Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.405.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) wap.n.sh####.com:80
- TCP(HTTP/1.1) gd.a.s####.com:80
- TCP(HTTP/1.1) fc####.b####.com:80
- TCP(HTTP/1.1) you####.b####.com:80
- TCP(HTTP/1.1) c####.tv.itc.cn:80
- TCP(HTTP/1.1) www.a.sh####.com:80
- TCP(HTTP/1.1) j####.kb####.cn:80
- TCP(HTTP/1.1) se####.b####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) ch####.jom####.com:80
- TCP(HTTP/1.1) si####.jom####.com:80
- TCP(HTTP/1.1) sta####.itc.cn.####.com:80
- TCP(HTTP/1.1) g####.bdst####.com:80
- TCP(HTTP/1.1) f.hiph####.b####.com:80
- TCP(HTTP/1.1) js.tv.i####.cn:80
- TCP(HTTP/1.1) t####.jom####.com:80
- TCP(HTTP/1.1) gs.a.s####.com:80
- TCP(TLS/1.0) c####.tv.itc.cn:443
- TCP(TLS/1.0) www.a.sh####.com:443
- TCP(TLS/1.0) sb.scoreca####.com.####.net:443
- TCP(TLS/1.0) g####.b####.com:443
- TCP(TLS/1.0) 001.img.pu.####.cn:443
- TCP(TLS/1.0) c####.baidust####.com:443
- TCP(TLS/1.0) z2.m.tv.####.com:443
- TCP(TLS/1.0) fex.bdst####.com:443
- TCP(TLS/1.0) gs.a.s####.com:443
- TCP(TLS/1.0) s####.i####.com:443
- TCP(TLS/1.0) moun####.zh####.b####.com:443
- TCP(TLS/1.0) c####.b####.com:443
- TCP(TLS/1.0) t####.jom####.com:443
- TCP(TLS/1.0) ikno####.b####.com:443
- TCP(TLS/1.0) rc.vrs.s####.com:443
- TCP(TLS/1.0) js.tv.i####.cn:443
- TCP(TLS/1.0) gv.a.s####.com:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) r####.zh####.b####.com:443
- TCP(TLS/1.0) pos.b####.com:443
- TCP(TLS/1.0) g####.bdst####.com:443
- TCP(TLS/1.0) 39d0825####.cdn.so####.####.com:443
- TCP(TLS/1.0) gd.a.s####.com:443
- TCP(TLS/1.0) cambria####.cdn.bc####.####.com:443
- TCP(TLS/1.0) i####.b####.com:443
Запросы DNS:
- 001.img.pu.####.cn
- 39d0825####.cdn.so####.com
- 5b0988e####.cdn.so####.com
- a.appj####.com
- a1.i####.cn
- api.k.s####.com
- api.tv.s####.com
- c####.b####.com
- c####.baidu####.cn
- c####.baidust####.com
- c####.tv.itc.cn
- cambria####.cdn.bc####.com
- f.hiph####.b####.com
- fc####.b####.com
- fex.bdst####.com
- g####.b####.com
- g####.bdst####.com
- g####.bdst####.com
- hm.b####.com
- ikno####.b####.com
- j####.kb####.cn
- js.s####.com
- js.tv.i####.cn
- k.s####.com
- m.b####.com
- m.s####.com
- m.tv.s####.com
- moun####.zh####.b####.com
- phot####.tv.s####.com
- pl.hd.s####.com
- pos.b####.com
- pv.s####.com
- r####.zh####.b####.com
- rc.vrs.s####.com
- s####.i####.com
- s####.my.tv.####.com
- s.bdst####.com
- sb.scoreca####.com
- se####.b####.com
- sp1.b####.com
- sta####.itc.cn
- t10.b####.com
- t11.b####.com
- t12.b####.com
- t7.b####.com
- t8.b####.com
- t9.b####.com
- ti####.b####.com
- tv.s####.com
- www.b####.com
- you####.b####.com
- z.m.tv.####.com
- z2.m.tv.####.com
- zh####.b####.com
Запросы HTTP GET:
- c####.tv.itc.cn/m/player.css
- ch####.jom####.com/it/u=1076006532,2138038038&fm=190&app=7&size=r3,2&n=0...
- ch####.jom####.com/it/u=4093228604,3818431005&fm=190&app=7&size=r3,2&n=0...
- ch####.jom####.com/it/u=865741344,3335459078&fm=190&app=7&size=r3,2&n=0&...
- ch####.jom####.com/it/u=999826741,2311884715&fm=190&app=7&size=r3,2&n=0&...
- f.hiph####.b####.com/baike/whfpf=400,225,0/sign=d3b83cbcc41b9d168a92c921...
- fc####.b####.com/w.gif?baiduid=####&query=####&queryUtf8=####&searchid=#...
