Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.127.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) b####.shoujid####.com.####.com:80
- TCP(HTTP/1.1) k####.ks####.com.####.com:80
- TCP(HTTP/1.1) www.so####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) cdnb####.shoujid####.com.####.com:80
- TCP(HTTP/1.1) mo####.b####.com:80
- TCP(HTTP/1.1) mfs.y####.com:80
- TCP(HTTP/1.1) bo####.shoujid####.com.####.com:80
- TCP(TLS/1.0) mfs.y####.com:443
- TCP(TLS/1.0) aserver####.m.ta####.com:443
Запросы DNS:
- a####.u####.com
- a.appj####.com
- api.y####.com
- b####.shoujid####.com
- babyv####.k####.ks####.com
- bo####.shoujid####.com
- cdnb####.shoujid####.com
- mo####.b####.com
- r1.y####.com
- r2.y####.com
- r3.y####.com
- www.so####.com
Запросы HTTP GET:
- b####.shoujid####.com.####.com/bb/video/pic/10000029.jpg
- b####.shoujid####.com.####.com/bb/video/pic/10000035.jpg
- bo####.shoujid####.com.####.com/json-api/v1/duoduo-ring/pic/20000081.jpg
- bo####.shoujid####.com.####.com/json-api/v1/duoduo-ring/pic/20000174.jpg
- bo####.shoujid####.com.####.com/json-api/v1/duoduo-ring/pic/20000212.jpg
- cdnb####.shoujid####.com.####.com/bb/book/20001837/20001837_s.jpg
- cdnb####.shoujid####.com.####.com/bb/book/20001933/20001933_s.jpg
- cdnb####.shoujid####.com.####.com/bb/book/20002209/20002209_s.jpg
- cdnb####.shoujid####.com.####.com/bb/book/20002210/20002210_s.jpg
- cdnb####.shoujid####.com.####.com/bb/book/20002212/20002212_s.jpg
- cdnb####.shoujid####.com.####.com/bb/book/20002213/20002213_s.jpg
- cdnb####.shoujid####.com.####.com/bb/book/20002215/20002215_s.jpg
- cdnb####.shoujid####.com.####.com/bb/book/20002218/20002218_s.jpg
- cdnb####.shoujid####.com.####.com/bb/book/20002232/20002232_s.jpg
- cdnb####.shoujid####.com.####.com/bb/book/20002234/20002234_s.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478122411691.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478125904776.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478140231788.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478170275471.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478176161666.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478179802098.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478180363188.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478185168395.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478276674046.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478315489429.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478332732366.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478334893776.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478408728032.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478409479956.jpg
- k####.ks####.com.####.com/NewAdmin/screnshot/20151118/14478410268833.jpg
- k####.ks####.com.####.com/NewAdmin/video/images/20150814/97913f7c9e0c2bf...
- k####.ks####.com.####.com/NewAdmin/video/images/20150922/c36f28e56913b58...
- k####.ks####.com.####.com/video/image/62d7a63ccb554ad2c5efc6a7fde49b6a.jpg
- k####.ks####.com.####.com/video/image/a9b25fc24a9a41610815c131d190a715.png
- k####.ks####.com.####.com/video/image/c5c02c238ee2a9691101083cfa01f18d.png
- k####.ks####.com.####.com/video/image/fe80fd376a588f4b26cec2770bfdddcd.jpg
- k####.ks####.com.####.com/video/image/fenshuajiang.png
- k####.ks####.com.####.com/video/image/liangzhilaohu.png
- k####.ks####.com.####.com/video/image/shuyazi.png
- k####.ks####.com.####.com/video/image/wangxianshengyoukuaidi.png
- k####.ks####.com.####.com/video/image/xiaoxingxing.png
- k####.ks####.com.####.com/video/image/xiaoyanzi.png
- k####.ks####.com.####.com/video/image/xinnianhao.png
- k####.ks####.com.####.com/video/image/yangwawahexiaoxiongtiaowu.png
- k####.ks####.com.####.com/video/image/yaolanqu.png
- k####.ks####.com.####.com/video/image/zhunishengrikuaile.png
- mfs.y####.com/050C000051B6F7296758396FB001AEE2
- mfs.y####.com/050C000051B6FB1767583975320CA91B
- mfs.y####.com/050C000051B7017C67583972EF0940C6
- mfs.y####.com/050C00005201ADB267583904EF0AA2CC
- mfs.y####.com/050C000052131F926758396B37003A48
- mfs.y####.com/050C00005257738F675839102A0B3D86
- mfs.y####.com/050C0000530EF71D675839766604D34F
- mfs.y####.com/050C000054F9733D67379F1DDE0AB185
- mfs.y####.com/050C0000556FC5D467BC3C12E002BF0A
- mo####.b####.com/ads/pa/__pasys_remote_banner.jar
- mo####.b####.com/ads/pa/__pasys_remote_banner.php?v=####&tp=####&os=####...
