Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Backdoor.627.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) sdk.o####.lbs.####.com:80
- TCP(HTTP/1.1) s3a.ps####.com:80
- TCP(HTTP/1.1) magic####.com.cn:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(HTTP/1.1) plg.abcdse####.com:7901
- TCP(HTTP/1.1) api.map.b####.com:80
- TCP(HTTP/1.1) o####.tou####.com:80
- TCP(HTTP/1.1) t####.qq.com:443
- TCP(HTTP/1.1) lmp.abe####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) q.q####.cn:80
- TCP(HTTP/1.1) www.googlet####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) p####.ou####.com:9230
- TCP(HTTP/1.1) p1.ps####.com:80
- TCP(HTTP/1.1) m.didida####.com.####.com:80
- TCP(HTTP/1.1) sf1-ttc####.ps####.com:80
- TCP(HTTP/1.1) p3.ps####.com:80
- TCP(HTTP/1.1) sni.c####.q####.####.net:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) o####.sn####.com.####.net:80
- TCP(HTTP/1.1) abc.abcdse####.com:7901
- TCP(HTTP/1.1) cgi.con####.qq.com:80
- TCP(HTTP/1.1) sf6-ttc####.ps####.com.####.com:80
- TCP(HTTP/1.1) 1####.254.116.117:80
- TCP(HTTP/1.1) p9.ps####.com.####.com:80
- TCP(TLS/1.0) m.didida####.com.####.com:443
- TCP(TLS/1.0) o####.tou####.com:443
- TCP(TLS/1.0) lmp.abe####.com:443
- TCP sdk.o####.t####.####.com:5224
- TCP c####.g####.ig####.com:5226
- TCP t####.qq.com:8080
- TCP t####.qq.com:80
- TCP t####.qq.com:443
- TCP t####.qq.com:14000
Запросы DNS:
- 7j####.c####.z0.####.com
- a####.u####.com
- abc.abcdse####.com
- api.map.b####.com
- c####.g####.ig####.com
- c-h####.g####.com
- cgi.con####.qq.com
- i.ps####.com
- lf.sn####.com
- lmp.abe####.com
- m.didida####.com
- m.tou####.com
- magic####.com.cn
- o####.sn####.com
- o####.tou####.com
- p####.ou####.com
- p1.ps####.com
- p3.ps####.com
- p9.ps####.com
- pi####.qq.com
- plg.abcdse####.com
- q.q####.cn
- r.didida####.com
- s3.ps####.com
- s3a.ps####.com
- s3b.ps####.com
- sdk.c####.ig####.com
- sdk.o####.i####.####.com
- sdk.o####.lbs.####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sf1-ttc####.ps####.com
- sf3-ttc####.ps####.com
- sf6-ttc####.ps####.com
- t####.qq.com
- www.googlet####.com
- www.h####.com.cn
Запросы HTTP GET:
- cgi.con####.qq.com/qqconnectopen/openapi/policy_conf?sdkv=####&appid=###...
- o####.sn####.com.####.net/auth/access/device?signature=####×tamp=##...
- o####.sn####.com.####.net/data/stream/v3?signature=####×tamp=####&n...
- o####.sn####.com.####.net/list/a604000a7f303b0c6da9
- o####.sn####.com.####.net/list/a6050007c9484cca8a41
- o####.sn####.com.####.net/list/a60b0002996dd944a700
- o####.sn####.com.####.net/log/app_log_for_partner/v1/?signature=####&tim...
- o####.sn####.com.####.net/log/app_log_for_partner/v1?signature=####&time...
- o####.sn####.com.####.net/log/app_log_for_partner/v2/?signature=####&tim...
- o####.sn####.com.####.net/log/app_log_for_partner/v2?signature=####&time...
- o####.tou####.com/a6564350291586580750/?utm_campaign=####&utm_medium=###...
- o####.tou####.com/api/ad/union/show_event/?req_id=####&extra=####&source...
- o####.tou####.com/group/article/6564350291586580750/6564350291586580750/...
