Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Plague.1.origin
- Android.MulDrop.1026
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) me####.effecti####.net:80
- TCP(HTTP/1.1) log.apk.v-####.mobi:80
- TCP(HTTP/1.1) pozif####.p####.com:80
- TCP(HTTP/1.1) i4.y####.com:80
- TCP(HTTP/1.1) www.you####.com:80
- TCP(HTTP/1.1) m####.ad####.org:80
- TCP(HTTP/1.1) adma####.u####.u####.com:80
- TCP(HTTP/1.1) x####.apk.v-####.mobi:80
- TCP(HTTP/1.1) sb.scoreca####.com.####.net:80
- TCP(HTTP/1.1) sta####.d####.net:80
- TCP(HTTP/1.1) adadv####.net:80
- TCP(HTTP/1.1) aa.a####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) video####.mobi:80
- TCP(HTTP/1.1) www.dailymo####.com:80
- TCP(HTTP/1.1) dm####.dailymo####.com:80
- TCP(HTTP/1.1) b.scoreca####.com.####.net:80
- TCP(HTTP/1.1) api.apk.v-####.mobi:80
- TCP(HTTP/1.1) gj.ap####.uc.cn:80
- TCP(HTTP/1.1) js.a####.com:80
- TCP(HTTP/1.1) d####.a####.com:80
- TCP(HTTP/1.1) p####.mat####.com.####.net:80
- TCP(HTTP/1.1) dailymo####.com:80
- TCP(SSL/3.0) s####.tubem####.com:443
- TCP(TLS/1.0) l2.visible####.com:443
- TCP(TLS/1.0) a####.tribalf####.com.####.net:443
- TCP(TLS/1.0) g####.insta####.com:443
- TCP(TLS/1.0) gra####.api.dailymo####.com:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) r16---s####.googlev####.com:443
- TCP(TLS/1.0) m.face####.com:443
- TCP(TLS/1.0) www.go####.nl:443
- TCP(TLS/1.0) dsp.adf####.adi####.com:443
- TCP(TLS/1.0) log-####.a####.tv:443
- TCP(TLS/1.0) s####.mat####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) face####.com:443
- TCP(TLS/1.0) d5p.d####.com:443
- TCP(TLS/1.0) stickya####.com.edg####.net:443
- TCP(TLS/1.0) s####.g.doublec####.net:443
- TCP(TLS/1.0) s####.tubem####.com:443
- TCP(TLS/1.0) gu.dy####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) i4.y####.com:443
- TCP(TLS/1.0) f####.net:443
- TCP(TLS/1.0) 168lo####.com:443
- TCP(TLS/1.0) cm.g.doublec####.net:443
- TCP(TLS/1.0) m####.p####.b####.io:443
- TCP(TLS/1.0) s####.ado####.com:443
- TCP(TLS/1.0) public-####.dm####.com:443
- TCP(TLS/1.0) a####.google####.com:443
- TCP(TLS/1.0) w####.dm.gg:443
- TCP(TLS/1.0) dmx.s####.y####.com:443
- TCP(TLS/1.0) m####.ad####.org:443
- TCP(TLS/1.0) st####.xx.f####.net:443
- TCP(TLS/1.0) p####.ybp.y####.com:443
- TCP(TLS/1.0) stat####.face####.com:443
- TCP(TLS/1.0) s####.search####.spotxch####.####.net:443
- TCP(TLS/1.0) s####.tid####.com:443
- TCP(TLS/1.0) g.geo####.com:443
- TCP(TLS/1.0) dm####.dailymo####.com:443
- TCP(TLS/1.0) www.insta####.com:443
- TCP(TLS/1.0) s####.ipredic####.com:443
- TCP(TLS/1.0) sta####.d####.net:443
