Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ads.ku####.cn:80
- TCP(HTTP/1.1) la####.m####.com:80
- TCP(HTTP/1.1) log####.suishe####.cn:80
- TCP(HTTP/1.1) 5b0988e####.cdn.so####.####.com:80
- TCP(HTTP/1.1) t####.dmp.y####.net:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(HTTP/1.1) bd.a.yx####.####.com:80
- TCP(HTTP/1.1) mvi####.meitu####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) syy-ima####.b0.upa####.com:80
- TCP(HTTP/1.1) p####.tc.qq.com:80
- TCP(HTTP/1.1) s####.e.qq.com:80
- TCP(HTTP/1.1) idu####.qini####.com:80
- TCP(HTTP/1.1) acti####.qyw####.com:80
- TCP(HTTP/1.1) gs.g####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) client####.suishe####.cn:80
- TCP(HTTP/1.1) api.ku####.cn.####.com:80
- TCP(HTTP/1.1) marke####.et####.cn:80
- TCP(HTTP/1.1) c####.g####.com:80
- TCP(HTTP/1.1) bro####.ku####.cn.####.com:80
- TCP(HTTP/1.1) tx2.a.yx####.####.com:80
- TCP(HTTP/1.1) sni.c####.q####.####.net:80
- TCP(HTTP/1.1) i####.gua####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) b####.g####.com:80
- TCP(HTTP/1.1) sh.wagbr####.aliyun####.com:80
- TCP(HTTP/1.1) ssy-ima####.b0.upa####.com:80
- TCP(HTTP/1.1) im####.nic####.cn:80
- TCP(HTTP/1.1) c.isds####.qq.com:80
- TCP(HTTP/1.1) i####.g####.com.####.net:80
- TCP(HTTP/1.1) mi.g####.qq.com:80
- TCP(HTTP/1.1) s.y####.net:80
- TCP(HTTP/1.1) oth.up####.mdt.####.com:8080
- TCP(TLS/1.0) zk####.myz####.com.####.cn:443
- TCP(TLS/1.0) bro####.ku####.cn.####.com:443
- TCP(TLS/1.0) s####.ml####.cc:443
- TCP(TLS/1.0) sh.wagbr####.alibaba####.com:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) api.nic####.cn:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) publish####.b####.com.####.com:443
- TCP sdk.o####.t####.####.com:5224
- TCP c####.g####.ig####.com:5225
Запросы DNS:
- 2####.nd####.y####.com
- 5####.nd####.y####.com
- 5b0988e####.cdn.so####.com
- 7j####.c####.z0.####.com
- a####.u####.com
- acti####.qyw####.com
- ads.ku####.cn
- amap####.cn-hang####.oss####.####.com
- api.ku####.cn
- api.nic####.cn
- b####.g####.com
- bd.a.yx####.com
- bro####.ku####.cn
- c####.g####.com
- c####.g####.ig####.com
- c-h####.g####.com
- c.isds####.qq.com
- client####.suishe####.cn
- gs.g####.com
- hm.b####.com
- i####.g####.com
- i####.gua####.com
- i####.gua####.com
- im####.nic####.cn
- im####.st####.suishe####.net
- img####.st####.suishe####.net
- imgc####.qq.com
- l####.tbs.qq.com
- la####.m####.com
- log####.suishe####.cn
- log.u####.com
- marke####.et####.cn
- mi.g####.qq.com
- mvi####.meitu####.com
- oth.up####.mdt.####.com
- p####.ugd####.com
- pc.suishe####.net
- pub-####.qin####.com
- publish####.b####.com
- qn.a.yx####.com
- res####.a####.com
- s####.e.qq.com
- s####.gw.y####.net
- s####.ml####.cc
- s####.u####.com
- s.y####.net
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- st####.et####.cn
- t####.dmp.y####.net
- tx2.a.yx####.com
- zk####.myz####.com
Запросы HTTP GET:
- 5b0988e####.cdn.so####.####.com/c_fill,w_150,h_100,g_faces,q_70/images/2...
