Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Dowgin.3.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) pcvid####.t####.m####.####.COm:80
- TCP(HTTP/1.1) pcvid####.m####.com.####.net:80
- TCP(HTTP/1.1) pcvid####.t####.m####.####.COM:80
- TCP(HTTP/1.1) d####.t####.m####.com:80
- TCP(HTTP/1.1) 1####.h####.i####.tv:80
- TCP(HTTP/1.1) ta.tt.031####.com:80
- TCP(HTTP/1.1) geo.gridsum####.com:80
- TCP(HTTP/1.1) 4####.h####.com.####.com:80
- TCP(HTTP/1.1) mo####.api.hun####.com:80
- TCP(HTTP/1.1) com####.hun####.com:80
- TCP(HTTP/1.1) mo####.log.hun####.com:80
- TCP(HTTP/1.1) x.da.hun####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) s.wagbr####.alibaba####.com:80
- TCP(HTTP/1.1) 3####.h####.i####.tv:80
- TCP(HTTP/1.1) 0####.h####.i####.tv:80
- TCP(HTTP/1.1) apilo####.a####.com:80
- TCP(HTTP/1.1) secure####.imrworl####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) e####.h####.com.####.com:80
- TCP(HTTP/1.1) rc.mpp.hun####.com:80
- TCP(HTTP/1.1) y.da.hun####.com:80
Запросы DNS:
- 0####.h####.com
- 1####.h####.com
- 2####.h####.com
- 3####.h####.com
- 4####.h####.com
- PCVId####.t####.M####.COm
- PcVID####.T####.m####.CoM
- a####.u####.com
- api####.a####.com
- au.u####.co
- au.u####.com
- av####.h####.com
- com####.hun####.com
- d####.t####.m####.com
- e####.h####.com
- geo.gridsum####.com
- i1.hun####.com
- i2.hun####.com
- i5.hun####.com
- imgal####.res.m####.com
- log.v2.hun####.com
- mo####.api.hun####.com
- mo####.log.hun####.com
- oc.u####.com
- pCVID####.t####.M####.Com
- pCVId####.t####.M####.coM
- pCvID####.T####.M####.COM
- pcViD####.T####.M####.CoM
- pcvID####.T####.M####.CoM
- rc.mpp.hun####.com
- s####.t####.i####.tv
- secure####.imrworl####.com
- ta.tt.031####.com
- x.da.hun####.com
- y.da.hun####.com
Запросы HTTP GET:
- 0####.h####.i####.tv/preview/cms_icon/2018/02/20180214131543772.jpg
- 0####.h####.i####.tv/preview/cms_icon/2018/04/20180419162707986.jpg
- 0####.h####.i####.tv/preview/cms_icon/2018/05/20180518233621776.jpg
- 0####.h####.i####.tv/preview/cms_icon/2018/05/20180519224239575.jpg
- 0####.h####.i####.tv/preview/sp_images/2017/zongyi/316387/4094151/201709...
- 0####.h####.i####.tv/preview/sp_images/2018/dianshiju/318353/4402803/201...
- 0####.h####.i####.tv/preview/sp_images/2018/dianying/322759/4399397/2018...
- 0####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4334034/201803...
- 0####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4348944/201804...
- 0####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4375199/201805...
- 1####.h####.i####.tv/preview/cms_icon/2018/04/20180419162932620.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/05/20180502105516320.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/05/20180516154155030.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/05/20180518113748077.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/05/20180521100453351.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/05/20180523153946435.jpg
- 1####.h####.i####.tv/preview/sp_images/2017/zongyi/317650/4231169/201712...
- 1####.h####.i####.tv/preview/sp_images/2018/dianshiju/318353/4402754/201...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4358204/201804...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4367889/201804...
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/lianzai.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/teji.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/vipmian.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/yugao.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/vip_v_icon.png
- 3####.h####.i####.tv/p1/20161111/161659711C.png
- 3####.h####.i####.tv/p1/20161216/1508155487C.png
- 3####.h####.i####.tv/preview/cms_icon/2018/04/20180419162952479.jpg
- 3####.h####.i####.tv/preview/cms_icon/2018/05/20180515150145888.jpg
- 3####.h####.i####.tv/preview/cms_icon/2018/05/20180518160739243.jpg
- 3####.h####.i####.tv/preview/cms_icon/2018/05/20180521114540027.jpg
- 3####.h####.i####.tv/preview/cms_icon/2018/05/20180521171610316.jpg
- 3####.h####.i####.tv/preview/cms_icon/2018/05/20180522100951986.jpg
- 3####.h####.i####.tv/preview/cms_icon/2018/05/20180522182327784.jpg
- 3####.h####.i####.tv/preview/cms_icon/2018/05/20180523001049358.jpg
- 3####.h####.i####.tv/preview/cms_icon/2018/05/20180523154945944.jpg
- 3####.h####.i####.tv/preview/sp_images/2017/dianying/317416/4181832/2017...
