Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Backdoor.657.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 1####.55.28.235:80
- TCP(HTTP/1.1) 1####.62.77.111:80
- TCP(HTTP/1.1) app.mijia####.com:80
- TCP(HTTP/1.1) ap####.adi####.com:80
- TCP(HTTP/1.1) ga####.lotu####.com:80
- TCP(HTTP/1.1) w####.x.jd.com:80
- TCP(HTTP/1.1) api.voic####.cn:80
- TCP(HTTP/1.1) rtb.voic####.cn:80
- TCP(HTTP/1.1) pic.e####.cn:80
- TCP(HTTP/1.1) ic####.o####.net:8800
- TCP(HTTP/1.1) u####.bfsspad####.8l####.com:80
- TCP(HTTP/1.1) rcv.a####.com:80
- TCP(HTTP/1.1) ads.voic####.cn:80
- TCP(HTTP/1.1) 4####.95.95.184:8081
- TCP(HTTP/1.1) api.e####.cn:80
- TCP(HTTP/1.1) 1####.26.247.23:80
- TCP(HTTP/1.1) 1####.31.213.162:80
- TCP(HTTP/1.1) pic.ange####.cn:80
- TCP(HTTP/1.1) ga####.lotu####.com:88
- TCP(HTTP/1.1) if####.bj.opensto####.cn:80
- TCP(HTTP/1.1) dsp.tou####.com:80
- TCP(HTTP/1.1) i####.jd.com:80
- TCP(HTTP/1.1) 47.97.2####.214:80
- TCP(HTTP/1.1) api.map.b####.com:80
- TCP(HTTP/1.1) bj.imp.voic####.cn:80
- TCP(HTTP/1.1) amdc####.m.ta####.com:80
- TCP(TLS/1.0) sh.wagbr####.alibaba####.com:443
- TCP(TLS/1.0) ssl.google-####.com:443
- TCP(TLS/1.0) regi####.xm####.xi####.com:443
Запросы DNS:
- ads.voic####.cn
- ag####.m.ta####.com
- amdc####.m.ta####.com
- ap####.adi####.com
- api.e####.cn
- api.map.b####.com
- api.voic####.cn
- app.mijia####.com
- bj.imp.voic####.cn
- dsp.tou####.com
- ga####.lotu####.com
- i####.jd.com
- ic####.o####.net
- if####.bj.opensto####.cn
- on####.lotu####.com
- pic.ange####.cn
- pic.e####.cn
- plb####.u####.com
- rcv.a####.com
- regi####.xm####.xi####.com
- rtb.voic####.cn
- ssl.google-####.com
- u####.bfsspad####.8l####.com
- u####.u####.com
- umen####.m.ta####.com
- umengj####.m.ta####.com
- w####.x.jd.com
Запросы HTTP GET:
- ap####.adi####.com/tj?key=####&rd=####&req=####&token=####
- api.e####.cn/public/getSecondaryHomeData.shtml?machine=####&version=####...
- api.voic####.cn/hotUpdate/?ver=####
- app.mijia####.com/ad/show?adtype=####&uid=####&adid=####&adclass=####&os...
- bj.imp.voic####.cn/a/impress?impressId=####&inAId=####&wPltId=####&wPltA...
- dsp.tou####.com/api/ruangao/ads/show?extra=####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=4####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=Q####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=X####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=l####&price=####
- i####.jd.com/dsp/np?log=####&v=####&seq=####
- ic####.o####.net:8800/106001?enc=####
- if####.bj.opensto####.cn/gnometest/beer/1dc7db6fbb2f90405221b870c82dbd3e...
