Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Dowgin.14.origin
- Adware.Plague.1.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) g.1####.com:80
- TCP(HTTP/1.1) l####.b####.com:80
- TCP(HTTP/1.1) dd.bst.126.####.com:80
- TCP(HTTP/1.1) i####.c####.net####.####.com:80
- TCP(HTTP/1.1) www.go####.com:80
- TCP(HTTP/1.1) l.bst.126.####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) 5hru182####.wsclou####.com:80
- TCP(HTTP/1.1) www.lo####.com:80
- TCP(HTTP/1.1) dl.r####.163.com:80
- TCP(HTTP/1.1) gi.xi.g####.com:80
- TCP(HTTP/1.1) youxixi####.b####.163.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) b####.163.com:80
- TCP(HTTP/1.1) i####.g.163.com:80
- TCP(HTTP/1.1) analy####.163.com:80
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) i####.g.163.com:443
- TCP(TLS/1.0) analy####.163.com:443
- TCP(TLS/1.0) 5hru182####.wsclou####.com:443
- TCP(TLS/1.0) gy3b74i####.wsclou####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) www.go####.nl:443
- TCP(TLS/1.0) adser####.go####.com:443
Запросы DNS:
- a####.u####.com
- a.appj####.com
- adser####.go####.com
- an.ite####.com
- an1.ite####.com
- an2.ite####.com
- analy####.163.com
- b####.163.com
- b.b####.126.net
- bobo-pu####.n####.127.net
- dl.r####.163.com
- g.1####.com
- gi.xi.g####.com
- i####.126.net
- i####.126.net
- i####.126.net
- i####.c####.net####.com
- i####.c####.net####.com
- i####.c####.net####.com
- i####.c####.net####.com
- i####.c####.net####.com
- i####.c####.net####.com
- i####.g.163.com
- i####.ph.126.net
- ia####.n####.127.net
- im####.n####.127.net
- im####.n####.127.net
- img####.ph.126.net
- l####.b####.com
- l.b####.126.net
- os.b####.163.com
- ssl.gst####.com
- ursdo####.n####.127.net
- www.b####.com
- www.go####.com
- www.go####.nl
- www.gst####.com
- www.lo####.com
- youxixi####.b####.163.com
- yt####.n####.127.net
Запросы HTTP GET:
- 5hru182####.wsclou####.com/?enlarge=####&imgurl=####
- 5hru182####.wsclou####.com/?imgurl=####
- 5hru182####.wsclou####.com/anchor_1471910437604_63531527.jpg
- 5hru182####.wsclou####.com/anchor_1501665043059_16112061.jpg
- 5hru182####.wsclou####.com/anchor_1524364538968_40269822.jpg
- 5hru182####.wsclou####.com/bobo_1512198603685_98138991.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1522401771582_42557014.jpg?image####&qua...
- 5hru182####.wsclou####.com/channel14/650100_jith_20171016.jpg
- 5hru182####.wsclou####.com/xoimages/default/2017/news/300x250.jpg
- analy####.163.com/ntes.js
- analy####.163.com/ntes?_nacc=####&_nvid=####&_nvtm=####&_nvsf=####&_nvfi...
- analy####.163.com/ntes?_nacc=iad&_nvid=d5d935f51279cfc8a97a49119333c34b&...