- o####.tou####.com/list/pgc-image/153275741112298d615cc2b
- o####.tou####.com/list/pgc-image/1533879680713a62526ef13
- o####.tou####.com/list/pgc-image/15341229430503405cce326
- o####.tou####.com/mercury/resource/mercury/go_mobile_detail/common/rende...
- o####.tou####.com/mercury/resource/mercury/go_mobile_detail/pagelet/asyn...
- o####.tou####.com/mercury/resource/mercury/go_mobile_detail/static/pkg/p...
- o####.tou####.com/obj/web.business.image/201808175d0d586313cb128c4759a00a
- o####.tou####.com/obj/web.business.image/201808225d0d15d82f0ac1dd4720b50c
- o####.tou####.com/union/ad/i6564350291586580750/?utm_campaign=####&utm_m...
- p1.ps####.com/list/3c7100032d6d5ab858ba
- p1.ps####.com/list/6c4d0004ed220260f212
- p1.ps####.com/list/83b800046e4353d882fd
- p1.ps####.com/list/pgc-image/1531960646872af31bdd28d
- p1.ps####.com/list/pgc-image/153448828872418b9dcc288
- p1.ps####.com/list/pgc-image/1534856717957e8f8fd521e
- p1.ps####.com/list/pgc-image/15349529292325cdb8206ef
- p1.ps####.com/video1609/pgc-image/1534776816205a54aa0166f
- p3.ps####.com/list/3c6f00034144f23bfcb3
- p3.ps####.com/list/3c70000377cdcc5b9b70
- p3.ps####.com/list/3c720001975c7815abe1
- p3.ps####.com/list/4a340000e43e17423705
- p3.ps####.com/list/4a340000e43f3e412458
- p3.ps####.com/list/50400010e95e9c6dc4da
- p3.ps####.com/list/640x480/3f290003db23bcbe8eed
- p3.ps####.com/list/640x480/pgc-image/15280743131204daa7f1c36
- p3.ps####.com/list/640x480/pgc-image/15285327688651a6e13a542
- p3.ps####.com/list/6ef10003d6d3efc0b470
- p3.ps####.com/list/83b600003fe18a49eec6
- p3.ps####.com/list/83b70006478fd8aa3c6b
- p3.ps####.com/list/83b7000874b769051696
- p3.ps####.com/list/a0ab0004358991100cde
- p3.ps####.com/list/a0ac00043371d9852b68
- p3.ps####.com/list/a66c000a3efe28779f9b
- p3.ps####.com/list/a66e00096dc3ab02603c
- p3.ps####.com/list/aadd00193d6840fb32e8
- p3.ps####.com/list/aae3000172111c01e3bd
- p3.ps####.com/list/pgc-image/15349495617051761307c3d
- p3.ps####.com/list/pgc-image/1534993619205a3207920b8
- p3.ps####.com/thumb/2c600001ef8f74177f5c
- p9.ps####.com.####.com/list/3c6e00035bd701117000
- p9.ps####.com.####.com/list/640x480/888f000237a423b52c2e
- p9.ps####.com.####.com/list/pgc-image/1534949601847d89520df60
- q.q####.cn/qqapp/100290348/BF1E1FD4B79F11C131432D716F1972A0/100
- s3a.ps####.com/mercury/resource/mercury/go_mobile_detail/pagelet/async/v...
- s3a.ps####.com/mercury/resource/mercury/go_mobile_detail/static/image/to...
- s3a.ps####.com/mercury/resource/mercury/go_mobile_detail/static/pkg/comm...
- s3a.ps####.com/mercury/resource/mercury/go_mobile_detail/static/pkg/lib_...
- s3a.ps####.com/mercury/resource/mercury/go_mobile_detail/static/pkg/page...
- s3a.ps####.com/mercury/resource/mercury/go_mobile_detail/static/pkg/tea_...
- s3a.ps####.com/mercury/resource/mercury/go_mobile_detail/static/style/co...
- s3a.ps####.com/mercury/resource/mercury/open_uas/1.0.6/uas.min.js
- s3a.ps####.com/toutiao/monitor/sdk/slardar.js
- sf1-ttc####.ps####.com/obj/web.business.image/20180820fe697586d8cf88bd48...