- acti####.qyw####.com/huodong/Production/20180716/node_modules/fastclick/...
- acti####.qyw####.com/huodong/Production/20180716/node_modules/iscroll/bu...
- acti####.qyw####.com/huodong/Production/20180716/pkg/Common.js
- acti####.qyw####.com/huodong/Production/20180716/pkg/Vendor.js
- acti####.qyw####.com/huodong/Production/20180716/projects/page/SmashGold...
- acti####.qyw####.com/huodong/Production/20180716/projects/widget/PrizeMo...
- api.ku####.cn.####.com/km_task/api/v1/ads?city_key=####&ver_code=####&ma...
- api.ku####.cn.####.com/km_task/api/v1/articles/3?city_key=####&ver_code=...
- api.ku####.cn.####.com/km_task/api/v1/category/all?city_key=####&app_key...
- api.ku####.cn.####.com/km_task/api/v1/continue_check_in/setting?city_key...
- api.ku####.cn.####.com/km_task/api/v1/search/keyword/box?city_key=####&a...
- api.ku####.cn.####.com/km_task/api/v1/search/keyword/hot?city_key=####&a...
- api.ku####.cn.####.com/km_task/api/v1/system/configs?city_key=####&ver_c...
- api.ku####.cn.####.com/km_task/api/v1/tag/all?city_key=####&ver_code=###...
- api.ku####.cn.####.com/km_task/api/v1/timeline/recommend?city_key=####&v...
- api.ku####.cn.####.com/km_task/api/v1/user/setTags?city_key=####&ver_cod...
- api.ku####.cn.####.com/km_task/api/v2/getLoginMode?city_key=####&app_key...
- bd.a.yx####.####.com/upic/2018/07/15/20/BMjAxODA3MTUyMDMwNDRfMTI3NzE5NjE...
- bro####.ku####.cn.####.com/apps/peacock/v89/suishen_exitpage.zip
- bro####.ku####.cn.####.com/imgs/upload/1531841780.8214.jpg
- bro####.ku####.cn.####.com/imgs/upload/1531841791.2465.png
- bro####.ku####.cn.####.com/km_task/api/v1/articles/3?city_key=####&ver_c...
- bro####.ku####.cn.####.com/km_task/api/v1/category/all?city_key=####&app...
- bro####.ku####.cn.####.com/km_task/api/v1/continue_check_in/setting?city...
- bro####.ku####.cn.####.com/km_task/api/v1/popup?city_key=####&ver_code=#...
- bro####.ku####.cn.####.com/km_task/api/v1/system/configs?city_key=####&v...
- bro####.ku####.cn.####.com/km_task/api/v1/timeline/recommend?city_key=##...
- bro####.ku####.cn.####.com/km_task/api/v2/getLoginMode?city_key=####&app...
- bro####.ku####.cn.####.com/peacock/api/adspool?&appid=####&publisher=###...
- bro####.ku####.cn.####.com/peacock/api/gate?&pkg=####&appid=####&dex=###...
- bro####.ku####.cn.####.com/tdata_EDT356
- bro####.ku####.cn.####.com/tongji/4qianDao.html?url=####
- c.isds####.qq.com/code.cgi?domain=####&time=####&rate=####&code=####&typ...
- i####.g####.com.####.net/newsapp_bt/0/4441556515/641
- i####.gua####.com/images/2018/06/14/3661f155ee8b9c1d35a1b0cbc2c40763.jpeg
- i####.gua####.com/images/2018/06/14/52c50c44cf7bcfe919eaa0545cd729d9.jpeg
- i####.gua####.com/images/2018/06/14/8a09211473b99475ac95247f7b1040b3.jpeg
- idu####.qini####.com/upic/2018/07/15/19/BMjAxODA3MTUxOTA4NTNfMzE1MDgxODh...
- im####.nic####.cn/group1/M00/00/80/ezkLZ1sXcFOAa64HAAFZ2WfTq7g535.jpg
- im####.nic####.cn/h5-mami/activity/smashg/1.0/images/N11mK1472645269925....
