Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Осуществляет доступ к приватному интерфейсу ITelephony.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) l####.cc:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) xiaoyu-####.b0.upa####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(TLS/1.0) api.growi####.com:443
- TCP(TLS/1.0) j####.you####.me:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) lbs.net####.im:443
- TCP(TLS/1.0) nim.qi####.com:443
- TCP(TLS/1.0) qy-swa####.qi####.com:443
- TCP(TLS/1.0) t.growi####.com:443
- TCP c####.g####.ig####.com:5224
- TCP l####.net####.im:8080
- TCP sdk.o####.t####.####.com:5224
Запросы DNS:
- 7j####.c####.z0.####.com
- api.growi####.com
- c####.g####.ig####.com
- c-h####.g####.com
- j####.you####.me
- l####.cc
- l####.net####.im
- lbs.net####.im
- nim.qi####.com
- plb####.u####.com
- qy-swa####.qi####.com
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- t.growi####.com
- u####.u####.com
- wfd.net####.im
- xiaoyu-####.b0.upa####.com
Запросы HTTP GET:
- t####.c####.q####.####.com/tdata_MkX219
- t####.c####.q####.####.com/tdata_iGj879
- ti####.c####.l####.####.com/config/hz-hzv3.conf
- xiaoyu-####.b0.upa####.com/uploads/
- xiaoyu-####.b0.upa####.com/uploads//user/avatar/avatar_3.png
- xiaoyu-####.b0.upa####.com/uploads/banner/20181127/6c5900416cbf456ea2aee...
- xiaoyu-####.b0.upa####.com/uploads/banner/20181127/74e4fb4c3f5f460bb00c7...
- xiaoyu-####.b0.upa####.com/uploads/banner/20181204/e54458c13a1446c6b0a05...
- xiaoyu-####.b0.upa####.com/uploads/banner/20181206/96e7128dda3d4b52a745c...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180524/1d91fdc37680471081b71b...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180524/29959ca0dc2848ae9861b8...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180524/3a19e33d0e3640aca73fa1...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180524/55e937e86bcc4ff29e6944...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180524/a6573ea5ac954e68ae53d8...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180529/2268463ca20e4e1e93b16d...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180724/fcb6c6fbbe724caca03885...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180903/9b3c2475db074c74bff1a0...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180904/8d1d7762d0124669b08b57...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180905/6b42699f780047cbb03550...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180906/760231ecce1742459cf402...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180912/3e3c2d3fe49c4775851e35...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180912/a7d7e86906c94f7cbfd2ac...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180913/b7ec4016783b4e0e8b20f2...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180914/c651350a25364ea9941269...
- xiaoyu-####.b0.upa####.com/uploads/goods/20180927/dea5bcaa70e74153afad3b...
- xiaoyu-####.b0.upa####.com/uploads/goods/20181011/7c2c62bb832c405499cc35...
- xiaoyu-####.b0.upa####.com/uploads/goods/20181022/dbe781156d094072a6ee27...
- xiaoyu-####.b0.upa####.com/uploads/goods/20181023/e4f638b5373042bd9c2de2...
- xiaoyu-####.b0.upa####.com/uploads/goods/20181024/e599a0ba04b6490689458e...
- xiaoyu-####.b0.upa####.com/uploads/home/jizu_V25.png
- xiaoyu-####.b0.upa####.com/uploads/home/use-bag_V25.png
- xiaoyu-####.b0.upa####.com/uploads/home/wash-bag_V25.png
- xiaoyu-####.b0.upa####.com/uploads/topic/20181101/468cb5ebfd5e4909981a5d...
- xiaoyu-####.b0.upa####.com/uploads/topic/20181101/4a89df0e360a476599bb79...
- xiaoyu-####.b0.upa####.com/uploads/topic/20181101/83153bdbdd0847d6af6519...
- xiaoyu-####.b0.upa####.com/uploads/topic/20181101/b767196b1acc4149a43a61...
- xiaoyu-####.b0.upa####.com/uploads/user/20180501/f7f6e2fa1442432281f3bcc...
