Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.192.origin
- Android.DownLoader.652
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony).
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) f####.gst####.com:80
- TCP(HTTP/1.1) 0.grav####.com:80
- TCP(HTTP/1.1) wild####.q####.cn.####.net:80
- TCP(HTTP/1.1) f####.google####.com:80
- TCP(HTTP/1.1) s1.9####.com.cn:8081
- TCP(HTTP/1.1) s2.9####.com.cn:8081
- TCP(HTTP/1.1) isds####.qq.com:80
- TCP(HTTP/1.1) www.1####.com:80
- TCP(HTTP/1.1) api.appj####.com:80
- TCP(HTTP/1.1) mp.we####.qq.com:80
- TCP(HTTP/1.1) s####.jom####.com:80
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) mp.we####.qq.com:443
- TCP(TLS/1.0) wild####.q####.cn.####.net:443
- TCP(TLS/1.0) s####.tc.qq.com:443
- TCP(TLS/1.0) 1####.217.17.78:443
Запросы DNS:
- 0.grav####.com
- api.appj####.com
- b####.s####.b####.com
- f####.google####.com
- f####.gst####.com
- hm.b####.com
- isds####.qq.com
- m####.q####.cn
- mp.we####.qq.com
- r####.wx.qq.com
- s1.9####.com.cn
- s2.9####.com.cn
- w1.9####.com.cn
- w2.9####.com.cn
- www.1####.com
Запросы HTTP GET:
- 0.grav####.com/avatar/9bd432a847f468e5449cd8080799fd91?s=####&d=####&r=#...
- f####.google####.com/css?family=####&ver=####
- f####.gst####.com/s/opensans/v15/mem5YaGs126MiZpBA-UN7rgOUuhsKKSTjw.ttf
- f####.gst####.com/s/opensans/v15/mem8YaGs126MiZpBA-UFVZ0ef8pkAg.ttf
- isds####.qq.com/cgi-bin/r.cgi?flag1=####&flag2=####&flag3=####&1=####&2=...
- isds####.qq.com/cgi-bin/r.cgi?flag1=####&flag2=####&flag3=####&3=####&4=...
- mp.we####.qq.com/mp/report?action=####&hid=####&biz=MzA####&uin=####&key...
- mp.we####.qq.com/s?__biz=M####&mid=####&idx=####&sn=####&chksm=####&scen...
- mp.we####.qq.com/s?__biz=M####&mid=####&idx=####&sn=####&scene=####
- s####.jom####.com/static/api/js/share.js?v=89860593.js?cdnversion=####
- s####.jom####.com/static/api/js/share/slide_api.js?v=####
- s####.jom####.com/static/api/js/view/slide_view.js?v=####
- s1.9####.com.cn:8081/?ref=####
- s2.9####.com.cn:8081/?ref=####
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq78icNGkEWLzr4bo89D0DTWPFt9wYm6...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq78icbFr8LUHic16wicZptCiaKlq5hj...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq78syVgxsf3jFXUg8OwLeFV3BKm0Gwr...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq78vT7h69l95kaOp3c7V2cpgnQCYFYk...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq79CPRt0Q5b7WWiawwl8s6umZWNq77R...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq79PjTbde0MDkXI66pNNYtBLc8cqZaj...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq79ekS8hh7NTp7XW4nX4D7XlLYjzw5T...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq79nP0mzSrrwWOy4oXmBibyicl6VCDg...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq79wpGCdxshPwCCxDecLYk0rUqboiaR...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq7ibS0iah4GM8zicLlr6mTBCvAVuZE2...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq7ibg3wBxZl83KquAL1MicCmJdYoAN9...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq7ic4lyQmGjbM4s5uCGsvlPxugL3YnW...
- wild####.q####.cn.####.net/mmbiz/YrdDdGMqq7icIaW8YUKQwPFg0J7NQPqkiaibIaN...
- wild####.q####.cn.####.net/mmbiz_gif/YrdDdGMqq78wggct7Fm0ibznDaDctgO20UH...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq784ibgibgwuXgKiblksciazD7K...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq78rJcP0zicwfaqL6XjvticgDzL...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq79Cx2NMlb487CQ17qSgaH9pwg9...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq79ekS8hh7NTp7XW4nX4D7XlicP...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq79sWaWPP2WluWpib8SXHfuia1C...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7ibNETH6In6ibWrGjOEVzZvedZ...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7ibQIsMvGYZQ4eESXEabS3NsLG...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7ibp5ia2HI8TOoNZRrYo1pYv7Z...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7icGWf0BjAHibdr5Q0E6EYhgmm...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7icKE2wGwwK6xOznV6vyUCDa99...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7icQsNGFhb5cuBFmYcwiaae04F...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7icREr8xCbPJjqmJ2U40Jwtl0i...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7icREr8xCbPJjqmJ2U40Jwtl9h...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7icREr8xCbPJjqmJ2U40JwtlB8...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7icREr8xCbPJjqmJ2U40Jwtlu2...
