Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.570.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) api####.i####.com:80
- TCP(HTTP/1.1) www.36####.com:80
- TCP(HTTP/1.1) pa####.i####.com:80
- TCP(HTTP/1.1) s2.q####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) t7z.c####.i####.com:80
- TCP(HTTP/1.1) c####.v####.i####.com:80
- TCP(HTTP/1.1) pages-j####.me####.com:80
- TCP(HTTP/1.1) secu####.i####.com:80
- TCP(HTTP/1.1) subscri####.i####.com:80
- TCP(HTTP/1.1) b.scoreca####.com.####.net:80
- TCP(HTTP/1.1) ff.t####.com.####.com:80
- TCP(HTTP/1.1) p1.q####.com:80
- TCP(HTTP/1.1) contr####.i####.com:80
- TCP(HTTP/1.1) d####.v####.i####.com:80
- TCP(HTTP/1.1) m.36####.com:80
- TCP(HTTP/1.1) d####.b####.com:80
- TCP(HTTP/1.1) p4.q####.com:80
- TCP(HTTP/1.1) a####.i####.com:80
- TCP(HTTP/1.1) c####.m.i####.com:80
- TCP(HTTP/1.1) i####.com.edg####.net:80
- TCP(SSL/3.0) s5.ssl.q####.com:443
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) i####.com.edg####.net:443
- TCP(TLS/1.0) s5.ssl.q####.com:443
- TCP(TLS/1.0) g####.com:443
- TCP(TLS/1.0) sh####.me####.com:443
- TCP(TLS/1.0) c####.baidust####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) secu####.i####.com:443
- TCP(TLS/1.0) id.go####.com:443
- TCP(TLS/1.0) www.go####.nl:443
- TCP(TLS/1.0) adser####.go####.com:443
- TCP(TLS/1.0) pages-j####.me####.com:443
- TCP y1.ey####.com:7072
- TCP y1.ey####.com:7073
- TCP y1.ey####.com:7071
Запросы DNS:
- a####.i####.com
- adser####.go####.com
- api####.i####.com
- b.scoreca####.com
- c####.baidust####.com
- c####.m.i####.com
- c####.v####.i####.com
- contr####.i####.com
- d####.b####.com
- d####.v####.i####.com
- ff.t####.com
- g####.com
- hm.b####.com
- id.go####.com
- l####.tbs.qq.com
- m.36####.com
- m.i####.com
- p0.q####.com
- p1.q####.com
- p2.q####.com
- p3.q####.com
- p4.q####.com
- p5.q####.com
- p6.q####.com
- p7.q####.com
- p8.q####.com
- p9.q####.com
- pa####.i####.com
- pages-j####.me####.com
- pos.b####.com
- pub.m.i####.com
- s2.q####.com
- s3m.me####.com
- s4.ssl.q####.com
- s5.ssl.q####.com
- secu####.i####.com
- sh####.me####.com
- ssl.gst####.com
- st####.i####.com
- subscri####.i####.com
- t7z.c####.i####.com
- www.36####.com
- www.go####.com
- www.go####.nl
- www.gst####.com
- www.i####.com
- y1.ey####.com
- y2.ey####.com
- y3.ey####.com
Запросы HTTP GET:
- a####.i####.com/feed/outline?hasRecomFeed=####&feedTypes=####&circleid=#...
- api####.i####.com/index/top?utype=####&cid=####&dim=####&len=####&area=#...
- b.scoreca####.com.####.net/beacon.js
- c####.m.i####.com/jp/tmts/1269902800/25993a68f0c33afb215793be5363ed77/?u...
- c####.v####.i####.com/jp/pc/207834001,206556801,204796401,202053601/?qyi...
- contr####.i####.com/control/content_config?business=####&is_iqiyi=####&i...
- d####.b####.com/x.js?si=####&dm=####
- d####.v####.i####.com/v.mp4?_=####&callback=####
- ff.t####.com.####.com/d/43ff.png
- hm.b####.com/hm.js?5df871a####
- i####.com.edg####.net/api/cloud/code?_tv_id_=####&vfm=####&_=####&callba...
- i####.com.edg####.net/css/20180710/h5-paopao-play-aura.css
- i####.com.edg####.net/css/2018080717/h5-play-aura.css
- i####.com.edg####.net/ext/common/auraIcon/iconfont.ttf
- i####.com.edg####.net/ext/common/auraIcon20180622/iconfont.ttf
- i####.com.edg####.net/favicon.ico
- i####.com.edg####.net/js/common/7d183edd03bc4414b315e8964fb41826.js
- i####.com.edg####.net/js/common/ares4-h5.min.js
- i####.com.edg####.net/js/html5/js/lib/clipboard.min.js
- i####.com.edg####.net/js/html5/js/lib/lib.2.0.8.min.js?sea1.2.####
- i####.com.edg####.net/js/html5/js/lib/qoe.3.0.3.min.js?v=####
- i####.com.edg####.net/js/html5/js/page/playLong/14b0effce6!app.js
- i####.com.edg####.net/v_19rqytdwho.html?vfm=####
- m.36####.com/
- p1.q####.com/d/dy_11dad05a5e63017f892bf691bf61cdc5.jpg
- p1.q####.com/d/dy_2b2869dc4ea60a63b81975213b2d6bd6.jpg
- p1.q####.com/d/dy_5a282193070e2f5b987a6fa008a432bb.jpg
- p1.q####.com/d/dy_5c1ee4c8ac21d12d9353a27a4f81d62a.
