Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Осуществляет доступ к приватному интерфейсу ITelephony.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) o####.map.b####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) 1####.14.152.16:8082
- TCP(HTTP/1.1) 1####.14.152.16:8081
- TCP(HTTP/1.1) o####.jd.com:80
- TCP(HTTP/1.1) loc.map.b####.com:80
- TCP(HTTP/1.1) gw.al####.com:80
- TCP(HTTP/1.1) wild####.al####.com.####.net:80
- TCP(TLS/1.0) api.map.b####.com:443
- TCP(TLS/1.0) ke####.jd.com:443
- TCP(TLS/1.0) www.j####.com:443
- TCP(TLS/1.0) m####.m.jd.com:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) d####.k.jd.com:443
- TCP(TLS/1.0) a####.m.jd.com:443
- TCP(TLS/1.0) wild####.al####.com.####.net:443
Запросы DNS:
- a####.m.jd.com
- a####.u####.com
- api.map.b####.com
- d####.k.jd.com
- dgst####.jd.com
- gw.al####.com
- img.al####.com
- ke####.jd.com
- loc.map.b####.com
- log.u####.com
- m####.m.jd.com
- o####.jd.com
- o####.map.b####.com
- s####.u####.com
Запросы HTTP GET:
- gw.al####.com/bao/uploaded/i1/1602592567/O1CN01hB1HUt1UpjBfFWOUg_!!0-ite...
- gw.al####.com/bao/uploaded/i1/2155710635/TB1yYt7h0bJ8KJjy1zjXXaqapXa_!!0...
- gw.al####.com/bao/uploaded/i1/3025944237/O1CN011hAab0nkGRTFyGT_!!3025944...
- gw.al####.com/bao/uploaded/i1/684159013/O1CN012GS0CIAmX6IMLOz_!!68415901...
- gw.al####.com/bao/uploaded/i2/2468261592/O1CN01cv1Vab1NdB1VJf3D8_!!0-ite...
- gw.al####.com/bao/uploaded/i2/3337491929/TB214oitFuWBuNjSszbXXcS7FXa_!!3...
- gw.al####.com/bao/uploaded/i2/3878095908/TB2OJpsgXooBKNjSZPhXXc2CXXa_!!3...
- gw.al####.com/bao/uploaded/i2/4129957066/O1CN01feQhU7224H5LcTwFK_!!0-ite...
- gw.al####.com/bao/uploaded/i3/1026004778/O1CN01eyoH701lAMt4ABFUa_!!10260...
- gw.al####.com/bao/uploaded/i3/2098612402/TB1VXf3aqagSKJjy0FcXXcZeVXa_!!0...
- gw.al####.com/bao/uploaded/i3/3025944237/O1CN011hAaatqs9NIA7ko_!!3025944...
- gw.al####.com/bao/uploaded/i3/3025944237/TB2n_kUqtknBKNjSZKPXXX6OFXa_!!3...
- gw.al####.com/bao/uploaded/i3/3231278589/O1CN01dzJHWp2DJoHhTnQ0v_!!0-ite...
- gw.al####.com/bao/uploaded/i3/509381905/O1CN018GuYjR1PwWynOCFlA_!!509381...
- gw.al####.com/bao/uploaded/i3/67256071/O1CN011uiYyfEsfP1JmZc_!!67256071....
- gw.al####.com/bao/uploaded/i4/1643782076/TB2.g_pE7yWBuNjy0FpXXassXXa_!!1...
- gw.al####.com/bao/uploaded/i4/1667331464/TB2cal1uCMmBKNjSZTEXXasKpXa_!!1...
- gw.al####.com/bao/uploaded/i4/2261983067/O1CN01MC2c621YWjDAn5MzJ_!!0-ite...
- gw.al####.com/bao/uploaded/i4/2966975435/O1CN011q1H5VPdmJIA2jf_!!0-item_...
- gw.al####.com/bao/uploaded/i4/3863036593/O1CN011yZdjSFfGr0zmkj_!!0-item_...
- wild####.al####.com.####.net/bao/uploaded/i1/2178845234/O1CN01RsPYq91oXD...
- wild####.al####.com.####.net/bao/uploaded/i1/2794890945/O1CN01rtQAdS1Iqq...
- wild####.al####.com.####.net/bao/uploaded/i1/908483460/O1CN01tt9M8D1bQis...
