Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Panda.2.origin
- Adware.Panda.3.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) st####.p####.net####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) b####.163.com:80
- TCP(HTTP/1.1) 5hru182####.wsclou####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) m.l####.net####.com:80
- TCP(HTTP/1.1) cgi.con####.qq.com:80
- TCP(TLS/1.0) r####.163.com:443
- TCP and####.p####.126.net:6002
- TCP h02.b####.163.com:16163
Запросы DNS:
- a####.u####.com
- a.appj####.com
- and####.p####.126.net
- b####.163.com
- bobo-pu####.n####.127.net
- cgi.con####.qq.com
- h02.b####.163.com
- l####.b####.163.com
- m.l####.net####.com
- mr.da.net####.com
- pr.da.net####.com
- r####.163.com
- st####.p####.net####.com
- www.b####.com
Запросы HTTP GET:
- 5hru182####.wsclou####.com/anchor_1458698163416_35678755.jpg
- 5hru182####.wsclou####.com/anchor_1460327129733_61381093.jpg
- 5hru182####.wsclou####.com/anchor_1461414183732_88869939.jpg
- 5hru182####.wsclou####.com/anchor_1466651112606_61213528.jpg
- 5hru182####.wsclou####.com/anchor_1471910437604_63531527.jpg
- 5hru182####.wsclou####.com/anchor_1472654311335_52977312.jpg
- 5hru182####.wsclou####.com/anchor_1472800094873_82264602.jpg
- 5hru182####.wsclou####.com/anchor_1475332657404_85080499.jpg
- 5hru182####.wsclou####.com/anchor_1476721031856_91855741.jpg
- 5hru182####.wsclou####.com/anchor_1476793455372_58076626.jpg
- 5hru182####.wsclou####.com/anchor_1477535706304_45217256.jpg
- 5hru182####.wsclou####.com/anchor_1481613382299_94497014.jpg
- 5hru182####.wsclou####.com/anchor_1487812959759_36990649.jpg
- 5hru182####.wsclou####.com/anchor_1492613757269_74498082.jpg
- 5hru182####.wsclou####.com/anchor_1493199008568_55111070.jpg
- 5hru182####.wsclou####.com/anchor_1495557432505_58770920.jpg
- 5hru182####.wsclou####.com/anchor_1497484228634_79663305.jpg
- 5hru182####.wsclou####.com/anchor_1497930507511_89947967.jpg
- 5hru182####.wsclou####.com/anchor_1497967234082_51441638.jpg
- 5hru182####.wsclou####.com/anchor_1498477391528_70838057.jpg
- 5hru182####.wsclou####.com/anchor_1501042995023_34322903.jpg
- 5hru182####.wsclou####.com/anchor_1502977222399_20041040.jpg
- 5hru182####.wsclou####.com/anchor_1506179299017_60022255.jpg
- 5hru182####.wsclou####.com/anchor_1524415641934_16037887.jpg
- 5hru182####.wsclou####.com/bobo_1481167156229_65158755.jpg
- 5hru182####.wsclou####.com/bobo_1500082801350_24880699.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1500536581908_67314819.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1500897063738_50551274.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1500905750709_40929067.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1503056609511_90334524.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1506167433735_89076335.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1509030400332_65615935.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1510910717418_36655710.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1514944519881_55676412.jpeg
- 5hru182####.wsclou####.com/bobo_1521599743324_51216314.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1521603257235_63338473.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1521646884081_30339070.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1521800846887_57039504.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1522756461835_47886806.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1524499576902_19395802.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1524564964256_97885216.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1524740283164_45123532.jpeg
- 5hru182####.wsclou####.com/bobo_1524744678937_47417484.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1524753826198_76352631.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1524961414661_84113972.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1525800891592_76045409.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1525920661161_47127807.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1527345014342_37909592.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1527601290192_36923559.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1528615406873_41691691.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1528885861506_31715481.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1529295189843_19452853.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1529640574432_99158404.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1529662204303_70133469.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1530496063616_88884175.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1530500234050_52877359.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1530526644607_49882061.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1530589508297_18470892.jpg
- 5hru182####.wsclou####.com/bobo_1530600730854_66254342.jpg
- 5hru182####.wsclou####.com/bobo_1530705602635_13992776.jpeg
- 5hru182####.wsclou####.com/bobo_1530889842631_54688023.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1530893821892_70664541.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1530969926219_34546474.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1530975427453_98589913.jpg?image####&qua...