- b####.163.com/api/show/channel/www/5.json?callback=####
- dd.bst.126.####.com/pub/newIndex/bloghome/m-121.css?v=####
- dd.bst.126.####.com/style/common/error/404.css
- dd.bst.126.####.com/style/common/error/images/sprite-404.png
- dl.r####.163.com/getConf?callback=####&pkid=####&pd=####&mode=####
- g.1####.com/r?site=####&affiliate=####&cat=####&type=####&location=####
- i####.c####.net####.####.com/?imgurl=####
- i####.c####.net####.####.com/auto/2015/4/8/20150408101640df5be.jpg
- i####.c####.net####.####.com/auto/2015/6/19/20150619095448ce8b7.jpg
- i####.c####.net####.####.com/auto/2015/6/19/201506190956174c3dd.jpg
- i####.c####.net####.####.com/blog/2010/8/25/20100825112528b74c9.jpg
- i####.c####.net####.####.com/blog/2011/11/14/20111114124810fbd66.jpg
- i####.c####.net####.####.com/blog/2012/12/18/20121218143608acc09.jpg
- i####.c####.net####.####.com/blog/2013/4/18/20130418190435a886f.jpg
- i####.c####.net####.####.com/blog/2013/4/18/20130418191208303e8.jpg
- i####.c####.net####.####.com/blog/2013/5/8/201305081558152b3a1.jpg
- i####.c####.net####.####.com/blog/2013/5/8/20130508160024b3311.jpg
- i####.c####.net####.####.com/blog/2013/6/13/2013061315263044fe6.jpg
- i####.c####.net####.####.com/blog/2013/6/19/20130619182002c99b6.jpg
- i####.c####.net####.####.com/blog/2013/6/26/201306261319312e8b1.jpg
- i####.c####.net####.####.com/blog/2013/7/3/201307031640462212d.jpg
- i####.c####.net####.####.com/blog/2014/1/24/20140124152615aa31f.jpg
- i####.c####.net####.####.com/blog/2014/1/24/20140124152825eaa27.jpg
- i####.c####.net####.####.com/blog/2014/1/24/2014012415444113a5e.jpg
- i####.c####.net####.####.com/blog/2014/12/1/20141201143608f9486.jpg
- i####.c####.net####.####.com/blog/2014/2/24/2014022415164422759.jpg
- i####.c####.net####.####.com/blog/2014/2/24/20140224151931cf5a7.jpg
- i####.c####.net####.####.com/blog/2014/2/24/2014022415231441f7b.jpg
- i####.c####.net####.####.com/blog/2014/4/29/20140429024945b9246.jpg
- i####.c####.net####.####.com/blog/2014/5/7/2014050711400662428.jpg
- i####.c####.net####.####.com/blog/2014/6/15/20140615233524ebdf5.jpg
- i####.c####.net####.####.com/blog/2014/6/19/2014061916265039a1c.jpg
- i####.c####.net####.####.com/blog/2014/7/24/20140724170921f5ce3.jpg
- i####.c####.net####.####.com/blog/2014/7/7/201407071429474b529.jpg
- i####.c####.net####.####.com/blog/2014/7/7/20140707143532534d0.jpg
- i####.c####.net####.####.com/blog/2014/7/7/20140707151403ea5e5.jpg
- i####.c####.net####.####.com/blog/2015/12/18/20151218005625d11fb.jpg
- i####.c####.net####.####.com/blog/2015/12/18/20151218124927cbe54.jpg
- i####.c####.net####.####.com/blog/2015/12/18/20151218142349cb455.jpg
- i####.c####.net####.####.com/blog/2015/12/21/20151221123236cfc7d.jpg
- i####.c####.net####.####.com/blog/2015/12/3/20151203230350e1b5b.jpg
- i####.c####.net####.####.com/blog/2015/12/30/20151230150026291c2.jpg
- i####.c####.net####.####.com/blog/2015/2/13/201502132003135e5f1.png
- i####.c####.net####.####.com/blog/2015/3/25/2015032510541247714.jpg
- i####.c####.net####.####.com/blog/2015/6/5/2015060515031339c5e.jpg
- i####.c####.net####.####.com/blog/2016/1/21/201601211618352ba47.jpg
