Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Xiny.20
- Android.Xiny.224.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) v.adma####.com.cn:80
- TCP(HTTP/1.1) q####.c####.l####.####.com:80
- TCP(HTTP/1.1) g.cn.miao####.com:80
- TCP(HTTP/1.1) mg####.pcon####.com.cn:80
- TCP(HTTP/1.1) i####.com:80
- TCP(HTTP/1.1) i####.pcon####.fas####.com:80
- TCP(HTTP/1.1) go.1mi####.cn:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) ivy.pcon####.com.cn:80
- TCP(HTTP/1.1) gm.mm####.com:80
- TCP(HTTP/1.1) adm.t####.com.####.com:80
- TCP(HTTP/1.1) t.moo####.cn:80
- TCP(HTTP/1.1) www.czheng####.cn:8073
- TCP(HTTP/1.1) c.appj####.com:80
- TCP(HTTP/1.1) www.ta####.com:80
- TCP(HTTP/1.1) w####.fun.tv:80
- TCP(HTTP/1.1) img.cool####.cn.####.com:80
- TCP(HTTP/1.1) js.3con####.com.####.com:80
- TCP(HTTP/1.1) dup.baidust####.com:80
- TCP(HTTP/1.1) c####.pc####.com.cn:80
- TCP(HTTP/1.1) abc.so####.net:80
- TCP(HTTP/1.1) tc.c####.com:80
- TCP(HTTP/1.1) idu####.qini####.com:80
- TCP(HTTP/1.1) 2####.187.226.25:80
- TCP(HTTP/1.1) up####.v.qin####.com:80
- TCP(HTTP/1.1) p####.pc####.com.cn:80
- TCP(HTTP/1.1) www.pc####.com.####.com:80
- TCP(HTTP/1.1) pos.b####.com:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) 1####.26.76.154:80
- TCP(HTTP/1.1) cdn.abs.yunduan####.com:80
- TCP(HTTP/1.1) c####.dns.yunduan####.com:80
- TCP(HTTP/1.1) i####.51.la:80
- TCP(HTTP/1.1) w####.pcon####.com.cn:80
- TCP(HTTP/1.1) vas.fun.tv.####.com:80
- TCP(HTTP/1.1) ip.ch####.com:80
- TCP(HTTP/1.1) cc.151####.net:80
- TCP(HTTP/1.1) s####.x####.com.cn:80
- TCP(HTTP/1.1) a####.do####.mobi:80
- TCP(HTTP/1.1) w####.c####.com:80
- TCP(HTTP/1.1) s####.funs####.net:80
- TCP(HTTP/1.1) d0.x####.com.cn:80
- TCP(HTTP/1.1) m.o####.com:80
- TCP(HTTP/1.1) ba####.c####.com.####.com:80
- TCP(HTTP/1.1) m.qy####.com:80
- TCP(HTTP/1.1) c####.x####.com.cn:80
- TCP(HTTP/1.1) ztp####.v.bs####.cn:80
- TCP(HTTP/1.1) pc####.i####.com:80
- TCP(HTTP/1.1) e.zhuy####.club:80
- TCP(HTTP/1.1) v####.funs####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) v.no####.net:80
- TCP(HTTP/1.1) m1.laogeda####.com:80
- TCP(HTTP/1.1) cd.kw####.com:80
- TCP(HTTP/1.1) trk.m####.com:80
- TCP(HTTP/1.1) 1####.40.20.155:80
- TCP(TLS/1.0) www.ta####.com:443
- TCP(TLS/1.0) m.reac####.cn:443
- TCP(TLS/1.0) dup.baidust####.com:443
- TCP(TLS/1.0) js.u####.51.la:443
- TCP(TLS/1.0) v.adma####.com.cn:443
- TCP(TLS/1.0) ec####.b####.com:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) pos.b####.com:443
- TCP(TLS/1.0) i.gridsum####.com:443
- TCP(TLS/1.0) w####.ta####.com:443
Запросы DNS:
- a####.do####.mobi
- abc.so####.net
- adm.t####.com
- ba####.c####.com
- c####.dns.yunduan####.com
- c####.mm####.com
- c####.pc####.com.cn
- c####.x####.com.cn
- c.appj####.com
- c.c####.com
- cc.151####.net
- cd.kw####.com
- cdn.abs.yunduan####.com
- d0.x####.com.cn
- dup.baidust####.com
- e.zhuy####.club
- ec####.b####.com
- g####.c####.com
- g.cn.miao####.com
- go.1mi####.cn
- h####.c####.com
- hm.b####.com
- i####.51.la
- i####.com
- i####.pcon####.com.cn
- i####.x####.com.cn