- xiaoyu-####.b0.upa####.com/uploads/user/20180718/bed2752d30054a9b9a87b7d...
- xiaoyu-####.b0.upa####.com/uploads/user/20180809/9d9a6d2486c94fb3a22f507...
- xiaoyu-####.b0.upa####.com/uploads/user/20181006/b8323bd135034852a90d45c...
- xiaoyu-####.b0.upa####.com/uploads/user/20181008/8cc1c1b96293458ab791dd3...
Запросы HTTP POST:
- c-h####.g####.com/api.php?format=####&t=####
- l####.cc/i/sdk/install
- l####.cc/i/sdk/open
- sdk.o####.p####.####.com/api.php?format=####&t=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/LKME_Server_Request_Queue.xml
- /data/data/####/NIMSDK_Config_19bb266bc86cb2cfe0f6784867b55f45.xml
- /data/data/####/NIMSDK_Config_19bb266bc86cb2cfe0f6784867b55f45_...16.xml
- /data/data/####/Unicorn.19bb266bc86cb2cfe0f6784867b55f45.xml
- /data/data/####/Unicorn.19bb266bc86cb2cfe0f6784867b55f45.xml.bak
- /data/data/####/_nohttp_cache_db.db
- /data/data/####/_nohttp_cache_db.db-journal
- /data/data/####/_nohttp_cookies_db.db
- /data/data/####/_nohttp_cookies_db.db-journal
- /data/data/####/com.qiyukf.analytics.xml
- /data/data/####/com.xiaoyu.youmiao;core.growing.db
- /data/data/####/com.xiaoyu.youmiao;core.growing.db-journal
- /data/data/####/com.xiaoyu.youmiao;pushservice.growing.db
- /data/data/####/com.xiaoyu.youmiao;pushservice.growing.db-journal
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTQ0NDMyMTM3OTgx;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTQ0NDMyMTU1Mjcw;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTQ0NDMyMTYyNDIx;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTQ0NDMyMTc4NjMw;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTQ0NDMyMTcwMjg4;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTQ0NDMyMTcxOTI3;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTQ0NDMyMTg4NTUx;
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/growing.db-journal
- /data/data/####/growing_ecsid.xml
- /data/data/####/growing_persist_data.xml
- /data/data/####/growing_profile.xml
- /data/data/####/gx_sp.xml
- /data/data/####/i==1.2.0&&2.5.8_1544432137825_envelope.log
- /data/data/####/i==1.2.0&&2.5.8_1544432155275_envelope.log
- /data/data/####/info.xml
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/libjiagu1570293535.so
- /data/data/####/linkedme_referral_shared_pref.xml
- /data/data/####/msg.db-journal
- /data/data/####/multidex.version.xml
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/qiyu_save_19bb266bc86cb2cfe0f6784867b55f45.xml
- /data/data/####/run.pid
- /data/data/####/tdata_MkX219
- /data/data/####/tdata_MkX219.jar
- /data/data/####/tdata_iGj879
- /data/data/####/tdata_iGj879.jar
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/unicorn#cheese#
- /data/data/####/youmiao_cache_settings.xml
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.lm_device_id
- /data/media/####/.nomedia
- /data/media/####/.umm.dat
- /data/media/####/09199838135d6b5733fc17c5634610b8af0d293631131e....0.tmp
- /data/media/####/0cb27dec0c1fce04e505e9e550f2c5e1ced691685e20f0....0.tmp
- /data/media/####/0d77ec66dd6ce0f7c1b1fa63a85b661085e5c4eedfa5f0....0.tmp
- /data/media/####/0de0badd3c9efd94181204b72ceee5dda0676d2dc891ce....0.tmp
- /data/media/####/12d2ed521f495d0df0280cd339fe2dac7ed64d5db09d23....0.tmp
- /data/media/####/189155b9634987e09e5a6896542b78c59a04865e1e3c89....0.tmp
