Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Adware.Dowgin.3.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) x.da.hun####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) com####.hun####.com:80
- TCP(HTTP/1.1) 1####.h####.i####.tv:80
- TCP(HTTP/1.1) mo####.api.hun####.com:80
- TCP(HTTP/1.1) 4####.h####.i####.tv:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) geo.gridsum####.com:80
- TCP(HTTP/1.1) use####.api.max.####.com:80
- TCP(HTTP/1.1) av####.h####.com:80
- TCP(HTTP/1.1) rc.mpp.hun####.com:80
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) mo####.log.hun####.com:80
- TCP(HTTP/1.1) a.m.15####.cn:80
- TCP(TLS/1.0) 1####.217.17.78:443
Запросы DNS:
- 0####.h####.com
- 1####.h####.com
- 2####.h####.com
- 3####.h####.com
- 4####.h####.com
- a####.u####.com
- a.m.15####.cn
- api####.a####.com
- au.u####.co
- au.u####.com
- av####.h####.com
- com####.hun####.com
- e####.h####.com
- geo.gridsum####.com
- i5.hun####.com
- mo####.api.hun####.com
- mo####.log.hun####.com
- mpp.s####.hun####.com
- oc.u####.com
- rc.mpp.hun####.com
- use####.api.max.####.com
- x.da.hun####.com
Запросы HTTP GET:
- 1####.h####.i####.tv/preview/cms_icon/2018/10/20181024232825932.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/10/20181025171255143.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/10/20181026112155218.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/10/20181026112400081.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/10/20181026163317530.jpg
- 1####.h####.i####.tv/preview/cms_icon/2018/10/20181027123903687.jpg
- 1####.h####.i####.tv/preview/sp_images/2017/zongyi/316387/4094151/201709...
- 1####.h####.i####.tv/preview/sp_images/2017/zongyi/317650/4231169/201712...
- 1####.h####.i####.tv/preview/sp_images/2018/dianshiju/324601/4664260/201...
- 1####.h####.i####.tv/preview/sp_images/2018/dianying/324332/4665499/2018...
- 1####.h####.i####.tv/preview/sp_images/2018/yuanchuang/321475/4668657/20...
- 1####.h####.i####.tv/preview/sp_images/2018/yuanchuang/322466/4663207/20...
- 1####.h####.i####.tv/preview/sp_images/2018/yuanchuang/323165/4667557/20...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/319641/4243196/201801...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/319641/4252155/201801...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/319641/4260613/201801...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/319641/4268783/201802...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/319641/4278049/201802...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/319641/4283559/201802...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/319641/4284872/201802...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/319641/4296671/201803...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/319641/4305251/201803...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/321331/4246160/201801...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/326658/4667728/201810...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/326658/4670453/201810...
- 1####.h####.i####.tv/preview/sp_images/2018/zongyi/326658/4670454/201810...
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/dubo.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/huodong.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/mianfeibo.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/soufa.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/vipmian.png
- 1####.h####.i####.tv/s1/2016/yuanxiao/icon/yugao.png
- 4####.h####.i####.tv/preview/cms_icon/2018/10/20181004162415385.jpg
- 4####.h####.i####.tv/preview/cms_icon/2018/10/20181020224801110.jpg
- 4####.h####.i####.tv/preview/cms_icon/2018/10/20181026235456782.jpg
- av####.h####.com/1RcpXJO1iZug3mH6mMn8C6lCQ9KTyy.jpg?x-oss-process=####
- av####.h####.com/2/mava2_7QzTfQvUcnf9zCoMxrhqkEc16UICneIN.jpg
- av####.h####.com/2/mava2_FdRIbvrCb5DfE0KRSy0TYZcsAMQRs8dc.jpg
- av####.h####.com/2/mava2_UfJo2N01Tq3uLmTM8kv8V4GEKyXHi6aC.jpg
- av####.h####.com/5/08aeb<SMS Address>/b9o5f2en9l25e9m616o0?x-oss-process...