- pic.ange####.cn/web/13965353.jpg!s4
- pic.ange####.cn/web/15556933.jpg!m3
- pic.ange####.cn/web/226119601.jpg!m3
- pic.ange####.cn/web/240729241.jpg!m3
- pic.ange####.cn/web/240729443.jpg!m720
- pic.ange####.cn/web/240729511.jpg!m720
- pic.ange####.cn/web/240729562.jpg!m720
- pic.ange####.cn/web/240729607.jpg!m720
- pic.ange####.cn/web/240729679.jpg
- pic.ange####.cn/web/240729679.jpg!m720
- pic.ange####.cn/web/240729749.jpg!m720
- pic.ange####.cn/web/240729779.jpg!m720
- pic.ange####.cn/web/240729812.jpg!m720
- pic.ange####.cn/web/240730099.jpg!m720
- pic.ange####.cn/web/240730143.jpg!m720
- pic.ange####.cn/web/240730165.jpg!m720
- pic.ange####.cn/web/240730217.jpg!m720
- pic.ange####.cn/web/240730252.jpg!m720
- pic.ange####.cn/web/240730269.jpg!m720
- pic.ange####.cn/web/240730312.jpg!m720
- pic.ange####.cn/web/240730497.jpg!m720
- pic.ange####.cn/web/240730560.jpg!m720
- pic.ange####.cn/web/242758029.jpg!s4
- pic.ange####.cn/web/243477350.jpg!m3
- pic.ange####.cn/web/244936308.jpg!s4
- pic.ange####.cn/web/245530682.jpg!s4
- pic.ange####.cn/web/246336791.jpg!s4
- pic.ange####.cn/web/247522848.jpg!m3
- pic.ange####.cn/web/247534681.jpg!m3
- pic.ange####.cn/web/247666026.jpg!m3
- pic.ange####.cn/web/248831774.jpg!s1
- pic.ange####.cn/web/248924257.jpg!s4
- pic.ange####.cn/web/256886224.jpg!m3
- pic.ange####.cn/web/257137252.jpg!s1
- pic.ange####.cn/web/258905750.jpg
- pic.ange####.cn/web/260005140.jpg
- pic.ange####.cn/web/261122862.jpg
- pic.ange####.cn/web/3121901.jpg!s4
- pic.ange####.cn/web/4649319.jpg!m3
- pic.ange####.cn/web/46565273.jpg!m3
- pic.ange####.cn/web/46886268.jpg!s4
- pic.ange####.cn/web/7662023.jpg!s4
- pic.e####.cn/web/240729241.jpg!m3
- pic.e####.cn/web/240729443.jpg!m720
- pic.e####.cn/web/240729511.jpg!m720
- pic.e####.cn/web/240729562.jpg!m720
- pic.e####.cn/web/240729607.jpg!m720
- pic.e####.cn/web/240729679.jpg!m720
- pic.e####.cn/web/240729749.jpg!m720
- pic.e####.cn/web/240729779.jpg!m720
- pic.e####.cn/web/240729812.jpg!m720
- pic.e####.cn/web/240730099.jpg!m720
- pic.e####.cn/web/240730143.jpg!m720
- pic.e####.cn/web/240730165.jpg!m720
- pic.e####.cn/web/240730217.jpg!m720
- pic.e####.cn/web/240730252.jpg!m720
- pic.e####.cn/web/240730269.jpg!m720
- pic.e####.cn/web/240730312.jpg!m720
- pic.e####.cn/web/240730497.jpg!m720
- pic.e####.cn/web/240730560.jpg!m720
- rcv.a####.com/show?CAAQLQ.####
- rtb.voic####.cn/view?info=####&wp=####
- u####.bfsspad####.8l####.com/adShow?v=####&b=####&i=####&r=####&bid=####...
- w####.x.jd.com/adx/nurl/rgyun?price=####&v=####&ad=####&info=####
Запросы HTTP POST:
- ads.voic####.cn/ad/request
- amdc####.m.ta####.com/amdc/mobileDispatch?appkey=####&deviceId=####&plat...
- api.map.b####.com/location/ip?ak=####&coor=####
- ga####.lotu####.com/?st=####&sv=####&tm=####&sid=GyA####&apn=####&ct=###...
- ga####.lotu####.com:88/?mid=####&st=####&sv=####&tm=####&sid=GyA####&apn...