- 3####.h####.i####.tv/preview/sp_images/2018/dianshiju/318353/4402753/201...
- 3####.h####.i####.tv/preview/sp_images/2018/dianshiju/318353/4402814/201...
- 3####.h####.i####.tv/preview/sp_images/2018/dianshiju/322425/4400888/201...
- 3####.h####.i####.tv/preview/sp_images/2018/dianying/316999/4282929/2018...
- 3####.h####.i####.tv/preview/sp_images/2018/zongyi/321331/4246160/201801...
- 3####.h####.i####.tv/preview/sp_images/2018/zongyi/322562/4341637/201804...
- 4####.h####.com.####.com/preview/cms_icon/2018/04/20180419163004223.jpg
- 4####.h####.com.####.com/preview/cms_icon/2018/05/20180502143332414.jpg
- 4####.h####.com.####.com/preview/cms_icon/2018/05/20180504154136152.jpg
- 4####.h####.com.####.com/preview/cms_icon/2018/05/20180518221247841.jpg
- 4####.h####.com.####.com/preview/cms_icon/2018/05/20180523100311591.jpg
- 4####.h####.com.####.com/preview/cms_icon/2018/05/20180523145523448.jpg
- com####.hun####.com/mobile_comment/top?userId=####&osVersion=####&subjec...
- d####.t####.m####.com/vod.do?pm=####&fid=####&gsid=####
- e####.h####.com.####.com/0/8c5a31e7/b6tpo1n6jlt7t174jptg?x-oss-process=#...
- e####.h####.com.####.com/2/mava2_ks3GJDjicK77mBxuVuR7t5wGvlF34Tnx.jpg
- e####.h####.com.####.com/2/mava2_pkkcCwcv3hcpPuAGBcrU5fl0Y6d0pDHA.jpg
- e####.h####.com.####.com/2/mava2_zYO744Wjz7EslZLS5VZ8CxxU9CxhmUzb.jpg
- e####.h####.com.####.com/5/24402b24/b6tvanun9l2094gmbsi0?x-oss-process=#...
- e####.h####.com.####.com/5/4b35b24b/WOUqXpzZyWKe0qLx?x-oss-process=####
- e####.h####.com.####.com/5/7c4b9c6f/bbl7g26n9l258vjlkmf0?x-oss-process=#...
- e####.h####.com.####.com/5/8aa95057/b75rjftmugg6e6p1t3i0?x-oss-process=#...
- e####.h####.com.####.com/5/c955c8e6/b87a60un9l258vigr2jg?x-oss-process=#...
- e####.h####.com.####.com/5/d8430779/b3v9uc6n9l22ma4sh0dg?x-oss-process=#...
- e####.h####.com.####.com/5/ed2fa6bc/b5rhpalmugg8nvtvg2e0?x-oss-process=#...
- e####.h####.com.####.com/5/f6402f9e/WOT-_pzZyWKesMuF?x-oss-process=####
- e####.h####.com.####.com/6/18af8fc7/b454i9en9l22ma4ut3ag?x-oss-process=#...
- e####.h####.com.####.com/6/58c7fd3f/WOUm65zZyWKe0A8C?x-oss-process=####
- e####.h####.com.####.com/6/72b2603f/bbms8ntmugg6k8m2cf1g?x-oss-process=#...
- e####.h####.com.####.com/6/788c95a8/b95alj5mugg6e6pmrfn0?x-oss-process=#...
- e####.h####.com.####.com/6/82593d76/b8nopttmugg6e6pho6k0?x-oss-process=#...
- e####.h####.com.####.com/6/ca539899/b5qtb5lmugg8pblouns0?x-oss-process=#...
- e####.h####.com.####.com/IiBLPEhEJXVcSxja9kJiG5lpp9AqVC.jpg?x-oss-proces...
- e####.h####.com.####.com/N1EAs1EMR87bI0IiGW0MKES3oZHfn2.jpg?x-oss-proces...
- geo.gridsum####.com/v2/g.aspx
- mo####.api.hun####.com/channel/getDetail?userId=####&osVersion=####&devi...
- mo####.api.hun####.com/channel/getList?userId=####&osVersion=####&device...
- mo####.api.hun####.com/channel/getWPDetail?userId=####&osVersion=####&de...
- mo####.api.hun####.com/comment/read?userId=####&osVersion=####&device=##...
- mo####.api.hun####.com/mobile/getCategorys?userId=####&osVersion=####&de...
