Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.589.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) x.da.hun####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) s.wagbr####.alibaba####.com:80
- TCP(HTTP/1.1) statson####.pu####.b####.com:80
- TCP(HTTP/1.1) 1####.h####.i####.tv:80
- TCP(HTTP/1.1) mo####.api.hun####.com:80
- TCP(HTTP/1.1) apilo####.a####.com:80
- TCP(HTTP/1.1) 4####.h####.com.####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) l####.chunzhe####.cn:80
- TCP(HTTP/1.1) api.tui####.b####.com:80
- TCP(HTTP/1.1) cdn.app.kac####.####.com:80
- TCP(HTTP/1.1) mo####.log.hun####.com:80
- TCP(HTTP/1.1) b.scoreca####.com.####.net:80
- TCP 2####.108.23.105:5287
Запросы DNS:
- 0####.h####.com
- 1####.h####.com
- 2####.h####.com
- 3####.h####.com
- 4####.h####.com
- a####.tui####.b####.com
- a####.u####.com
- api####.a####.com
- api.tui####.b####.com
- au.u####.co
- au.u####.com
- b.scoreca####.com
- cdn.app.h####.top
- cdn.app.kac####.cn
- cdn.img.h####.top
- i5.hun####.com
- l####.chunzhe####.cn
- mo####.api.hun####.com
- mo####.log.hun####.com
- mt####.go####.com
- oc.u####.com
- sa9.tui####.b####.com
- statson####.pu####.b####.com
- x.da.hun####.com
Запросы HTTP GET:
- 1####.h####.i####.tv/preview/cms_icon/2018/02/20180223110317277.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180301105520096.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180301105530378.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180301105539697.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180302160317011.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180307163720927.gif
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180307195454292.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180307202428842.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180309201117984.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180309201141262.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180309201204849.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180310205944212.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180310224324819.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180310234641859.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180311121120815.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180312154749516.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180313114957072.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180313204248210.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180314205826627.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180314205902212.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180314210009063.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180314215931554.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180315095210490.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180315231743210.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180316094532846.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180316105853597.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180316114243853.jpg
- 1####.h####.i####.tv/preview/sp_images/2017/dianying/318236/4208002/2017...
- 1####.h####.i####.tv/preview/sp_images/2018/dianshiju/313552/4315345/201...
- 1####.h####.i####.tv/preview/sp_images/2018/dianying/315780/4301859/2018...
- 1####.h####.i####.tv/preview/sp_images/2018/xinwen/320379/4314825/201803...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322712/4314905/201803...
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/mianfeibo.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/vipmian.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/yugao.png
- 4####.h####.com.####.com/preview/cms_icon/2018/03/20180301105507697.jpg
- 4####.h####.com.####.com/preview/cms_icon/2018/03/20180308154424030.jpg
- 4####.h####.com.####.com/preview/cms_icon/2018/03/20180309201226271.jpg
- 4####.h####.com.####.com/preview/cms_icon/2018/03/20180311121757869.jpg
- 4####.h####.com.####.com/preview/cms_icon/2018/03/20180313114842409.jpg
- 4####.h####.com.####.com/preview/cms_icon/2018/03/20180314115721593.jpg
- b.scoreca####.com.####.net/p2?c1=####&c2=####&ns_ap_an=####&ns_ap_pn=###...
- cdn.app.kac####.####.com/sfile/201711/16/all/cp_V2.7.4.1.txt
- cdn.app.kac####.####.com/upload/201802/6/app/20180206153530165.apk
- cdn.app.kac####.####.com/upload/201802/6/img/20180206153521627.png
- mo####.api.hun####.com/channel/getDetail?userId=####&osVersion=####&devi...
- mo####.api.hun####.com/channel/getList?userId=####&osVersion=####&device...
- mo####.api.hun####.com/mobile/getCategorys?userId=####&osVersion=####&de...
- mo####.api.hun####.com/mobile/getRsaKey
- mo####.api.hun####.com/mobile/iconLink?userId=####&osVersion=####&device...
- mo####.api.hun####.com/mobile/p2pSwitch?userId=####&osVersion=####&devic...
