Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Gexin.1.origin
- Android.DownLoader.683.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) app.onetwo####.top.####.com:80
- TCP(HTTP/1.1) tq.18t####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) res-lay####.b0.a####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) nsc####.b####.com:80
- TCP(HTTP/1.1) mzst####.com.edg####.net:80
- TCP(HTTP/1.1) tinyqi####.b0.a####.com:80
- TCP(HTTP/1.1) s####.jom####.com:80
- TCP(HTTP/1.1) 1####.76.224.67:80
- TCP(HTTP/1.1) st####.an####.org:80
- TCP(HTTP/1.1) www.go####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) cdn.game####.org:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(TLS/1.0) h####.b####.com.####.com:443
- TCP(TLS/1.0) k####.onetwo####.top:443
Запросы DNS:
- a####.u####.com
- a2.mzst####.com
- a3.mzst####.com
- a5.mzst####.com
- api.18t####.com
- api.s####.b####.com
- app.onetwo####.top
- b####.s####.b####.com
- bbs.18t####.com
- c.c####.com
- cdn.game####.org
- cdn.static####.org
- g####.18t####.com
- h####.b####.com
- h####.c####.com
- hm.b####.com
- is1.mzst####.com
- is3.mzst####.com
- is4.mzst####.com
- is5.mzst####.com
- k####.onetwo####.top
- m.18t####.com
- nsc####.b####.com
- old.18t####.com
- pass####.18t####.com
- qn.18t####.com
- r####.wx.qq.com
- res.l####.com
- s11.c####.com
- st####.an####.org
- tq.18t####.com
- www.18t####.com
- www.go####.com
Запросы HTTP GET:
- app.onetwo####.top.####.com/
- app.onetwo####.top.####.com/?dk=####&ak=####&from=####&pa=####&pc=####
- app.onetwo####.top.####.com/?dk=####&ak=####&from=####&pa=####&pc=####&o...
- app.onetwo####.top.####.com/?os=####
- app.onetwo####.top.####.com/?platform=####&bundle=####
- app.onetwo####.top.####.com/Public/Mobile/css/index.css?t=####
- app.onetwo####.top.####.com/Public/Mobile/images/gametest8.png
- app.onetwo####.top.####.com/Public/Mobile/images/home_play.png
- app.onetwo####.top.####.com/Public/Mobile/images/logo.png?t=####
- app.onetwo####.top.####.com/Public/Mobile/images/m18touch.png
- app.onetwo####.top.####.com/Public/Mobile/images/menuButton2.png
- app.onetwo####.top.####.com/Public/Mobile/images/searchButton2.png
- app.onetwo####.top.####.com/Public/Mobile/images/share-icon/QQ.png
- app.onetwo####.top.####.com/Public/Mobile/images/share-icon/kj.png
- app.onetwo####.top.####.com/Public/Mobile/images/share-icon/wb.png
- app.onetwo####.top.####.com/Public/Mobile/images/share-icon/wx.png
- app.onetwo####.top.####.com/Public/Mobile/images/web_content_loading.png
- app.onetwo####.top.####.com/Public/Mobile/js/chw-photoview-mobile.js
- app.onetwo####.top.####.com/Public/Mobile/js/com.js?t=####
- app.onetwo####.top.####.com/Public/Mobile/js/mobile-detail.js?v=####
- app.onetwo####.top.####.com/Public/Mobile/js/touch.js
- app.onetwo####.top.####.com/Public/Mobile/js/touchLoad.js
- app.onetwo####.top.####.com/Public/Mobile/js/zepto.min.js
- app.onetwo####.top.####.com/Public/Mobile/js/zeptoModules/fx.js
- app.onetwo####.top.####.com/Public/Mobile/js/zeptoModules/fx_methods.js
- app.onetwo####.top.####.com/Public/Mobile/js/zeptoModules/selector.js
- app.onetwo####.top.####.com/Public/Mobile/js/zeptoModules/zepto.lazyload...