- /data/media/####/1d89cb7c922b9e119f4303e42eefd10b57cd35567fefa4....0.tmp
- /data/media/####/2720bdcfeb2b91c8f36229b60bbc167d58608f7dff3d8e....0.tmp
- /data/media/####/37140212607014351850047b0293a3b172758130d9b4ef....0.tmp
- /data/media/####/3fd82ba9da96a5a84cc5b2c0d9014e260b9366db2c1376....0.tmp
- /data/media/####/5cc19a89956ed55fac328ffcfcec784d3175a7d275ecfc....0.tmp
- /data/media/####/5d9b59bc0304ffec2963ad0a775663d00e412ddabc6edc....0.tmp
- /data/media/####/6fee8a9d0a6077aad989cb8d8b64ac6570fb9c0e161560....0.tmp
- /data/media/####/79db65b1677ff419bff5391cbf18b9731a580a4e00d45e....0.tmp
- /data/media/####/837587ba3f4baa10ddcde61bee8b3fd0b7de3cd6dd9083....0.tmp
- /data/media/####/84d06bd2b7d51f32ad089d84256aa43c82ee5244be00ec....0.tmp
- /data/media/####/91268b34810cdc2a81b3706b3ebdb442d7c053767afe04....0.tmp
- /data/media/####/991ae2b2821783176ac84d89f2d5a356db557b46cdd860....0.tmp
- /data/media/####/9c6ad72621ce914b31571c39dd0e92459ac38001496576....0.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/Alvin2.xml.bak (deleted)
- /data/media/####/ContextData.xml
- /data/media/####/aa2bd380ed98fe8b46f21044ca5925698dc76baed6f44e....0.tmp
- /data/media/####/ad993ef6f5293df79d11451fa391f42a5d12b7bb0ad142....0.tmp
- /data/media/####/app.db
- /data/media/####/b58d59fc288c5b1cb1e8bd1c134e6a2651de6b6a326bc9....0.tmp
- /data/media/####/c9ed001d2bc6a2c5d249981653c2c2727ee687d2412e19....0.tmp
- /data/media/####/c9f6e29146dc0a71475f9c169faf74dda0b156f33c5f5f....0.tmp
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.xiaoyu.youmiao.bin
- /data/media/####/com.xiaoyu.youmiao.db
- /data/media/####/crash.Log
- /data/media/####/d8ad51513a8928dc700aab6c377c5d7ae0d7fce517241f....0.tmp
- /data/media/####/db5b7bd188cc9f7b9d7d96b445a0a4103110dc98056b82....0.tmp
- /data/media/####/dfd946087cb744ebb826d4061dd9297bdf81e3cd96e334....0.tmp
- /data/media/####/e01b8ca5464aa6410e70b18117ed064888d9e1cf0b4ea8....0.tmp
- /data/media/####/e269304390a89a1f754af3f2091b4732b5b07d8cfb298e....0.tmp
- /data/media/####/eeaac9e2b4afd09ccd1f06c5bdb2ded0a92d683fed81dc....0.tmp
- /data/media/####/f0eef6a2a0d8c1626b188a1014a2edec5b419d8adb16b2....0.tmp
- /data/media/####/f1971c467784a571193dd4be9af14a2941987bb237eee0....0.tmp
- /data/media/####/f764b1232642c50a447066a83f622bc912702536463190....0.tmp
- /data/media/####/fc035922d63a836254ee6a0cfa3ea1c0cf1a000dfbec9e....0.tmp
- /data/media/####/journal
- /data/media/####/journal.tmp
- /data/media/####/sysid.dat
- /data/media/####/tdata_MkX219
- /data/media/####/tdata_iGj879
- /data/media/####/test.log
- /data/media/####/tmp_u_20181210
- /drw/cmds/10043.2835.d8fa4949-b56a-3ae6-92b9-5cbd79ee7ca0.stdout.txt
- /drw/crypto/10043.2835.decrypt.AES-ECB-NoPadding.b3a87a68-7d83-...3.dump
- /drw/crypto/10043.2835.decrypt.AES-ECB-NoPadding.b3a87a68-7d83-...ck.txt
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.getui.GetuiPushService 24853 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- ls /sys/class/thermal
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.getui.GetuiPushService 24853 300 0
Загружает динамические библиотеки:
- getuiext2
- libjiagu1570293535
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию о настроках APN.
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