Запросы DNS:
- 168lo####.com
- a####.google####.com
- a.appj####.com
- a.tribalf####.com
- aa.a####.com
- adadv####.net
- adma####.u####.u####.com
- ads.stickya####.com
- an.ite####.com
- an1.ite####.com
- an2.ite####.com
- api.apk.v-####.mobi
- api.d####.net
- b.scoreca####.com
- cm.g.doublec####.net
- con####.face####.net
- d.a####.com
- d5p.d####.com
- dailymo####.com
- dm####.dailymo####.com
- dmx.s####.y####.com
- dsp.adf####.adi####.com
- f####.com
- f####.net
- face####.com
- g####.insta####.com
- gj.ap####.uc.cn
- gra####.api.dailymo####.com
- gu.dy####.com
- i4.y####.com
- ib.a####.com
- js.a####.com
- l2.visible####.com
- log.apk.v-####.mobi
- m####.ad####.org
- m####.p####.b####.io
- m.face####.com
- me####.effecti####.net
- mt####.go####.com
- p####.mat####.com
- p####.ybp.y####.com
- pozif####.p####.com
- public-####.dm####.com
- r16---s####.googlev####.com
- recom####.apk.v-####.mobi
- s####.ad####.adverti####.com
- s####.ado####.com
- s####.g.doublec####.net
- s####.ipredic####.com
- s####.mat####.com
- s####.se####.spotxch####.com
- s####.tid####.com
- s.effecti####.net
- s1####.d####.net
- s2####.d####.net
- sb.scoreca####.com
- st####.xx.f####.net
- sta####.d####.net
- stat####.face####.com
- syn####.everest####.net
- v####.apk.v-####.mobi
- v####.apk.vid####.net
- video####.mobi
- w####.dm.gg
- www.dailymo####.com
- www.face####.com
- www.go####.com
- www.go####.nl
- www.google-####.com
- www.googlet####.com
- www.gst####.com
- www.insta####.com
- www.you####.com
- x####.apk.v-####.mobi
Запросы HTTP GET:
- aa.a####.com/adscores/g.pixel?sid=####
- aa.a####.com/adscores/g.pixel?sid=####&mt=####
- aa.a####.com/adscores/g.pixel?sid=####&tdid=####&&bounced=####
- adadv####.net/adscores/g.pixel?sid=####&tdid=####
- api.apk.v-####.mobi/images/icon3/dailymotion-2.png
- api.apk.v-####.mobi/images/icon3/dailytube-2.png
- api.apk.v-####.mobi/images/icon3/facebook-2.png
- api.apk.v-####.mobi/images/icon3/freeappstore-2.png
- api.apk.v-####.mobi/images/icon3/instagram-2.png
- api.apk.v-####.mobi/images/icon3/mobango-2.png
- api.apk.v-####.mobi/images/icon3/mp3jugaad-2.png
- api.apk.v-####.mobi/images/icon3/mrvideo-2.png
- api.apk.v-####.mobi/images/icon3/whatsappdaily-2.png
- api.apk.v-####.mobi/images/icon3/youtube-2.png
- b.scoreca####.com.####.net/b2?c1=####&c2=####&c3=####&c4=####&c5=####&c6...
- b.scoreca####.com.####.net/b?c1=####&c2=####&c3=####&c4=####&c5=####&c6=...
- d####.a####.com/iframe/8613/?che=####&c=####
- d####.a####.com/pixel/2610/?sk=####&pd=####&puid=####&ex=####&exc=####&a...