- i####.xca####.com
- i.gridsum####.com
- img.cool####.cn
- img.pc####.com.cn
- img.pcon####.com.cn
- ip.ch####.com
- ivy.pcon####.com.cn
- js.3con####.com
- js.u####.51.la
- js.x####.com.cn
- m.e####.com
- m.o####.com
- m.qy####.com
- m.reac####.cn
- m1.laogeda####.com
- mg####.pcon####.com.cn
- mt####.go####.com
- p####.pc####.com.cn
- p####.x####.com.cn
- pc####.i####.com
- pic.xca####.com
- pos.b####.com
- q.funs####.com
- s####.funs####.net
- s####.x####.com.cn
- s11.c####.com
- s19.c####.com
- s20.c####.com
- s22.c####.com
- s23.c####.com
- s4.c####.com
- s95.c####.com
- st####.funs####.com
- t.moo####.cn
- tc.c####.com
- trk.m####.com
- v####.fun.tv
- v####.fun.tv
- v.adma####.com.cn
- v.no####.net
- v1.c####.com
- w####.c####.com
- w####.fun.tv
- w####.pc####.com.cn
- w####.pcon####.com.cn
- w####.ta####.com
- www.czheng####.cn
- www.pc####.com.cn
- www.pcon####.com.cn
- www.ta####.com
- z1.c####.com
- z11.c####.com
- z13.c####.com
- z4.c####.com
- z5.c####.com
- z6.c####.com
- z8.c####.com
Запросы HTTP GET:
- a####.do####.mobi/AD/WAIBAOSDK/FMSD_OUT_AD_HOTFIX_SDK_DEX.jar
- a####.do####.mobi/AD/WAIBAOSDK/FMSD_WAIBAO_AD.json
- abc.so####.net/PClick.aspx?AID=####&KEY=####
- adm.t####.com.####.com/bbs/1364/20130815094643421733.jpg.webp
- adm.t####.com.####.com/bbs/1364/20130815094643753735.jpg.webp
- adm.t####.com.####.com/bbs/1364/m_20130815094641576466.jpg
- adm.t####.com.####.com/bbs/1364/m_20130815094642936697.jpg
- adm.t####.com.####.com/bbs/1364/m_20130815094643421733.jpg
- adm.t####.com.####.com/bbs/1364/m_20130815094643753735.jpg
- adm.t####.com.####.com/bbs/1364/m_20130815094644126886.jpg
- adm.t####.com.####.com/unet/static/udc.js
- ba####.c####.com.####.com/checkImage/89.png?time=####
- ba####.c####.com.####.com/d/posts/show/9338
- ba####.c####.com.####.com/img/jindex.png
- ba####.c####.com.####.com/img/logo-baobao.gif
- ba####.c####.com.####.com/img/qindex.png
- ba####.c####.com.####.com/img/windex.png
- ba####.c####.com.####.com/img/yindex.png
- ba####.c####.com.####.com/js/jquery-1.2.6.min.js
- ba####.c####.com.####.com/letter/letter.css
- ba####.c####.com.####.com/style/images/blogo_s.gif
- ba####.c####.com.####.com/style/images/headerbg-64.jpg
- ba####.c####.com.####.com/style/images/topbg.gif
- ba####.c####.com.####.com/style/layout_old.css?t=####
- ba####.c####.com.####.com/templates/oldblue/bg.css?4####
- ba####.c####.com.####.com/templates/oldblue/images/bg-baobao.jpg
- ba####.c####.com.####.com/templates/oldblue/images/bg-space-nav.gif
- ba####.c####.com.####.com/templates/oldblue/images/bg-split-li.gif
- ba####.c####.com.####.com/templates/oldblue/images/blue_line.gif
- ba####.c####.com.####.com/templates/oldblue/images/blueheader.jpg
- ba####.c####.com.####.com/templates/oldblue/images/footer-img.jpg
- ba####.c####.com.####.com/templates/oldblue/images/ico-pink-16x16.gif
- ba####.c####.com.####.com/templates/oldblue/layout.css?4####
- c####.dns.yunduan####.com/pp2.html
- c####.pc####.com.cn/count.php?autox=1&channel=1411&screen=600*800&refer=...
