Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) et2-na6####.wagbr####.ali####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) l####.cc:80
- TCP(HTTP/1.1) 4####.95.95.131:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) d####.c####.l####.####.com:80
- TCP(HTTP/1.1) rs.eas####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(TLS/1.0) mal####.im####.cn:443
- TCP(TLS/1.0) d####.c####.l####.####.com:443
- TCP(TLS/1.0) foru####.im####.cn:443
- TCP c####.g####.ig####.com:5224
- TCP sdk.o####.t####.####.com:5224
Запросы DNS:
- 7j####.c####.z0.####.com
- c####.g####.ig####.com
- c-h####.g####.com
- foru####.im####.cn
- l####.cc
- log.u####.com
- mal####.im####.cn
- pi####.qq.com
- pic.im####.cn
- pub-####.qin####.com
- rs.eas####.com
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
Запросы HTTP GET:
- d####.c####.l####.####.com/1525774569754mall_orderComment_1525774569558....
- d####.c####.l####.####.com/1525774684232mall_orderComment_1525774684065....
- d####.c####.l####.####.com/20.jpg
- d####.c####.l####.####.com/21.jpg
- d####.c####.l####.####.com/37.jpg
- d####.c####.l####.####.com/38.jpg
- d####.c####.l####.####.com/49.jpg
- d####.c####.l####.####.com/59.jpg
- d####.c####.l####.####.com/68.jpg
- d####.c####.l####.####.com/69.jpg
- d####.c####.l####.####.com/74.jpg
- d####.c####.l####.####.com/test.jpg
- d####.c####.l####.####.com/upload/170823_S/17082902/01_01.jpg
- d####.c####.l####.####.com/upload/170823_S/17082902/01_02.jpg
- d####.c####.l####.####.com/upload/170823_S/17082902/01_03.jpg
- d####.c####.l####.####.com/upload/170823_S/17082902/01_04.jpg
- d####.c####.l####.####.com/upload/170823_S/17082902/01_05.jpg
- d####.c####.l####.####.com/upload/170823_S/17082902/01_06.jpg
- d####.c####.l####.####.com/upload/170823_S/17082902/01_07.jpg
- d####.c####.l####.####.com/upload/170823_S/17082902/01_08.jpg
- d####.c####.l####.####.com/upload/170823_S/17082902/01_09.jpg
- d####.c####.l####.####.com/upload/170823_S/17082902/01_10.jpg
- d####.c####.l####.####.com/upload/170823_S/Public_PIC/mxl_01.jpg
- d####.c####.l####.####.com/upload/advert/7101c224-ebab-4b1b-b122-ec3c627...
- d####.c####.l####.####.com/upload/class_icon/1d082b8c-5c48-4f14-8df3-821...
- d####.c####.l####.####.com/upload/class_icon/31dfeb35-aa36-45c2-8d2d-1de...
- d####.c####.l####.####.com/upload/class_icon/aff80747-3922-496c-89cc-229...
- d####.c####.l####.####.com/upload/common/2900f99d-3d71-4b38-809f-50e706e...
- d####.c####.l####.####.com/upload/common/492be8b6-0725-40ed-ad43-51cac55...
- d####.c####.l####.####.com/upload/common/6335c2de-749c-4086-b152-85bad77...
- d####.c####.l####.####.com/upload/common/69d128ea-b568-4d9c-b3f2-8e6fd79...
- d####.c####.l####.####.com/upload/common/9eab8708-8c37-4e7f-85a2-1177a0d...
- d####.c####.l####.####.com/upload/common/b8fe03ce-99e6-4287-8b04-c003e64...
- d####.c####.l####.####.com/upload/common/c53ac36e-91dc-4f8a-8c79-f59d3f0...
- d####.c####.l####.####.com/upload/common/d64587fd-41f1-4147-8a77-c28822a...
- d####.c####.l####.####.com/upload/common/f1a55ca1-4101-48ee-aad3-cfd8101...
