Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.570.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) d.zxl####.com:80
- TCP(HTTP/1.1) 1####.h####.i####.tv:80
- TCP(HTTP/1.1) n.youle####.com.####.com:80
- TCP(HTTP/1.1) b.scoreca####.com.####.net:80
- TCP(HTTP/1.1) statson####.pu####.b####.com:80
- TCP(HTTP/1.1) geo.gridsum####.com:80
- TCP(HTTP/1.1) mo####.api.hun####.com:80
- TCP(HTTP/1.1) com####.hun####.com:80
- TCP(HTTP/1.1) mo####.log.hun####.com:80
- TCP(HTTP/1.1) x.da.hun####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) s.wagbr####.alibaba####.com:80
- TCP(HTTP/1.1) apilo####.a####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) api.tui####.b####.com:80
- TCP(HTTP/1.1) e####.h####.com.####.com:80
- TCP(HTTP/1.1) rc.mpp.hun####.com:80
- TCP(HTTP/1.1) av####.h####.com.####.com:80
- TCP 2####.108.23.105:5287
- TCP y1.ey####.com:7071
- TCP y1.ey####.com:7073
- TCP y1.ey####.com:7072
Запросы DNS:
- 0####.h####.com
- 1####.h####.com
- 2####.h####.com
- 3####.h####.com
- a####.tui####.b####.com
- a####.u####.com
- api####.a####.com
- api.tui####.b####.com
- au.u####.co
- au.u####.com
- av####.h####.com
- b.scoreca####.com
- com####.hun####.com
- d.zxl####.com
- e####.h####.com
- geo.gridsum####.com
- i5.hun####.com
- mo####.api.hun####.com
- mo####.log.hun####.com
- n.youle####.com
- oc.u####.com
- rc.mpp.hun####.com
- sa1.tui####.b####.com
- statson####.pu####.b####.com
- x.da.hun####.com
- y1.ey####.com
- y2.ey####.com
- y3.ey####.com
Запросы HTTP GET:
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180309201117984.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180309201141262.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/03/20180309201204849.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180404170604575.gif
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180407111038414.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180407114434593.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180407223245169.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180409111700947.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180410105352006.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180410110539803.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180410114559712.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180410115037229.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180410200350563.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180411090032821.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180411100040436.jpg
- 1####.h####.i####.tv/preview/sp_images/2018/dianshiju/303114/4347864/201...
- 1####.h####.i####.tv/preview/sp_images/2018/dianshiju/303114/4347911/201...
- 1####.h####.i####.tv/preview/sp_images/2018/dianshiju/303114/4348073/201...
- 1####.h####.i####.tv/preview/sp_images/2018/dianshiju/303114/4348083/201...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4322288/201803...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4334034/201803...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4341637/201804...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4342078/201804...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4344142/201804...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4346806/201804...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4346865/201804...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4346893/201804...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4346904/201804...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4347467/201804...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4348104/201804...
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/caidan.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/teji.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/vipmian.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/yugao.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/zhizhi.png
- av####.h####.com.####.com/0/8c5a31e7/b6tpo1n6jlt7t174jptg?x-oss-process=...
- av####.h####.com.####.com/5/145e5480/b4ldtulmugg8r6kofru0?x-oss-process=...
- av####.h####.com.####.com/5/5be7dffe/b9ebe06n9l25cmp1vhag?x-oss-process=...
- av####.h####.com.####.com/5/6e7d6e0e/WOTsFpzZyWKeoIPi?x-oss-process=####
- av####.h####.com.####.com/5/80f0f0f2/bb2ueflmugg6i6b2mucg?x-oss-process=...
- av####.h####.com.####.com/6/59c84c23/baku2clmugg6brie7f1g?x-oss-process=...
- av####.h####.com.####.com/6/782207cb/WOTmwpzZyWKem7ct?x-oss-process=####
- av####.h####.com.####.com/6/9d78e90b/b5qc5l6n9l22phfl82c0?x-oss-process=...
- b.scoreca####.com.####.net/p2?c1=####&c2=####&ns_ap_an=####&ns_ap_pn=###...
- com####.hun####.com/mobile_comment/top?userId=####&osVersion=####&subjec...