- c####.x####.com.cn/push/adv.php?pid=####&id=####&oid=####&m=####&pv=####...
- c####.x####.com.cn/push/adv.php?pid=420&id=70944&oid=52906&m=1&pv=400000...
- c####.x####.com.cn/push/adv.php?pid=881&id=70723&oid=53107&m=1&pv=120000...
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/stat.php?id=####
- c.c####.com/stat.php?id=####&web_id=####
- c.c####.com/z_stat.php?id=####
- c.c####.com/z_stat.php?id=####&web_id=####
- cc.151####.net/pclick.aspx?AID=####&key=####
- cdn.abs.yunduan####.com/chou2.html
- cdn.abs.yunduan####.com/pp.html
- cdn.abs.yunduan####.com/r3.html
- d0.x####.com.cn/pvlog/ad_count.php?t=####
- dup.baidust####.com/js/os.js
- e.zhuy####.club/1279/7924539
- g.cn.miao####.com/x/k=2079963&p=7Epep&dx=__IPDX__&rt=2&ns=__IP__&ni=__IE...
- g.cn.miao####.com/x/k=2080054&p=7EphA&dx=__IPDX__&rt=2&ns=__IP__&ni=__IE...
- g.cn.miao####.com/x/k=2080054&p=7EphC&dx=__IPDX__&rt=2&ns=__IP__&ni=__IE...
- g.cn.miao####.com/x/k=2080899&p=7F59A&dx=__IPDX__&rt=2&ns=__IP__&ni=__IE...
- g.cn.miao####.com/x/k=2080899&p=7F59C&dx=__IPDX__&rt=2&ns=__IP__&ni=__IE...
- g.cn.miao####.com/x/k=2081121&p=7FD03&dx=__IPDX__&rt=2&ns=__IP__&ni=__IE...
- g.cn.miao####.com/x/k=2081121&p=7FD04&dx=__IPDX__&rt=2&ns=__IP__&ni=__IE...
- g.cn.miao####.com/x/k=2081494&p=7FGoK&dx=__IPDX__&rt=2&ns=__IP__&ni=__IE...
- gm.mm####.com/9.gif?abc=####&rnd=####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&ep=####&et=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- hm.b####.com/hm.js?1b2a81d####
- i####.51.la/go1?id=####&rt=####&rl=####&lang=####&ct=####&pf=####&ins=##...
- i####.com/irt?_iwt_UA=####&jsonp=####
- i####.com/irt?_iwt_UA=####&ref=####&jsonp=####
- i####.com/irt?_iwt_UA=UA-xcar-000001&ref=/photo.xcar.com.cn/group/view_a...
- i####.pcon####.fas####.com/blank.gif
- i####.pcon####.fas####.com/images/upload/upc/tx/auto5/1609/01/c5/2635744...