- i####.c####.net####.####.com/blog/2016/1/21/2016012123194070f66.jpg
- i####.c####.net####.####.com/blog/2016/1/21/2016012123203651c1f.jpg
- i####.c####.net####.####.com/blog/2016/1/28/2016012809085549f1f.jpg
- i####.c####.net####.####.com/blog/2016/1/28/20160128105206ac94f.jpg
- i####.c####.net####.####.com/blog/2016/1/7/20160107232907c5da9.jpg
- i####.c####.net####.####.com/blog/2016/1/8/20160108101342ba461.jpg
- i####.c####.net####.####.com/blog/2016/1/8/2016010810220226ebf.jpg
- i####.c####.net####.####.com/blog/2016/2/14/20160214093438c3f84.jpg
- i####.c####.net####.####.com/blog/2016/2/23/2016022315185195060.jpg
- i####.c####.net####.####.com/blog/2016/2/25/201602250901526094a.jpg
- i####.c####.net####.####.com/blog/2016/3/22/20160322104710a5697.jpg
- i####.c####.net####.####.com/blog/2016/3/9/2016030910055886211.gif
- i####.c####.net####.####.com/blog/2016/4/1/20160401110148e1d18.jpg
- i####.c####.net####.####.com/blog/2016/4/5/201604051221573aabd.jpg
- i####.c####.net####.####.com/blog/2016/4/6/2016040610262709154.gif
- i####.c####.net####.####.com/blog/2016/4/8/20160408134321cf024.jpg
- i####.c####.net####.####.com/blog/img13/index/blog-attitude.png
- i####.c####.net####.####.com/blog/img13/index/date-box-bg.png
- i####.c####.net####.####.com/blog/img13/index/head-current-ctrl.png
- i####.c####.net####.####.com/blog/img13/index/logo_215.png
- i####.c####.net####.####.com/channel14/hongcai0628/960x1005.jpg
- i####.c####.net####.####.com/channel14/kanke0628/300-100.jpg
- i####.c####.net####.####.com/channel14/renjian0628/960-100.jpg
- i####.c####.net####.####.com/channel14/shudu/960-130.jpg
- i####.c####.net####.####.com/channel14/xinwen/960-100.jpg
- i####.c####.net####.####.com/channel9/030796/480300_1203.jpg
- i####.c####.net####.####.com/cnews/2014/2/bobo_ad/bobo_logo1.png
- i####.c####.net####.####.com/cnews/2014/2/bobo_ad/medal-bobo.png
- i####.c####.net####.####.com/cnews/2014/2/bobo_ad/v_btn.png
- i####.c####.net####.####.com/cnews/js/ntes_jslib_1.x.js
- i####.c####.net####.####.com/cnews/js/ntes_ui/ntes_ui_slide_0.3.0_min.js
- i####.c####.net####.####.com/cnews/newimg/ne_foot_icon_v2.png
- i####.c####.net####.####.com/cnews/news2012/img/b_line.gif
- i####.c####.net####.####.com/cnews/news2012/img/calendar-icons.png
- i####.c####.net####.####.com/cnews/news2012/img/icons-new-v2.png
- i####.c####.net####.####.com/cnews/news2012/img/icons-sprites.png
- i####.c####.net####.####.com/cnews/news2012/img/search-logo.png
- i####.c####.net####.####.com/eU8CPpxM43UM2WsQLDbhiQ==/663165930295614656...
- i####.c####.net####.####.com/f2e/ent/common/css/ent.fiDN0EwfhR0v.30.css
- i####.c####.net####.####.com/f2e/include/2013/cnav2013.1222779.min.js
- i####.c####.net####.####.com/f2e/include/common_nav/images/nav_sprite_v4...
- i####.c####.net####.####.com/f2e/include/common_nav/images/topapp.jpg
- i####.c####.net####.####.com/f2e/lib/js/ne.js
- i####.c####.net####.####.com/f2e/news/index2015/img/newsapp.png
- i####.c####.net####.####.com/f2e/news/res/img/cloudapp1.png
- i####.c####.net####.####.com/img/N1RMTURHbkMyMXhKbnFJWTFnM2pGZllESkVKSVo...
- i####.c####.net####.####.com/img/N1RMTURHbkMyMXltaStCODRlUGd0K3BYUk5nQ3l...
