Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) x####.tc.qq.com:80
- TCP(HTTP/1.1) analy####.ray####.com:80
- TCP(HTTP/1.1) c.isds####.qq.com:80
- TCP(HTTP/1.1) c.g####.qq.com:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) p####.tc.qq.com:80
- TCP(HTTP/1.1) e.q####.com:80
- TCP(HTTP/1.1) s####.e.qq.com:80
- TCP(HTTP/1.1) re####.hu####.qq.com:80
- TCP(HTTP/1.1) ping####.qq.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) ui.ptlo####.qq.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) v.g####.qq.com:80
- TCP(HTTP/1.1) t####.qq.com:80
- TCP(HTTP/1.1) d.g####.qq.com:80
- TCP(HTTP/1.1) sni.c####.q####.####.net:80
- TCP(HTTP/1.1) cap####.qq.com:80
- TCP(HTTP/1.1) t.g####.qq.com:80
- TCP(HTTP/1.1) set####.ray####.com:80
- TCP(HTTP/1.1) m####.e.qq.com:80
- TCP(HTTP/1.1) mi.g####.qq.com:80
- TCP(HTTP/1.1) ty.cap####.qq.com:80
- TCP(HTTP/1.1) a.g####.qq.com:80
- TCP(TLS/1.0) ty.cap####.qq.com:443
- TCP(TLS/1.0) app.ul####.net:443
- TCP(TLS/1.0) qy-swa####.qi####.com:443
- TCP(TLS/1.0) sh.wagbr####.alibaba####.com:443
- TCP(TLS/1.0) api.growi####.com:443
- TCP sdk.o####.t####.####.com:5224
- TCP c####.g####.ig####.com:5227
Запросы DNS:
- 7j####.c####.z0.####.com
- a####.exc.mob.com
- a.g####.qq.com
- analy####.ray####.com
- api.growi####.com
- app.ul####.net
- c####.g####.ig####.com
- c-h####.g####.com
- c.g####.qq.com
- c.isds####.qq.com
- cap####.g####.com
- cap####.qq.com
- d.g####.qq.com
- e.q####.com
- i.g####.cn
- imgc####.qq.com
- log.u####.com
- m####.e.qq.com
- mi.g####.qq.com
- p####.ugd####.com
- pi####.qq.com
- pin####.qq.com
- ping####.qq.com
- plb####.u####.com
- pub-####.qin####.com
- q####.qq.com
- qy-swa####.qi####.com
- qzones####.g####.cn
- re####.hu####.qq.com
- s####.e.qq.com
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- set####.ray####.com
- t####.growi####.com
- t####.qq.com
- t.g####.qq.com
- ty.cap####.qq.com
- u####.u####.com
- ui.ptlo####.qq.com
- v.g####.qq.com
Запросы HTTP GET:
- a.g####.qq.com/pixel?user_action_set_id=####&url=####&js_version=####&is...
- c.g####.qq.com/gdt_mclick.fcg?viewid=####&jtype=####&i=####&os=####&asi=...
- c.isds####.qq.com/code.cgi?key=domain,cgi,type,code,time,rate&r=0.751574...
- cap####.qq.com/template/TCapIframeApi.js?aid=####&rand=####&clientype=##...
- d.g####.qq.com/fcg-bin/gdt_appdetail.fcg?ico=####&op_appid=####
- e.q####.com/
- e.q####.com/mo/index.html
- m####.e.qq.com/abc/account/signin?code=####
- m####.e.qq.com/abc/assets/caca5942839afe137e09d7de970d601a-register.bund...
- m####.e.qq.com/abc/assets/f11ad52fc66c1cbf42967be56f2d97e7-commons.bundl...
- m####.e.qq.com/abc/assets/images/a02fa094360312bc0e3dcb72cd2f6701-logo-p...
- m####.e.qq.com/abc/assets/javascripts/8643b0e11f219f16eeca8566473404a1-f...
- m####.e.qq.com/abc/assets/lib/jquery/c3d3a0b713e6c70640e085f48304ab7e-jq...
- m####.e.qq.com/abc/assets/lib/lodash/ae82a6e49d72ce2e21b5a30d0fc3e864-lo...
- m####.e.qq.com/abc/assets/lib/react/16e6fa68d3545c50bb358887e4c4c3c4-rea...
- m####.e.qq.com/abc/assets/lib/react/2bb9d3335dd7a77ab291c23eb62ccba1-rea...
- m####.e.qq.com/abc/assets/mobile-site/css/ee4df8026f6b55775a1d1743abd4ba...
- m####.e.qq.com/abc/assets/mobile-site/js/d86411de391e58d443dabf70baa507c...
