Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.84.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) log.mm####.com:80
- TCP(HTTP/1.1) g.al####.com:80
- TCP(HTTP/1.1) 1####.205.135.204:80
- TCP(HTTP/1.1) www.fan####.com:80
- TCP(HTTP/1.1) 1####.205.220.99:80
- TCP(HTTP/1.1) zhg.ali####.com:80
- TCP(HTTP/1.1) 1####.205.143.143:80
- TCP(HTTP/1.1) st####.fan####.com.####.com:80
- TCP(HTTP/1.1) wb.110.ta####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) err.ta####.com:80
- TCP(HTTP/1.1) sh.wagbr####.ta####.com:80
- TCP(HTTP/1.1) pco####.ta####.com:80
- TCP(HTTP/1.1) gt####.al####.com:80
- TCP(HTTP/1.1) a####.m.ta####.com:80
- TCP(HTTP/1.1) wild####.al####.com.####.net:80
- TCP(TLS/1.0) log.mm####.com:443
- TCP(TLS/1.0) wild####.al####.com.####.net:443
Запросы DNS:
- a####.m.ta####.com
- a####.u####.com
- a.t####.cn
- err.ta####.com
- g.al####.com
- gt####.al####.com
- img.al####.com
- l####.m.ta####.com
- log.mm####.com
- mt####.go####.com
- pco####.ta####.com
- st####.fan####.com
- wb.110.ta####.com
- www.fan####.com
- y####.al####.com
Запросы HTTP GET:
- a####.m.ta####.com/rest/abtest?logid=####&ak=####&av=####&c=####&v=####&...
- err.ta####.com/error1.html
- g.al####.com/cm/havana-bridge/0.1.5/index.css
- g.al####.com/cm/havana-bridge/0.1.5/index.js
- g.al####.com/cm/havana-bridge/0.1.5/zepto.js
- g.al####.com/cm/havana-bridge/0.1.8/havanabridge.js
- g.al####.com/s/aplus_wap.js
- g.al####.com/secdev/entry/index.js
- g.al####.com/secdev/sufei_data/3.3.3/index.js
- gt####.al####.com/tps/i3/TB1HgYqFVXXXXayXpXXMqSxTXXX-200-800.png
- log.mm####.com/m.gif?logtype=1&title=%u767B %u5F55&cache=281d3f2&scr=800...
- pco####.ta####.com/app.gif?&cna=####
- sh.wagbr####.ta####.com/h0.1337560259271413
- sh.wagbr####.ta####.com/h0.1693258942104876
- sh.wagbr####.ta####.com/h0.6918942925985903
- sh.wagbr####.ta####.com/h0.7356369907502085
- sh.wagbr####.ta####.com/h0.7988773775286973
- sh.wagbr####.ta####.com/oauth_native.htm?appKey=####&ttid=####
- st####.fan####.com.####.com/images/app/event/home_task_66x66.png?v=####
- st####.fan####.com.####.com/images/app/event/invite_71x71.png?v=####
- st####.fan####.com.####.com/images/app/event/taojinbi_140x140.png?v=####
- st####.fan####.com.####.com/images/app/resource/icon_1.png?v=####
- st####.fan####.com.####.com/images/app/resource/icon_2.png?v=####
- st####.fan####.com.####.com/images/app/resource/icon_4.png?v=####
- st####.fan####.com.####.com/images/app/resource/icon_5.png?v=####
- st####.fan####.com.####.com/images/app/resource/icon_6.png?v=####
- st####.fan####.com.####.com/images/upload/byby_temai_banner_201801171444...
- st####.fan####.com.####.com/images/upload/byby_temai_banner_201801171920...
- st####.fan####.com.####.com/images/upload/byby_temai_banner_201801172143...
- st####.fan####.com.####.com/images/upload/byby_temai_banner_201801191615...
- wild####.al####.com.####.net/imgextra/i1/3518866829/TB2Ql0ua49YBuNjy0FfX...