- sf6-ttc####.ps####.com.####.com/obj/web.business.image/201807265d0d9c9e7...
- sni.c####.q####.####.net/config/hz-hzv3.conf
- sni.c####.q####.####.net/tdata_Dkq849
- sni.c####.q####.####.net/tdata_HCo893
- sni.c####.q####.####.net/tdata_PcJ569
- sni.c####.q####.####.net/tdata_qiz011
- www.googlet####.com/gtm.js?id=####
Запросы HTTP POST:
- a####.u####.com/app_logs
- abc.abcdse####.com:7901/
- api.map.b####.com/location/ip?ak=####&coor=####
- c-h####.g####.com/api.php?format=####&t=####
- lmp.abe####.com/lmp/baseinfo/report
- m.didida####.com.####.com/p/magicwifi/queryGameInfo
- magic####.com.cn/b/ws/terminal/treasure/homepage/activityGoodsModule
- magic####.com.cn/ws/terminal/ad/getIndexAdList
- magic####.com.cn/ws/terminal/banner/bannerList
- magic####.com.cn/ws/terminal/beanparadise/getGameModelDetail
- magic####.com.cn/ws/terminal/cfg/configuration
- magic####.com.cn/ws/terminal/cfg/getTenantPicList
- magic####.com.cn/ws/terminal/homepage/channel/recommendList
- magic####.com.cn/ws/terminal/homepage/module/recommendList
- magic####.com.cn/ws/terminal/jobNote/getStatData
- magic####.com.cn/ws/terminal/programwall/gezhuangshow
- magic####.com.cn/ws/terminal/version/check_v2
- p####.ou####.com:9230/
- pi####.qq.com/mstat/report/?index=####
- plg.abcdse####.com:7901/pl/config
- sdk.o####.lbs.####.com/api.htm?format=####&t=####
- sdk.o####.p####.####.com/api.php?format=####&t=####
- t####.qq.com:443/203.205.211.75:443/
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-498059340
- /data/data/####/-631358068
- /data/data/####/-756521708
- /data/data/####/.imprint
- /data/data/####/.tpns.service.xml.xml
- /data/data/####/.tpns.settings.xml.xml
- /data/data/####/.tpush_mta.xml
- /data/data/####/1357813431.jar
- /data/data/####/2078793401
- /data/data/####/960312673
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/MultiDex.lock
- /data/data/####/apkplugconfig.ini.xml
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cn.com.magicwifi_preferences.xml
- /data/data/####/com.tencent.open.config.json.1103858727
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/device_id.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/gdaemon_20161017
- /data/data/####/gjc.xml
- /data/data/####/gks_download.db-journal
- /data/data/####/gx_sp.xml
- /data/data/####/increment.db-journal
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/jks.db-journal
- /data/data/####/magic_DianZanData.xml
- /data/data/####/magicwifi.xml
- /data/data/####/multidex.version.xml
- /data/data/####/mw_count.db-journal
- /data/data/####/mw_news_db
- /data/data/####/mw_news_db-journal
- /data/data/####/okgo.db-journal
- /data/data/####/ot2.db-journal
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/shop3.9.3.01.jar
- /data/data/####/sy.db-journal
- /data/data/####/tdata_Dkq849.jar
- /data/data/####/tdata_Dkq849.tmp
- /data/data/####/tdata_HCo893.jar
- /data/data/####/tdata_HCo893.tmp
- /data/data/####/tdata_PcJ569.jar
- /data/data/####/tdata_PcJ569.tmp
- /data/data/####/tdata_qiz011.jar
- /data/data/####/tdata_qiz011.tmp
- /data/data/####/tmp-cn.com.magicwifi-1.apk.classes-629919620.zip
- /data/data/####/tpush.shareprefs.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/web1.jar
- /data/data/####/web2114.temp
- /data/data/####/web2114.temp (deleted)
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/-1109977546.tmp
- /data/media/####/-1137100042.tmp
- /data/media/####/-1137855494.tmp
- /data/media/####/-1152551664.tmp
- /data/media/####/-1187815515.tmp