- mo####.api.hun####.com/mobile/getRsaKey
- mo####.api.hun####.com/mobile/iconLink?userId=####&osVersion=####&device...
- mo####.api.hun####.com/mobile/loadimage?userId=####&osVersion=####&devic...
- mo####.api.hun####.com/search/hotWords
- mo####.api.hun####.com/user/getActivity?userId=####&osVersion=####&devic...
- mo####.api.hun####.com/user/payConfig
- mo####.api.hun####.com/v2/video/getDownloadList?userId=####&osVersion=##...
- mo####.api.hun####.com/v2/video/getMultiplyList?userId=####&osVersion=##...
- mo####.api.hun####.com/v2/video/getShortList?userId=####&osVersion=####&...
- mo####.api.hun####.com/v2/video/getVideoInfo?userId=####&osVersion=####&...
- mo####.api.hun####.com/v3/video/getSource?userId=####&osVersion=####&dev...
- mo####.api.hun####.com/video/getSupport?userId=####&osVersion=####&devic...
- pcvid####.m####.com.####.net/pb/2018/03/20/1080/AEA66B288D3765FDE01E5DB7...
- pcvid####.t####.m####.####.COM/c1/2018/05/21_0/455DD54F9B4B4E80ABE52810E...
- pcvid####.t####.m####.####.COm/c1/2018/05/21_0/455DD54F9B4B4E80ABE52810E...
- rc.mpp.hun####.com/mobile/v1/cms/alike?userId=####&osVersion=####&device...
- rc.mpp.hun####.com/mobile/v1/cms?userId=####&collectionid=####&osVersion...
- secure####.imrworl####.com/cgi-bin/gn?prd=####&ci=####&am=####&at=####&r...
- y.da.hun####.com/app/impression?adid=####&adtotal=####&appver=####&b=###...
Запросы HTTP POST:
- a####.u####.com/app_logs
- apilo####.a####.com/v3/log/init
- mo####.log.hun####.com/data.cgi
- mo####.log.hun####.com/dispatcher.do
- oc.u####.com/check_config_update
- s.wagbr####.alibaba####.com/api/check_app_update
- ta.tt.031####.com/5naknak/e630/p76
- ta.tt.031####.com/5naknak/e630/q76
- x.da.hun####.com/json/app/boot
- x.da.hun####.com/video/player
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jiagu.ls
- /data/data/####/GVD-200054--GSD-200054.xml
- /data/data/####/GridsumCommon.xml
- /data/data/####/ImgoPad-journal
- /data/data/####/MGTVCommon.xml
- /data/data/####/MGTVCommon.xml.bak
- /data/data/####/MV3Plugin.ini
- /data/data/####/_mskankan_r.xml
- /data/data/####/com.hjz.play.kankan.push_sync.xml
- /data/data/####/com.hjz.play.kankan.xml
- /data/data/####/com.urjj.kied.gkv.jar
- /data/data/####/last_know_location.xml
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_cached_com.hjz.play.kankan620
- /data/data/####/mobclick_agent_online_setting_com.hjz.play.kankan.xml
- /data/data/####/playinfo.db-journal
- /data/data/####/plugin-deploy.jar
- /data/data/####/plugin-deploy.key
- /data/data/####/pst.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/media/####/.nomedia
- /data/media/####/12xtsfm9buxlenlmhngfepcni.tmp
- /data/media/####/137gs1g2yy10viecezehaskce.tmp
- /data/media/####/184ggaejlk2ykpudk4vs9hrwd.tmp
- /data/media/####/1ajsbp67str0xkbhzp4ws5djk.tmp
- /data/media/####/21qlmryv8rdt3rekkpw57sicx.tmp
- /data/media/####/22zgpki8bz402qbxiraf0e1m1.tmp
- /data/media/####/26efynr491a897dxtdcralgxz.tmp
- /data/media/####/2abyzxhetggx9n0jtbl3zen4l.tmp
- /data/media/####/2h8uja6n9xz9fvzm7yex512gx.tmp
- /data/media/####/2i5afn92e9p762nfphd73a7yl.tmp
- /data/media/####/2jj7pejv2zrc7dp1ejo6k8nmx.tmp
- /data/media/####/2p0ixet20a1n0bzbi61julgij.tmp
- /data/media/####/2ttoymp5mf05v3tp3hp4pxp54.tmp