- i####.c####.net####.####.com/news/2016/11/17/20161117110123addda.jpg
- i####.c####.net####.####.com/news/2016/4/18/201604181630042a331.jpg
- i####.c####.net####.####.com/news/2016/6/24/201606240710067b32d.jpg
- i####.c####.net####.####.com/news/2016/7/22/2016072212232944308.jpg
- i####.c####.net####.####.com/news/2016/7/26/201607261556588f9bf.jpg
- i####.c####.net####.####.com/news/2016/8/24/20160824112940c1452.jpg
- i####.c####.net####.####.com/news/2016/8/25/2016082510252641367.jpg
- i####.c####.net####.####.com/news/2016/8/29/2016082918160032b5f.jpg
- i####.c####.net####.####.com/news/2016/8/29/2016082918265285bca.jpg
- i####.c####.net####.####.com/news/2016/8/29/20160829183053f7dc7.jpg
- i####.c####.net####.####.com/news/2016/9/12/2016091212571834863.jpg
- i####.c####.net####.####.com/news/2016/9/12/2016091212583658c56.jpg
- i####.c####.net####.####.com/news/2016/9/12/20160912125904d8f5b.jpg
- i####.c####.net####.####.com/news/2016/9/12/20160912130608b0bf5.jpg
- i####.c####.net####.####.com/news/2016/9/13/20160913122116569a2.jpg
- i####.c####.net####.####.com/news/2016/9/13/2016091312253488b15.jpg
- i####.c####.net####.####.com/news/2016/9/14/201609141137540cbf5.jpg
- i####.c####.net####.####.com/news/2016/9/14/2016091411380851baf.jpg
- i####.c####.net####.####.com/news/2016/9/2/201609021603052289a.jpg
- i####.c####.net####.####.com/news/2017/5/5/201705051347330efd8.jpg
- i####.c####.net####.####.com/news/2017/6/26/201706262259111a70d.jpg
- i####.c####.net####.####.com/news/2017/6/30/201706300108041d8ff.jpg
- i####.c####.net####.####.com/news/2017/6/7/2017060708311121378.jpg
- i####.c####.net####.####.com/news/2017/6/7/2017060708312646119.jpg
- i####.c####.net####.####.com/news/2017/6/7/20170607084003d451d.jpg
- i####.c####.net####.####.com/news/2017/6/7/201706070840237b947.jpg
- i####.c####.net####.####.com/news/2017/6/8/20170608102548fd797.jpg
- i####.c####.net####.####.com/news/2017/6/8/2017060810261119240.jpg
- i####.c####.net####.####.com/pub/newIndex/bloghome/nts.js?v=####
- i####.c####.net####.####.com/sports/2013/11/10/201311101351389b3e5.png
- i####.c####.net####.####.com/sports/2013/4/18/20130418162244718d5.png
- i####.c####.net####.####.com/sports/2013/4/18/20130418163032c7708.png
- i####.c####.net####.####.com/stock/2013/12/24/2013122414493285cd3.jpg
- i####.c####.net####.####.com/stock/2013/12/25/20131225161251e9c20.jpg
- i####.c####.net####.####.com/www/v2011/img/iconv0.0.9.png
- i####.g.163.com/wa/ad?affiliate=####&cat=####&location=####&site=####&ty...
- l####.b####.com/recommend/channel/rooms?channel=####&callback=####
- l.bst.126.####.com/rsc/img/ad/lofterlogo1.png?0####
- www.go####.com/complete/search?hl=####&client=####&q=####
- www.lo####.com/blogHomeEntry.do
- youxixi####.b####.163.com/
- youxixi####.b####.163.com/blog/static/19961203620126198570382/
- youxixi####.b####.163.com/common/ava.s?host=####&b=####
- youxixi####.b####.163.com/favicon.ico
Запросы HTTP POST:
- a####.u####.com/app_logs
- a.appj####.com/ad-service/ad/mark
- gi.xi.g####.com/3d00/gae
- gi.xi.g####.com/3d00/h87
- gi.xi.g####.com/3d00/le6
- gi.xi.g####.com/3d00/z3d
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/1525701520986c.jar
- /data/data/####/classes.jar
- /data/data/####/com.androidemu.gba.EmulatorActivity2.xml
- /data/data/####/dbttg-journal
- /data/data/####/e66b4474.xml
- /data/data/####/game_config.txt
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_online_setting_com.androidemu.gb...ck.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/media/####/.nomedia
- /data/media/####/gba_bios.bin
- /data/media/####/kdygqhmy.zip
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/files/libjiagu.so
Загружает динамические библиотеки:
- gba2
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- DES
- DES-ECB-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- DES
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
