Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.3394
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) com####.505####.com.####.com:80
- TCP(HTTP/1.1) i####.c####.com:80
- TCP(HTTP/1.1) dispat####.v####.q####.com:80
- TCP(HTTP/1.1) mo####.b####.com:80
- TCP(HTTP/1.1) t7z.c####.i####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) secu####.i####.com:80
- TCP(HTTP/1.1) b.scoreca####.com.####.net:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) m####.71.am:80
- TCP(HTTP/1.1) qiy####.com.edg####.net:80
- TCP(HTTP/1.1) d####.b####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) b####.s####.com.cn:80
- TCP(HTTP/1.1) m.439####.com.####.com:80
- TCP(HTTP/1.1) www.s####.net:80
- TCP(HTTP/1.1) i####.i####.com:80
- TCP(HTTP/1.1) i####.com.edg####.net:80
- TCP(TLS/1.0) mobads-####.b####.com:443
- TCP(TLS/1.0) c####.i####.com:443
- TCP(TLS/1.0) h####.b####.com.####.com:443
- TCP(TLS/1.0) secu####.i####.com:443
- TCP(TLS/1.0) hm.b####.com:443
Запросы DNS:
- 4####.i####.com
- a####.u####.com
- a.appj####.com
- a.img####.com
- b####.s####.com.cn
- b.scoreca####.com
- c####.i####.com
- c.c####.com
- com####.505####.com
- d####.505####.com
- d####.b####.com
- dispat####.v####.q####.com
- h####.b####.com
- h####.c####.com
- hm.b####.com
- i####.c####.com
- i####.i####.com
- m####.71.am
- m.439####.com
- m.i####.com
- mo####.b####.com
- mobads-####.b####.com
- msg.i####.com
- msg.v####.q####.com
- pub.m.i####.com
- s16.c####.com
- secu####.i####.com
- st####.i####.com
- t7z.c####.i####.com
- www.439####.com
- www.qiy####.com
- www.s####.net
Запросы HTTP GET:
- b####.s####.com.cn/s/blog_8cd7636a0102w5uq.html
- b.scoreca####.com.####.net/b2?c1=####&c2=####&ns__t=####&ns_c=####&cv=##...
- b.scoreca####.com.####.net/b?c1=####&c2=####&ns__t=####&ns_c=####&cv=###...
- b.scoreca####.com.####.net/beacon.js
- c.c####.com/core.php?web_id=####&show=####&t=####
- c.c####.com/stat.php?id=####&web_id=####&show=####
- com####.505####.com.####.com/0/small
- com####.505####.com.####.com/1452754049/small
- com####.505####.com.####.com/1842840682/small
- com####.505####.com.####.com/2154631436/small
- com####.505####.com.####.com/2384931755/small
- com####.505####.com.####.com/comic/1265/11265_1_js.html
- com####.505####.com.####.com/comic/1494/11494_1_js.html
- com####.505####.com.####.com/images/04.gif
- com####.505####.com.####.com/images/06.gif
- com####.505####.com.####.com/images/09.gif
- d####.b####.com/x.gif?he=[mag####&prot_ver=####&app_id=####&rnd=####&log...
- d####.b####.com/x.js?si=####&dm=####
- dispat####.v####.q####.com/common/shareplayer.html?tvId=####&vid=####&co...
- hm.b####.com/h.js?6bed68d####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&ep=####&et=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- i####.c####.com/img/pic.gif
- i####.com.edg####.net/css/201705261414/h5-outsitePlay.css
- i####.com.edg####.net/js/common/7d183edd03bc4414b315e8964fb41826.js
- i####.com.edg####.net/js/common/ares-4-1-3-5736cc10d013836c38f6.min.js?