- /data/media/####/2zqnry7do0ook6j548ho7mirl.tmp
- /data/media/####/34e6tdtyl7i6opkbez8c9mqn.tmp
- /data/media/####/39dbll9i34u007qgoacvjmqnx.tmp
- /data/media/####/3a1c0b166ef1v3t26p3xtodva.tmp
- /data/media/####/3eznw0c7j3j547nqdedqv07e7.tmp
- /data/media/####/3j6ej2hunnl986fdtnacmdr8q.tmp
- /data/media/####/3ky8j7c23fegki46dlx0h9vqs.tmp
- /data/media/####/3o4zrtgv5uiz1012er7uaf7j4.tmp
- /data/media/####/3qw01vjjoegf1gmlfwrkmk6pf.tmp
- /data/media/####/3t14ytzdn08tjjuls7h4q4hu0.tmp
- /data/media/####/3te88oypizfnnc014s7jka21o.tmp
- /data/media/####/40f9h6x35sotpy3axvcgetxbe.tmp
- /data/media/####/42bbl46krln92q2dfd77l3bxx.tmp
- /data/media/####/44wlj93rau0x5woahku3xkmrb.tmp
- /data/media/####/47zgajojvetaum1xih1qebffw.tmp
- /data/media/####/487wmg9vgnl502aeiy4vajuzw.tmp
- /data/media/####/4dlaabu4t9efm12ztph7r1hcp.tmp
- /data/media/####/4exgj5d1vytqgff3dagkj76d7.tmp
- /data/media/####/4nnwebtbo6xyj8l6v59g1rfw5.tmp
- /data/media/####/4pzew9avvnoe6m2phsl5uxnkb.tmp
- /data/media/####/4sc8ew6snnafaq4sb2s7pqhij.tmp
- /data/media/####/4tpze2wxwc7lok7o9p4ezd1cb.tmp
- /data/media/####/4v8skioiw0boqtepuvq8ljf6b.tmp
- /data/media/####/4yh7a885r9l39chbs654j3mdj.tmp
- /data/media/####/507np9inkavvm85nwoet0k36o.tmp
- /data/media/####/52tve34x41knie4pgvymd08pa.tmp
- /data/media/####/544a1efelny0ncsucj1k4997.tmp
- /data/media/####/5b1g1nmsix6gdp89a0wopxfww.tmp
- /data/media/####/5cp598bond37juqhx4v36zta4.tmp
- /data/media/####/5ern7dboy5nd2jkup799fqi1t.tmp
- /data/media/####/5hlwwobu07phq58j7gp19yqel.tmp
- /data/media/####/5qn6jas4yo0piml3g0ajljrtr.tmp
- /data/media/####/5v9v7tr014zuiqu59q5jlwnmt.tmp
- /data/media/####/603bztj77mpjmqnf0ofzvsbgj.tmp
- /data/media/####/6222ama7gjx4t0h87w10iirv4.tmp
- /data/media/####/6bsxw5n4qd173he0lp7vkqvfz.tmp
- /data/media/####/6bz5a3nx1pdawfpodnnyinrz2.tmp
- /data/media/####/6c4nkc98j9ptfpumbx9iwcag2.tmp
- /data/media/####/6ed2c8d99svjvtazxgce6pnms.tmp
- /data/media/####/6iks30tsn6vuny9n5zh6cz6zv.tmp
- /data/media/####/6k9v1h8fmtzppn3dvm7n4c4e6.tmp
- /data/media/####/6kuesicbql1x8yozpbzu8qrw9.tmp
- /data/media/####/6sf40xh7z714g54xu3g11et6y.tmp
- /data/media/####/6xt5kmr1vd4cwpssw60w784nk.tmp
- /data/media/####/77zqe4fg1atzb520sif1bvp9d.tmp
- /data/media/####/797u8xocjun403p8bmr0snc0z.tmp
- /data/media/####/79tsukqekd7pnf6a3jfrdnniu.tmp
- /data/media/####/7e4wrg1sj45hxoec8x5l0bk0d.tmp
- /data/media/####/7j5167irgxcldgj5q6e8s6oea.tmp
- /data/media/####/dl58eqbdfcqpvsunzbnlq2gn.tmp
- /data/media/####/fmx2sv8rc314u0rs9uxzi73c.tmp
- /data/media/####/journal.tmp
- /data/media/####/l7gfxt6hxxpky61nv6l7gn0u.tmp
- /data/media/####/oapacwyc1uxizwsp8npx2xkn.tmp
- /data/media/####/oq5c2p789fmkfuuv92fdw4kj.tmp
- /data/media/####/re6lp3k16kbcnlr76txy461u.tmp
- /data/media/####/tcbexj0akfwbr5buhtv18u96.tmp
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /proc/cpuinfo
Загружает динамические библиотеки:
- bspatch
- libjiagu
- libmv3_common
- libmv3_jni
- libmv3_jni_4.0
- libmv3_mpplat
- libmv3_platform
- libmv3_playerbase
Использует следующие алгоритмы для шифрования данных:
- AES-ECB-PKCS5Padding
- DES
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- DES
- RSA-ECB-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