- wild####.al####.com.####.net/imgextra/i3/2911755693/TB2fe8RceuSBuNjSsplX...
- www.fan####.com/images/app/event/search_reward_71x71.png?v=####
- zhg.ali####.com/m/um.htm?c={"ser####
Запросы HTTP POST:
- a####.m.ta####.com/rest/gc?dd=####&nsgs=####&ak=####&av=####&c=####&v=##...
- a####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=####&...
- a####.u####.com/app_logs
- wb.110.ta####.com/api/update.do
- www.fan####.com/?ct=####&ac=####
- zhg.ali####.com/saveWb.json
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_alisdk_plugin_list/1510835190772.pluginlist
- <Package Folder>/app_cache/ApplicationCache.db-journal
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/index
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/xm4399CB.db-journal
- <Package Folder>/files/.imprint
- <Package Folder>/files/.jiagu.ls
- <Package Folder>/files/0a231bd8575dcf72.txt
- <Package Folder>/files/1d77ea041509fe06.lock
- <Package Folder>/files/49814c4f5ac2f2f9.lock
- <Package Folder>/files/libjiagu.so
- <Package Folder>/files/libsecuritysdkx-3.1.27.so.tmp
- <Package Folder>/files/mobclick_agent_cached_<Package>18
- <Package Folder>/files/sp.lock
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/ALIBABA_SDK_DYNAMIC_CONFIG.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/SGMANAGER_DATA.xml
- <Package Folder>/shared_prefs/UTCommon.xml
- <Package Folder>/shared_prefs/UTMCConf-1426728695.xml
- <Package Folder>/shared_prefs/UTMCConf-314808628.xml
- <Package Folder>/shared_prefs/UTMCLog-1426728695.xml
- <Package Folder>/shared_prefs/UTMCLog-314808628.xml
- <Package Folder>/shared_prefs/imei.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/onesdk_device.xml
- <Package Folder>/shared_prefs/onesdk_hotpatch.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.com.taobao.dp/6c709c11d2d46a7b
- <SD-Card>/.com.taobao.dp/dd7893586a493dc3
- <SD-Card>/.com.taobao.dp/hid.dat
- <SD-Card>/<Package>/asdklog_a
- <SD-Card>/<Package>/asdklog_s
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/176a5jg4y6a6nmhr0ky2j9hqj.tmp
- <SD-Card>/Android/####/1kuvizqr24x63yp390bfun1j.tmp
- <SD-Card>/Android/####/1ww0bj7drn9acyd1szy928lh8.tmp
- <SD-Card>/Android/####/2gg6szca8hv3l1vd4xt6uu180.tmp
- <SD-Card>/Android/####/3rlkb25nu6z44b8nec7cs4b65.tmp
- <SD-Card>/Android/####/450tmdghqqdg7e4gnd7bu74rj.tmp
- <SD-Card>/Android/####/4hft1lu8dyzgbjft230hljypj.tmp
- <SD-Card>/Android/####/5kon6selrzwktvpmbbraycuck.tmp
- <SD-Card>/Android/####/5us7w4enqqx1fmi4rogjl38b4.tmp
- <SD-Card>/Android/####/61ak27xv5el041aeh7r1l151c.tmp
- <SD-Card>/Android/####/64qricd9xct18n2v13eufk212.tmp
- <SD-Card>/Android/####/740wdty9vtnavel5kovdjvlmn.tmp
- <SD-Card>/Android/####/9z25dudh5yv635yib7xthf27.tmp
- <SD-Card>/Android/####/iqhlfq28g2m8xpegctzfbxc1.tmp
- <SD-Card>/Android/####/ro6kebjmdx88s5k62diou3el.tmp
- <SD-Card>/Android/####/stmulwe77avuyvyhk105221j.tmp
Другие:
Запускает следующие shell-скрипты:
- cat /proc/cpuinfo | grep Serial
- getprop ro.product.cpu.abi
- ls -l /system/xbin/su
Загружает динамические библиотеки:
- libjiagu
- securitysdk-3.1
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