- dm####.dailymo####.com/cdn/manifest/video/xafxzoc.m3u8?auth=####&bs=####
- i4.y####.com/vi/1lPvUKtHBJA/mqdefault.jpg
- i4.y####.com/vi/1wXNKCHwZSM/hqdefault.jpg
- i4.y####.com/vi/5GRyr0noXrw/mqdefault.jpg
- i4.y####.com/vi/5sEaYB4rLFQ/mqdefault.jpg
- i4.y####.com/vi/E4wm4sGaEW4/mqdefault.jpg
- i4.y####.com/vi/FFsp5b4AUTE/mqdefault.jpg
- i4.y####.com/vi/FhwktRDG_aQ/mqdefault.jpg
- i4.y####.com/vi/G_KAnrRpjts/mqdefault.jpg
- i4.y####.com/vi/GwyRl35C9RA/mqdefault.jpg
- i4.y####.com/vi/JR06IhY4C2A/mqdefault.jpg
- i4.y####.com/vi/KyQyz2upSgY/mqdefault.jpg
- i4.y####.com/vi/SlFR2Bx4120/mqdefault.jpg
- i4.y####.com/vi/SuHVvSsNY2E/mqdefault.jpg
- i4.y####.com/vi/T_Tx4ZF-TkQ/mqdefault.jpg
- i4.y####.com/vi/XCrDBHjnvzM/mqdefault.jpg
- i4.y####.com/vi/dT5ALH3ICTc/mqdefault.jpg
- i4.y####.com/vi/ddOfQZO5tfU/mqdefault.jpg
- i4.y####.com/vi/iIkWk-LCpx8/mqdefault.jpg
- i4.y####.com/vi/kjC1zmZo30U/mqdefault.jpg
- i4.y####.com/vi/uni0gUepfrU/mqdefault.jpg
- i4.y####.com/vi/v0YeYBf0IA8/hqdefault.jpg
- i4.y####.com/vi/v0YeYBf0IA8/mqdefault.jpg
- i4.y####.com/vi/y8lFgF_IjPw/mqdefault.jpg
- js.a####.com/prod/v0/tag.js
- m####.ad####.org/track/cmb/generic?ttd_pid=####&ttd_tpi=####
- m####.ad####.org/track/cmf/generic?ttd_pid=####&ttd_tpi=####
- me####.effecti####.net/d/6/p?pu=####&ru=####&tz=####&fc=####&ii=####&ua=...
- me####.effecti####.net/em.js
- me####.effecti####.net/html/frame_2.3.7.html
- p####.mat####.com.####.net/sync/img/?mt_exid=####&mt_exuid=####
- p####.mat####.com.####.net/sync/img?redir=/aa.agkn.com/adscores/g.pixel?...
- pozif####.p####.com/2QSRpwqFzQSTowCVpQ2cdef
- sb.scoreca####.com.####.net/beacon.js
- sta####.d####.net/all.js
- sta####.d####.net/neon/prod/0.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/348.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/355.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/360.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/361.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/362.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/363.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/366.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/368.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/382.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/385.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/389.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/400.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/414.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/425.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/446.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/fonts/RetinaBold.cd747ac57dbad1301e9c9dd84cc...
- sta####.d####.net/neon/prod/fonts/RetinaBook.c4cccca9cea52aa384c20c23213...
- sta####.d####.net/neon/prod/fonts/RetinaMedium.23e7b277dc8317a3553ca1b2b...
- sta####.d####.net/neon/prod/img/hexagon1.e292b13de98319d7a75c6b73547f62e...
- sta####.d####.net/neon/prod/img/hexagon2.d26e698d7e5783e7b3b490dc7510e04...
- sta####.d####.net/neon/prod/img/logo.754e4ebaecad6bcdebb0d83ac8d66144.svg
- sta####.d####.net/neon/prod/mobile.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/mobile.6f63d93181306f80ee3d02dcb50f5538.css
- sta####.d####.net/neon/prod/vendor.084b6db0b4729b376a20.js
- sta####.d####.net/neon/prod/vendor.66bc4f798c3154d68878183c4709d1a8.css
- sta####.d####.net/playerv5/26c8cff60ebed41647bd.dmp.js
- sta####.d####.net/playerv5/dmp.c6d3efc99c84202cb39f.js
- sta####.d####.net/playerv5/dmpmanifest.9598fe3b19349304ab50.js
- sta####.d####.net/playerv5/dmpvendor.121e83069e6f969678f8.js
- www.dailymo####.com/in
- www.you####.com/get_video_info?video_id=####&asv=####&el=####&hl=####&st...
Запросы HTTP POST:
- a.appj####.com/ad-service/ad/mark
- adma####.u####.u####.com/usetting/v1/fetch_config
- api.apk.v-####.mobi/check_nav
- api.apk.v-####.mobi/gcm_conf_get
- api.apk.v-####.mobi/get_nav
- api.apk.v-####.mobi/pingv2
- api.apk.v-####.mobi/setup
- api.apk.v-####.mobi/signin
- api.apk.v-####.mobi/update_get
- api.apk.v-####.mobi/update_list
- api.apk.v-####.mobi/url_check
- api.apk.v-####.mobi/welcome_get2
- dailymo####.com/
- gj.ap####.uc.cn/collect?zip=####&pf=####&pn=####&ve=####&vc=####&sdk_ve=...