- m####.e.qq.com/abc/jsRoutes?version=####
- m####.e.qq.com/abc/messages?version=####
- m####.e.qq.com/abc/mo/account/update
- m####.e.qq.com/adv/account/signin?code=####
- mi.g####.qq.com/gdt_mview.fcg?posw=####&posh=####&count=####&r=####&data...
- p####.tc.qq.com/1/TCapIframe_m.js?v=####
- p####.tc.qq.com/1/TCapMsg.js
- p####.tc.qq.com/ac/qzfl/release/qzfl_for_qzone.js
- p####.tc.qq.com/gdt_ui_proj/dist/lib-common/css/base-bts.css
- p####.tc.qq.com/gdt_ui_proj/dist/lib-common/css/module-v1.css
- p####.tc.qq.com/gdt_ui_proj/dist/lib-common/images/sprites/module-v1.png...
- p####.tc.qq.com/ptlogin/ac/v9/js/area_chs.js
- p####.tc.qq.com/ptlogin/v4/style/42/images/loading.gif
- p####.tc.qq.com/ptlogin/v4/style/42/images/search.png
- p####.tc.qq.com/ptlogin/v4/style/mobile_common.css
- p####.tc.qq.com/ptlogin/ver/10276/js/login_10.js
- p####.tc.qq.com/qzone/biz/ac/comm/copyright.js
- p####.tc.qq.com/qzone/biz/comm/qbl/core.js
- p####.tc.qq.com/qzone/biz/gdt/dmp/user-action/gdtevent.min.js
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android02/images/tsa_ad_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mod/android/AndroidAllInOne/proguard/his/r...
- p####.tc.qq.com/qzone/biz/res/gt.js
- ping####.qq.com/pingd?dm=####&pvi=####&si=####&url=####&arg=####&ty=####...
- ping####.qq.com/pingd?dm=####&pvi=####&si=####&url=####&arg=cod####&ty=#...
- ping####.qq.com/pingd?dm=####&pvi=####&si=####&url=####&arg=sty####&appi...
- re####.hu####.qq.com/code.cgi?appid=####&platform=####&domain=####&cgi=#...
- s####.tc.qq.com/gdt/0/transformer_14862517704951522510_1531940461_80.jpg...
- s####.tc.qq.com/h5/stats.js?v2####
- set####.ray####.com/setting?app_id=####&sign=####&channel=####&platform=...
- sni.c####.q####.####.net/config/hz-hzv3.conf
- sni.c####.q####.####.net/tdata_MkX219
- sni.c####.q####.####.net/tdata_iGj879
- t####.c####.q####.####.com/tdata_EDT356
- t####.qq.com/gdt.php?sId=####
- t####.qq.com/stats?sId=####
- t.g####.qq.com/conv/brand/34881843/script?url=####
- t.g####.qq.com/conv/web/79936/conv?url=####&conv_time=####&datatype=####...
- ty.cap####.qq.com/code?siteKey=####&Action=####
- ui.ptlo####.qq.com/cgi-bin/login?style=####&appid=####&pt_no_onekey=####...
- ui.ptlo####.qq.com/cgi-bin/report?id=####&t=####
- ui.ptlo####.qq.com/ptui_ver.js?ptui_identifier=####&v=####
- ui.ptlo####.qq.com/style/8/images/android_logo_v1.png
- ui.ptlo####.qq.com/style/8/images/info.png
- v.g####.qq.com/gdt_stats.fcg?viewid=####&i=####&os=####&xp=####&gap=####
- x####.tc.qq.com/ac/qzfl/stat.js?max_age=####
- x####.tc.qq.com/qzone/biz/gdt/mportal/css/style.css
- x####.tc.qq.com/qzone/biz/gdt/mportal/css/swiper_min.css
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/arrow_right.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/icon/icon-apply.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/icon/icon-top.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/case/58-1.jpg
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/case/beiqishenbao-1.jpg
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/case/lining-1.jpg
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/case/mailegou-1.jpg
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/case/shilijia-1.jpg
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/case/weipinhui-1.jpg
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/case/ximalayaFM-1.jpg
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/focus-picture.jpg
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/focus-picture1.jpg
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/focus-picture2.jpg
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/icon-app.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/icon-browser.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/icon-news.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/icon-qq.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/icon-qzone.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/icon-ttkb.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/icon-union.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/icon-video.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/index/icon-weixin.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/images/logo.png
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/config/main.js
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/libs/count/dmCookie.js
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/libs/count/tracking.js
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/libs/count/utils/cookie.js
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/libs/count/utils/json2param.js
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/libs/count/utils/uriparams.js
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/libs/jquery/min/1.11.1/jquery.js
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/libs/jquery/min/3.2.0/swiper.js
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/libs/jquery/min/mCustomScrollba...