- app.onetwo####.top.####.com/Public/css/bootstrap.min.css
- app.onetwo####.top.####.com/Public/css/common.css
- app.onetwo####.top.####.com/Public/css/css.css?v=####
- app.onetwo####.top.####.com/Public/css/index-mod/index-top-gallery.css
- app.onetwo####.top.####.com/Public/css/index-mod/nav-game.css?_n=####
- app.onetwo####.top.####.com/Public/css/index-mod/zhuanqu-mod.css?v=####
- app.onetwo####.top.####.com/Public/css/nprogress.css?t=####
- app.onetwo####.top.####.com/Public/css/part.css
- app.onetwo####.top.####.com/Public/css/topBar.css?v=####
- app.onetwo####.top.####.com/Public/images/18touch-lazy-img.png
- app.onetwo####.top.####.com/Public/images/logo-transparent.png?t=####
- app.onetwo####.top.####.com/Public/images/qqkj.png
- app.onetwo####.top.####.com/Public/images/txwb.png
- app.onetwo####.top.####.com/Public/images/xlwb.png
- app.onetwo####.top.####.com/Public/js/index-mod/nav-game.js
- app.onetwo####.top.####.com/Public/js/index-mod/zhuan-mod.js
- app.onetwo####.top.####.com/Public/js/jquery.lazyload.min.js?t=####
- app.onetwo####.top.####.com/Public/js/jquery.min.js
- app.onetwo####.top.####.com/Public/js/layer/skin/layer.css
- app.onetwo####.top.####.com/Public/js/mobile/common/iscroll.min-5.1.3.js
- app.onetwo####.top.####.com/Public/js/sea.js
- app.onetwo####.top.####.com/Public/js/seajs-widget/topBar_new.js?v=####
- app.onetwo####.top.####.com/api/gg/cat/?g=####&id=####&pkg=####&os=####&...
- app.onetwo####.top.####.com/api/gg/index/?g=####&pkg=####&os=####&suppor...
- app.onetwo####.top.####.com/api/l/helpers/?pkg=####&os=####&support=####...
- app.onetwo####.top.####.com/favicon.ico
- app.onetwo####.top.####.com/qycnlzz-003.html
- app.onetwo####.top.####.com/swenjian/ac
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/stat.php?id=####&web_id=####
- cdn.game####.org/strategy/UnknownDev
- cdn.game####.org/strategy/base
- cdn.game####.org/strategy/dev_root
- cdn.game####.org/strategy/dev_root2
- cdn.game####.org/strategy/larger4.3
- cdn.game####.org/strategy/loss_4.3
- cdn.game####.org/strategy/sul18
- cdn.game####.org/strategy/symlink-adbd
- hm.b####.com/h.js?50d28fd####
- hm.b####.com/h.js?6b0d092####
- hm.b####.com/h.js?ff598de####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&ep=####&et=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=793&et=0&ja=0&ln=e...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=883&ep=7400,7401&e...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=883&ep=7434,7434&e...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=883&ep={"netAll":0...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=883&et=0&ja=0&ln=e...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=923&ep=7002,7002&e...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=923&ep={"netAll":0...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=923&et=0&ja=0&ln=e...
- hm.b####.com/hm.js?6b0d092####
- mzst####.com.edg####.net/us/r30/Purple60/v4/dd/01/9c/dd019cec-7bd3-880d-...
- nsc####.b####.com/v.gif?pid=####&type=####&sign=####&desturl=####&linkid...
- nsc####.b####.com/v.gif?pid=307&type=3075&l=3037&t=0&s=1011&v=883&f=3000...
- res-lay####.b0.a####.com/lay/lib/layer/1.8.5/layer.min.js
- s####.jom####.com/static/api/css/share_style1_24.css
- s####.jom####.com/static/api/img/share/icons_1_24.png?v=####
- s####.jom####.com/static/api/js/base/tangram.js?v=####
- s####.jom####.com/static/api/js/component/partners.js?v=####
- s####.jom####.com/static/api/js/share.js?v=89860593.js?cdnversion=####
- s####.jom####.com/static/api/js/share/api_base.js
- s####.jom####.com/static/api/js/share/share_api.js?v=####
- s####.jom####.com/static/api/js/trans/logger.js?v=####
- s####.jom####.com/static/api/js/view/share_view.js?v=####
- s####.jom####.com/static/api/js/view/view_base.js
- s####.jom####.com/v.gif
- s####.tc.qq.com/open/js/jweixin-1.0.0.js
- st####.an####.org/static/outer/js/aq_auth.js
- t####.c####.q####.####.com/images/v4/logo.png
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2016-11-20/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2016-12-12/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2017-09-25/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2017-11-13/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2017-11-15/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2017-12-25/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2017-12-28/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2018-01-08/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2018-01-26/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2018-02-01/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2018-02-02/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2018-05-15/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_snap/2018-01-26/5...
- t####.c####.q####.####.com/uploads/20180105/v1_1-8_1515119500603149.jpg?...
