Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.165.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) i####.com:80
- TCP(HTTP/1.1) ssl.d####.g15.####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) d####.g5.le####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) hn####.cn:80
- TCP(HTTP/1.1) d####.so.le.com:80
- TCP(HTTP/1.1) d####.g11.le####.com:80
- TCP(HTTP/1.1) www.some####.com:80
- TCP(HTTP/1.1) www.qup####.com:80
- TCP(HTTP/1.1) for####.sf.c####.com:80
- TCP(HTTP/1.1) l####.axp.adma####.####.cn:80
- TCP(HTTP/1.1) e.t####.com:80
- TCP(HTTP/1.1) let####.sf.c####.com:80
- TCP(HTTP/1.1) api.wl####.com:80
- TCP(HTTP/1.1) ssl.d####.g7.####.com:80
- TCP(HTTP/1.1) cgi.con####.qq.com:80
- TCP(TLS/1.0) for####.sf.c####.com:443
- TCP(TLS/1.0) www.w####.top:443
- TCP(TLS/1.0) api.gag####.com:443
- TCP(TLS/1.0) c.c####.com:443
Запросы DNS:
- api.gag####.com
- api.wl####.com
- apple####.le.com
- ba####.le.com
- c.c####.com
- cgi.con####.qq.com
- css.let####.com
- d####.so.le.com
- d.api.m.####.com
- e.t####.com
- f####.l####.com
- hn####.cn
- i####.com
- i0.let####.com
- i1.let####.com
- i2.let####.com
- i3.let####.com
- js.let####.com
- jst####.let####.com
- l####.axp.adma####.####.cn
- l####.i####.cn.####.com
- l####.tbs.qq.com
- m.l####.com
- s11.c####.com
- s22.c####.com
- st####.let####.com
- w####.le.com
- www.qup####.com
- www.some####.com
- www.w####.top
Запросы HTTP GET:
- api.wl####.com/favicon.ico
- api.wl####.com/sudu/?url=####
- api.wl####.com/yun/a1128-4.php?url=####
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/stat.php?id=####
- cgi.con####.qq.com/qqconnectopen/openapi/policy_conf?sdkv=####&appid=###...
- d####.g11.le####.com/detail/episode?&pid=####&platform=####
- d####.g5.le####.com/env/?mac=####&nt=####&uid=####&br=####&p1=####&p2=##...
- d####.g5.le####.com/op/?acode=####&ap=ch####&pg=####&bk=####&link=####&a...
- d####.g5.le####.com/op/?acode=####&ap=ch####&pg=####&bk=####&link=####&b...
- d####.g5.le####.com/op/?acode=####&ap=x=ms####&ar=####&cid=####&pid=####...
- d####.g5.le####.com/op/?acode=####&ap=x=ms####&bzinfo=####&ar=####&cid=#...
- d####.g5.le####.com/pgv/?cid=####&pid=####&vid=####&uid=####&lc=####&ref...
- d####.so.le.com/data_collect.so?from=####&imei=####&module=####&action_c...
- d####.so.le.com/data_collect.so?from=####&imei=####&module=####&click_ar...
- d####.so.le.com/data_collect.so?from=####&imei=####&position=####&experi...
- e.t####.com/8759
- for####.sf.c####.com/favicon.ico
- for####.sf.c####.com/img/201207/30/tx70.png
- for####.sf.c####.com/lc02_iscms/201703/24/16/40/4b15695a800d4baa98f2f181...
- for####.sf.c####.com/lc02_iscms/201803/05/23/51/dbdd307361664655b4a5b7ea...
- for####.sf.c####.com/lc02_isvrs/201704/17/13/42/70f4b555-68af-4d77-b21b-...
- for####.sf.c####.com/lc03_img/201803/06/10/58/logo_en.png
- for####.sf.c####.com/lc03_iscms/201712/13/14/32/3bf13201aa6c456c9140d65a...
- for####.sf.c####.com/lc03_iscms/201802/28/17/11/9cdca6f5e0fd4157aa6e2cdf...
- for####.sf.c####.com/lc03_iscms/201803/09/13/58/f878217b7f884a2dabaf792f...
- for####.sf.c####.com/lc03_iscms/201803/21/09/52/3cfd25ccd3264e6383bcefad...