- im####.nic####.cn/h5-mami/activity/smashg/1.0/images/bi9is1472645269943....
- im####.nic####.cn/h5-mami/activity/smashg/1.0/images/fynXq1472645269907....
- im####.nic####.cn/h5-mami/activity/smashg/1.0/images/rule.png
- im####.nic####.cn/h5-mami/couponPrize/1.22/bg-back.png
- im####.nic####.cn/h5-mami/couponPrize/1.22/redpacks.png
- im####.nic####.cn/h5-mami/couponPrize/1.27/bodybg.png
- im####.nic####.cn/h5-mami/couponPrize/1.27/btn1.png
- im####.nic####.cn/h5-mami/couponPrize/1.27/coupon.png
- im####.nic####.cn/h5-mami/couponPrize/close.png
- im####.nic####.cn/h5/showCouponPrize/4.0.0/assets/light.png
- im####.nic####.cn/images/activity/prize/615iul9s7b.png
- im####.nic####.cn/images/activity/prize/99e625si9e.png
- im####.nic####.cn/images/activity/prize/c4r9vskn15.png
- im####.nic####.cn/images/activity/prize/dfi97i1tcg.png
- im####.nic####.cn/images/activity/prize/lef96ho04h.png
- im####.nic####.cn/mami-media/img/4rzzzain24.png
- im####.nic####.cn/mami-media/img/5wzb2zg8sj.png
- im####.nic####.cn/mami-media/img/quk2ly1fxy.jpg
- im####.nic####.cn/mami-media/img/s8ykiaj8lz.png
- im####.nic####.cn/mami-media/img/tsmm3y3jtw.png
- la####.m####.com/km/v2/recommend
- marke####.et####.cn/api/ckver?pkg=####&dev=####&epid=####
- mi.g####.qq.com/gdt_mview.fcg?datatype=####&posid=####&count=####&r=####...
- mvi####.meitu####.com/5b43769ec1bb95412.jpg!cover16_9_960
- p####.tc.qq.com/qzone/biz/gdt/mod/android/AndroidAllInOne/proguard/his/r...
- s####.tc.qq.com/gdt/0/DAAc1rgAUAALQABjBbLG5TBgKk1XgD.jpg/0?ck=####
- s####.tc.qq.com/gdt/0/DAAd4dsAUAALQABZBbTqswA8Acv62S.jpg/0?ck=####
- s.y####.net/aos/v3/initf?s=####
- s.y####.net/stat/aos/v3/pkc?s=####
- s.y####.net/stat/aos/v3/pku?s=####
- s.y####.net/stat/v3/udt2?appid=####&s=####
- sh.wagbr####.aliyun####.com/sdkcoor/android/x86/libJni_wgs2gcj.so
- sni.c####.q####.####.net/config/hz-hzv3.conf
- sni.c####.q####.####.net/tdata_rRG322
- sni.c####.q####.####.net/tdata_vHH584
- ssy-ima####.b0.upa####.com/2e52e1dc5ac9d868e9983bd3fd8ced1c/5e66bf79d5b9...
- ssy-ima####.b0.upa####.com/2e52e1dc5ac9d868e9983bd3fd8ced1c/8ecaafe0cd02...
- ssy-ima####.b0.upa####.com/crawl/background/2e0dea4d-f7c5-4944-9bbb-c93d...
- syy-ima####.b0.upa####.com/2e52e1dc5ac9d868e9983bd3fd8ced1c/1e8437ceded8...
- syy-ima####.b0.upa####.com/2e52e1dc5ac9d868e9983bd3fd8ced1c/2e20200e29ce...
- syy-ima####.b0.upa####.com/2e52e1dc5ac9d868e9983bd3fd8ced1c/7b4a94fcfd78...
- syy-ima####.b0.upa####.com/2e52e1dc5ac9d868e9983bd3fd8ced1c/9830f7711852...
