Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.248.origin
- Android.Triada.309
- Android.Triada.373.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) l.ace####.com:80
- TCP(HTTP/1.1) cl.mo####.u####.com:80
- TCP(HTTP/1.1) cf.gdata####.net:80
- TCP(HTTP/1.1) 1####.196.40.71:9600
- TCP(HTTP/1.1) 1####.196.40.71:9500
Запросы DNS:
- a####.u####.com
- cf.gdata####.net
- cl.mo####.u####.com
- img.ace####.com
- l.ace####.com
- rd.gdata####.net
Запросы HTTP POST:
- a####.u####.com/app_logs
- cf.gdata####.net/config/update
- cf.gdata####.net/dc/sync_adr
- cl.mo####.u####.com/show.aspx?Key=####
- l.ace####.com/ando/v2/ap?app_id=####&r=####
- l.ace####.com/ando/v2/lv?app_id=####&r=####
- l.ace####.com/ando/v2/qa?app_id=####&r=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/code-1332540/d6MKH1EMfV8e-Yaj
- <Package Folder>/databases/N_NqI7Nk9pzo2mILpPZRhBJMKiFZdPXS_-mH...TQEQ==
- <Package Folder>/databases/N_NqI7Nk9pzo2mILpPZRhBJMKiFZdPXS_-mH...ournal
- <Package Folder>/databases/N_NqI7Nk9pzo2mILpPZRhBJMKiFZdPXS_AlX...ournal
- <Package Folder>/databases/N_NqI7Nk9pzo2mILpPZRhBJMKiFZdPXS_GyD...ZPAA==
- <Package Folder>/databases/N_NqI7Nk9pzo2mILpPZRhBJMKiFZdPXS_GyD...ournal
- <Package Folder>/databases/N_NqI7Nk9pzo2mILpPZRhBJMKiFZdPXS_S1k...mUCiQ=
- <Package Folder>/databases/N_NqI7Nk9pzo2mILpPZRhBJMKiFZdPXS_S1k...ournal
- <Package Folder>/databases/N_NqI7Nk9pzo2mILpPZRhBJMKiFZdPXS_szR...UbjJMZ
- <Package Folder>/databases/N_NqI7Nk9pzo2mILpPZRhBJMKiFZdPXS_szR...ournal
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/dataeye_database_06E1A41177A63932F72...F96.db
- <Package Folder>/databases/dataeye_database_06E1A41177A63932F72...ournal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/vi_db_pay-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/1.png
- <Package Folder>/files/####/11.png
- <Package Folder>/files/####/14rX9ubvEM-I-rEy0Ha77YJBXw7TG-7k.new
- <Package Folder>/files/####/2.png
- <Package Folder>/files/####/20.1.png
- <Package Folder>/files/####/2sQNkYvgxVe4G0z__Q2gxIKKNNOqTrtoLgp...I=.new
- <Package Folder>/files/####/3.png
- <Package Folder>/files/####/67f5xe2kCXhy8cCUavYztv_oVpo=
- <Package Folder>/files/####/67f5xe2kCXhy8cCUavYztv_oVpo=.new
- <Package Folder>/files/####/7Ub4H-i667ysZoFCngpjJ4APBEg=.new
- <Package Folder>/files/####/BChx9C_P0hXxCTp5.zip
- <Package Folder>/files/####/DRwSDalnTthGzoom1KFAxYNSEK8=.new
- <Package Folder>/files/####/EX_hui.plist
- <Package Folder>/files/####/EX_hui.png
- <Package Folder>/files/####/EX_huojiantong.plist
- <Package Folder>/files/####/EX_huojiantong.png
- <Package Folder>/files/####/EX_konglong.plist
- <Package Folder>/files/####/EX_konglong.png
- <Package Folder>/files/####/EX_normal.plist
- <Package Folder>/files/####/EX_normal.png
- <Package Folder>/files/####/EX_paopao.plist
- <Package Folder>/files/####/EX_paopao.png
- <Package Folder>/files/####/EX_shuiqiang.plist
- <Package Folder>/files/####/EX_shuiqiang.png
- <Package Folder>/files/####/F4e05YdtzkVRlhiR2B9CQo2hAGk=
- <Package Folder>/files/####/G6mCgk-Pj24A61_HtTNnC4NKe0rtEnCTqPYWEA==.new
- <Package Folder>/files/####/GHPwbefFuNDD1BAljScnuDSd7-qqkc1S.new
- <Package Folder>/files/####/HFFpE-8DDtu59JsoVodf3o-eIBs=.new
- <Package Folder>/files/####/HIICr_g_D6hNSym8VF7o_XCFvanzOfnge0h...M=.new
- <Package Folder>/files/####/LRyHLHlngnWwB5k2Joy2Hw==.new
- <Package Folder>/files/####/L_yCm49SAWTGE0qnLg7n2NTAQ4SNnykE.new
- <Package Folder>/files/####/M0WcLvA_G6knNQap30x65pPwSil59gK8.new