- g####.bdst####.com/5foUcz3n1MgCo2Kml5_Y_D3/graph/static/resource/sdk/mob...
- g####.bdst####.com/5foUcz3n1MgCo2Kml5_Y_D3/graph/static/resource/sdk/v1....
- gd.a.s####.com/20180604/n600534388.shtml?src=####
- gd.a.s####.com/static/ui-open/3.1/js/open.min.js
- gs.a.s####.com/a/233967165_100165783
- gs.a.s####.com/promotion?posId=50010101&itemId=6680&link=/m.tv.sohu.com/...
- gs.a.s####.com/pv.js?_t=####
- js.tv.i####.cn/m/player/inc-all.js
- se####.b####.com/mwb.gif?type=####&fm=####&data=####&qid=####&did=####&q...
- si####.jom####.com/common/openjs/openBox.js?_v=####
- si####.jom####.com/it/u=1586871449,4006096584&fm=58
- si####.jom####.com/it/u=1969291302,3436839348&fm=58
- si####.jom####.com/it/u=2281275909,2540440941&fm=58
- si####.jom####.com/it/u=2694597484,521337985&fm=58
- si####.jom####.com/it/u=3991798261,1728313299&fm=58
- si####.jom####.com/it/u=4218045044,1692329411&fm=58
- sta####.itc.cn.####.com/a_auto,c_cut,x_3,y_3,w_636,h_636/images/20180502...
- sta####.itc.cn.####.com/mobile/css/images/sicon-2b31ed9b.ttf
- sta####.itc.cn.####.com/mobile/css/images/sohu_text-43560455.png
- sta####.itc.cn.####.com/mobile/css/main-cfb081e06b.css
- sta####.itc.cn.####.com/mobile/js/lib-84c5889aed.js
- sta####.itc.cn.####.com/mobile/js/main-d35f8171ec.js
- sta####.itc.cn.####.com/q_70,c_zoom,w_640/images/20180604/074a3212de924f...
- sta####.itc.cn.####.com/q_70,c_zoom,w_640/images/20180604/4072744afbd344...
- sta####.itc.cn.####.com/spm/prod/js/1.0.1/index.js
- t####.jom####.com/timg?wiseala####&size=####&quality=####&sec=####&di=##...
- t####.jom####.com/timg?wisealaddin&size=f593_395&quality=100&sec=1532966...
- wap.n.sh####.com/error.jsp?traceid=####
- wap.n.sh####.com/s?word=####
- wap.n.sh####.com/se/static/atom/search-ui/v2/core_1a43fb1.js
- wap.n.sh####.com/se/static/img/iphone/logo.png
- wap.n.sh####.com/se/static/js/fusion/b-scroll/b-scroll_e0b3634.js
- wap.n.sh####.com/se/static/js/fusion/b-share/b-share_4aecd60.js
- wap.n.sh####.com/se/static/js/fusion/deps/naboo_5b6a5d7.js
- wap.n.sh####.com/se/static/js/log/taiji_device_e2f4d3c.js
- wap.n.sh####.com/se/static/js/modules/baiduappFixedButton_4edbe08.js
- wap.n.sh####.com/se/static/js/modules/device_data_dep/murmur3_e901bf7.js
- wap.n.sh####.com/se/static/js/modules/feedback/feedback_15ec746.js
- wap.n.sh####.com/se/static/js/uiamd/bdbox/base_ebba34e.js
- wap.n.sh####.com/se/static/pmd/pmd/deps/detect_2a7ba24.js
- wap.n.sh####.com/se/static/wiseatom/pagenav/pack_6eaba35.js
- wap.n.sh####.com/tc?tcreq4log=####&ssid=####&from=####&bd_page_type=####...
- www.a.sh####.com/5b1ZeDe5KgQFm2e88IuM_a/wbcj.gif?pid=####&ts=####&lid=##...
- www.a.sh####.com/error
- www.a.sh####.com/error.jsp?traceid=####
- www.a.sh####.com/from=0/bd_page_type=1/ssid=0/uid=0/pu=usm@0,sz@1320_100...
- www.a.sh####.com/his?callback=####&type=####&ishome=####&islogin=####&pi...
- www.a.sh####.com/rec?platform=####&ms=####&lsAble=####&rset=####&word=##...
- www.a.sh####.com/s?word=####&rq=####&sa=####&rsf=####&pqid=####&rqid=####
- www.a.sh####.com/se/static/ala_atom/app/vid_hor/bundle_c4a76b0.js
- www.a.sh####.com/se/static/ala_atom/app/yl_music_lyrics/bundle_2d7f5fd.js
- www.a.sh####.com/se/static/aladdin/bk_polysemy/logo_big_94ece1f.png
- www.a.sh####.com/se/static/aladdin/bk_polysemy/miaodong-logo_d5aa8ae.png
- www.a.sh####.com/se/static/amd_modules/@baidu/better-scroll/better-scrol...