- 5hru182####.wsclou####.com/bobo_1531101433454_85163021.jpg?image####&qua...
- b####.163.com/spe-data/api/validateToken.htm?timestamp=####&token=####&r...
- cgi.con####.qq.com/qqconnectopen/openapi/policy_conf?sdkv=####&appid=###...
- m.l####.net####.com/api/accessToken?type=####
- m.l####.net####.com/chat/message/count.htm?userId=####&token=####&random...
- m.l####.net####.com/loginserver/distribute.do?data=####
- m.l####.net####.com/spe-data/api/anchor_online_count.htm
- m.l####.net####.com/spe-data/api/appRecommendUtil/getRandomRecommendMess...
- m.l####.net####.com/spe-data/api/appRecommendUtil/getRecommendGiftList.h...
- m.l####.net####.com/spe-data/api/appRecommendUtil/getRecommendSendGiftDe...
- m.l####.net####.com/spe-data/api/banner.htm
- m.l####.net####.com/spe-data/api/common-config/get.htm?key=####
- m.l####.net####.com/spe-data/api/index/2.5/anchorList.htm?pageNo=####&pa...
- m.l####.net####.com/spe-data/api/index/2.5/tab_list.htm
- m.l####.net####.com/spe-data/api/punchedCard/getSignSwitchPunchCardValue...
- m.l####.net####.com/spe-data/api/room/getAnchorAndRoomInfo.htm?roomId=####
- m.l####.net####.com/spe-data/api/skin/getPics.htm?source=####&module=####
- m.l####.net####.com/spe-data/api/switch/getStatus.htm?codes=####
- m.l####.net####.com/spe-data/api/timer_game/get_timer.htm?userId=####
- m.l####.net####.com/special/boboandroidyeseversion
- m.l####.net####.com/special/boboandroidyeseversion/
- st####.p####.net####.com/dns/publicIps?domain=####
- st####.p####.net####.com/receiver/?action=####&data=NN####
Запросы HTTP POST:
- a####.u####.com/app_logs
- a.appj####.com/ad-service/ad/mark
- b####.163.com/logic/data/log/openApp.htm
- cgi.con####.qq.com/qqconnectutil/sdk
- st####.p####.net####.com/receiver
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/NELoginConfig.xml
- /data/data/####/NetEasePushService.xml
- /data/data/####/com.netease.vshow.android.yesen_preferences.xml
- /data/data/####/com.tencent.open.config.json.1102364892
- /data/data/####/exchangeIdentity.json
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/libjiagu.so
- /data/data/####/location.db
- /data/data/####/location_zh_hant.db
- /data/data/####/mobidroid.sqlite-journal
- /data/data/####/plugin.apk
- /data/data/####/tencent_analysis.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/vshow.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal (deleted)
- /data/media/####/.mid.txt
- /data/media/####/.nomedia
- /data/media/####/158uasel316kscdupeexbgpbb0.tmp
- /data/media/####/16d8dwspkk7hb2htoan4s3m670.tmp
- /data/media/####/17xqqx92s9b7aohx4olrygzqt0.tmp
- /data/media/####/1askms2bh7aqllrivv55brxir0.tmp
- /data/media/####/1ow9nfdqy8z5fvh8vp0l6x2uu0.tmp
- /data/media/####/1pcb15yv4cjl6qppeojnvtkrr0.tmp
- /data/media/####/20glq2fhzw35l8j1xwqcblxd40.tmp
- /data/media/####/25jdnv9sid1o7laeg3orkmrrc0.tmp
- /data/media/####/2f7ugo059gsybgfcesmbz48nl0.tmp
- /data/media/####/2igxnbckd0kvcdfvu0qyen5ji0.tmp
- /data/media/####/2in9cei3k35r7y2ocakaito6t0.tmp
- /data/media/####/2jf1s82fmykjjosl5qfv44dga0.tmp