- log.apk.v-####.mobi/log
- video####.mobi/domain
- x####.apk.v-####.mobi/allhotkey
- x####.apk.v-####.mobi/home_recommend
- x####.apk.v-####.mobi/video_recommend_list
- x####.apk.v-####.mobi/video_similar
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_gkduz/classes.jar
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/index
- <Package Folder>/databases/dbjwuf-journal
- <Package Folder>/databases/google_analytics_v2.db-journal
- <Package Folder>/databases/pushmessage-journal
- <Package Folder>/databases/vidmate.db
- <Package Folder>/databases/vidmate.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/ECPMD-2063-1510835233596
- <Package Folder>/files/####/PBUD-2063-1510835233596
- <Package Folder>/files/VMDataList.db
- <Package Folder>/files/dakml
- <Package Folder>/files/gaClientId
- <Package Folder>/files/history.db
- <Package Folder>/files/observedFile
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/AppD<Package>.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/SMD<Package>.xml
- <Package Folder>/shared_prefs/VidMate.xml
- <Package Folder>/shared_prefs/com.google.android.gcm.xml
- <Package Folder>/shared_prefs/jg_app_update_settings_random.xml
- <Package Folder>/shared_prefs/p_vidmate.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/Android/####/-10596584.tmp
- <SD-Card>/Android/####/-107228446.tmp
- <SD-Card>/Android/####/-1087226278.tmp
- <SD-Card>/Android/####/-1110065012.tmp
- <SD-Card>/Android/####/-1151017743.tmp
- <SD-Card>/Android/####/-1290451529.tmp
- <SD-Card>/Android/####/-1725509009.tmp
- <SD-Card>/Android/####/-2008801442.tmp
- <SD-Card>/Android/####/-601074560.tmp
- <SD-Card>/Android/####/-746815851.tmp
- <SD-Card>/Android/####/-76876551.tmp
- <SD-Card>/Android/####/-90060243.tmp
- <SD-Card>/Android/####/-948674819.tmp
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/1076347422.tmp
- <SD-Card>/Android/####/1110276008.tmp
- <SD-Card>/Android/####/1145940519.tmp
- <SD-Card>/Android/####/1311859226.tmp
- <SD-Card>/Android/####/1390306468.tmp
- <SD-Card>/Android/####/1410988884.tmp
- <SD-Card>/Android/####/1457446243.tmp
- <SD-Card>/Android/####/1621214789.tmp
- <SD-Card>/Android/####/1931313902.tmp
- <SD-Card>/Android/####/2028145440.tmp
- <SD-Card>/Android/####/2071397742.tmp
- <SD-Card>/Android/####/218350511.tmp
- <SD-Card>/Android/####/307282009.tmp
- <SD-Card>/Android/####/315997292.tmp
- <SD-Card>/Android/####/427830987.tmp
- <SD-Card>/Android/####/468699400.tmp
- <SD-Card>/Android/####/591414534.tmp
- <SD-Card>/Android/####/756309940.tmp
- <SD-Card>/Android/####/777385942.tmp
- <SD-Card>/Android/####/952570894.tmp
- <SD-Card>/VidMate/####/-1479197359
- <SD-Card>/VidMate/####/-1530624503
- <SD-Card>/VidMate/####/-1650110530
- <SD-Card>/VidMate/####/-2024732344
- <SD-Card>/VidMate/####/-2030218387
- <SD-Card>/VidMate/####/-2088103286
- <SD-Card>/VidMate/####/1480978988
- <SD-Card>/VidMate/####/1510835238056
- <SD-Card>/VidMate/####/1510835241502
- <SD-Card>/VidMate/####/1510835265309
- <SD-Card>/VidMate/####/597493799
- <SD-Card>/VidMate/####/921193472
- <SD-Card>/VidMate/####/bin.-1400338173
- <SD-Card>/VidMate/####/bin.1858799582
- <SD-Card>/VidMate/####/task-journal
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- libjiagu
- observer
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- DES-ECB-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CFB-NoPadding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