- d####.c####.l####.####.com/upload/common/f7859734-26d1-43e1-bac4-b29bcf0...
- d####.c####.l####.####.com/upload/common/fe46c8a2-674b-46c8-b77c-ac6fc99...
- d####.c####.l####.####.com/upload/store/1/2017/08/28/c1f4a201-544e-4f5c-...
- d####.c####.l####.####.com/upload/store/1/2017/08/31/55262a37-1d3c-4a78-...
- d####.c####.l####.####.com/upload/store/1/2017/08/31/a83f0ca9-76a7-48e4-...
- d####.c####.l####.####.com/upload/store/1/2017/09/03/20d6ebdd-a7a8-4d9e-...
- d####.c####.l####.####.com/upload/store/1/2017/09/03/23f887d3-dd7b-4020-...
- d####.c####.l####.####.com/upload/store/1/2017/09/03/42fa7502-dbc7-4e7c-...
- d####.c####.l####.####.com/upload/store/1/2017/09/03/50f58719-2844-40ed-...
- d####.c####.l####.####.com/upload/store/1/2017/09/03/537e5190-9742-448a-...
- d####.c####.l####.####.com/upload/store/1/2017/09/03/6321b529-5092-4e40-...
- d####.c####.l####.####.com/upload/store/1/2017/09/03/cd1e1fed-d824-47fa-...
- d####.c####.l####.####.com/upload/store/1/2017/09/03/dd4ba882-db7d-4738-...
- d####.c####.l####.####.com/upload/store/1/2017/09/03/de477e5a-299d-47d9-...
- d####.c####.l####.####.com/upload/store/1/2017/09/03/e3c964a7-dc96-4864-...
- d####.c####.l####.####.com/upload/store/1/2017/09/28/073c4cd3-f5c3-4309-...
- d####.c####.l####.####.com/upload/store/1/2017/09/28/6555277e-f86b-43ab-...
- d####.c####.l####.####.com/upload/store/1/2017/09/28/8fecb0b6-e729-4c69-...
- d####.c####.l####.####.com/upload/store/1/2017/09/28/91412358-373b-4c88-...
- d####.c####.l####.####.com/upload/store/1/2017/10/11/22fb3831-99af-40b1-...
- d####.c####.l####.####.com/upload/store/1/2017/10/11/cf672263-e1bc-4af0-...
- d####.c####.l####.####.com/upload/store/1/2017/11/22/d21414fd-0e9a-4a25-...
- d####.c####.l####.####.com/upload/store/1/2018/01/29/09eee15c-8827-444c-...
- d####.c####.l####.####.com/upload/store/1/2018/01/29/189779fb-5445-4438-...
- et2-na6####.wagbr####.ali####.####.com/bar/get/594105e97666130c8100087a/...
- l####.cc/i/sdk/is_gal?sign=####&android_id=####&retry_times=####&linkedm...
- rs.eas####.com/easemob/server.json?sdk_version=####&app_key=####&file_ve...