- for####.sf.c####.com/lc03_isvrs/201711/14/10/55/8c7b5169-8367-41de-bcf5-...
- for####.sf.c####.com/lc04_isvrs/201612/28/10/06/ef56b8de-2afd-447a-adf0-...
- for####.sf.c####.com/lc04_isvrs/201706/02/10/37/b7e19e6e-1d10-4f60-b766-...
- for####.sf.c####.com/lc05_img/201610/08/18/51/lekansousuo.png
- for####.sf.c####.com/lc05_img/201702/13/11/10/shadow.png
- for####.sf.c####.com/lc05_iscms/201801/09/10/22/29b4e05cb5e74155969a85c2...
- for####.sf.c####.com/lc05_isvrs/201703/16/15/59/79367523-d8b3-4f36-be39-...
- for####.sf.c####.com/lc06_img/201803/01/15/21/220_122.png
- for####.sf.c####.com/lc06_img/201803/01/15/21/220_293.png
- for####.sf.c####.com/lc06_iscms/201801/26/10/13/ddbc82db15a7417cb0eea5a7...
- for####.sf.c####.com/lc06_isvrs/201702/16/14/36/2052de68-0797-43f5-9bc0-...
- for####.sf.c####.com/lc06_isvrs/201705/25/11/48/33c0c10e-03d1-4ef3-9d0f-...
- for####.sf.c####.com/lc06_js/201803/13/16/24/lem/search-leso_v2.js
- for####.sf.c####.com/lc07_isvrs/201701/04/15/25/e55816cd-ffdf-474f-867f-...
- for####.sf.c####.com/lc07_phone/201708/09/16/14/1600/icomoon.ttf
- for####.sf.c####.com/lc07_search/201701/09/02/30/tmp_8326097059964145690...
- for####.sf.c####.com/ptv/vplay/2088563.html
- for####.sf.c####.com/vrs/201207/21/df2a2305d8d94005bb2b0347106cba75.jpg
- for####.sf.c####.com/vrs/201305/15/31b4769ea75c4fe3abc58ea4ac2d80de.jpg
- for####.sf.c####.com/vrs/201308/15/6943313ad3844aad862b9839956cb240.jpg
- hn####.cn/yunapp/GetDataApi.Asp?Action=####&yz=####&sign=####&time=####
- hn####.cn/yunapp/Getdataapi.asp?Action=####&cpu=####&jx=####&yz=####&up=...
- i####.com/irt?_iwt_t=####&_iwt_id=####&_iwt_UA=####&r=####
- l####.axp.adma####.####.cn/adv?tid=####&uid=####&url=####&jsonp=####
- let####.sf.c####.com/lc03_css/201803/13/16/28/mcss/srh-newhome_v2.css
- let####.sf.c####.com/lc04_css/201803/13/16/28/mcss/m_new_index.css
- let####.sf.c####.com/lc05_js/201803/13/16/24/lem/base-base.js
- let####.sf.c####.com/lc05_js/201803/13/16/24/lem/homeChannel-channel.js
- let####.sf.c####.com/sdk/passport.js
- ssl.d####.g15.####.com/ds?pv=####&code=####&_=####
- ssl.d####.g7.####.com/movie/
- ssl.d####.g7.####.com/search
- www.qup####.com/img/9259
- www.some####.com/img/9259
- www.some####.com/type/T1RJMU9TWnBjRWx1Wm05elBTWjFhWEE5T1RVdU1qRXhMakU1TU...
Запросы HTTP HEAD:
- api.wl####.com/
Запросы HTTP POST:
- l####.tbs.qq.com/ajax?c=####&k=####
- l####.tbs.qq.com/ajax?c=####&v=####&k=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/WebpageIcons.db-journal
- /data/data/####/com.tencent.open.config.json.1106302316
- /data/data/####/core_info
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/debug.conf
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/index
- /data/data/####/libjiagu.so
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbs_load_stat_flag.xml
- /data/data/####/tbs_report_lock.txt
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/Tplistlog.txt
- /data/media/####/config.ini
- /data/media/####/listlog.txt
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.product.cpu.abi
Загружает динамические библиотеки:
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- DESede-ECB-PKCS5Padding
- RSA-ECB-NoPadding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