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AdDex.3.1.0.dex
- /data/data/####/AdloadStore.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/DaemonServer
- /data/data/####/Ji.xml
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/a==7.4.4&&4.31.37_1531258365260_envelope.log
- /data/data/####/accs.db-journal
- /data/data/####/adsp.xml
- /data/data/####/agoo.pid
- /data/data/####/cn.ecook.xml
- /data/data/####/collectiondatabase
- /data/data/####/collectiondatabase-journal
- /data/data/####/com.google.android.gms.analytics.prefs.xml
- /data/data/####/d==7.4.4&&4.31.37_1531258365391_envelope.log
- /data/data/####/d==7.4.4&&4.31.37_1531258370823_envelope.log
- /data/data/####/d==7.4.4&&4.31.37_1531258374660_envelope.log
- /data/data/####/d==7.4.4&&4.31.37_1531258378010_envelope.log
- /data/data/####/d==7.4.4&&4.31.37_1531258382706_envelope.log
- /data/data/####/d==7.4.4&&4.31.37_1531258383710_envelope.log
- /data/data/####/d==7.4.4&&4.31.37_1531258389809_envelope.log
- /data/data/####/d==7.4.4&&4.31.37_1531258391381_envelope.log
- /data/data/####/d==7.4.4&&4.31.37_1531258418920_envelope.log
- /data/data/####/d==7.4.4&&4.31.37_1531258420078_envelope.log
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/ecookdatabase
- /data/data/####/ecookdatabase-journal
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f57b56985d588bf43514c11bb5fe59b8.xml
- /data/data/####/gaClientId
- /data/data/####/geofencing.db
- /data/data/####/geofencing.db-journal
- /data/data/####/google_analytics_v4.db-journal
- /data/data/####/i==1.2.0&&4.31.37_1531258364180_envelope.log
- /data/data/####/index
- /data/data/####/info.xml
- /data/data/####/libjiagu2063946030.so
- /data/data/####/log.android.library.xml
- /data/data/####/lonLat.xml
- /data/data/####/lotuseed.apps
- /data/data/####/lotuseed.s
- /data/data/####/lotuseed.task
- /data/data/####/lotuseed_global.xml
- /data/data/####/material.db-journal
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/mipush.xml
- /data/data/####/mipush_extra.xml
- /data/data/####/mipush_region
- /data/data/####/mipush_region.lock
- /data/data/####/multidex.version.xml
- /data/data/####/recipe.db-journal
- /data/data/####/recipedatabase-journal
- /data/data/####/tiny_data.data
- /data/data/####/tiny_data.lock
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_message_state.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.nomedia
- /data/media/####/.umm.dat
- /data/media/####/16mtkuo1jttov2kesfnhozb3q.tmp
- /data/media/####/1c0muu6zpfmu60jz4bxzffmsa.tmp
- /data/media/####/1ihr0h5ggn7ksrk5pr8soe4ps.tmp
- /data/media/####/1jljjxyko01ohgw4jvfiammoq.tmp
- /data/media/####/1k4dyfz86lg1sawjrudswwpek.tmp
- /data/media/####/1l36uxyxxblaoaphp3pi9q70u.tmp
- /data/media/####/1l9v6uw2qwkkrjuf2nk1qn1oj.tmp
- /data/media/####/2botim1iqtec0360foe14o72c.tmp
- /data/media/####/2jyd47vrqbkqm5ksbd3lv0mw4.tmp
- /data/media/####/2of8oystwsowzmn9x5mdtat3v.tmp
- /data/media/####/2qkrqowu9zc523uqculrek03y.tmp
- /data/media/####/2sid6ttmicwd92idwmmcsn76e.tmp