- t####.c####.q####.####.com/tdata_EDT356
- t####.c####.q####.####.com/tdata_MkX219
- t####.c####.q####.####.com/tdata_iGj879
Запросы HTTP POST:
- c-h####.g####.com/api.php?format=####&t=####
- l####.cc/i/sdk/install
- pi####.qq.com/mstat/report/?index=####
- sdk.o####.p####.####.com/api.php?format=####&t=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/6959e62b65bf
- /data/data/####/LKME_Server_Request_Queue.xml
- /data/data/####/MultiDex.lock
- /data/data/####/applicationId
- /data/data/####/com.imugou.android.mid.world.ro.xml
- /data/data/####/com.imugou.android_preferences.xml
- /data/data/####/config.json
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/date.xml
- /data/data/####/device_id.xml.xml
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/gx_sp.xml
- /data/data/####/imugou-journal
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/jg_so_upgrade_setting.xml
- /data/data/####/libjiagu.so
- /data/data/####/linkedme_referral_shared_pref.xml
- /data/data/####/mugou.xml
- /data/data/####/multidex.version.xml
- /data/data/####/pri_tencent_analysis.db_com.imugou.android-journal
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/server.json
- /data/data/####/tdata_MkX219
- /data/data/####/tdata_MkX219.jar
- /data/data/####/tdata_iGj879
- /data/data/####/tdata_iGj879.jar
- /data/data/####/tencent_analysis.db_com.imugou.android-journal
- /data/data/####/umeng_socialize.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.lm_device_id
- /data/media/####/0c0ea9ae912c74126e7a02abb36c5c284e890e467554e7....0.tmp
- /data/media/####/1adce0198799fecbc63f784f66b7a148b9836800d9918a....0.tmp
- /data/media/####/1e8ff0d60a976e9ef1d13c9d7be86735129d4088e9dd71....0.tmp
- /data/media/####/1fe11e83943f5ef7c7381360d2df3c768e413db15c20c2....0.tmp
- /data/media/####/21cc4270c00c3ed37a188fae9ef2b92b3b7ac3baabb743....0.tmp
- /data/media/####/22ae30dd34bc1e1f9cdeb6a8e9c88ebb02531c02bb370a....0.tmp
- /data/media/####/22b69f0e10bbab49dc1cb1056fe188552679ad3da7a6f2....0.tmp
- /data/media/####/22bca417df1e4e90a4f90a275c266f114ebb9ac3048dbd....0.tmp
- /data/media/####/2566a7c77127f49a2c9f566a6a16b625ec28cf61949735....0.tmp
- /data/media/####/288714d64e40f80763daea75b912be21df6cc378d6b6bf....0.tmp
- /data/media/####/2b1aa137d7f2b7a1183574e7946cee4443a3ba0ff24416....0.tmp
- /data/media/####/30aa09e8229fd911e4531877547b81a3bd6742c59f5083....0.tmp
- /data/media/####/338f2ff83c26387c4189d7f2213c464c1713b55a8f34be....0.tmp
- /data/media/####/37cba8bff58bf7d626b79aa14138d9fd3657cd271d1352....0.tmp
- /data/media/####/381209e8058b114b7a062be4e05e760aca477d955955a3....0.tmp
- /data/media/####/3d8e1dfb865f489f4a898ae715617160725a55051d874e....0.tmp
- /data/media/####/413dcc7c523310b56674c41d01a20f2d6af11fd9dbb463....0.tmp
- /data/media/####/429e0933a9b9e288645587e35709b4d170e8f37c355965....0.tmp
- /data/media/####/521b06a3e7319af1891e8ae07c6001c33e87d14efbd48f....0.tmp
- /data/media/####/5377d343eff8eae979284543e3b087e64602a16d57713f....0.tmp
- /data/media/####/53e1a3f68ac4e0b5f527a103f72a609ab55e5b8d48ce68....0.tmp
- /data/media/####/5432f5e15b7ef92225167e9bc37808a2f901acd1396d8c....0.tmp
- /data/media/####/5b7826aafdcc3cd497557c1ae35a301e036e8d8e5821ac....0.tmp