- <Package Folder>/files/####/RXqjO2OdFxqedEvfr_4xTA==.new
- <Package Folder>/files/####/UIButton.plist
- <Package Folder>/files/####/UIButton.png
- <Package Folder>/files/####/V3p_9VOKsgLZyKA1nkPLHw==
- <Package Folder>/files/####/VQesF03KR6xr793i.new
- <Package Folder>/files/####/ZJWe2u3JC78OzEXPuVMJQXLT1if3O3Ip.new
- <Package Folder>/files/####/anniu.png
- <Package Folder>/files/####/arrows.png
- <Package Folder>/files/####/attributeFont.png
- <Package Folder>/files/####/baishu.csb
- <Package Folder>/files/####/banma.csb
- <Package Folder>/files/####/bgm.mp3
- <Package Folder>/files/####/bloodBar.csb
- <Package Folder>/files/####/bloodFont.png
- <Package Folder>/files/####/bombFly.csb
- <Package Folder>/files/####/bulletPlist.plist
- <Package Folder>/files/####/bulletPlist.png
- <Package Folder>/files/####/cg.png
- <Package Folder>/files/####/cha.png
- <Package Folder>/files/####/cha_w.png
- <Package Folder>/files/####/changjinglu.csb
- <Package Folder>/files/####/chapter.xml
- <Package Folder>/files/####/chapter2.xml
- <Package Folder>/files/####/chapter3.xml
- <Package Folder>/files/####/chapterFont_close.png
- <Package Folder>/files/####/chapterFont_open.png
- <Package Folder>/files/####/chapterPopNode.csb
- <Package Folder>/files/####/chapter_mainNode.csb
- <Package Folder>/files/####/charactar.plist
- <Package Folder>/files/####/charactar.png
- <Package Folder>/files/####/charactar.xml
- <Package Folder>/files/####/cheng.png
- <Package Folder>/files/####/click.mp3
- <Package Folder>/files/####/close.png
- <Package Folder>/files/####/countFont.png
- <Package Folder>/files/####/cxks.png
- <Package Folder>/files/####/d.png
- <Package Folder>/files/####/dada.plist
- <Package Folder>/files/####/dada.png
- <Package Folder>/files/####/daodan-0.png
- <Package Folder>/files/####/daxiang.csb
- <Package Folder>/files/####/death.mp3
- <Package Folder>/files/####/defeat.csb
- <Package Folder>/files/####/defeat.mp3
- <Package Folder>/files/####/di.png
- <Package Folder>/files/####/double_bg.png
- <Package Folder>/files/####/dropGun.plist
- <Package Folder>/files/####/dropGun.png
- <Package Folder>/files/####/dropKnife.plist
- <Package Folder>/files/####/dropKnife.png
- <Package Folder>/files/####/enemyDeath.mp3
- <Package Folder>/files/####/enemyTip.png
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/facade.plist
- <Package Folder>/files/####/facade.png
- <Package Folder>/files/####/fanhui.png
- <Package Folder>/files/####/ffh.png
- <Package Folder>/files/####/fhgk.png
- <Package Folder>/files/####/fightBgm.mp3
- <Package Folder>/files/####/firework.plist
- <Package Folder>/files/####/firework.png
- <Package Folder>/files/####/gameBegin.csb
- <Package Folder>/files/####/gbvaa_f.zip
- <Package Folder>/files/####/gdMh5ucH_KFYJ0B5
- <Package Folder>/files/####/getHurt.mp3
- <Package Folder>/files/####/getWeapon.csb
- <Package Folder>/files/####/gm.png
- <Package Folder>/files/####/goChapter.png
- <Package Folder>/files/####/gou.csb
- <Package Folder>/files/####/grey.png
- <Package Folder>/files/####/guai.png
- <Package Folder>/files/####/guang.png
- <Package Folder>/files/####/guanka.png
- <Package Folder>/files/####/guanka1-1.png
- <Package Folder>/files/####/guanka1.png
- <Package Folder>/files/####/guankajiemian (2).png
- <Package Folder>/files/####/guankajiemian.png
- <Package Folder>/files/####/gunBtn.png
- <Package Folder>/files/####/gunHit.mp3
- <Package Folder>/files/####/guns.plist
- <Package Folder>/files/####/guns.png
- <Package Folder>/files/####/gunsFrame.plist