- /data/media/####/2x4glk24vigtmi7vgmts6ehzx.tmp
- /data/media/####/32jc6pj31dncofc96t52n1vmy.tmp
- /data/media/####/360ikxavq4ow8quekpyeuyd6a.tmp
- /data/media/####/3a8gz1bvijn15yno1lclro410.tmp
- /data/media/####/3ah1ng3ucqynt3b7lrngd2ukh.tmp
- /data/media/####/3ikfqrql4s7dlvynbbbrz789p.tmp
- /data/media/####/3lhv67qpkx2unlx8nkafrxphk.tmp
- /data/media/####/3mftmrtmv30y1vxx2922w7ucx.tmp
- /data/media/####/3nltue3xcnmloivhpkr9wc7cs.tmp
- /data/media/####/3taix689lr0jhhohkqobr3v2u.tmp
- /data/media/####/41t9265qh7z3tb4jhh5k6opw1.tmp
- /data/media/####/43ccnqndoxqvgl6ikklxiv6pm.tmp
- /data/media/####/44xpmqw2yyvpxpxbgjnmqzoxg.tmp
- /data/media/####/46rto4gpojb9mer5p6pefd6la.tmp
- /data/media/####/48e3t1liu957j15anjxfzz4g.tmp
- /data/media/####/4b6z6qtsd7cobqf3s8l1mpy6t.tmp
- /data/media/####/4ebpk3rqa9hnvhpoo9mzufwfk.tmp
- /data/media/####/4havrv17orswzic2wpj30ya29.tmp
- /data/media/####/4jokdq1ybei91dhpohrtmeklr.tmp
- /data/media/####/4kb70b1zktgllxmbgm26lk547.tmp
- /data/media/####/4nufvwibo7uta1dr1dj4xsf2k.tmp
- /data/media/####/4outn2ewc01hx0w5ewm0kycrf.tmp
- /data/media/####/4zhmvmcpq2bp5plefmyyagbmv.tmp
- /data/media/####/512ftal8wkhy45m8odme987lv.tmp
- /data/media/####/54hi3qierbqexcrnzfsidwf89.tmp
- /data/media/####/56mpnp1rn398uhjaw7wr2xsky.tmp
- /data/media/####/5hgo7jmy8j3v52mfm4t7dzksy.tmp
- /data/media/####/5jo3ibxluya2lq5fz7t9v3qfx.tmp
- /data/media/####/5k6tj2y0x1ddbndx0uvafpbvx.tmp
- /data/media/####/5sgmuumvkiwxmwvso50o0cfj0.tmp
- /data/media/####/5uhdmkoqimwek2nnobkv59xyx.tmp
- /data/media/####/694x27b86p3xe87voi7m6ie2v.tmp
- /data/media/####/6h8x88n040knqkvh2aum2ftxr.tmp
- /data/media/####/6idjzyfh5r1srcbghlgeiocny.tmp
- /data/media/####/6ni8q4w1e0owg71rhdavt6883.tmp
- /data/media/####/6q84f0snt88pguzni87baojm5.tmp
- /data/media/####/70ccgdc02jpvmegxmabyobl7p.tmp
- /data/media/####/79xtbtwy0lzbvic59j27ztx5e.tmp
- /data/media/####/7euq558w9soyie0v25vvoyt5i.tmp
- /data/media/####/7j4fjvmxdofre1mchuoa6dici.tmp
- /data/media/####/8pk5h9vuff83tirlwuco8oxo.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/c68idmexgvcsiu3w5hpwn2vo.tmp
- /data/media/####/i1qhh8rqhhl11q1x4awtzcbp.tmp
- /data/media/####/l0mo99aqw2g7m1tc3f9p821h.tmp
- /data/media/####/log.lock
- /data/media/####/log1.txt
- /data/media/####/lotuseed.devid
- /data/media/####/qlfnhdldiz2c3ivkaq0bylna.tmp
- /data/media/####/quz0k4wba09f0bt6tjse1aba.tmp
- /data/media/####/wccwofjg2ck26zwasi2xiztd.tmp
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:5976e9333eae2526d4001388","utdid":"W0Ul+ybZrvYDAGdzx1Gs8dtW","sdkVersion":"221"} -I agoodm.m.taobao.com -O 80 -T -Z
- cat /sys/class/net/wlan0/address
- chmod 500 <Package Folder>/files/DaemonServer
- chmod 755 <Package Folder>/.jiagu/libjiagu2063946030.so
- df
- ls /
- ls /sys/class/thermal
- ps
- sh
Загружает динамические библиотеки:
- libjiagu2063946030
- tnet-3.1
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к интерфейсу камеры.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о настроках APN.
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