- syy-ima####.b0.upa####.com/2e52e1dc5ac9d868e9983bd3fd8ced1c/adfd7f39a6ec...
- tx2.a.yx####.####.com/upic/2018/07/15/14/BMjAxODA3MTUxNDE5MDZfNzg2NDY1Mj...
- tx2.a.yx####.####.com/upic/2018/07/15/17/BMjAxODA3MTUxNzIxMDNfMzI3MzgxOD...
Запросы HTTP POST:
- a####.u####.com/app_logs
- acti####.qyw####.com/niceapi/getactivity
- acti####.qyw####.com/niceapi/getadvertorder
- acti####.qyw####.com/niceapi/orderdatainfo
- ads.ku####.cn/kuaima_ads/api/ad/get
- b####.g####.com/api.php?format=####&t=####
- c####.g####.com/api.php?format=####&t=####
- client####.suishe####.cn/ssy-dmp/api/app/feedback?
- gs.g####.com/encryption/key/fetch
- gs.g####.com/geshu/sdkStatistics/bindInfo
- gs.g####.com/geshu/sdkStatistics/uploadBI
- l####.tbs.qq.com/ajax?c=####&k=####
- log####.suishe####.cn/collect/ce/log?
- log####.suishe####.cn/collect/event/log?
- oth.up####.mdt.####.com:8080/beacon/vercheck
- s####.e.qq.com/activate
- s####.e.qq.com/launch
- sdk.o####.p####.####.com/api.php?format=####&t=####
- t####.dmp.y####.net/v1/android/packages?rt=####&sign=####
- t####.dmp.y####.net/v2/android/pkgtime?rt=####&sign=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/1531983250719.log
- /data/data/####/1531983250719.log.bak
- /data/data/####/1531983250719.log.bak (deleted)
- /data/data/####/1531983265047.log
- /data/data/####/2601.yaqcookie
- /data/data/####/65716db50c22a880b6b254871748cfd6-journal
- /data/data/####/6bf36c4fc25f16f2492706c4201119ca
- /data/data/####/6bf36c4fc25f16f2492706c4201119ca-journal
- /data/data/####/Alvin2.xml
- /data/data/####/Articles.xml
- /data/data/####/BuglySdkInfos.xml
- /data/data/####/C0XKJAO3JLZKJPDKJFXLINQCJIOAOD.xml
- /data/data/####/CE94557724F842149D690D0E8CBB1CBD.xml
- /data/data/####/ContextData.xml
- /data/data/####/DownloadMarket.db-journal
- /data/data/####/ECalendarPreferences.xml
- /data/data/####/ECalendarPreferences.xml.bak
- /data/data/####/GDTSDK.db
- /data/data/####/GDTSDK.db-journal
- /data/data/####/KM_preference.xml
- /data/data/####/MultiDex.lock
- /data/data/####/Operations.xml
- /data/data/####/P15pKIjsm64m
- /data/data/####/P15pKIjsm64m-journal
- /data/data/####/SuishenAd_prf.xml
- /data/data/####/SuishenExitPageSDK_v72.apk
- /data/data/####/SuishenExitPageSDK_v89.apk
- /data/data/####/T1oX0rhhuXWt
- /data/data/####/T1oX0rhhuXWt-journal
- /data/data/####/Update.db.xml
- /data/data/####/UserInfo.xml
- /data/data/####/XKwVoK0huy3R
- /data/data/####/XKwVoK0huy3R-journal
- /data/data/####/a666ed17ac2f19017e5f069b5f86d2b9
- /data/data/####/a666ed17ac2f19017e5f069b5f86d2b9-journal
- /data/data/####/b8a2fecc5472
- /data/data/####/beacontsa_cover.xml
- /data/data/####/beacontsa_cover_check.lock
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/core_info
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/debug.conf
- /data/data/####/devCloudSetting.cfg
- /data/data/####/devCloudSetting.sig
- /data/data/####/dexMethod.88615060.dat
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/gdaemon_20161017
- /data/data/####/gdt_plugin.dex (deleted)
- /data/data/####/gdt_plugin.jar
- /data/data/####/gdt_plugin.jar.sig