- p1.q####.com/d/dy_8c68efc093ada05060405d97b11f022a.jpg
- p1.q####.com/d/dy_921026f70a452a0a9da36e72b5a84ec9.jpg
- p1.q####.com/d/dy_9b04f91997faf577a5bd7455a598296a.
- p1.q####.com/d/dy_a49ebedd6e302144dd6bf53a5008952b.jpg
- p1.q####.com/d/dy_a5084fc66eea1bc5a58c4ab80aee77c6.
- p1.q####.com/d/dy_c42f8f2d78926f3df6fbcbe3387a68ff.jpg
- p1.q####.com/d/dy_c5c12ee559107ff576a5ae92bda9b571.
- p1.q####.com/d/dy_d324f5036312ae1215be5df47696a830.
- p1.q####.com/d/dy_d3cf576b6c47dcfa31f7255ecbc4c8e6.jpg
- p1.q####.com/d/dy_da7d35c29cc8b929bfb25a056d476a5f.jpg
- p1.q####.com/d/dy_e26a8d266c6955affa3b9ab9b51843de.
- p1.q####.com/d/dy_fc7282fed5941d526340232701fe46ee.jpg
- p1.q####.com/t01095440ba58ef4a68.jpg
- p1.q####.com/t014c70d4043684a33a.jpg
- p1.q####.com/t016ac3d4c9b6a0be35.jpg
- p1.q####.com/t017cc748788eb1dd9e.jpg
- p1.q####.com/t0184ec7ae22fb1af71.jpg
- p1.q####.com/t01a02b0e9ac491628b.jpg
- p1.q####.com/t01d200108c908967b6.jpg
- p4.q####.com/d/dy_25ecc1feb760380d31037d4e38422ce0.jpg
- p4.q####.com/d/dy_27ae531523fd0a8053c5429a303a2a34.jpg
- p4.q####.com/d/dy_85a581e74d65180df3159ea2573134e3.jpg
- p4.q####.com/d/dy_8fdd467c33252d862b13755ffa0000bb.jpg
- p4.q####.com/d/dy_bddea1a0172b2cd96a8c43fed49a7de1.jpg
- p4.q####.com/d/dy_dea96fe323ced4f29e91ed023bd82385.
- p4.q####.com/d/dy_f5856989aced270d3303fc3d3f5d4b68.
- p4.q####.com/t012bf0d1d9e281e32c.jpg
- p4.q####.com/t016d389e50ad5d462d.jpg
- p4.q####.com/t018727adf7f230cb7c.jpg
- p4.q####.com/t01ba1b1e43ef11b171.jpg
- p4.q####.com/t01bc1622155c619909.jpg
- p4.q####.com/t01c2a7403001a21919.jpg
- p4.q####.com/t01d3c783f5f384d82c.jpg
- p4.q####.com/t01ef1cee4c3e5a5139.jpg
- p4.q####.com/t01fbc5111ad81744c6.jpg
- pa####.i####.com/apis/e/paopao/list.action?authcookie=####&m_device_id=#...
- pa####.i####.com/apis/e/starwall/basic_wall.action?wallId=####&qypid=###...
- pages-j####.me####.com/ad/360kan/showcase-1180x150-1.html
- pages-j####.me####.com/ad/common/scripts/ad-utility.js
- s2.q####.com/static/74c37d815a0f2e9a,1227bc46dba9ed04,f422446daac39150,2...
- s2.q####.com/static/996a64e60ce4c065,d82da2f77e00e697,aec9ec75605277d3,5...
- s2.q####.com/static/b3d85ce81abb962d,3c41ea429f5be108,6e8349293f3dfca9,d...
- s2.q####.com/static/b6c7963030d89b0f,2284d2a080a4b2ad,5b85f4fb64699355,7...
- secu####.i####.com/jp/h5/albums/227402801?callback=####
- secu####.i####.com/jp/h5/count/play/227402801?_=####&callback=####
- subscri####.i####.com/dingyue/api/isSubscribed.action?agent_type=####&su...
- t7z.c####.i####.com/show2?e=AF48R####&h=####&a=####&u=####&p=####&s=####...
- t7z.c####.i####.com/track2?w=####&dts=####&nr=####&c=####&f=####&g=####&...