- wild####.q####.cn.####.net/mmbiz_jpg/YrdDdGMqq7icXia89NdDH828Z9CbicdYeay...
- www.1####.com/
- www.1####.com/2018/10/26/令人惊喜又迷人的《无双》/
- www.1####.com/wp-admin/admin-ajax.php?postviews_id=####&action=####&_=####
- www.1####.com/wp-content/plugins/wp-gif-player/inc/jquery.spin.js?ver=####
- www.1####.com/wp-content/plugins/wp-gif-player/inc/spin.js?ver=####
- www.1####.com/wp-content/plugins/wp-gif-player/js/play_gif.js?ver=####
- www.1####.com/wp-content/plugins/wp-gif-player/style.css?ver=####
- www.1####.com/wp-content/plugins/wp-postviews/postviews-cache.js?ver=####
- www.1####.com/wp-content/plugins/wp-ulike/assets/css/wp-ulike.min.css?ve...
- www.1####.com/wp-content/plugins/wp-ulike/assets/js/wp-ulike.min.js?ver=...
- www.1####.com/wp-content/themes/doo/assets/bootstrap/css/bootstrap-theme...
- www.1####.com/wp-content/themes/doo/assets/bootstrap/css/bootstrap.min.c...
- www.1####.com/wp-content/themes/doo/assets/bootstrap/js/bootstrap.min.js...
- www.1####.com/wp-content/themes/doo/assets/css/ie10-viewport-bug-workaro...
- www.1####.com/wp-content/themes/doo/assets/font-awesome/css/font-awesome...
- www.1####.com/wp-content/themes/doo/assets/font-awesome/fonts/fontawesom...
- www.1####.com/wp-content/themes/doo/assets/js/ie10-viewport-bug-workarou...
- www.1####.com/wp-content/themes/doo/assets/js/theme.js?ver=####
- www.1####.com/wp-content/themes/doo/style.css?ver=####
- www.1####.com/wp-content/uploads/2018/04/qrcode_for_gh_5fccc921a945_258....
- www.1####.com/wp-content/uploads/2018/05/WX20180502-002200@2x.png
- www.1####.com/wp-content/uploads/2018/06/WX20180612-111823@2x.png
- www.1####.com/wp-content/uploads/2018/06/WX20180614-102513@2x_meitu_1.jpg
- www.1####.com/wp-content/uploads/2018/06/p2279424634.png
- www.1####.com/wp-content/uploads/2018/06/p969001252_meitu_1.jpg
- www.1####.com/wp-content/uploads/2018/07/p2526147573-1_meitu_1.jpg
- www.1####.com/wp-content/uploads/2018/10/p2533998189_meitu_2.jpg
- www.1####.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=####
- www.1####.com/wp-includes/js/jquery/jquery.js?ver=####
- www.1####.com/wp-includes/js/wp-embed.min.js?ver=####
- www.1####.com/wp-includes/js/wp-emoji-release.min.js?ver=####
Запросы HTTP POST:
- api.appj####.com/appjiagu
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/Download-journal
- /data/data/####/Downloado
- /data/data/####/Downloado-journal
- /data/data/####/Log-journal
- /data/data/####/Logo
- /data/data/####/Logo-journal
- /data/data/####/config.xml
- /data/data/####/configo.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/f_00001f
- /data/data/####/f_000020
- /data/data/####/f_000021
- /data/data/####/f_000022
- /data/data/####/f_000023
- /data/data/####/f_000024
- /data/data/####/f_000025
- /data/data/####/f_000026
- /data/data/####/f_000027
- /data/data/####/f_000028
- /data/data/####/f_000029
- /data/data/####/f_00002a
- /data/data/####/f_00002b
- /data/data/####/f_00002c
- /data/data/####/f_00002d
- /data/data/####/f_00002e
- /data/data/####/f_00002f
- /data/data/####/f_000030
- /data/data/####/index
- /data/data/####/jiagu.lock
- /data/data/####/libjiagu.so
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.android.dat
- /data/media/####/.android.dat-journal
- /data/media/####/biz.ueskkz.tshinhe.dex
- /data/media/####/biz.ueskkz.tshinhk.dex
- /data/media/####/id
- /data/media/####/logo.png
Другие:
Загружает динамические библиотеки:
- jiagu
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- DES-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CFB-NoPadding
Использует специальную библиотеку для скрытия исполняемого байткода.
Осуществляет доступ к информации о геолокации.
Осуществляет доступ к информации о сети.
Осуществляет доступ к информации о телефоне (номер, IMEI и т. д.).
Осуществляет доступ к информации об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