- wild####.al####.com.####.net/bao/uploaded/i2/1029624918/O1CN01UoHysd1mCU...
- wild####.al####.com.####.net/bao/uploaded/i2/209957809/O1CN01PMVYj127YZM...
- wild####.al####.com.####.net/bao/uploaded/i2/2881206041/O1CN01F9GU5m1uUp...
- wild####.al####.com.####.net/bao/uploaded/i2/866450208/O1CN01FSLOf61DPIr...
- wild####.al####.com.####.net/bao/uploaded/i2/911232478/O1CN01MzDKGp1UAxw...
- wild####.al####.com.####.net/bao/uploaded/i3/3299034470/O1CN01ehq2wh1itI...
- wild####.al####.com.####.net/bao/uploaded/i3/843421904/O1CN01vCZi0c1Pw4a...
- wild####.al####.com.####.net/bao/uploaded/i4/1614619531/TB2K_aEtaAoBKNjS...
- wild####.al####.com.####.net/bao/uploaded/i4/1893327415/O1CN01pDPnCj24e7...
- wild####.al####.com.####.net/bao/uploaded/i4/3405808014/TB1.h2xd4naK1RjS...
- wild####.al####.com.####.net/bao/uploaded/i4/772376192/O1CN01B5EPrb1vbyv...
Запросы HTTP POST:
- a####.u####.com/app_logs
- loc.map.b####.com/sdk.php
- o####.jd.com/upload
- o####.map.b####.com/offline_loc
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/0b042936a8ef1cbbeafc443e2fa799ad1e742026adf9ca7....0.tmp
- /data/data/####/1545221261053.log
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/authStatus_com.puyue.www.jiankangtuishou;remote.xml
- /data/data/####/auth_shared.xml
- /data/data/####/c595448f9e702c828309f4b738a96834e5ecbc7bba4b90d....0.tmp
- /data/data/####/cac30e323893bb39eade360cffa4f6387930799cea3bf24....0.tmp
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cf5943e43a055c4031d1219a9bc39ea69a64e31d904f9b2....0.tmp
- /data/data/####/config.xml
- /data/data/####/config.xml (deleted)
- /data/data/####/config.xml.bak
- /data/data/####/cube_ptr_classic_last_update.xml
- /data/data/####/deviceid_prefs.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f6a476ac484f8520b8f2f32db24e896752cc828b3e7d1a2....0.tmp
- /data/data/####/firll.dat
- /data/data/####/gal.db
- /data/data/####/gal.db-journal
- /data/data/####/hst.db
- /data/data/####/hst.db-journal
- /data/data/####/http+106+14+152+16+8082+images+banner+4dce7996-...fc+jpg
- /data/data/####/http+106+14+152+16+8082+images+banner+a4d696fd-...3a+jpg
- /data/data/####/http+106+14+152+16+8082+images+banner+e4b47ac5-...c7+jpg
- /data/data/####/journal.tmp
- /data/data/####/kepler_public.xml
- /data/data/####/libcuid.so
- /data/data/####/libjiagu-2036463066.so
- /data/data/####/multidex.version.xml
- /data/data/####/ofl_location.db
- /data/data/####/ofl_location.db-journal
- /data/data/####/ofl_statistics.db
- /data/data/####/ofl_statistics.db-journal
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/media/####/.cuid2
- /data/media/####/.nomedia
- /data/media/####/10dv2om760zrf38ownrw3wtv0.tmp
- /data/media/####/11i28yf9m1fmga2q3srofn8p6.tmp
- /data/media/####/11whqx8g43uacruwpyjagifez.tmp
- /data/media/####/178tkqgox7m1zoeiq3xr86snu.tmp
- /data/media/####/1f1jnv6ylsmqf404w6atjwnq5.tmp
- /data/media/####/1tpo11krlpwkqs5ejj6mvphcn.tmp
- /data/media/####/1wzuwemponpt6zd97lpps1mdk.tmp