Запросы HTTP POST:
- a####.u####.com/app_logs
- api.tui####.b####.com/rest/2.0/channel/3753792061047729739
- api.tui####.b####.com/rest/2.0/channel/channel
- apilo####.a####.com/v3/log/init
- l####.chunzhe####.cn/hadat/iwplc/ygla
- l####.chunzhe####.cn/hadat/u/scx
- l####.chunzhe####.cn/hadat/wnxjs/uzy
- l####.chunzhe####.cn/jzbdt/mie/lmh
- l####.chunzhe####.cn/jzbdt/qe/rj
- l####.chunzhe####.cn/jzbdt/ts/c/sch
- mo####.log.hun####.com/data.cgi
- oc.u####.com/check_config_update
- s.wagbr####.alibaba####.com/api/check_app_update
- statson####.pu####.b####.com/pushlog
- x.da.hun####.com/json/app/boot
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/app_push_lib/plugin-deploy.jar
- <Package Folder>/app_push_lib/plugin-deploy.key
- <Package Folder>/databases/t_u.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/.imprint
- <Package Folder>/files/MV3Plugin.ini
- <Package Folder>/files/ad.jar
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/files/yk.jar
- <Package Folder>/shared_prefs/<Package>.push_sync.xml
- <Package Folder>/shared_prefs/<Package>.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/MGTVCommon.xml
- <Package Folder>/shared_prefs/cSPrefs.xml
- <Package Folder>/shared_prefs/dbVersion.xml
- <Package Folder>/shared_prefs/dsi.xml
- <Package Folder>/shared_prefs/kr.xml
- <Package Folder>/shared_prefs/kr.xml.bak
- <Package Folder>/shared_prefs/last_know_location.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/pst.xml
- <Package Folder>/shared_prefs/sfe.xml
- <Package Folder>/shared_prefs/sfe.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/wv.xml
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/0f5e8ff3754d7af7d7a3999f86f8a79f.apk
- <SD-Card>/Android/####/178sar5p74x8mxp8mvrrw319u.tmp
- <SD-Card>/Android/####/1dubddt21u8n3dmt734ul94b.tmp
- <SD-Card>/Android/####/1el5y4nhlgjgwjwshqxpx57jh.tmp
- <SD-Card>/Android/####/1jswjpn9pgy81wck7z5zhcda1.tmp
- <SD-Card>/Android/####/1r1lnqo0t5fiogkmfplst9ta0.tmp
- <SD-Card>/Android/####/1tn9dopnkqaf3lzwl9cuyp681.tmp
- <SD-Card>/Android/####/1xbxhu7shuhg019lkotj4g0er.tmp
- <SD-Card>/Android/####/21lkjglblv6c4eqmvs6vyfz26.tmp
- <SD-Card>/Android/####/26v6o0szwz66qz16nvu63d214.tmp
- <SD-Card>/Android/####/283944181e4a5
- <SD-Card>/Android/####/28hnb7o7sv1m7vn52m0elmmzv.tmp
- <SD-Card>/Android/####/28zuvyhue96zfg0j847893g5t.tmp
- <SD-Card>/Android/####/2bxq91pnhx32u4hww9lojpu8f
- <SD-Card>/Android/####/2jag0smp5m495c5vj0p82k1s9.tmp
- <SD-Card>/Android/####/2jj7pejv2zrc7dp1ejo6k8nmx.tmp
- <SD-Card>/Android/####/2ostkekbevpz9xe0f3vq8lad6.tmp
- <SD-Card>/Android/####/2umq6lui44v46pkob3sfuyxem.tmp
- <SD-Card>/Android/####/2xfz1f766ulb3ehn978groo11.tmp
- <SD-Card>/Android/####/317wwphly87swmcd1sjtiqdsn.tmp
- <SD-Card>/Android/####/31yhlxldjtifzzjl3wd0wdf80.tmp
- <SD-Card>/Android/####/3ek9oicnhrssl1evsi3mizh0b.tmp
- <SD-Card>/Android/####/3o69csx43db6k04o5skkogjbm.tmp
- <SD-Card>/Android/####/44mbp9unpmrdyr2y11j3xrow8.tmp
- <SD-Card>/Android/####/49jcau1unws6nvpon53wpn0u5.tmp
- <SD-Card>/Android/####/4fn1z8gf3v2nwyyznngvungmj.tmp
- <SD-Card>/Android/####/4jftloq2ym125p0lah3ogsi6n.tmp
- <SD-Card>/Android/####/519x0akaanpaxf2508ehksviv.tmp
- <SD-Card>/Android/####/5c8c4mt03qhjj69kht8ww8tg2.tmp
- <SD-Card>/Android/####/5dacv0b9jj9lp2rj8tvxj08ej.tmp
- <SD-Card>/Android/####/5iu8obzigg7cjdcun0hcrslo5.tmp
- <SD-Card>/Android/####/5pqv8obw2bdjnxauafrltegfw.tmp
- <SD-Card>/Android/####/5t9ohggu00dirpdvie20s0b82.tmp
- <SD-Card>/Android/####/5v9v7tr014zuiqu59q5jlwnmt.tmp
- <SD-Card>/Android/####/5wg1km8sbu1jhcpwpwmnm2vgy.tmp
- <SD-Card>/Android/####/682ddxqfgirejnzrji3q08opu.tmp
- <SD-Card>/Android/####/6czq83hg0e09tn6xec9k7lz4l.tmp
- <SD-Card>/Android/####/6ppcpt129e7p8o9wtojdy6xec.tmp
- <SD-Card>/Android/####/74tuuucb6aqtzs2ym850xqj9v.tmp
- <SD-Card>/Android/####/79jmmtgh0kh5b2vh7mafhoyxy.tmp
- <SD-Card>/Android/####/7c96anlr9nv6w88tn8ocqvhn9.tmp
- <SD-Card>/Android/####/7imuu8zcrspi1rtvzx6j21x00.tmp
- <SD-Card>/Android/####/V2.7.4.1.txt
- <SD-Card>/Android/####/b.tmp
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/Android/####/lnb1lxmeayia2attaripd6a1.tmp
- <SD-Card>/baidu/####/apps
- <SD-Card>/baidu/####/lightapp_V4.db
- <SD-Card>/baidu/####/lightapp_V4.db-journal
- <SD-Card>/baidu/####/pushlappv2.db
- <SD-Card>/baidu/####/pushlappv2.db-journal
- <SD-Card>/baidu/####/pushstat_4.4.db
- <SD-Card>/baidu/####/pushstat_4.4.db-journal
- <SD-Card>/baidu/.cuid
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 777 /storage/emulated/0/Android/data/<Package>/files/Download/Android/azb/0f5e8ff3754d7af7d7a3999f86f8a79f.apk
Загружает динамические библиотеки:
- bdpush_V2_2
- bspatch
- libjiagu
- libmv3_common
- libmv3_jni
- libmv3_jni_4.0
- libmv3_mpplat
- libmv3_platform
- libmv3_playerbase
- yfnet_mongotv
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1PADDING
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- DES
- RSA-ECB-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