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/libs/jquery/min/mousewheel.js
- x####.tc.qq.com/qzone/biz/gdt/mportal/js/libs/require/require.js
- x####.tc.qq.com/qzone/biz/gdt/portal/js/libs/growingio/vds.js
- x####.tc.qq.com/qzone/biz/gdt/portal/js/pages/stat.js
- x####.tc.qq.com/qzone/biz/gdt/spalib/spa-monitor-0.0.1.min.js
Запросы HTTP POST:
- a####.exc.mob.com/errconf
- analy####.ray####.com/
- c-h####.g####.com/api.php?format=####&t=####
- s####.e.qq.com/activate
- s####.e.qq.com/click
- s####.e.qq.com/msg
- sdk.o####.p####.####.com/api.php?format=####&t=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.duid
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.lock
- /data/data/####/.vpl_lock
- /data/data/####/42d95b5058a9e73f8aa992ff05f1d411.temp
- /data/data/####/5ead7c1916e321af3ee0d7d6aa595238.temp
- /data/data/####/7d661530fa3ba3b7dc185df1aa5b223d.0.tmp
- /data/data/####/7d661530fa3ba3b7dc185df1aa5b223d.1.tmp
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/BuglySdkInfos.xml
- /data/data/####/GDTSDK.db
- /data/data/####/GDTSDK.db-journal
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/ULiBaoData.xml
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/WebViewSettings.xml
- /data/data/####/b8a0481e4662
- /data/data/####/com.qiyukf.analytics.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/devCloudSetting.cfg
- /data/data/####/devCloudSetting.sig
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/gdaemon_20161017
- /data/data/####/gdt_plugin.jar
- /data/data/####/gdt_plugin.jar.sig
- /data/data/####/gdt_plugin.tmp
- /data/data/####/gdt_plugin.tmp.sig
- /data/data/####/gdt_suid
- /data/data/####/getui_sp.xml
- /data/data/####/gx_sp.xml
- /data/data/####/http_e.qq.com_0.localstorage-journal
- /data/data/####/http_ui.ptlogin2.qq.com_0.localstorage-journal
- /data/data/####/i==1.2.0&&4.8.0_1531968309445_envelope.log
- /data/data/####/index
- /data/data/####/info.xml
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/libjiagu-1548841000.so
- /data/data/####/m_cvnull
- /data/data/####/m_cvnull-journal
- /data/data/####/mob_commons_1
- /data/data/####/mob_sdk_exception_1
- /data/data/####/mobvista.msdk.db-journal
- /data/data/####/mobvista.xml
- /data/data/####/multidex.version.xml
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/qiyu_save_df33db3edd89f3223f60db068d820a98.xml
- /data/data/####/run.pid
- /data/data/####/sdkCloudSetting.cfg
- /data/data/####/sdkCloudSetting.sig
- /data/data/####/share.db-journal
- /data/data/####/share_date.xml
- /data/data/####/tdata_MkX219
- /data/data/####/tdata_MkX219.jar
- /data/data/####/tdata_iGj879
- /data/data/####/tdata_iGj879.jar
- /data/data/####/trans-db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/data/####/unicorn#cheese#
- /data/data/####/update_lc
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromium.db-journal (deleted)
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.artc_lock
- /data/media/####/.cca.dat
- /data/media/####/.di
- /data/media/####/.dic_lock
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.im_lock
- /data/media/####/.lecd
- /data/media/####/.lesd_lock
- /data/media/####/.mn_-1464060969
- /data/media/####/.nomedia
- /data/media/####/.pkg_lock
- /data/media/####/.pkgs_lock
- /data/media/####/.rc_lock
- /data/media/####/.slw
- /data/media/####/.ss_lock
- /data/media/####/.umm.dat
- /data/media/####/app.db
- /data/media/####/com.example.wzrylibaozhushou.bin
- /data/media/####/com.example.wzrylibaozhushou.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/tdata_MkX219
- /data/media/####/tdata_iGj879
- /data/media/####/test.log
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.getui.GeTuiPushService 25944 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu-1548841000.so
- ls /
- ls /sys/class/thermal
- mount
- ps
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.getui.GeTuiPushService 25944 300 0
Загружает динамические библиотеки:
- getuiext2
- libjiagu-1548841000
Использует следующие алгоритмы для шифрования данных:
- AES-ECB-PKCS7Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-NoPadding
- AES-ECB-PKCS7Padding
- RSA-ECB-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