- www.a.sh####.com/se/static/amd_modules/@baidu/better-scroll_3ccd1d2.js
- www.a.sh####.com/se/static/amd_modules/@baidu/web-animations-js/web-anim...
- www.a.sh####.com/se/static/amd_modules/@baidu/web-animations-js_8257915.js
- www.a.sh####.com/se/static/amd_modules/@baidu/webb_5c95663.js
- www.a.sh####.com/se/static/font/pmd/cicon_a5b2811.ttf
- www.a.sh####.com/se/static/img/iphone/input_bearicon.png
- www.a.sh####.com/se/static/img/iphone/logo.png
- www.a.sh####.com/se/static/js/base/ala/util_7874520.js
- www.a.sh####.com/se/static/js/base/atom/atomWrapper_a81161e.js
- www.a.sh####.com/se/static/js/dep/fingerprint2.min_c6eb516.js
- www.a.sh####.com/se/static/js/fusion/b-popup/b-popup_3e28331.js
- www.a.sh####.com/se/static/js/fusion/b-scroll/bdscroll_3c59879.js
- www.a.sh####.com/se/static/js/fusion/b-scroll/scroll_1b8ba32.js
- www.a.sh####.com/se/static/js/fusion/b-toast/b-toast_89597a6.js
- www.a.sh####.com/se/static/js/fusion/deps/aio_34bb973.js
- www.a.sh####.com/se/static/js/fusion/deps/detect_59e6096.js
- www.a.sh####.com/se/static/js/fusion/deps/fusion.best_a88de11.js
- www.a.sh####.com/se/static/js/fusion/deps/fusion_ad9ac7f.js
- www.a.sh####.com/se/static/js/fusion/deps/spark_e2da817.js
- www.a.sh####.com/se/static/js/log/exp_db2b53e.js
- www.a.sh####.com/se/static/js/log/taiji_behavior_84e8fa7.js
- www.a.sh####.com/se/static/js/modules/advanced_filter/advanced_filter_17...
- www.a.sh####.com/se/static/js/modules/device_data_dep/h5_support_info_4f...
- www.a.sh####.com/se/static/js/modules/device_data_dep/murmur3_e901bf7.js
- www.a.sh####.com/se/static/js/modules/device_data_dep/support_fonts_ac84...
- www.a.sh####.com/se/static/js/modules/device_data_dep/zoom_info_abaf8bb.js
- www.a.sh####.com/se/static/js/modules/safariicon/safariicon_d1dec0d.js
- www.a.sh####.com/se/static/js/modules/vsl/vslUtil_2bffe78.js
- www.a.sh####.com/se/static/js/uiamd/bdbox/follow_b1f1a38.js
- www.a.sh####.com/se/static/js/uiamd/bdbox/util_efa4068.js
- www.a.sh####.com/se/static/pmd/pmd/share/share_02e5b88.js
- www.a.sh####.com/se/static/wiseatom/relative/pack_e4f409a.js
- www.a.sh####.com/search/error.html
- www.a.sh####.com/speed/static/tj.gif?pagetype=####&logid=####&ta_net=###...
- www.a.sh####.com/static/search/clear.png
- www.a.sh####.com/static/search/image_default.png
- www.a.sh####.com/static/searchbox/openjs/share.js?v=####
- www.a.sh####.com/static/tj.gif?time=####
- www.a.sh####.com/tc?tcreq4log=####&ssid=####&from=####&bd_page_type=####...
- you####.b####.com/s?type=####&p=quer####&ppim=####&im=####&rs=####&from=...
Запросы HTTP POST:
- a.appj####.com/ad-service/ad/mark
- j####.kb####.cn/app/init
- j####.kb####.cn/ts/image
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/11697329721582758219
- /data/data/####/11697329721973813182
- /data/data/####/INITSP.xml
- /data/data/####/config.db4-journal
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/downmodel.db-journal
- /data/data/####/dxt_yx_sdk-journal
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/f_00001f
- /data/data/####/f_000020
- /data/data/####/f_000021
- /data/data/####/f_000022
- /data/data/####/f_000023
- /data/data/####/f_000024
- /data/data/####/f_000025
- /data/data/####/f_000026
- /data/data/####/f_000027
- /data/data/####/f_000028
- /data/data/####/f_000029
- /data/data/####/f_00002a
- /data/data/####/f_00002b
- /data/data/####/gmodel.db-journal
- /data/data/####/index
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/libjiagu.so
- /data/data/####/qsap.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/sanzijing.db
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/files/libjiagu.so
Загружает динамические библиотеки:
- libjiagu
Использует следующие алгоритмы для расшифровки данных:
- DES
- DESede-CBC-PKCS7Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Отрисовывает собственные окна поверх других приложений.