- i####.com.edg####.net/js/html5/js/lib/lib.2.0.5.min.js?sea1.2.####
- i####.com.edg####.net/js/html5/js/page/newShareplay/688dda0a4d!app.js
- i####.com.edg####.net/js/pingback/iwt.js
- i####.com.edg####.net/js/pingback/qa.js
- i####.com.edg####.net/shareplay.html?tvId=####&vid=####&coop=####&cid=##...
- i####.i####.com/irt?_iwt_id=####&_iwt_UA=####&jsonp=####&_iwt_p1=####&_i...
- m####.71.am/b?t=####&p=####&p1=####&pf=####&block=####&rt=####&r=####&rl...
- m####.71.am/cp2.gif?p=####&rd=####&rc=####&t=####&e=####&y=####&u=####&a...
- m####.71.am/cp2.gif?p=####&t=####&oi=####&ri=####&di=####&e=####&y=####&...
- m####.71.am/cp2.gif?p=####&t=####&rc=####&rd=####&ai=####&e=####&y=####&...
- m####.71.am/cp2.gif?p=v&t=s&lc=http://m.iqiyi.com/shareplay.html?tvId=##...
- m####.71.am/jpb.gif?rdm=####&qtcurl=####&rfr=####&lrfr=####&jsuid=####&q...
- m####.71.am/jpb.gif?rdm=488705322&qtcurl=http://m.iqiyi.com/shareplay.ht...
- m####.71.am/tmpstats.gif?type=####&pf=####&p=####&p1=####&u=####&pu=####...
- m####.71.am/v5/aqy/secsdk?sdk=####&s_v=####&sys=####&s_d=####&s_e=####&s...
- m.439####.com.####.com//dh/htbbxjzzxd/list-11494-2.html?version=####&cal...
- m.439####.com.####.com//dh/xyxbzqmts/list-11265-2.html?version=####&call...
- m.439####.com.####.com//dh/xyxbzqmts/list-11265-3.html?version=####&call...
- m.439####.com.####.com/allimg/141030/6_141030095830_3.jpg
- m.439####.com.####.com/allimg/141030/6_141030101728_3.jpg
- m.439####.com.####.com/allimg/150414/32_150414155424_1.jpg
- m.439####.com.####.com/allimg/150427/32_150427111410_1.jpg
- m.439####.com.####.com/allimg/150427/32_150427111531_1.jpg
- m.439####.com.####.com/allimg/160310/15_160310150657_1.jpg
- m.439####.com.####.com/allimg/160912/32_160912172814_1.jpg
- m.439####.com.####.com/allimg/161003/31_161003113841_1.jpg
- m.439####.com.####.com/allimg/161011/32_161011151003_1.jpg
- m.439####.com.####.com/allimg/161020/32_161020171949_1.jpg
- m.439####.com.####.com/allimg/170115/29_170115102213_1.jpg
- m.439####.com.####.com/allimg/170115/29_170115102213_2.jpg
- m.439####.com.####.com/allimg/170315/32_170315095848_1.jpg
- m.439####.com.####.com/allimg/170327/32_170327104258_1.jpg
- m.439####.com.####.com/allimg/170415/41_170415122306_1.jpg
- m.439####.com.####.com/allimg/170418/29_170418173530_1.jpg
- m.439####.com.####.com/allimg/170419/32_170419150317_1.jpg
- m.439####.com.####.com/allimg/170426/41_170426164139_1.jpg
- m.439####.com.####.com/allimg/170509/42_170509103858_1.jpg
- m.439####.com.####.com/allimg/170510/42_170510104454_1.jpg
- m.439####.com.####.com/allimg/170518/41_170518094716_1.jpg
- m.439####.com.####.com/allimg/170519/41_170519140807_1.jpg
- m.439####.com.####.com/allimg/170523/42_170523142018_1.jpg
- m.439####.com.####.com/allimg/170606/42_170606095708_1.jpg
- m.439####.com.####.com/allimg/170606/42_170606100904_1.jpg