- <Package Folder>/files/####/gunsFrame.png
- <Package Folder>/files/####/guns_feibiao.mp3
- <Package Folder>/files/####/guns_huoqiu.mp3
- <Package Folder>/files/####/guns_jiguang.mp3
- <Package Folder>/files/####/guns_shuiqiang.mp3
- <Package Folder>/files/####/haidao.csb
- <Package Folder>/files/####/headShot.plist
- <Package Folder>/files/####/headShot.png
- <Package Folder>/files/####/hit.mp3
- <Package Folder>/files/####/hzii2.png
- <Package Folder>/files/####/iBj7sOd5u_qS1yJ4p_Ovmg==.new
- <Package Folder>/files/####/iUQp7btyWma1RyOrJms9wzi9EUxzvPOAkRirdw==.new
- <Package Folder>/files/####/idfFd7E6F3X058nQQrocXw==
- <Package Folder>/files/####/jb.png
- <Package Folder>/files/####/jia.png
- <Package Folder>/files/####/jiguangqiang-1.png
- <Package Folder>/files/####/jt.png
- <Package Folder>/files/####/jumpBtn.png
- <Package Folder>/files/####/jxyx.png
- <Package Folder>/files/####/k1.png
- <Package Folder>/files/####/k2.png
- <Package Folder>/files/####/knife.plist
- <Package Folder>/files/####/knife.png
- <Package Folder>/files/####/knifeBtn.png
- <Package Folder>/files/####/knifeFrame.plist
- <Package Folder>/files/####/knifeFrame.png
- <Package Folder>/files/####/knifeHit.mp3
- <Package Folder>/files/####/knifeHit.plist
- <Package Folder>/files/####/knifeHit.png
- <Package Folder>/files/####/knifeLight_blue.png
- <Package Folder>/files/####/knifeLight_purple.png
- <Package Folder>/files/####/knifeLight_yellow.png
- <Package Folder>/files/####/knife_fazhang.mp3
- <Package Folder>/files/####/knife_jiguang.mp3
- <Package Folder>/files/####/kuang.png
- <Package Folder>/files/####/leadBtn.png
- <Package Folder>/files/####/leader.plist
- <Package Folder>/files/####/leader.png
- <Package Folder>/files/####/leaderNode.csb
- <Package Folder>/files/####/leavePopNode.csb
- <Package Folder>/files/####/lingbao.plist
- <Package Folder>/files/####/lingbao.png
- <Package Folder>/files/####/logo.png
- <Package Folder>/files/####/lq.png
- <Package Folder>/files/####/lukasi.plist
- <Package Folder>/files/####/lukasi.png
- <Package Folder>/files/####/mao.csb
- <Package Folder>/files/####/maozi_1.png
- <Package Folder>/files/####/maozi_2.png
- <Package Folder>/files/####/meat.png
- <Package Folder>/files/####/meatNum.png
- <Package Folder>/files/####/meatPop.csb
- <Package Folder>/files/####/meatPop2.csb
- <Package Folder>/files/####/moshuji-1.png
- <Package Folder>/files/####/n9ZqSDdjhvSWWoO2eLRWuoKT-myRadTM.new
- <Package Folder>/files/####/niaodan-1.png
- <Package Folder>/files/####/noMeat.png
- <Package Folder>/files/####/number.plist
- <Package Folder>/files/####/number.png
- <Package Folder>/files/####/pLaQs1vzusUwdV3grHoEamiB0-w=.new
- <Package Folder>/files/####/paopaoExplode.mp3
- <Package Folder>/files/####/petBoard.plist
- <Package Folder>/files/####/petBoard.png
- <Package Folder>/files/####/pop_chapter.csb
- <Package Folder>/files/####/poswrUp1.png
- <Package Folder>/files/####/powerUp.csb
- <Package Folder>/files/####/qd.png
- <Package Folder>/files/####/qkQeMhgkTlR0LTKtocegJmq1QvIuXygPth8...U=.new
- <Package Folder>/files/####/raUCHECkOoJsT-8aCYvRPnbABB7lGr7t.new
- <Package Folder>/files/####/rankFont.png
- <Package Folder>/files/####/reborn.plist
- <Package Folder>/files/####/reborn.png
- <Package Folder>/files/####/rebornBtn.png
- <Package Folder>/files/####/ren.plist
- <Package Folder>/files/####/ren.png
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sHLeeycZ-qvPXKrLDXYkDLD1CJhgqtRN8eXIVw==.new