- d.zxl####.com/d/42pb.apk
- d.zxl####.com/d/42pc.png
- d.zxl####.com/d/42pf.jpg
- e####.h####.com.####.com/2/mava2_N6NTTzRACGvJd1ZjuTIYi738w7tiShOS.jpg
- e####.h####.com.####.com/2/mava2_VIPqUD0eFBiK9EXzIWMrW38vw2ipUSiM.jpg
- e####.h####.com.####.com/2/mava2_XZSYxpLDWRXuN5YZ0QmMyALor9fm9onU.jpg
- geo.gridsum####.com/v2/g.aspx
- mo####.api.hun####.com/channel/getDetail?userId=####&osVersion=####&devi...
- mo####.api.hun####.com/channel/getList?userId=####&osVersion=####&device...
- mo####.api.hun####.com/comment/read?userId=####&osVersion=####&device=##...
- mo####.api.hun####.com/mobile/getCategorys?userId=####&osVersion=####&de...
- mo####.api.hun####.com/mobile/getRsaKey
- mo####.api.hun####.com/mobile/iconLink?userId=####&osVersion=####&device...
- mo####.api.hun####.com/mobile/p2pSwitch?userId=####&osVersion=####&devic...
- mo####.api.hun####.com/v2/video/getDownloadList?userId=####&osVersion=##...
- mo####.api.hun####.com/v2/video/getMultiplyList?userId=####&osVersion=##...
- mo####.api.hun####.com/v2/video/getShortList?userId=####&osVersion=####&...
- mo####.api.hun####.com/v2/video/getSource?userId=####&osVersion=####&dev...
- mo####.api.hun####.com/v2/video/getVideoInfo?userId=####&osVersion=####&...
- mo####.api.hun####.com/video/getSupport?userId=####&osVersion=####&devic...
- n.youle####.com.####.com/d/42pb.apk
- n.youle####.com.####.com/d/42pc.png
- n.youle####.com.####.com/d/42pf.jpg
- rc.mpp.hun####.com/mobile/v1/cms/alike?userId=####&osVersion=####&device...
- rc.mpp.hun####.com/mobile/v1/cms?userId=####&collectionid=####&osVersion...
Запросы HTTP POST:
- a####.u####.com/app_logs
- api.tui####.b####.com/rest/2.0/channel/3800264449000318401
- api.tui####.b####.com/rest/2.0/channel/channel
- apilo####.a####.com/v3/log/init
- mo####.log.hun####.com/data.cgi
- oc.u####.com/check_config_update
- s.wagbr####.alibaba####.com/api/check_app_update
- statson####.pu####.b####.com/pushlog
- x.da.hun####.com/json/app/boot
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/0.jar
- /data/data/####/356507059351895yd.db-journal
- /data/data/####/GridsumCommon.xml
- /data/data/####/ImgoPad-journal
- /data/data/####/MGTVCommon.xml
- /data/data/####/MV3Plugin.ini
- /data/data/####/aypa0000.xml
- /data/data/####/aypb0000.xml
- /data/data/####/aypc0000.xml
- /data/data/####/ayqa0000.xml
- /data/data/####/ayqb0000.xml
- /data/data/####/ayqd0000.xml
- /data/data/####/cSPrefs.xml
- /data/data/####/com.chuangyi.bite.movies.developed.push_sync.xml
- /data/data/####/com.chuangyi.bite.movies.developed.xml
- /data/data/####/com.chuangyi.bite.movies.developed_preferences.xml
- /data/data/####/dbVersion.xml
- /data/data/####/last_know_location.xml
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_online_setting_com.chuangyi.bite...ed.xml
- /data/data/####/plugin-deploy.jar
- /data/data/####/plugin-deploy.key
- /data/data/####/pst.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/yysa.xml
- /data/data/####/yysa356507059351895.xml
- /data/data/####/yysb356507059351895.xml
- /data/data/####/yysc356507059351895.xml
- /data/data/####/yysd356507059351895.xml
- /data/data/####/yysf356507059351895.xml
- /data/media/####/.cuid