- /data/data/####/gdt_plugin.tmp
- /data/data/####/gdt_plugin.tmp.sig
- /data/data/####/gdt_suid
- /data/data/####/getui_sp.xml
- /data/data/####/gtc.db-journal
- /data/data/####/gx_sp.xml
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/ias.db-journal
- /data/data/####/ias_sp.xml
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/jqIqJYOT3JpT
- /data/data/####/jqIqJYOT3JpT-journal
- /data/data/####/libjiagu-912781003.so
- /data/data/####/libyaqbasic.88615060.so
- /data/data/####/libyaqpro.88615060.so
- /data/data/####/loctemp.so
- /data/data/####/logdb.db
- /data/data/####/logdb.db-journal
- /data/data/####/multidex.version.xml
- /data/data/####/mwsdk_analytics.db-journal
- /data/data/####/persistent_data.xml
- /data/data/####/pref.xml
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/qihoo_jiagu_crash_report.xml
- /data/data/####/run.pid
- /data/data/####/sdkCloudSetting.cfg
- /data/data/####/sdkCloudSetting.sig
- /data/data/####/suishen_ad.db-journal
- /data/data/####/suishen_ad_pramas.xml
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tdata_rRG322
- /data/data/####/tdata_rRG322.jar
- /data/data/####/tdata_vHH584
- /data/data/####/tdata_vHH584.jar
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/data/####/update_lc
- /data/data/####/wIU6pTyUBYWX
- /data/data/####/wIU6pTyUBYWX-journal
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/wsUL1uCdKvjD
- /data/data/####/wsUL1uCdKvjD-journal
- /data/data/####/yaqsdkcookie
- /data/data/####/ymdex.jar
- /data/media/####/07d50128e32f818e203c163962ebd9db
- /data/media/####/0bd192162172b2409f99ebf49568c418e3b9acc95e51e7....0.tmp
- /data/media/####/0c17c1bfde192623ef35ab00ceff1662045abf00591723....0.tmp
- /data/media/####/0c36cc724607789f7cb00290415156a3d96224d94011aa....0.tmp
- /data/media/####/1531841780.8214.jpg
- /data/media/####/1531841791.2465.png
- /data/media/####/17facfe0bae2635c8fd783d2deb3fd451706cddfa65312....0.tmp
- /data/media/####/25dc7f34f4a6b377714584ae1b9e9028e3f3bd99548d18....0.tmp
- /data/media/####/33e668e5db632fb4ac22e6562e804330b06446eec0e802....0.tmp
- /data/media/####/41618177e092ebaff511ed5a2575be16fee10227ca7d70....0.tmp
- /data/media/####/59d779158831a3b0539b323fa17f7fa7093ab1d89be661....0.tmp
- /data/media/####/5c95998e038d18d9411730f12da30040e0c2ea60dab882....0.tmp
- /data/media/####/661cb08c3bd178526ff5e320d0d8ee01a0ecf6193924aa....0.tmp
- /data/media/####/67f94cfbe5e4cbddd51f1ecd8e11f70a986c5624a35ca5....0.tmp
- /data/media/####/683002389626d0f5d4daeb1b249b15cf00df0ad21bb649....0.tmp
- /data/media/####/755b61761810d899c6c3dca890d56a45f6f60dfa4471ff....0.tmp
- /data/media/####/773fea8a59e641e3c734b893e22db1489682f270783987....0.tmp
- /data/media/####/79ad5e2e9c4e472870aa05d7473021f5876ad360dfefdc....0.tmp
- /data/media/####/7e4172dcfe31454a83053027b501454025a6e3c07f8982....0.tmp
- /data/media/####/82efc7875517847f01b36ff719c5c5777ba8f3d64121e8....0.tmp
- /data/media/####/846481411332ccf6f19cdf3a9972abe0
- /data/media/####/85247963ee3711d1c110c03ca7ab090165873fe8feb3b4....0.tmp
- /data/media/####/97cc98acb12ae909ada889558daabf56a2774b12d49d27....0.tmp