- /data/media/####/-1250943165.tmp
- /data/media/####/-1313601956.tmp
- /data/media/####/-1330724689.tmp
- /data/media/####/-1367245158.tmp
- /data/media/####/-1422841273.tmp
- /data/media/####/-1460065701.tmp
- /data/media/####/-1468408800.tmp
- /data/media/####/-1597064471.tmp
- /data/media/####/-1680266714.tmp
- /data/media/####/-1763487219.tmp
- /data/media/####/-1820104363.tmp
- /data/media/####/-1844140367.tmp
- /data/media/####/-1904104230.tmp
- /data/media/####/-1974556975.tmp
- /data/media/####/-2035907767.tmp
- /data/media/####/-2100133217.tmp
- /data/media/####/-235009941.tmp
- /data/media/####/-49670210.tmp
- /data/media/####/-681389426.tmp
- /data/media/####/-694858141.tmp
- /data/media/####/-857110576.tmp
- /data/media/####/-918861358.tmp
- /data/media/####/1256382206.tmp
- /data/media/####/1366709092.tmp
- /data/media/####/1478829310.tmp
- /data/media/####/1494524.tmp
- /data/media/####/1751464525.tmp
- /data/media/####/1826134361.tmp
- /data/media/####/1865735538.tmp
- /data/media/####/1886051626.tmp
- /data/media/####/1926122774.tmp
- /data/media/####/1943440887.tmp
- /data/media/####/20180823-070539_cn.com.magicwifi;xg_service_v3_Thread-144
- /data/media/####/20180823-070539_cn.com.magicwifi;xg_service_v3_Thread-145
- /data/media/####/20180823-070553_cn.com.magicwifi;xg_service_v3_Thread-143
- /data/media/####/20180823-070553_cn.com.magicwifi;xg_service_v3_Thread-144
- /data/media/####/20180823-070604_cn.com.magicwifi;xg_service_v3_Thread-146
- /data/media/####/20180823-070604_cn.com.magicwifi;xg_service_v3_Thread-147
- /data/media/####/20180823-070616_cn.com.magicwifi;xg_service_v3_Thread-149
- /data/media/####/20180823-070629_cn.com.magicwifi;xg_service_v3_Thread-152
- /data/media/####/566554641.tmp
- /data/media/####/676081726.tmp
- /data/media/####/739864628.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/app.db
- /data/media/####/cfg.xml
- /data/media/####/cn.com.magicwifi.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.tencent.mobileqq_connectSdk.18.08.23.07.log
- /data/media/####/data.mw
- /data/media/####/f01d8c3f0a498f90ad5cac2201a11cc4_1.f0
- /data/media/####/global.xml
- /data/media/####/log.txt
- /data/media/####/magicWifiVideo.db
- /data/media/####/magicWifiVideo.db-journal
- /data/media/####/pkg_cn.com.magicwifi
- /data/media/####/plcfg.xml
- /data/media/####/tdata_Dkq849
- /data/media/####/tdata_HCo893
- /data/media/####/tdata_PcJ569
- /data/media/####/tdata_qiz011
- /data/media/####/test.log
- /data/media/####/webadlist.cache
- /data/media/####/webadlist.xml
- /data/media/####/webadlist_last.cache
- /data/media/####/webinfo.xml
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 24564 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 24564 300 0
- sh <Package Folder>/lib/libxguardian.so <Package>,2100268820; 55613 203.205.128.130 [{ idx :0, ts :%d, et :2000, si :0, ui : <IMEI> , ky : Axg%lu , mid : 0 , ev :{ ov : 18 , sr : 600*752 , md : <System Property> , lg : en , sv : 3.2 , mf : unknown , apn : %s }}] 0 18
Загружает динамические библиотеки:
- MagicWifiJni_v1.0
- tpnsSecurity
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-CFB-NoPadding
- AES-CFB8-NoPadding
- AES-ECB-PKCS5Padding
- DES-ECB-NoPadding
- RSA-ECB-PKCS1PADDING
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- AES-CFB-NoPadding
- AES-CFB8-NoPadding
- AES-ECB-PKCS5Padding
- DES-ECB-NoPadding
- DES-ECB-PKCS5Padding
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации о настроках APN.
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
