Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Dowgin.14.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) w####.q####.dn.####.com:80
- TCP(HTTP/1.1) d2.ireader####.com:80
- TCP(HTTP/1.1) a####.you####.com:80
- TCP(HTTP/1.1) d1.ireader####.com:80
- TCP(TLS/1.0) www.ireader####.com:443
Запросы DNS:
- a####.you####.com
- d1.ireader####.com
- d2.ireader####.com
- fb.u####.com
- t####.qin####.com
- www.ireader####.com
Запросы HTTP GET:
- a####.you####.com/sx/GetConfigInfo.aspx?ver=####&passID=####&ver=####&cl...
- d1.ireader####.com/GoodBooks/Books/cover/2015-03-23/91ccb6b3-1d47-41b9-8...
- d1.ireader####.com/GoodBooks/Books/cover/2015-03-23/bd4fee55-f0a2-4558-9...
- d1.ireader####.com/GoodBooks/Books/cover/2015-05-21/54a06eda-4142-447d-a...
- d1.ireader####.com/GoodBooks/Books/cover/2015-06-18/0229230a-d913-43b2-9...
- d1.ireader####.com/GoodBooks/Books/cover/2015-11-12/3aaf7a4b-3e07-474a-b...
- d1.ireader####.com/GoodBooks/Books/cover/2016-06-03/d82b82f5-9ef1-427d-9...
- d1.ireader####.com/GoodBooks/Books/cover/2017-02-14/dac87072-7608-4802-8...
- d1.ireader####.com/GoodBooks/Books/cover/2017-05-15/bb8e084a-6c5d-49d0-8...
- d1.ireader####.com/GoodBooks/Books/cover/2017-11-15/a3f86a34-5aef-4d93-a...
- d1.ireader####.com/GoodBooks/Books/cover/2017-12-12/85a395b8-d288-49a9-b...
- d1.ireader####.com/GoodBooks/Books/cover/2018-04-03/a943667c-1fed-465d-9...
- d1.ireader####.com/GoodBooks/Books/cover/2018-04-11/6ffd0d3d-4e72-49eb-b...
- d1.ireader####.com/GoodBooks/Books/cover/2018-04-11/d8f6878b-205f-42d7-b...
- d1.ireader####.com/GoodBooks/Books/cover/2018-04-11/e4734d88-d06e-48f9-a...
- d1.ireader####.com/GoodBooks/images/RankImg/23bd1bc9-0e01-4c92-8a45-628a...
- d1.ireader####.com/GoodBooks/images/RankImg/5dc91728-903c-4ebf-85cd-ee78...
- d1.ireader####.com/GoodBooks/images/c100/f101.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f104.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f107.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f108.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f110.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f112.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f114.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f117.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f120.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f123.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f125.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f126.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f143.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f144.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f148.png?id=####
- d1.ireader####.com/GoodBooks/images/c100/f149.png?id=####
- d2.ireader####.com/GoodBooks/Books/cover/2014-07-02/30b1b1ad-9312-4ca7-9...
- d2.ireader####.com/GoodBooks/Books/cover/2015-01-06/5902a6a0-7402-4952-a...
- d2.ireader####.com/GoodBooks/Books/cover/2015-04-18/f4ab4e56-681b-461f-b...
- d2.ireader####.com/GoodBooks/Books/cover/2015-06-18/b4c82ec2-0fa6-4f43-a...
- d2.ireader####.com/GoodBooks/Books/cover/2015-06-25/e6dc7ac4-2215-49ae-8...
- d2.ireader####.com/GoodBooks/Books/cover/2015-08-05/f53843a9-4e97-4e4a-a...
- d2.ireader####.com/GoodBooks/Books/cover/2015-08-27/392f0590-b8db-46a1-9...
- d2.ireader####.com/GoodBooks/Books/cover/2015-10-14/a1f2c72f-1388-4058-a...
- d2.ireader####.com/GoodBooks/Books/cover/2015-11-03/ff8545ea-e91c-461e-a...
- d2.ireader####.com/GoodBooks/Books/cover/2015-11-27/32efcb2f-821b-4be0-9...
- d2.ireader####.com/GoodBooks/Books/cover/2017-05-26/689c3f29-5d7e-4d51-8...
- d2.ireader####.com/GoodBooks/Books/cover/2017-06-12/6e75b679-baf6-4247-9...