- /data/media/####/63a0be4157af585189b38d61e77e6584d5c30c99d65bf5....0.tmp
- /data/media/####/64a9d7568fca67e8d9044ff01a781a0c79252645e63f8e....0.tmp
- /data/media/####/671a8c5e4d6c64b239d0d5f648f805a3d24e6d3a8461e8....0.tmp
- /data/media/####/6b273993d586819af2ca80e534a398f50ea93c82829adb....0.tmp
- /data/media/####/7201c819119f67baecdaa30b179ed29321aea3dec18198....0.tmp
- /data/media/####/75da5568c47f2966c4317301c8bd5b33078fecdf3f6e4b....0.tmp
- /data/media/####/77e5cb95ecf9523a2426f3dcd4fbe450b548ca4fb1b245....0.tmp
- /data/media/####/7a074dfd20691df0da74dcf6750b960daba5885685d8ae....0.tmp
- /data/media/####/7c26eade21d825fe238def65ce242f0f113a5926edc04b....0.tmp
- /data/media/####/7e3a4b3c4f46a04cbd5e5388863f038915762a98e1a11e....0.tmp
- /data/media/####/86b08d2738f1d85669411cab5c5d79deb146cf4166cfea....0.tmp
- /data/media/####/8a65497e9fed07c5947f770f4f4910718ccf6a863785e2....0.tmp
- /data/media/####/8a6bdaf6e1a4df74c6ca3d143fc28f4c1ce8fd7fc16478....0.tmp
- /data/media/####/8b3c3022b66d4c459d41acaa0eb118cf46744f75ecfdac....0.tmp
- /data/media/####/927e59be0077ea4c22bc4639956569473d25adb9fb7085....0.tmp
- /data/media/####/93dd65c4eabd3118381f2b3711224c07aae8c62a0dddb8....0.tmp
- /data/media/####/95a2e1c77eef64fb303456ebab9949ccbe715b6a476d18....0.tmp
- /data/media/####/96e89367019f75b0302ab4405bd83f7e3e498d15d6c877....0.tmp
- /data/media/####/994a4821dec4510d11426bd521fd62f80370b481f2319f....0.tmp
- /data/media/####/9e1cf4867df4eaecea225ae9342e253c41cf9d457cd097....0.tmp
- /data/media/####/a813aa14cefe23dde5c230c52aeb9e38a7d0144cee2b5c....0.tmp
- /data/media/####/aed0675cf38961e781896f0fb68125208b6e50baf0bf19....0.tmp
- /data/media/####/aff1780fe98e6083f81d016c27ab1a93015b40e65dd8ac....0.tmp
- /data/media/####/app.db
- /data/media/####/b205c3d98fe76b6b5955086f31cd5c1daf6e73e11acc03....0.tmp
- /data/media/####/b65804bd61c47cb2a2ba0ef09816b4af687f198996ac47....0.tmp
- /data/media/####/b84e0c734639a76c00b714e1c383f725fb7ea8bb9fa5db....0.tmp
- /data/media/####/b99cfd42dad139834badf4c02970980abb81461650ebca....0.tmp
- /data/media/####/ba59ce15f229849547933d758d4bc2f1d951e2ea0f8731....0.tmp
- /data/media/####/baec700e50aa461fc78bfe8e9a7c6ba9b2e35314ddfb10....0.tmp
- /data/media/####/bf5b74385d69e0264a5d8cfcc658a9551d607686ecb2a4....0.tmp
- /data/media/####/c10dce328f49294423a44745df71ff49b18115d17756d9....0.tmp
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.imugou.android.bin
- /data/media/####/com.imugou.android.db
- /data/media/####/da3f59351543c78e2a4c05eb1259fb96b36716cd3bb451....0.tmp
- /data/media/####/e65b79e697c15e69ff0e6fd3e65f0df3659696d5906453....0.tmp
- /data/media/####/f16afba57edb982cda43ccafed2e4eb90d4907dd9a9ab0....0.tmp
- /data/media/####/f7178f82c6e3a890ed290e3c65cbe8ae8bf3754f35639a....0.tmp
- /data/media/####/ff2a49555f30fa07937777f341565634cc8b62d4f5a3b5....0.tmp
- /data/media/####/journal.tmp
- /data/media/####/tdata_MkX219
- /data/media/####/tdata_iGj879
- /data/media/####/test.log
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.getui.DemoPushService 24810 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- mount
Загружает динамические библиотеки:
- MtaNativeCrash_v2
- getuiext2
- hyphenate
- hyphenate_av
- hyphenate_av_recorder
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
