package Folder>/files/####/ling.png
- <Package Folder>/files/####/list.png
- <Package Folder>/files/####/lrKCT6wEA2DRQcmdNGuUWg==.new
- <Package Folder>/files/####/miss1.mp3
- <Package Folder>/files/####/nT0CobcKkdiJ22OxNy9EVVLsj1zwp2oc.new
- <Package Folder>/files/####/npGqsUssIcsb6MZv1mdxbB9LHrE=.new
- <Package Folder>/files/####/onLJ-v5P2gRJ3RTav_1XPg==.new
- <Package Folder>/files/####/pingmu.png
- <Package Folder>/files/####/prick.png
- <Package Folder>/files/####/pz1.png
- <Package Folder>/files/####/q1.png
- <Package Folder>/files/####/q2.png
- <Package Folder>/files/####/q3.png
- <Package Folder>/files/####/q4.png
- <Package Folder>/files/####/qWTY0UMiCdxdYg7xx7VbqyhrfYKsWvFfsMosWQ==.new
- <Package Folder>/files/####/qian.png
- <Package Folder>/files/####/qian_days.png
- <Package Folder>/files/####/qq1.png
- <Package Folder>/files/####/qq10.png
- <Package Folder>/files/####/qq5.png
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/s1.png
- <Package Folder>/files/####/s2.png
- <Package Folder>/files/####/setBox.png
- <Package Folder>/files/####/shield.png
- <Package Folder>/files/####/shijian.png
- <Package Folder>/files/####/shop.png
- <Package Folder>/files/####/shop_dao11.png
- <Package Folder>/files/####/shop_jinbi.png
- <Package Folder>/files/####/shop_lingqu.png
- <Package Folder>/files/####/shop_pao13.png
- <Package Folder>/files/####/shop_paozi1.png
- <Package Folder>/files/####/shop_paozi2.png
- <Package Folder>/files/####/shop_paozi3.png
- <Package Folder>/files/####/shop_paozi4.png
- <Package Folder>/files/####/store_return_btn0.png
- <Package Folder>/files/####/switch.png
- <Package Folder>/files/####/touming.png
- <Package Folder>/files/####/vsRJkeyjNWCp8J4zooo3HOAdOemdoa_Q.new
- <Package Folder>/files/####/yh1.png
- <Package Folder>/files/####/yinxiaoOFF.png
- <Package Folder>/files/####/yinxiaoON.png
- <Package Folder>/files/####/yinyueOFF.png
- <Package Folder>/files/####/yinyueON.png
- <Package Folder>/files/####/yuan.png
- <Package Folder>/files/.imprint
- <Package Folder>/files/123.xml
- <Package Folder>/files/MainScene.csb
- <Package Folder>/files/MontR.plist
- <Package Folder>/files/MontR.png
- <Package Folder>/files/baohu.plist
- <Package Folder>/files/baohu.png
- <Package Folder>/files/daoju.plist
- <Package Folder>/files/daoju.png
- <Package Folder>/files/exid.dat
- <Package Folder>/files/paylib.jar
- <Package Folder>/files/rdata_comiuxvfwez.new
- <Package Folder>/files/s.xml
- <Package Folder>/files/s1.xml
- <Package Folder>/files/sanguang.plist
- <Package Folder>/files/sanguang.png
- <Package Folder>/files/speed.plist
- <Package Folder>/files/speed.png
- <Package Folder>/files/sushen.plist
- <Package Folder>/files/sushen.png
- <Package Folder>/files/talkingdata_app_process_preferences_file
- <Package Folder>/files/talkingdata_app_version_preferences_file
- <Package Folder>/files/temp.zip
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/3cff577985556567209c8fa8131303f63...le.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/Cocos2dxPrefsFile.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/SP_REPLACE_CLASSLOADER_CLASS_NAME.xml
- <Package Folder>/shared_prefs/TD_app_pefercen_profile.xml
- <Package Folder>/shared_prefs/dc.91CA71A216538CBCACA6CE1DDC2881...es.xml
- <Package Folder>/shared_prefs/pref_file.xml
- <Package Folder>/shared_prefs/qihoo_jiagu_crash_report.xml
- <Package Folder>/shared_prefs/td_pefercen_profile.xml
- <Package Folder>/shared_prefs/tdid.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/unknown.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.SystemService/####/uid
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.system_temp/.cfg
- <SD-Card>/.tcookieid
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh
- <Package Folder>/code-5925813/md6pAMAMli349YgO -p <Package> -c com.iuxv.fwez.afvkaq.pv.pv.qf.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- cat /sys/block/mmcblk0/device/cid
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- ls -l /sbin/su
- ls -l /system/bin/su
- ls -l /system/sbin/su
- ls -l /system/xbin/su
- ls -l /vendor/bin/su
Загружает динамические библиотеки:
- cocos2dcpp
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- DES-ECB-NoPadding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- DES-ECB-NoPadding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
Осуществляет доступ к информации об отправленых/принятых смс.