- /data/media/####/1zd6nq60kw3vy1j5o72jt61u5.tmp
- /data/media/####/26yeffposbsy6uesj5egyejmt.tmp
- /data/media/####/2c7trau31y99gn1i8v52um3cj.tmp
- /data/media/####/2dz9djofgiy7cf9bdd1x70la6.tmp
- /data/media/####/2v3umvnepdty2m7w31fzbtoxx.tmp
- /data/media/####/2vm7gqbmqm3x3rpuyyqiak6u.tmp
- /data/media/####/2zsy6vzddvwy9umi97b292sv.tmp
- /data/media/####/30ke1poenqqm37v2mxgxj2zf1.tmp
- /data/media/####/35vwh5coas46zmsc5bfjj7n0m.tmp
- /data/media/####/38g9bnvtm78dav2al76cd0r26.tmp
- /data/media/####/3d60u9f6lgoa0m52d10ch2277.tmp
- /data/media/####/3f4xudfpnm1zqwhdxodx2rx4b.tmp
- /data/media/####/3pkxen0n6znibeirntz7a0m0h.tmp
- /data/media/####/3ptp1jy61rdlmriipmvvbaz3p.tmp
- /data/media/####/3qqsd3t1k24xxcsf6gi7ia97h.tmp
- /data/media/####/3xjg2xg5jphltuicuwo0wy16q.tmp
- /data/media/####/4e5hva9dzlvgvhgl4y8thbt19.tmp
- /data/media/####/4nzh48m6hcg4ixsts28lu6uqk.tmp
- /data/media/####/4o0f191ihlxpn6r4go965vqf9.tmp
- /data/media/####/4qutk8o7840k8rgnmgd5swkfo.tmp
- /data/media/####/4qxor48yrwt6msaszbak2f18n.tmp
- /data/media/####/4rvirh1rashxcu01egubnh3c.tmp
- /data/media/####/4ui9f7aq6q7kv8jedayuvehs.tmp
- /data/media/####/4wsme21i9zhq2jf36d15f6cwh.tmp
- /data/media/####/50dtrgfn9fd56yt3dp8vxsxmq.tmp
- /data/media/####/52dd22cc74a9bc1c752df5c421dfad3b (deleted)
- /data/media/####/5hlk385hb3823j44juhp0fdd8.tmp
- /data/media/####/5inj42es3trqqg6vpnjn8ybrt.tmp
- /data/media/####/5iu81jcvrrxy97udl6wmhvae6.tmp
- /data/media/####/5lnjagw5nv1by2tzektphxnmo.tmp
- /data/media/####/5s1uv9guffim3mdd7mgujkupd.tmp
- /data/media/####/5v4f3vg1fn6i4mn0cpn4mwb6g.tmp
- /data/media/####/60g8vavgo8canylhoawkhulaf.tmp
- /data/media/####/61mkh89axy03udjwfynlravyd.tmp
- /data/media/####/61qv01gnnrspvmg6i7ux2vyt.tmp
- /data/media/####/623q0prjht7fq65p2g5pcdhvn.tmp
- /data/media/####/64tan3imj4zdzzddp8xfkk62y.tmp
- /data/media/####/6aet0bmkxtkqnkb0mwezikjm3.tmp
- /data/media/####/6ejoedgd1ho7z2x2256apb2l4.tmp
- /data/media/####/6kujq09s2v3gcpb0d4o5pq9jq.tmp
- /data/media/####/70nvh2b6l1g0rcna4upeu4fbq.tmp
- /data/media/####/76efi996f1pg6etd7mnt8ow52.tmp
- /data/media/####/7dgxo19g3dza5lb1bomwt82w7.tmp
- /data/media/####/7kft5emhcnmebs9zz3o3zz9p7.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/cvph3ku9wfqe5np3wsoi3o1n.tmp
- /data/media/####/d41d8cd98f00b204e9800998ecf8427e
- /data/media/####/dfe55732e3ae9e6e6f3a4348457e1ba7
- /data/media/####/fzm940xzaywpen0ppv2pgqna.tmp
- /data/media/####/hgotxymqj3g4ebh77kd184u4.tmp
- /data/media/####/hrnztdll0lm9ev26uw7jk88z.tmp
- /data/media/####/iv1kyi6jqkg0kuybxh3qudss.tmp
- /data/media/####/ls.db
- /data/media/####/ls.db-journal
- /data/media/####/tksfdxqoh96x7h00t6664rff.tmp
- /data/media/####/yfg0r77wt51f4hq1b3xnxdmq.tmp
Другие:
Загружает динамические библиотеки:
- libjiagu-2036463066
- locSDK7a
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- desede-CBC-PKCS5Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Отрисовывает собственные окна поверх других приложений.