- www.so####.com/dync/baidusdkv2.jar
- www.so####.com/factory/appadsdk.php?pkg=####&v=####
- www.so####.com/factory/appplaylist.php?p=####&pl=####&kw=####&v=####&pag...
- www.so####.com/factory/appupgrade.php?pkg=####&v=####
- www.so####.com/factory/box-playlink.php?vid=####&type=####&chan=####&vc=...
- www.so####.com/factory/box-playlistItemData.php?p=####&pl=####&kw=####&v...
- www.so####.com/factory/mobile_erge.php?pkg=####&v=####
Запросы HTTP POST:
- a####.u####.com/app_logs
- a.appj####.com/ad-service/ad/mark
- a.appj####.com/jiagu/check/upgrade
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-469817336
- /data/data/####/.jg.ic
- /data/data/####/1876306498
- /data/data/####/1981964500
- /data/data/####/452866246
- /data/data/####/561284716
- /data/data/####/98404
- /data/data/####/PlayerUIApk.apk
- /data/data/####/__pasys_remote_banner.jar.beforesign.tm
- /data/data/####/analytics_agent_header_.xml
- /data/data/####/baidusdkv2.jar
- /data/data/####/bebehttp.db-journal
- /data/data/####/com.dotdot.song.mobile.xml
- /data/data/####/com.dotdot.song.mobile_preferences.xml
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_cached_com.dotdot.song.mobile
- /data/data/####/mobclick_agent_header_com.dotdot.song.mobile.xml
- /data/data/####/mobclick_agent_state_com.dotdot.song.mobile.xml
- /data/data/####/platform.xml
- /data/data/####/qihoo_jiagu_crash_report.xml
- /data/media/####/-1151559805.tmp
- /data/media/####/-1343247873.tmp
- /data/media/####/-1412014985.tmp
- /data/media/####/-1720217377.tmp
- /data/media/####/-589308865.tmp
- /data/media/####/-698133252.tmp
- /data/media/####/-839370721.tmp
- /data/media/####/-856808257.tmp
- /data/media/####/-883204574.tmp
- /data/media/####/1363337606.tmp
- /data/media/####/177055391.tmp
- /data/media/####/180861852.tmp
- /data/media/####/1820810911.tmp
- /data/media/####/2021307218.tmp
- /data/media/####/2094949263.tmp
- /data/media/####/2117416415.tmp
- /data/media/####/2119884330.tmp
- /data/media/####/224424224.tmp
- /data/media/####/254003923.tmp
- /data/media/####/274190393.tmp
- /data/media/####/497701248.tmp
- /data/media/####/541599647.tmp
- /data/media/####/822407425.tmp
- /data/media/####/930994399.tmp
- /data/media/####/998300788.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/files/libjiagu.so
- mount
Загружает динамические библиотеки:
- cyberplayer-core
- libjiagu
- luajava
- sunpake
Использует следующие алгоритмы для расшифровки данных:
- RSA-ECB-PKCS1Padding
- desede-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