- /data/media/####/2syhitrtldj9hq25aew98643e0.tmp
- /data/media/####/2wkmpufgm7mja4nx25kc59xfj0.tmp
- /data/media/####/2wnc8x06qb987xscq3jenaam10.tmp
- /data/media/####/2xi47dqvbntrg8wwx1lfe9kun0.tmp
- /data/media/####/2z4tsajj5v3q1wqwoe32lx73s0.tmp
- /data/media/####/30c9w2qsyzomqlzf9qinhwk8o0.tmp
- /data/media/####/39k2pg3b3f9vkoxd31gqhw5kq0.tmp
- /data/media/####/39vz4ckcom8vp13uo07os0mk40.tmp
- /data/media/####/3cukzbfgt4z3jj029n2u37z2f0.tmp
- /data/media/####/3fx5e2p0of4wbhztvmiahasxx0.tmp
- /data/media/####/3ifeloa33xxz3gxx1vucsh14s0.tmp
- /data/media/####/3n1a1ymxterl8sy8d9wbem6bn0.tmp
- /data/media/####/3wcwh9y8sf8v0ayoogdaylxd0.tmp
- /data/media/####/3x7wp7di8ntaaec7erw57l27q0.tmp
- /data/media/####/3zjao5vuvv1xpdjk07ktz76gg0.tmp
- /data/media/####/41tieksyhosuhgx0af6ku101h0.tmp
- /data/media/####/42605ja7wklotj7k835jx2i9b0.tmp
- /data/media/####/484smsmstr4lf6n2gtsd0yz5n0.tmp
- /data/media/####/4dlofgrdlyw8zjes0bl094not0.tmp
- /data/media/####/4gvydvhfxhp3g02repr7kyqy10.tmp
- /data/media/####/4juhh2pqws9wyet4e1og0jh240.tmp
- /data/media/####/4sdyaw28t5u4m8pr2nz5fn7r80.tmp
- /data/media/####/4w8c772h6x27aasl3e0mjlb3r0.tmp
- /data/media/####/4z6qgytx2xa06e1e3ml9u47cr0.tmp
- /data/media/####/4zyrpnizs635wssi3nnvegoa80.tmp
- /data/media/####/566x9ei6xoi7f034gxdag8z7h0.tmp
- /data/media/####/567hqu7lk26hgfdq0nwd9pzf60.tmp
- /data/media/####/5ahbh6ya1on5d1nv7grd3kqhu0.tmp
- /data/media/####/5bgankg5foggbzra56sxw2gz0.tmp
- /data/media/####/5bvtfwelmyodam6z0tt3ew3o90.tmp
- /data/media/####/5jpjwg9zfxqhfrgab6tjz29t60.tmp
- /data/media/####/5kfc1im3c0u0jk6xvt0m3i1zv0.tmp
- /data/media/####/5m8oge5dzmlj1jjj9pojerbxp0.tmp
- /data/media/####/5nvokg1d2cqh8zh5ncjeht9v70.tmp
- /data/media/####/5o3gi9741ob5je7kzvj9yacp10.tmp
- /data/media/####/5rhhdyr2bqcqhnewryxargbft0.tmp
- /data/media/####/60qxplfqwdqdxjiuktnqa6y4o0.tmp
- /data/media/####/615g36wzogq4udqteghukhex80.tmp
- /data/media/####/68vyxqxaj8soeltjqky4ul48u0.tmp
- /data/media/####/6eyo13ovtghl84ylxnx66ww5w0.tmp
- /data/media/####/6l76mgrp51gvthp7x614cg3iw0.tmp
- /data/media/####/6pxdbfn731tclrljzu2qtoc3k0.tmp
- /data/media/####/72o86c6d410lof82o6e6e5tzu0.tmp
- /data/media/####/76kbo46jxudnfpalv1s8eqtr50.tmp
- /data/media/####/79woxqunjmkx5fjdvr3w302o90.tmp
- /data/media/####/7eoaw1ot2wd511742t8fj0llw0.tmp
- /data/media/####/7f2oz6ydxbleiyzwp7zylm4wl0.tmp
- /data/media/####/7iffjpkvcw86jynj2llq9pp830.tmp
- /data/media/####/98c5nimg4rf01qbwdbedsdyj0.tmp
- /data/media/####/a7yh88n8bvpvn7s0uaj0y5ek0.tmp
- /data/media/####/bG9jYWxfaXAuZGF0
- /data/media/####/cmVnaXN0ZXJfZG9tYWluLmRhdA==
- /data/media/####/ie162t3gudvh5zscs0mztgbw0.tmp
- /data/media/####/journal.tmp
- /data/media/####/l8ejd9jv3okor5dd6lq8by860.tmp
- /data/media/####/skjow46v8tom2ca66ze5kzch0.tmp
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- MtaNativeCrash
- libjiagu
- nelogin
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- RSA-None-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- RSA-None-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