- idu####.qini####.com/2009/images/t0512_pics_arr.gif
- idu####.qini####.com/2009/images/zutupp.gif
- idu####.qini####.com/cms/group/r_map.gif
- idu####.qini####.com/img/news_photo/2013/08/15/WHHYcWx5OW1311.jpg
- img.cool####.cn.####.com/201805/yro.jar
- ip.ch####.com/getip.aspx
- ivy.pcon####.com.cn/adpuba/show?id=####&media=####&channel=####&trace=####
- ivy.pcon####.com.cn/click?id=####&adid=####&watch=####
- js.3con####.com.####.com/2013/usercenter/images/icolist.jpg
- js.3con####.com.####.com/2013/usercenter/images/icolku.jpg
- js.3con####.com.####.com/2013/usercenter/images/sharels.jpg
- js.3con####.com.####.com/_hux_/auto/price/detail.js
- js.3con####.com.####.com/iresearch/iwt-min.js
- js.3con####.com.####.com/min/temp/v1/dpl-jquery.slide.js
- js.3con####.com.####.com/min/temp/v1/lib-jquery1.10.2.js
- js.3con####.com.####.com/min2/temp/v2/plugin-locate,plugin-locate_auto.js
- js.3con####.com.####.com/pcauto/2017/price/css/photos2.css
- js.3con####.com.####.com/zt/gz20170412/price/jbian.png
- m.o####.com/chaoliujiepai/08/7336.html
- m.o####.com/pntmvTpzmMWM19.php?o=####&i=####&s=####
- m.qy####.com/meirongzhishi/16/2571.html
- m.qy####.com/yu7n7csYA39S19.php?o=####&i=####&s=####
- m1.laogeda####.com/ads/admaster24.php?o=####
- m1.laogeda####.com/ads/admaster240.php?o=####
- m1.laogeda####.com/templets/tui/js/jquery-1.8.3.min.js
- mg####.pcon####.com.cn/auto.airui.test15./
- p####.pc####.com.cn/cars/image/1472200-1-sg9291-o1.html?ad=####
- p####.pc####.com.cn/dealer/interface/price/getLowestModelPrice4All.jsp?c...
- p####.pc####.com.cn/interface/cms/region_ipArea.jsp?m=####&encode=####&c...
- pc####.i####.com/irt?_iwt_UA=####&ref=####&jsonp=####
- pos.b####.com/bfp/snippetcacher.php?dpv=####&di=####
- pos.b####.com/nclm?conwid=####&conhei=####&rtbid=####&rdid=####&dc=####&...
- pos.b####.com/nclm?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
- pos.b####.com/scem?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
- q####.c####.l####.####.com/group/20180509092318764.jpg
- q####.c####.l####.####.com/group/images/s_l.cur
- q####.c####.l####.####.com/group/js/changspeed.js
- q####.c####.l####.####.com/group/js/picLoad.js
- q####.c####.l####.####.com/group/view_ab.php?pid=####
- s####.funs####.net/ecom-ad/ifar_all/?oc=####
- s####.funs####.net/ecom-ad/ifar_duration/?rprotocol=####&fck=####&mick=#...
- s####.funs####.net/ecom-ad/ifar_load/?rprotocol=1&fck=1527027519f31f1&mi...