- t####.c####.q####.####.com/uploads/20180109/v1_1-8_1515495070124281.jpg?...
- t####.c####.q####.####.com/uploads/20180503/1525340073223460.jpg?imageVi...
- t####.c####.q####.####.com/uploads/20180516/1526465565589472.jpg?imageVi...
- t####.c####.q####.####.com/uploads/20180521/1526873721210250.jpg?imageVi...
- t####.c####.q####.####.com/uploads/20180522/1526971269444265.jpg?imageVi...
- t####.c####.q####.####.com/uploads/20180523/1527046485783305.jpg?imageVi...
- t####.c####.q####.####.com/uploads/20180529/1527565166831938.jpg
- t####.c####.q####.####.com/uploads/20180529/1527565178823992.jpg
- t####.c####.q####.####.com/uploads/20180529/1527565185326051.jpg
- t####.c####.q####.####.com/uploads/20180529/1527565196997310.jpg
- t####.c####.q####.####.com/uploads/20180529/1527565201959901.jpg
- t####.c####.q####.####.com/uploads/20180529/1527565201959901.jpg?imageVi...
- t####.c####.q####.####.com/uploads/20180529/v1_1-8_1527565170842781.jpg?...
- t####.c####.q####.####.com/uploads/20180529/v1_1-8_1527566148146283.jpg?...
- t####.c####.q####.####.com/uploads/20180529/v1_1-8_1527582717706900.jpg?...
- t####.c####.q####.####.com/uploads/20180529/v1_1-8_1527583810797363.jpg?...
- tinyqi####.b0.a####.com/jquery/1.11.1/jquery.min.js
- tinyqi####.b0.a####.com/nprogress/0.1.6/nprogress.min.js
- tinyqi####.b0.a####.com/seajs/2.3.0/sea.js
- tinyqi####.b0.a####.com/underscore.js/1.7.0/underscore-min.js
- tq.18t####.com/?dk=####&ak=####&from=####&pa=####&pc=####
- tq.18t####.com/Proxy.html
- tq.18t####.com/game/10319292.html
- tq.18t####.com/index.php?c=####&a=####&all=####&g=####&pkg=####&os=####&...
- tq.18t####.com/index.php?c=####&a=####&all=####&isgg=####&g=####&id=####...
- tq.18t####.com/m/gdetail/10319292.html
- tq.18t####.com/public/css/box2/box-allpage.css?v=####
- tq.18t####.com/public/css/box2/box-public.css?v=####
- tq.18t####.com/public/css/v3/game-detail.css
- tq.18t####.com/public/css/v3/game-lists.css?v=####
- tq.18t####.com/public/css/v3/game-zhuan.css
- tq.18t####.com/public/css/v3/idangerous.swiper.css
- tq.18t####.com/public/css/v3/m/common.css?v=####
- tq.18t####.com/public/css/v3/m/detail.css?v=####
- tq.18t####.com/public/css/v3/m/public.css?v=####
- tq.18t####.com/public/css/v3/m/swiper-3.3.1.min.css
- tq.18t####.com/public/css/v3/reset.css
- tq.18t####.com/public/css/v3/xiaopi.css
- tq.18t####.com/public/images/v3/m/bg_Fix_sand_blur.png
- tq.18t####.com/public/images/v3/m/bg_apha_black_2_36x36.jpg
- tq.18t####.com/public/images/v3/m/btn_comment_float.png
- tq.18t####.com/public/images/v3/m/btn_topbar_back.png
- tq.18t####.com/public/images/v3/m/icon_app_wanju.png
- tq.18t####.com/public/images/v3/m/icon_down_48x48.png
- tq.18t####.com/public/images/v3/m/icon_like_normal.png
- tq.18t####.com/public/images/v3/m/icon_topbar_user.png
- tq.18t####.com/public/js/box_v2/lightbox.js
- tq.18t####.com/public/js/v3/idangerous.swiper.js
- tq.18t####.com/public/js/v3/jquery-1.7.2.min.js
- tq.18t####.com/public/js/v3/jquery.scrollbar.js
- tq.18t####.com/public/js/v3/jquery.slider.js
- tq.18t####.com/public/js/v3/m/detail.js?v=####
- tq.18t####.com/public/js/v3/m/lib/handlebars.js
- tq.18t####.com/public/js/v3/m/lib/iscroll.js
- tq.18t####.com/public/js/v3/m/lib/jquery-1.8.3.min.js
- tq.18t####.com/public/js/v3/m/lib/swiper-3.3.1.jquery.min.js
- tq.18t####.com/public/js/v3/m/lib/touch-0.2.14.min.js
- tq.18t####.com/public/js/v3/m/popupJs.js
- tq.18t####.com/public/js/v3/m/util.js
- tq.18t####.com/public/js/v3/public.js
- tq.18t####.com/public/js/v3/sea.js
- tq.18t####.com/public/js/v3/xiaopi.js
- tq.18t####.com/roomapi/TalkRoom?platform=####&bundle=####
- tq.18t####.com/static/js/loginWidget/login.js
- tq.18t####.com/static/js/public/jquery.min.js
- tq.18t####.com/user/my?t=####
- www.go####.com/complete/search?hl=####&client=####&q=####
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
- z.c####.com/stat.htm?id=4570889&r=http://m.18touch.com/?dk=####&ak=####&...