- <Package Folder>/files/####/sTVikz11BNKT7Nam4PuGJ69waFs=.new
- <Package Folder>/files/####/sb.png
- <Package Folder>/files/####/scene1.plist
- <Package Folder>/files/####/scene1.png
- <Package Folder>/files/####/scene2.plist
- <Package Folder>/files/####/scene2.png
- <Package Folder>/files/####/scene3.plist
- <Package Folder>/files/####/scene3.png
- <Package Folder>/files/####/secondPopNode.csb
- <Package Folder>/files/####/shayuqiang-1.png
- <Package Folder>/files/####/siN9kg2PzA2YhZomMoFC_S3aLrGwoQ9U.new
- <Package Folder>/files/####/sj.png
- <Package Folder>/files/####/star.plist
- <Package Folder>/files/####/star.png
- <Package Folder>/files/####/stop.png
- <Package Folder>/files/####/stopPopNode.csb
- <Package Folder>/files/####/tfoEGMIdJzCRaOtck0KV4rDX_6HKfNdM.new
- <Package Folder>/files/####/tip_10.png
- <Package Folder>/files/####/tip_20.png
- <Package Folder>/files/####/tip_28.png
- <Package Folder>/files/####/tip_30.png
- <Package Folder>/files/####/tip_40.png
- <Package Folder>/files/####/tips_second_20.png
- <Package Folder>/files/####/tishengbtn.png
- <Package Folder>/files/####/toolsRoom.plist
- <Package Folder>/files/####/toolsRoom.png
- <Package Folder>/files/####/tuzi.csb
- <Package Folder>/files/####/uZvUPVr4niBPDm5SpiAdxEWD8oF2lngd45X...s=.new
- <Package Folder>/files/####/weaponBoard.plist
- <Package Folder>/files/####/weaponBoard.png
- <Package Folder>/files/####/weaponSellNode.csb
- <Package Folder>/files/####/weapons.xml
- <Package Folder>/files/####/win.csb
- <Package Folder>/files/####/win.mp3
- <Package Folder>/files/####/xue1.png
- <Package Folder>/files/####/xue2.png
- <Package Folder>/files/####/xue3.png
- <Package Folder>/files/####/xue5.png
- <Package Folder>/files/####/xyg.png
- <Package Folder>/files/####/xyg1.png
- <Package Folder>/files/####/zc.png
- <Package Folder>/files/####/zd.png
- <Package Folder>/files/####/zhi.png
- <Package Folder>/files/####/zi(1).png
- <Package Folder>/files/####/zi.png
- <Package Folder>/files/####/zj.csb
- <Package Folder>/files/####/zj_attack.csb
- <Package Folder>/files/.imprint
- <Package Folder>/files/exid.dat
- <Package Folder>/files/paylib.jar
- <Package Folder>/files/rdata_comiuxvfwez.new
- <Package Folder>/files/temp.zip
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/Cocos2dxPrefsFile.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/SP_REPLACE_CLASSLOADER_CLASS_NAME.xml
- <Package Folder>/shared_prefs/dc.06E1A41177A63932F724DB5882BD4F...es.xml
- <Package Folder>/shared_prefs/qihoo_jiagu_crash_report.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/unknown.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.SystemService/####/2D7F07BB6125DEB407E92A22DC4AC550
- <SD-Card>/.SystemService/####/uid
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.system_temp/.cfg
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh
- <Package Folder>/code-1332540/d6MKH1EMfV8e-Yaj -p <Package> -c com.iuxv.fwez.afvkaq.pv.pv.qf.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- cat /sys/block/mmcblk0/device/cid
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- ls -l /sbin/su
- ls -l /system/bin/su
- ls -l /system/sbin/su
- ls -l /system/xbin/su
- ls -l /vendor/bin/su
Загружает динамические библиотеки:
- MyGame
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- DES-ECB-NoPadding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- DES-ECB-NoPadding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
Осуществляет доступ к информации об отправленых/принятых смс.