- d2.ireader####.com/GoodBooks/Books/cover/2017-06-30/4637950c-6811-42cf-a...
- d2.ireader####.com/GoodBooks/Books/cover/2017-07-17/ee7ed7ab-1734-4a6a-9...
- d2.ireader####.com/GoodBooks/Books/cover/2017-08-18/51642350-d17b-4982-9...
- d2.ireader####.com/GoodBooks/Books/cover/2017-12-12/8d03d8fb-3a57-4300-b...
- d2.ireader####.com/GoodBooks/Books/cover/2018-04-11/1921c114-7b06-4977-9...
- d2.ireader####.com/GoodBooks/Books/cover/2018-04-11/621d3432-cc9a-4e96-b...
- d2.ireader####.com/GoodBooks/Books/cover/2018-04-11/bb4a88fb-9ebb-4d03-9...
- d2.ireader####.com/GoodBooks/images/RankImg/2bcb71bc-1763-47a0-a518-4a18...
- d2.ireader####.com/GoodBooks/images/c100/f103.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f105.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f106.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f109.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f111.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f113.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f115.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f118.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f119.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f121.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f122.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f124.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f127.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f128.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f129.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f142.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f145.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f146.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f147.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f150.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f151.png?id=####
- d2.ireader####.com/GoodBooks/images/c100/f152.png?id=####
- w####.q####.dn.####.com/sxsplash20160727_579817d469bca.jpg
- w####.q####.dn.####.com/sxsplash20160727_579817da499fb.jpg
- w####.q####.dn.####.com/sxsplash20160727_579817de0f457.jpg
- w####.q####.dn.####.com/sxsplash20160727_579817e1da72a.jpg
- w####.q####.dn.####.com/sxsplash20160727_57981808344f4.jpg
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/aireader_v2-journal
- /data/data/####/com_ireader_city_you_qi.xml
- /data/data/####/ffbf96d7759b08fee8a5c611fad89304x.jar
- /data/data/####/ireader.db-journal
- /data/data/####/libjiagu-1481378124.so
- /data/data/####/multidex.version.xml
- /data/data/####/umeng_feedback_conversations.xml
- /data/data/####/umeng_feedback_user_info.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_message_state.xml
- /data/data/####/webview.db-journal
- /data/data/####/www.ireadercity.com.443
- /data/data/####/za5e05ed6.xml
- /data/media/####/.did
- /data/media/####/00180b85fb584e2b97a64f90d502f977jpgx.tmp
- /data/media/####/001f3f1c90764206bd08d39879e12371jpgx.tmp
- /data/media/####/002c6c10ca8742f1b41a7d2cda314f83jpgx.tmp
- /data/media/####/003593366c134990901351afaa06d1f7jpgx.tmp
- /data/media/####/003d3cda90444ac189acbb6555991cd6jpgx.tmp
- /data/media/####/00432e6b9b564d589825a7ff7563c933jpgx.tmp
- /data/media/####/0053878af73941be95a529167bc17201jpgx.tmp
- /data/media/####/00614aafc87a4d90904df12e1c6adda2jpgx.tmp
- /data/media/####/007b054fd2e1471a8076c13d2aa639a2jpgx.tmp
- /data/media/####/00a7959ec2b24185b46602cc9c47f205jpgx.tmp
- /data/media/####/00aa259815fd4b5981f9963b5aeffca6jpgx.tmp
- /data/media/####/02d746bfd91f44b1897fc5c55f5f117fjpgx.tmp
- /data/media/####/02f59604fb4841ab84e3014893aac035jpgx_bak
- /data/media/####/045ffab4fb1949a1b9ab36dbf083a45bjpgx.tmp
- /data/media/####/11c3ead32d50429397808d9510dc5e17jpgx.tmp
- /data/media/####/15794b92c43f44e2b86317298d381199jpgx.tmp