- z.c####.com/stat.htm?id=4570889&r=http://m.18touch.com/?os=####&lg=####&...
- z.c####.com/stat.htm?id=4570889&r=http://www.18touch.com/?dk=####&ak=###...
Запросы HTTP POST:
- a####.u####.com/app_logs
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/1740c449fc10be62df60ba0f18696c9f
- /data/data/####/1b327216-166f-4fba-88b6-c96e99f44c05
- /data/data/####/1e1ce7ab-8dcc-4cd2-8133-6ab6660ddba7
- /data/data/####/32edd79a240b5f1e461d069caab1ec3e
- /data/data/####/48bd2984-be02-4e89-91fc-06e9b79c8382
- /data/data/####/50269669-691b-4f02-97a0-cca986bd10d5
- /data/data/####/5222143a-6e9b-4724-bfe7-572d31b87d97.jar
- /data/data/####/7e7bde00-6789-48c5-810f-7a19adf0a8bd
- /data/data/####/80ac0a71-9645-402b-b1cb-b91cb1928751
- /data/data/####/8b6f263391259b7a8e5f58ee71852ca8
- /data/data/####/9ee010f2-6ae9-4137-a3a1-ec01a8855f36
- /data/data/####/JbkService.jar
- /data/data/####/JbkService.xml
- /data/data/####/Matrix
- /data/data/####/OcActivity.xml
- /data/data/####/SUBOXLOG_
- /data/data/####/b0141e478b25af7c40a8cca8de6c4708
- /data/data/####/b18a021d11a3004d25017230b681476b
- /data/data/####/banner.xml
- /data/data/####/c61913b615fb6224701377a119081f36
- /data/data/####/channel_10000.xml
- /data/data/####/channel_2.xml
- /data/data/####/com.wygs.ghob_preferences.xml
- /data/data/####/config.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/ddexe
- /data/data/####/debuggerd
- /data/data/####/device.db
- /data/data/####/ebn.xml
- /data/data/####/ed69dbd3-2a9e-4c0d-a80a-269b21bb389c
- /data/data/####/f632125b-4766-44a3-b28e-dc305d2e02e6
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/f_00001f
- /data/data/####/f_000020
- /data/data/####/f_000021
- /data/data/####/f_000022
- /data/data/####/f_000023
- /data/data/####/f_000024
- /data/data/####/f_000025
- /data/data/####/f_000026
- /data/data/####/f_000027
- /data/data/####/f_000028
- /data/data/####/fileWork
- /data/data/####/index
- /data/data/####/install-recovery.sh
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_header_com.wygs.ghob.xml
- /data/data/####/mobclick_agent_state_com.wygs.ghob.xml
- /data/data/####/openudid_prefs.xml
- /data/data/####/pidof
- /data/data/####/pqwn.db-journal
- /data/data/####/root3
- /data/data/####/su
- /data/data/####/supolicy
- /data/data/####/toolbox
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/wsroot.sh
- /data/media/####/.nomedia
- /data/media/####/app.css
- /data/media/####/app.js
- /data/media/####/d12a1e62ea121a6c3eeee739dcbc395d.temp
- /data/media/####/duoshuo.css
- /data/media/####/jquery-2.1.0.min.js
- /data/media/####/jquery.lazyload.min.js
- /data/media/####/loading.png
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 777 Matrix ddexe debuggerd device.db fileWork install-recovery.sh pidof root3 su supolicy toolbox wsroot.sh
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox wsroot.sh
- sh
Загружает динамические библиотеки:
- libjiagu
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