- m.439####.com.####.com/allimg/170621/42_170621142012_1.jpg
- m.439####.com.####.com/allimg/170626/41_170626125926_1.jpg
- m.439####.com.####.com/allimg/170626/42_170626151938_1.jpg
- m.439####.com.####.com/allimg/170627/42_170627143652_1.jpg
- m.439####.com.####.com/allimg/170628/29_170628102510_1.jpg
- m.439####.com.####.com/allimg/170628/6_170628142411_1.jpg
- m.439####.com.####.com/allimg/170704/41_170704140604_1.jpg
- m.439####.com.####.com/allimg/170707/41_170707155317_1.jpg
- m.439####.com.####.com/allimg/170713/41_170713114700_1.jpg
- m.439####.com.####.com/allimg/170722/28_170722110812_1.jpg
- m.439####.com.####.com/allimg/170726/41_170726100612_1.jpg
- m.439####.com.####.com/allimg/170801/41_170801092840_1.jpg
- m.439####.com.####.com/allimg/170802/41_170802103312_1.jpg
- m.439####.com.####.com/allimg/170807/42_170807152532_1.jpg
- m.439####.com.####.com/allimg/170808/42_170808093153_1.jpg
- m.439####.com.####.com/allimg/170821/42_170821155732_1.jpg
- m.439####.com.####.com/allimg/170825/41_170825173037_1.jpg
- m.439####.com.####.com/allimg/170829/41_170829143821_4.jpg
- m.439####.com.####.com/allimg/170905/41_170905152714_7.jpg
- m.439####.com.####.com/allimg/170905/42_170905143807_1.jpg
- m.439####.com.####.com/allimg/170906/41_170906135704_1.jpg
- m.439####.com.####.com/allimg/170907/41_170907181816_1.jpg
- m.439####.com.####.com/allimg/170911/42_170911164157_1.jpg
- m.439####.com.####.com/allimg/170914/41_170914095500_1.jpg
- m.439####.com.####.com/allimg/170915/41_170915095041_1.jpg
- m.439####.com.####.com/allimg/170918/41_170918135525_1.jpg
- m.439####.com.####.com/allimg/170918/41_170918140351_1.jpg
- m.439####.com.####.com/allimg/170929/42_170929152517_1.jpg
- m.439####.com.####.com/allimg/171009/28_171009105734_2.jpg
- m.439####.com.####.com/allimg/171013/41_171013144114_1.jpg
- m.439####.com.####.com/allimg/171013/42_171013154755_1.jpg
- m.439####.com.####.com/allimg/171019/32_171019092025_1.jpg
- m.439####.com.####.com/allimg/171029/29_171029110047_1.jpg
- m.439####.com.####.com/allimg/171101/42_171101160948_1.jpg
- m.439####.com.####.com/allimg/171102/42_171102173248_1.jpg
- m.439####.com.####.com/allimg/171109/42_171109163937_1.jpg
- m.439####.com.####.com/allimg/171110/42_171110143930_1.jpg
- m.439####.com.####.com/allimg/171113/42_171113150853_1.jpg
- m.439####.com.####.com/allimg/171113/42_171113152707_1.jpg
- m.439####.com.####.com/allimg/171128/41_171128115319_1.jpg
- m.439####.com.####.com/allimg/171130/41_171130100803_1.jpg
- m.439####.com.####.com/allimg/171201/28_171201160427_1.jpg
- m.439####.com.####.com/allimg/171201/29_171201095413_1.jpg
- m.439####.com.####.com/allimg/171201/41_171201173606_1.jpg
- m.439####.com.####.com/allimg/171201/42_171201163303_1.jpg
- m.439####.com.####.com/allimg/171212/29_171212093329_1.jpg
- m.439####.com.####.com/allimg/171228/28_171228104145_1.jpg