- /data/media/####/34d798a6a45d4ca4ae1208fa565b0a29jpgx.tmp
- /data/media/####/3f09c362ae7140f6947a98197ad96362jpgx.tmp
- /data/media/####/40d70a2475434795bbd3b0d62355397ejpgx.tmp
- /data/media/####/41d204bb17b5488482c253addae1a375jpgx_bak
- /data/media/####/51034a10ebaa4c96a8d9179a91680175jpgx.tmp
- /data/media/####/53ab334310044ae6ae5e9bc6726858dejpgx_bak
- /data/media/####/58c0f7a298524f3fa6bd1015e8eb1003jpgx.tmp
- /data/media/####/598217d8f30a4b93a7823cae2ce0162d.dat
- /data/media/####/5af4135f8dbe4c248aecd4705b3cdbfa.dat
- /data/media/####/621ec283e9fe404d976cb55bd8b6a1df.dat
- /data/media/####/6d610fde4c344d96bd664b70a239dda3jpgx.tmp
- /data/media/####/6e78cc6aec794f11b8d42bc0aa72d6a1jpgx.tmp
- /data/media/####/744e634b119e4de08f4a9cc2250f110bjpgx.tmp
- /data/media/####/760094a0e0b948d5b2dad5691d17b34fjpgx.tmp
- /data/media/####/76babb5d48414427a8e0a3fb8997571c.dat
- /data/media/####/7ac2c1833e684a8896389be10f3a4a0ejpgx.tmp
- /data/media/####/7fff515c99dc43d583c4403023215b54.dat
- /data/media/####/84e90ad622374671858ae3202182d58bjpgx.tmp
- /data/media/####/89d159a9ed7746cdba7f5c4ec56edb03jpgx.tmp
- /data/media/####/9e891a3ed9124609b19070b35d8d01b9jpgx.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/adv_self_config.dat
- /data/media/####/aec0f74da7da4eecac327cd83f493196.dat
- /data/media/####/book_list_C123_free_1.dat
- /data/media/####/book_list_C123_new_1.dat
- /data/media/####/ca84bbe39a4745babc4ed227265450fejpgx.tmp
- /data/media/####/category_101.jpgx.tmp
- /data/media/####/category_103.jpgx.tmp
- /data/media/####/category_104.jpgx.tmp
- /data/media/####/category_105.jpgx.tmp
- /data/media/####/category_106.jpgx.tmp
- /data/media/####/category_107.jpgx.tmp
- /data/media/####/category_108.jpgx.tmp
- /data/media/####/category_109.jpgx.tmp
- /data/media/####/category_110.jpgx.tmp
- /data/media/####/category_111.jpgx.tmp
- /data/media/####/category_112.jpgx.tmp
- /data/media/####/category_113.jpgx.tmp
- /data/media/####/category_114.jpgx.tmp
- /data/media/####/category_115.jpgx.tmp
- /data/media/####/category_117.jpgx.tmp
- /data/media/####/category_118.jpgx.tmp
- /data/media/####/category_119.jpgx.tmp
- /data/media/####/category_120.jpgx.tmp
- /data/media/####/category_121.jpgx.tmp
- /data/media/####/category_122.jpgx.tmp
- /data/media/####/category_123.jpgx.tmp
- /data/media/####/category_124.jpgx.tmp
- /data/media/####/category_125.jpgx.tmp
- /data/media/####/category_126.jpgx.tmp
- /data/media/####/category_127.jpgx.tmp
- /data/media/####/category_128.jpgx.tmp
- /data/media/####/category_129.jpgx.tmp
- /data/media/####/cfg_rank.data
- /data/media/####/chapter_info_list.online
- /data/media/####/config.data
- /data/media/####/d75293dd2e9641f18cb8cdc4beaca700jpgx.tmp
- /data/media/####/free.jpgx.tmp
- /data/media/####/home_infos_2.dat
- /data/media/####/home_infos_22.dat
- /data/media/####/import.dat
- /data/media/####/new.jpgx.tmp
- /data/media/####/realfree.jpgx.tmp
- /data/media/####/releated_list_02f59604fb4841ab84e3014893aac035.dat
- /data/media/####/releated_list_41d204bb17b5488482c253addae1a375.dat
- /data/media/####/releated_list_53ab334310044ae6ae5e9bc6726858de.dat
- /data/media/####/sxsplash20160727_579817d469bca.jpgx_bak
- /data/media/####/sxsplash20160727_579817da499fb.jpgx_bak
- /data/media/####/sxsplash20160727_579817de0f457.jpgx_bak
- /data/media/####/sxsplash20160727_579817e1da72a.jpgx_bak
- /data/media/####/sxsplash20160727_57981808344f4.jpgx_bak
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu-1481378124.so
Загружает динамические библиотеки:
- libjiagu-1481378124
- smssdk
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- DES
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о зарегистрированных на устройстве аккаунтах (Google, Facebook и тд.).
Отрисовывает собственные окна поверх других приложений.