- av####.h####.com/5/16f3e256/b5nf2m6n9l22g8e3qic0?x-oss-process=####
- av####.h####.com/5/3d1228af/b6t393un9l2095en40tg?x-oss-process=####
- av####.h####.com/5/3ebcb9ba/b71956un9l2095eortg0?x-oss-process=####
- av####.h####.com/5/65cb20b9/bdctig6n9l25ahd99u9g?x-oss-process=####
- av####.h####.com/5/71c07467/be8889a24e75p7lrnl80?x-oss-process=####
- av####.h####.com/5/9d952b4a/bbcvnk6n9l25cmpn98kg?x-oss-process=####
- av####.h####.com/6/46f3c411/b982nhun9l258vir5rpg?x-oss-process=####
- av####.h####.com/6/5bf6966c/b3p327dmugg8r6kenigg?x-oss-process=####
- av####.h####.com/6/88b3a7e4/bc42oamn9l25e9mskmd0?x-oss-process=####
- av####.h####.com/6/effe08cb/b9d4fsdmugg6k8lbc51g?x-oss-process=####
- av####.h####.com/YAFRDBzYmqBH8shjXM5vqeEMz4P4x8.jpg?x-oss-process=####
- av####.h####.com/iT4FqEJ4sIVv9cm6yLI8fogRE1CIqU.jpg?x-oss-process=####
- com####.hun####.com/mobile_comment/top?userId=####&osVersion=####&subjec...
- geo.gridsum####.com/v2/g.aspx
- mo####.api.hun####.com/channel/getDetail?userId=####&osVersion=####&devi...
- mo####.api.hun####.com/channel/getList?userId=####&osVersion=####&device...
- mo####.api.hun####.com/channel/getWPDetail?userId=####&osVersion=####&de...
- mo####.api.hun####.com/comment/read?userId=####&osVersion=####&device=##...
- mo####.api.hun####.com/mobile/getCategorys?userId=####&osVersion=####&de...
- mo####.api.hun####.com/mobile/getRsaKey
- mo####.api.hun####.com/mobile/iconLink?userId=####&osVersion=####&device...
- mo####.api.hun####.com/mobile/loadimage?userId=####&osVersion=####&devic...
- mo####.api.hun####.com/search/hotWords
- mo####.api.hun####.com/v2/video/getDownloadList?userId=####&osVersion=##...
- mo####.api.hun####.com/v2/video/getMultiplyList?userId=####&osVersion=##...
- mo####.api.hun####.com/v2/video/getShortList?userId=####&osVersion=####&...
- mo####.api.hun####.com/v2/video/getVideoInfo?userId=####&osVersion=####&...
- mo####.api.hun####.com/v3/video/getSource?userId=####&osVersion=####&dev...
- mo####.api.hun####.com/video/getSupport?userId=####&osVersion=####&devic...
- rc.mpp.hun####.com/mobile/v1/cms/alike?userId=####&osVersion=####&device...
- rc.mpp.hun####.com/mobile/v1/cms?userId=####&collectionid=####&osVersion...
- use####.api.max.####.com/AOC14717925283446354ed32f6c90e3a3c3315410970e53...
Запросы HTTP POST:
- a####.u####.com/app_logs
- a.m.15####.cn/869419/7etelpmoc/ba
- a.m.15####.cn/869419/7etelpmoc/bb
- a.m.15####.cn/869419/7etelpmoc/ia
- a.m.15####.cn/869419/7etelpmoc/ib
- a.m.15####.cn/869419/7etelpmoc/ie
- mo####.log.hun####.com/data.cgi
- oc.u####.com/check_config_update
- res####.a####.com/v3/log/init
- x.da.hun####.com/json/app/boot
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jiagu.ls
- /data/data/####/GridsumCommon.xml
- /data/data/####/ImgoPad-journal
- /data/data/####/MGTVCommon.xml
- /data/data/####/MGTVCommon.xml.bak
- /data/data/####/MV3Plugin.ini
- /data/data/####/_gcomplete_r.xml
- /data/data/####/com.txj.play.complete.push_sync.xml
- /data/data/####/com.txj.play.complete.xml
- /data/data/####/last_know_location.xml
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_online_setting_com.txj.play.complete.xml
- /data/data/####/pcom.txj.play.complete.jar
- /data/data/####/plugin-deploy.jar
- /data/data/####/plugin-deploy.key
- /data/data/####/pst.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/media/####/.nomedia
- /data/media/####/14ftw5yzf1gmihmski336hwsq.tmp