- m.439####.com.####.com/allimg/180102/29_180102092813_1.jpg
- m.439####.com.####.com/allimg/180104/32_180104143327_1.jpg
- m.439####.com.####.com/allimg/180104/42_180104142030_1.jpg
- m.439####.com.####.com/allimg/180105/42_180105115625_1.jpg
- m.439####.com.####.com/allimg/180110/29_180110091615_1.jpg
- m.439####.com.####.com/allimg/180111/29_180111092435_1.jpg
- m.439####.com.####.com/allimg/180111/32_180111111750_1.jpg
- m.439####.com.####.com/allimg/180111/41_180111141508_1.jpg
- m.439####.com.####.com/allimg/180111/41_180111142136_1.jpg
- m.439####.com.####.com/allimg/180112/29_180112181646_1.jpg
- m.439####.com.####.com/allimg/180113/29_180113101135_1.jpg
- m.439####.com.####.com/allimg/180113/29_180113103742_1.jpg
- m.439####.com.####.com/allimg/180115/28_180115111441_1.jpg
- m.439####.com.####.com/allimg/180115/32_180115102401_1.jpg
- m.439####.com.####.com/allimg/180115/32_180115103541_1.jpg
- m.439####.com.####.com/allimg/180115/41_180115180953_1.jpg
- m.439####.com.####.com/allimg/180115/42_180115143836_1.jpg
- m.439####.com.####.com/allimg/180118/41_180118113401_1.jpg
- m.439####.com.####.com/allimg/180123/29_180123093314_1.jpg
- m.439####.com.####.com/allimg/180123/32_180123174249_1.jpg
- m.439####.com.####.com/allimg/180123/41_180123182626_1.jpg
- m.439####.com.####.com/allimg/180129/32_180129153614_1.jpg
- m.439####.com.####.com/allimg/180129/32_180129155707_1.jpg
- m.439####.com.####.com/allimg/180130/32_180130154047_1.jpg
- m.439####.com.####.com/allimg/180203/41_180203104558_1.jpg
- m.439####.com.####.com/allimg/180206/29_180206093522_1.jpg
- m.439####.com.####.com/allimg/180208/32_180208103134_1.jpg
- m.439####.com.####.com/allimg/180210/29_180210103847_1.jpg
- m.439####.com.####.com/allimg/180211/29_180211161703_1.jpg
- m.439####.com.####.com/allimg/180211/29_180211161703_2.jpg
- m.439####.com.####.com/allimg/180223/32_180223113414_1.jpg
- m.439####.com.####.com/allimg/180223/32_180223135914_1.jpg
- m.439####.com.####.com/allimg/180226/32_180226100208_1.jpg
- m.439####.com.####.com/allimg/180226/41_180226095051_1.jpg
- m.439####.com.####.com/allimg/180227/32_180227100104_1.jpg
- m.439####.com.####.com/allimg/180228/32_180228100507_1.jpg
- m.439####.com.####.com/allimg/180228/32_180228103521_1.jpg
- m.439####.com.####.com/allimg/180228/41_180228111503_1.jpg
- m.439####.com.####.com/allimg/180301/41_180301170231_1.jpg
- m.439####.com.####.com/allimg/180307/42_180307093329_1.jpg
- m.439####.com.####.com/allimg/180309/29_180309095129_1.jpg
- m.439####.com.####.com/allimg/180316/29_180316171107_1.jpg
- m.439####.com.####.com/allimg/180316/42_180316173850_1.jpg
- m.439####.com.####.com/allimg/180316/42_180316174047_1.jpg
- m.439####.com.####.com/allimg/180317/29_180317101536_1.jpg
- m.439####.com.####.com/category/guochan/
- m.439####.com.####.com/cookies/setdmcookies.php?title=####&url=####&time...