- s####.funs####.net/website/play?rprotoc####
- s####.funs####.net/website/pv?rprotoc####
- s####.x####.com.cn/flow/flow.php?t=####
- t.moo####.cn/t/v2/imp?tagid=####&src.id=####&src.rand=####
- tc.c####.com/adscache/caches/161.js?n=####
- tc.c####.com/adscache/caches/195.js?n=####
- tc.c####.com/adscache/caches/566.js?n=####
- tc.c####.com/js/tcjs.php
- ti####.c####.l####.####.com/cms/iwt/iwt-min.js
- ti####.c####.l####.####.com/group/20180423092617956.jpg
- ti####.c####.l####.####.com/group/20180425093933357.jpg
- ti####.c####.l####.####.com/group/20180426092936664.jpg
- ti####.c####.l####.####.com/group/20180427154807201.jpg
- ti####.c####.l####.####.com/group/20180503092220939.jpg
- ti####.c####.l####.####.com/group/20180504095050539.jpg
- ti####.c####.l####.####.com/group/20180508094003855.jpg
- ti####.c####.l####.####.com/group/20180510094440442.jpg
- ti####.c####.l####.####.com/group/js/changspeed.js
- ti####.c####.l####.####.com/group/js/picLoad.js
- ti####.c####.l####.####.com/group/js/silder.js
- ti####.c####.l####.####.com/tools/jq/1.5.1.min.js
- trk.m####.com/p?ev=####&acid=####&on=####&at=####
- up####.v.qin####.com/main/new/js/v8/core-min.js
- up####.v.qin####.com/main/new/js/v8/html/statIwt_www_new-min.js?v=####
- up####.v.qin####.com/open/fis/js/v11/??plugin/####
- v####.funs####.com/vasd/pa/index?sid=####&ref=####&mick=####&cvid=####
- v.adma####.com.cn/i/a106476,b2477126,c150,i0,m202,8a1,8b2,h
- v.adma####.com.cn/i/a106476,b2477127,c150,i0,m202,8a1,8b2,h
- vas.fun.tv.####.com/market/ext/udc/c68908960.html?m####
- vas.fun.tv.####.com/market/vasd/reportVv.js?v=####
- w####.c####.com/abc/xyz/point/index_single.php
- w####.fun.tv/api/javascript?js=####
- w####.fun.tv/vplay/g-301972.v-876977
- w####.pcon####.com.cn/ipJson.jsp?defaultCity=####&sts=####&callback=####
- www.czheng####.cn:8073/
- www.pc####.com.####.com/autox/x2.html
- www.pc####.com.####.com/blank.gif
- www.ta####.com/
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
- z.c####.com/stat.htm?id=4762020&r=http://222.187.226.25/pc.html?p####&lg...
- ztp####.v.bs####.cn/images/upload/upc/tx/auto5/1404/21/c5/33380934_13980...
- ztp####.v.bs####.cn/images/upload/upc/tx/auto5/1404/21/c5/33380948_13980...
- ztp####.v.bs####.cn/images/upload/upc/tx/auto5/1404/21/c5/33380956_13980...
- ztp####.v.bs####.cn/images/upload/upc/tx/auto5/1404/21/c5/33381083_13980...
- ztp####.v.bs####.cn/images/upload/upc/tx/auto5/1404/21/c5/33381088_13980...
- ztp####.v.bs####.cn/images/upload/upc/tx/auto5/1404/21/c6/33381085_13980...
- ztp####.v.bs####.cn/market/ext/udc/c68908960.html?m####
Запросы HTTP POST:
- c.appj####.com/ad/splash/stats.html
- cd.kw####.com/d?requestId=####&g=####
- go.1mi####.cn/m2?protocol=####&version=####&cid=####
- v.no####.net/v/a/t
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/CachedGeoposition.db
- /data/data/####/CachedGeoposition.db-journal
- /data/data/####/JSON.xml
- /data/data/####/WAIBAOSDKVersion.xml
- /data/data/####/W_Key.xml
- /data/data/####/ad_show_time.xml
- /data/data/####/com.gameman.wang.jiemifangkuai_preferences.xml
- /data/data/####/countClickIP.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/downloadswc
- /data/data/####/downloadswc-journal
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/file__0.localstorage-journal
- /data/data/####/fmsd_sdk_code.jar
- /data/data/####/http_vas.fun.tv_0.localstorage-journal
- /data/data/####/index
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/libjiagu.so
- /data/data/####/st.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/z.xml
- /data/media/####/4.9yro.jar
- /data/media/####/restime.dat
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- RSA
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