- /data/media/####/.nomedia
- /data/media/####/1083ia19v8576vl00cimu2awk.tmp
- /data/media/####/178uv4xj9z1mtf9a363gntwvm.tmp
- /data/media/####/19kck07adkli9wntvcan37bbv.tmp
- /data/media/####/1el5y4nhlgjgwjwshqxpx57jh.tmp
- /data/media/####/1gu523jw7aze9uei600ncc31c.tmp
- /data/media/####/1mymr8a8in7t91btyjbwdp0r2.tmp
- /data/media/####/1pw2ifb3dfc7az8k7ka9nodp8.tmp
- /data/media/####/1yc07e39kutgc3l6o6i0yozxc.tmp
- /data/media/####/25ha0ikpkb0qvdqm53mpz4u38.tmp
- /data/media/####/2ab00v9ovs9emrlqggx8cbpud.tmp
- /data/media/####/2e6fbk5a81q5akjtb3wfthp9n.tmp
- /data/media/####/2gn1rdrdyh96liyn77zpep21n.tmp
- /data/media/####/2jj7pejv2zrc7dp1ejo6k8nmx.tmp
- /data/media/####/2t1xw8uj5ykfrk7s21b45w89x.tmp
- /data/media/####/2zqnry7do0ook6j548ho7mirl.tmp
- /data/media/####/3k3oyz7gfbqlt3bb435ywnp3.tmp
- /data/media/####/3srum8qddsuzltmbsn9rx2auj.tmp
- /data/media/####/3te3musnv28sm65pyxd3agvwu.tmp
- /data/media/####/42pc.png.tmp
- /data/media/####/42pf.jpg.tmp
- /data/media/####/4qfasq35voaqqnxbzqzt6qgaq.tmp
- /data/media/####/4sjp1s5y4vk0wwgnv27npjj28.tmp
- /data/media/####/4tzj1b6wixc93axs1whuzl5z1.tmp
- /data/media/####/4yh7a885r9l39chbs654j3mdj.tmp
- /data/media/####/4z2ycrykgy3feczboux8eamr1.tmp
- /data/media/####/52tve34x41knie4pgvymd08pa.tmp
- /data/media/####/56ywzcg8lstrv7vxkyyvug53l.tmp
- /data/media/####/5dgn8pxc9ykp2groga0q4k7c4.tmp
- /data/media/####/5g9bty9sx884pqx85scpj885o.tmp
- /data/media/####/5lzahaz50dbd8x4yn9ksq154s.tmp
- /data/media/####/5v9v7tr014zuiqu59q5jlwnmt.tmp
- /data/media/####/5vse40gdunn9f77k4vbwalyhj.tmp
- /data/media/####/5wg1km8sbu1jhcpwpwmnm2vgy.tmp
- /data/media/####/5xw94tnnxc1qpqygzz1uow6x8.tmp
- /data/media/####/5yjw1byashvi60r5h79phww8u.tmp
- /data/media/####/67md6pom4lrwsswcv70f416y0.tmp
- /data/media/####/6czq83hg0e09tn6xec9k7lz4l.tmp
- /data/media/####/6ir7buh14xehbtsekzlys2em6.tmp
- /data/media/####/6naxlt4yyage8nvj06e3nbcy1.tmp
- /data/media/####/6o8s28o3na5g8wvy91cf21jj8.tmp
- /data/media/####/6r3w1uhj6cbuqe716du67ogq9.tmp
- /data/media/####/6r62pmibh2oe7s8vntp5vekxq.tmp
- /data/media/####/6zq84ej4d55aqb5kyjwjw4glu.tmp
- /data/media/####/7964kod24usnfoqgrcm98y59l.tmp
- /data/media/####/7hkta86abyki1a39ibbkiyh9p.tmp
- /data/media/####/89p39l81yt6j0f0nzcqoaqiw.tmp
- /data/media/####/a_42pb.apk.t
- /data/media/####/apps
- /data/media/####/i1qwxiklzh9pm3ubc8nu4uns.tmp
- /data/media/####/journal.tmp
- /data/media/####/lightapp_V4.db
- /data/media/####/lightapp_V4.db-journal
- /data/media/####/mjbtux9yo82xion2crc9r7nx.tmp
- /data/media/####/pushlappv2.db
- /data/media/####/pushlappv2.db-journal
- /data/media/####/pushstat_4.4.db
- /data/media/####/pushstat_4.4.db-journal
- /data/media/####/q7ufzy663dhe8wevhqt4wkek.tmp
- /data/media/####/re6lp3k16kbcnlr76txy461u.tmp
- /data/media/####/uuc1xucoimvdlq5d6rcs78zo.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- ag
- bdpush_V2_2
- bspatch
- libjiagu
- libmv3_common
- libmv3_jni
- libmv3_jni_4.0
- libmv3_mpplat
- libmv3_platform
- libmv3_playerbase
- yfnet_mongotv
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1PADDING
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- RSA-ECB-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