- m.439####.com.####.com/css/wap/commons/m.comment.css
- m.439####.com.####.com/css/wap/wapdonghua/v2/style.css?v=####
- m.439####.com.####.com/donghua/
- m.439####.com.####.com/donghua/preview/
- m.439####.com.####.com/images/wap/wapdonghua/v2/ico-down.png?v=####
- m.439####.com.####.com/images/wap/wapdonghua/v2/icon.png
- m.439####.com.####.com/images/wap/wapdonghua/v2/share.png
- m.439####.com.####.com/js/dmcount.js
- m.439####.com.####.com/js/iqiyi/stat.js
- m.439####.com.####.com/js/wap/commons/baiduTemplate.js
- m.439####.com.####.com/js/wap/commons/m.comment.js
- m.439####.com.####.com/js/wap/commons/zepto.min.js?v=####
- m.439####.com.####.com/js/wap/wapdonghua/v1/m.dialog.js
- m.439####.com.####.com/js/wap/wapdonghua/v1/m.slidePager.js
- m.439####.com.####.com/js/wap/wapdonghua/v2/hammer.js
- m.439####.com.####.com/js/wap/wapdonghua/v2/iscroll.js
- m.439####.com.####.com/js/wap/wapdonghua/v2/m.slide.js
- m.439####.com.####.com/js/wap/wapdonghua/v3/mpage.js?v=####
- m.439####.com.####.com/js/wap/wapdonghua/v3/navigation.js?v=####
- m.439####.com.####.com/mobile/htbbxjzzxd/play.html
- m.439####.com.####.com/mobile/xyxbzqmts/play.html
- mo####.b####.com/ads/ads.appcache
- mo####.b####.com/ads/css/min/main.css
- mo####.b####.com/ads/index.htm
- mo####.b####.com/ads/js/ads.trunk.js
- mo####.b####.com/ads/js/c.js
- mo####.b####.com/ads/pa/__pasys.apk
- mo####.b####.com/ads/pa/__pasys.php
- mo####.b####.com/ads/pa/__pasys_remote_banner.jar
- mo####.b####.com/ads/pa/__pasys_remote_banner.php?v=####&tp=####&os=####...
- mo####.b####.com/cpro/ui/mads.php?code2=####
- mo####.b####.com/cpro/ui/mads.php?code2=####&b1510835494976=####
- mo####.b####.com/cpro/ui/mads.php?code2=####&b1510835525311=####
- qiy####.com.edg####.net/common/fix/h5-outsitePlay/logo110-36.png
- qiy####.com.edg####.net/common/fix/h5-outsitePlay/logo350-118.png
- qiy####.com.edg####.net/common/fix/h5-outsitePlay/outsitePlay-bg.png
- qiy####.com.edg####.net/common/fix/h5-v3/logoH5-play.png
- secu####.i####.com/jp/h5/videos/932248900?select=####&callback=####
- secu####.i####.com/jp/h5/videos/959660400?select=####&callback=####
- secu####.i####.com/static/cook/v1/cooksdk.js
- t7z.c####.i####.com/show2?e=####&h=####&a=####&u=####&p=####&s=####&_=##...
- t7z.c####.i####.com/track2?w=####&dts=####&nr=####&c=####&f=####&g=####&...
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
Запросы HTTP POST:
- a####.u####.com/app_logs
- a.appj####.com/ad-service/ad/mark
- www.s####.net/Mini/niouy.action?key=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_database/####/http_4399.iqiyi.com_0.locals...ournal
- <Package Folder>/app_database/####/http_m.4399dmw.com_0.localst...ournal
- <Package Folder>/app_database/####/http_m.iqiyi.com_0.localstorage-journal
- <Package Folder>/app_database/####/http_mobads.baidu.com_0.loca...leted)
- <Package Folder>/app_database/####/http_mobads.baidu.com_0.loca...ournal
- <Package Folder>/app_database/ApplicationCache.db-journal
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/index
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/.imprint
- <Package Folder>/files/__pasys.apk.beforesign.tm
- <Package Folder>/files/__pasys_remote_banner.jar.beforesign.tm
- <Package Folder>/files/__pasys_remote_banner.tmp.jar
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/WebViewSettings.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- libjiagu
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