- /data/media/####/9802a30af5610a6f420f34934194a8a6
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/als.db
- /data/media/####/als.db-journal
- /data/media/####/app.db
- /data/media/####/blank.png
- /data/media/####/btn_nav_bg.9.png
- /data/media/####/btn_nav_sel.9.png
- /data/media/####/c2e325063e01710406c1b499634f4557288cb9eb373baa....0.tmp
- /data/media/####/c3cec0168605d096ebde103526b53e71c3ee19d23eded1....0.tmp
- /data/media/####/cba294e8c2260f41dba8ca00ba865b67d3bcd4e6958d95....0.tmp
- /data/media/####/cd0ebc136a5751183f971bbf18bfebd6bebcb53e848dc2....0.tmp
- /data/media/####/cd36dd7d3b4832c56f74ab17ce3935e291811833792ad4....0.tmp
- /data/media/####/cf7d0b54b19af2f5d283c7faf858501c89e403c3b017aa....0.tmp
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.kuaima.browser.bin
- /data/media/####/com.kuaima.browser.db
- /data/media/####/com.kuaima.browser_.db
- /data/media/####/d080dec54242842b2c900323d7fbec1b98f3541006eae8....0.tmp
- /data/media/####/d1442f786bdda2bbf340f7b1b310b375b1dfe714e73e70....0.tmp
- /data/media/####/d14c1a22c513bb2f89ee2483459507b11fe48412913a47....0.tmp
- /data/media/####/d74e161cdd12ddc33a3c9fbbdf784ed70507706fc4690a....0.tmp
- /data/media/####/dialog_details_bg.9.png
- /data/media/####/dialog_dismiss.png
- /data/media/####/dialog_dismiss_sel.png
- /data/media/####/download_btn_normal.9.png
- /data/media/####/e01e543f91d9ebd5ecaaf0e254b577f4e0b0203ca96325....0.tmp
- /data/media/####/e4f2291d722cce44a4918e7fb62d254847572652d2e734....0.tmp
- /data/media/####/f3b8c8c2342373e1605d542ba009b30bf26171d845f4cf....0.tmp
- /data/media/####/fe02b24c355252f02f4925196e7eb6b90257ff0871a0b7....0.tmp
- /data/media/####/fes_type_sel.9.png
- /data/media/####/ff5b7e959183ed1cb923fb5056a255bccb1a1c8bc5b612....0.tmp
- /data/media/####/grid_bg.9.png
- /data/media/####/grid_sel.9.png
- /data/media/####/i42d45df023jnkdd93la483f9xGFKXI
- /data/media/####/ic_btn_down.png
- /data/media/####/ic_default.png
- /data/media/####/info
- /data/media/####/journal
- /data/media/####/journal.tmp
- /data/media/####/list_bg_sel.png
- /data/media/####/mac_imei.txt
- /data/media/####/s92TjjdfoP2n3o9dfji2l9s1olkjf0p
- /data/media/####/suishen_exitpage.zip
- /data/media/####/tbslog.txt
- /data/media/####/tdata_rRG322
- /data/media/####/tdata_vHH584
- /data/media/####/test.log
- /data/media/####/top_btn_normal.9.png
- /data/media/####/top_btn_selected.9.png
- /data/media/####/update_btn_normal.9.png
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/kernel_max
- <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.module.push.DemoPushService 24815 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu-912781003.so
- getprop ro.product.cpu.abi
- mount
- su -c id
Загружает динамические библиотеки:
- EcalendarLib
- abcdefgh
- getuiext2
- libjiagu-912781003
- libyaqbasic.88615060
- libyaqpro.88615060
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- DESede
- PBEWITHMD5andDES
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- PBEWITHMD5andDES
- RSA-ECB-PKCS1Padding
Использует повышенные привилегии.
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