- www.36####.com/cover/switchsite?site=####&id=####&category=####
- www.36####.com/dianshi/list
- www.36####.com/dianying/list
- www.36####.com/dongman/list
- www.36####.com/tv/PrhocX7lRGLoNX.html
- www.36####.com/zongyi/list
Запросы HTTP POST:
- l####.tbs.qq.com/ajax?c=####&k=####
- l####.tbs.qq.com/ajax?c=####&v=####&k=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/001.jar
- /data/data/####/356507059351895yd.db-journal
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/WebpageIcons.db-journal
- /data/data/####/aypa0000.xml
- /data/data/####/aypb0000.xml
- /data/data/####/aypc0000.xml
- /data/data/####/ayqa0000.xml
- /data/data/####/ayqb0000.xml
- /data/data/####/core_info
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/debug.conf
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/http_m.iqiyi.com_0.localstorage-journal
- /data/data/####/http_www.360kan.com_0.localstorage-journal
- /data/data/####/index
- /data/data/####/libjiagu-833847884.so
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/xUtils.db-journal
- /data/data/####/yysa.xml
- /data/data/####/yysa356507059351895.xml
- /data/data/####/yysb356507059351895.xml
- /data/data/####/yysc356507059351895.xml
- /data/media/####/.nomedia
- /data/media/####/13sqg29nipw6dxieenrv7d1lz.tmp
- /data/media/####/15mogggsv53klzvysaen1okyd.tmp
- /data/media/####/1fexe62pw0z0n5uc4y3puq4cc.tmp
- /data/media/####/1qdlwvkmuxzyy07x3x12382q7.tmp
- /data/media/####/1s1ykz5l61rlt9k7p48n1o7yy.tmp
- /data/media/####/1xtgp21wsytz13buil0iwiwbc.tmp
- /data/media/####/22lwi74r9rwnfie6q9lb8dyvj.tmp
- /data/media/####/27i20qv1oscf16vb5cuvsdlwm.tmp
- /data/media/####/28iywk34y01dbee45im350yez.tmp
- /data/media/####/2amxocwvgyq8w8jzqpsfl106q.tmp
- /data/media/####/2irvjgdge3ggr3qursml8pspy.tmp
- /data/media/####/2lw7szh7tjlpyyqk45dam9p09.tmp
- /data/media/####/2stuusqd35pqs7bypjp9asmle.tmp
- /data/media/####/30kizs79hu6msn6xkxbok8be5.tmp
- /data/media/####/32h9l7epgcrae2yrppwkt931n.tmp
- /data/media/####/36rftepm69ulvvzq5vnc8kd3j.tmp
- /data/media/####/3fmf9m0rkb2in4hv6b188xbcg.tmp
- /data/media/####/3mbmimn5sc5ydpbk2ppk0jdyb.tmp
- /data/media/####/3q68zxihgo212hb6n93tbxnls.tmp
- /data/media/####/3uri1idi34e3bzgcxp0hiu7in.tmp
- /data/media/####/41ch9yzb9e6j3hmyruyvwo7zn.tmp
- /data/media/####/43ff.png.tmp
- /data/media/####/48yyctp0sozkf3b234ulgqi2q.tmp
- /data/media/####/4g2qfjj7ho254h1wonkuej1r6.tmp
- /data/media/####/4kpxav3qpdw3voxjfm2xqdot0.tmp
- /data/media/####/5i9spm3fsemve5vm7cz1d2xon.tmp
- /data/media/####/5t33j28ie5n5bgwwt8ehgx29q.tmp
- /data/media/####/63flmp92l68jzw7jiaujhfs60.tmp
- /data/media/####/65m5ndbf2er8ydc2bomb2lir2.tmp
- /data/media/####/6ebog7exsmva10kquitzhxu4s.tmp
- /data/media/####/6ieccqqlgjzdljnu7sp7zlf95.tmp
- /data/media/####/6q96y6w6gqsg0gf9f9ync5nl4.tmp
- /data/media/####/6rbxi9ro1mew05zfuykdorh1.tmp
- /data/media/####/6uhhxs3sdm4zd6dgafc1ofpv0.tmp
- /data/media/####/70g7w37ajxttp296jtrxzn7h.tmp
- /data/media/####/79qtzsj2s8w929sgr2br60lsr.tmp
- /data/media/####/Database.db
- /data/media/####/Database.db-journal
- /data/media/####/faqfgmoe36fg42fuwkw92yap.tmp
- /data/media/####/index.html
- /data/media/####/kyv6rfzyezkakdlzhk4s780c.tmp
- /data/media/####/xe8cjqppr8apc4vxku41ryxr.tmp
- /data/media/####/zoc6mtf3qa63b76bzggtweqc.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu-833847884.so
- getprop ro.product.cpu.abi
Загружает динамические библиотеки:
- cstrw3450ypguiljkcgdue564
- libjiagu-833847884
Использует следующие алгоритмы для шифрования данных:
- DESede-ECB-PKCS5Padding
- RSA-ECB-NoPadding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