- /data/media/####/18jmh5xpd428kbgstnjeahl6g.tmp
- /data/media/####/1avdbh2bkel7va22d9x74snb5.tmp
- /data/media/####/1bd0vt051gxtuc548ythd13gt.tmp
- /data/media/####/1edtypijmu4mwiyz8qi94y583.tmp
- /data/media/####/1fqzm3sajehk3frjr2a0dm7xr.tmp
- /data/media/####/1i1g7n285zzrejfonbzc8il9u.tmp
- /data/media/####/1l489g376g0q5q1tx83rct15r.tmp
- /data/media/####/1oz9roammmdoon605xonhfcfj.tmp
- /data/media/####/1qzrwtfgth1dmtucn42k4ran8.tmp
- /data/media/####/1smz4o3trl7qri5syhf8zwf9o.tmp
- /data/media/####/1wwpsdbkgrsaqtt5o3tzmvw8e.tmp
- /data/media/####/1yb87sknqtysfw4s0itsdetde.tmp
- /data/media/####/22f9z9kbd6fbam2z3fatysoqb.tmp
- /data/media/####/269axz02cgjphkx7lvfkj9rco.tmp
- /data/media/####/2hyuk215b1myiouqdyk1q2tqa.tmp
- /data/media/####/2jj7pejv2zrc7dp1ejo6k8nmx.tmp
- /data/media/####/395gyileoqqtz15one8y5cocb.tmp
- /data/media/####/3apxv5zqh8c5vkcwezh7dotid.tmp
- /data/media/####/3arua0ks91vyx270xqt5bn0zj.tmp
- /data/media/####/3brn3pnbdv196e59zyqory6zh.tmp
- /data/media/####/3ghjlm5jj97jciyuaj3qlv8wq.tmp
- /data/media/####/3hmaz4ih6eq1heozvwyff3d8r.tmp
- /data/media/####/3lmqe2llkzaioc0ursap869jc.tmp
- /data/media/####/45k9hguzynlxi1sa3mt907fdq.tmp
- /data/media/####/4av9zf6nwpmsbt8qgumzz45vs.tmp
- /data/media/####/4dlaabu4t9efm12ztph7r1hcp.tmp
- /data/media/####/4fjvy60jrkkqe2ddtpdjw4gmr.tmp
- /data/media/####/4fn1z8gf3v2nwyyznngvungmj.tmp
- /data/media/####/4j3kjy5yak4cro3ua47bsbkzw.tmp
- /data/media/####/4rkgi8xsphomn219tkg9s820b.tmp
- /data/media/####/4ugfrignoluco7z5l2kwhiva5.tmp
- /data/media/####/4ylga1vlj2qvy3sjwosb2r8pb.tmp
- /data/media/####/52acyokpaj3koubayo5886z4.tmp
- /data/media/####/56gqae5oo7dpc153fyzzws1yh.tmp
- /data/media/####/56jckvgfs8v60lesmnkzxuysp.tmp
- /data/media/####/58s7aafdae7j2j5e4n60g039n.tmp
- /data/media/####/5ec61fabcnehsjwab6w6xde1z.tmp
- /data/media/####/5g63o43w1s80q1mnpbn2muzb8.tmp
- /data/media/####/5hlwwobu07phq58j7gp19yqel.tmp
- /data/media/####/5nat4rtbzzhee8x43iqwt9acg.tmp
- /data/media/####/5r31lej7co5500l4lnybmii6y.tmp
- /data/media/####/5v9v7tr014zuiqu59q5jlwnmt.tmp
- /data/media/####/5vk01mmpfftib60kecc43t01e.tmp
- /data/media/####/5y7hr4nihri58j6xuv0xfmg32.tmp
- /data/media/####/60aykmdb38h6bb917licefyhq.tmp
- /data/media/####/64of28lh2jkmuxymbp2s7jxzm.tmp
- /data/media/####/66dojb2689xuee0y4rxxf030g.tmp
- /data/media/####/68ln803ikw5fq79fofbeb4lej.tmp
- /data/media/####/6d5ww8lfsdafeyn52zk4jvn1d.tmp
- /data/media/####/6ex9exq4gwhia02gxlug1y4va.tmp
- /data/media/####/6fek25zvc9cjtylo27ycl4uhh.tmp
- /data/media/####/6gn2hjt8qzlo8yhifecxyu5ia.tmp
- /data/media/####/6hc0fale79ayfb2z32a8pm9au.tmp
- /data/media/####/6iks30tsn6vuny9n5zh6cz6zv.tmp
- /data/media/####/6pb5350fqw8gm8jfgwcq8lfwn.tmp
- /data/media/####/7chpx6cphrng0g3nx8mojtlru.tmp
- /data/media/####/7heuy1g3ygze21zgnorwv7w9.tmp
- /data/media/####/7je877gc355e4tg7ikdv37kqn.tmp
- /data/media/####/journal.tmp
Другие:
Загружает динамические библиотеки:
- bspatch
- libjiagu
- libmv3_common
- libmv3_jni
- libmv3_jni_4.0
- libmv3_mpplat
- libmv3_platform
- libmv3_playerbase
Использует следующие алгоритмы для шифрования данных:
- AES-ECB-PKCS5Padding
- DES
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- DES
- RSA-ECB-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, imei и тд.).
Осуществляет доступ к информации об установленных приложениях.
Осуществляет доступ к информации о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
