Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Spy.127.origin
Осуществляет доступ к приватному интерфейсу ITelephony.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ap####.sc.p####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) d####.g####.p####.com:80
- TCP(HTTP/1.1) recom####.p####.com:80
- TCP(HTTP/1.1) t####.p####.com:80
- TCP(HTTP/1.1) st####.g.p####.com:80
- TCP(HTTP/1.1) api.usergr####.p####.com:80
- TCP(HTTP/1.1) way.p####.com:80
- TCP(HTTP/1.1) m####.ap####.g####.####.com:80
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(TLS/1.0) t####.p####.com:443
Запросы DNS:
- a####.u####.com
- and####.co####.syna####.com
- ap####.sc.p####.com
- api####.a####.com
- api.usergr####.p####.com
- cld####.mo####.p####.com
- epg.api.p####.com
- f####.pass####.pp####.com
- ios.syna####.com
- m####.api.p####.com
- passp####.pp####.com
- pi####.qq.com
- plt.d####.pp####.com
- recom####.p####.com
- s####.p####.com
- sr1.pp####.cn
- sr1.pp####.com
- sr2.pp####.cn
- sr2.pp####.com
- sr3.pp####.cn
- sr3.pp####.com
- sr4.pp####.cn
- sr4.pp####.com
- st####.g.p####.com
- t####.p####.com
- v.img.pp####.cn
- way.p####.com
Запросы HTTP GET:
- ap####.sc.p####.com/cms/12/09/fb77e26382e00ebaba288bff25cd1997.png
- ap####.sc.p####.com/cms/23/38/1ff1292221d3a0cd3ae1ffd3fd8f1084.png
- ap####.sc.p####.com/cms/29/57/087f354f32b3b4d85cf0965f0b91f0b5.png
- ap####.sc.p####.com/cms/36/67/6a9adc6a363ed792ef87a059d38dda0e.png
- ap####.sc.p####.com/cms/88/72/69974ade4b7b01760047f165b2869485.png
- ap####.sc.p####.com/cp308/0c/8b/0c8bd74f62bca3649791b1f158441089/3.jpg.w...
- ap####.sc.p####.com/cp308/18/87/188742dd757613a83f9f2003f95c9f89/1532073...
- ap####.sc.p####.com/cp308/22/89/2289bdcb1382021b78f84b0b934eaeaa/1532184...
- ap####.sc.p####.com/cp308/36/23/362305d1b06d1cec52f61a6eb0f51c9f/3.jpg.w...
- ap####.sc.p####.com/cp308/36/8a/368ae60ca8f612fc7b49098d715c299c/1518423...
- ap####.sc.p####.com/cp308/3f/3f/3f3fd3983f69fb6e5498262247b12e23/3.jpg.w...
- ap####.sc.p####.com/cp308/43/17/4317fed0f1a6ea0eea5450bab4ebd535/3.jpg.w...
- ap####.sc.p####.com/cp308/45/6c/456c88635a031398daaad147872c0844/1512532...
- ap####.sc.p####.com/cp308/56/c4/56c48654ad8410d9d358215fa54fec88/1520241...
- ap####.sc.p####.com/cp308/5d/3e/5d3eae4e022cd0586f3b3e6674698eeb/3.jpg.w...
- ap####.sc.p####.com/cp308/63/81/6381e3041a848fcdd21256720931a6de/1520240...
- ap####.sc.p####.com/cp308/66/cc/66cc6341058d89e1a19b472f1fcd47b3/1528269...
- ap####.sc.p####.com/cp308/67/b1/67b1ac707115f271547a017158623343/3.jpg.w...
- ap####.sc.p####.com/cp308/7e/f8/7ef884bed89cf61d47ecec1a828bc4fd/3.jpg.w...
- ap####.sc.p####.com/cp308/8b/53/8b53c113a558088e45667ebff716d2de/3.jpg.w...
- ap####.sc.p####.com/cp308/97/5c/975cee667717283c9ecbbe840bfc686c/1530839...
- ap####.sc.p####.com/cp308/a3/08/a308885daea4f7f095d28cbb3df32f57/1520243...
- ap####.sc.p####.com/cp308/b5/61/b56133683ab6192d6a47ae10f7d1e68b/3.jpg.w...
- ap####.sc.p####.com/cp308/bc/20/bc20efbe036d502836019baeba47fc9f/1545965...
- ap####.sc.p####.com/cp308/c3/a6/c3a68c253de717821de72f3159000719/1505995...
- ap####.sc.p####.com/cp308/c6/a3/c6a37c81e14b7dc53bb674e158444697/3.jpg.w...
- ap####.sc.p####.com/cp308/c6/c6/c6c6438b532bf420d69f95ac2eb56a3e/3.jpg.w...
- ap####.sc.p####.com/cp308/d3/6d/d36d26e57d6f5e99ae21555a992ad08c/3.jpg.w...
- ap####.sc.p####.com/cp308/d5/1b/d51be541086d86dbe375a5a158431912/3.jpg.w...
- ap####.sc.p####.com/cp308/e5/08/e5088245cdc25c34d5656911b833fde3/1534785...
- ap####.sc.p####.com/cp308/e8/ca/e8ca2f26b6dc8db7945ee33956ac56be/1538359...
- ap####.sc.p####.com/cp308/ea/51/ea5179c544b68d0e5926066cb2b64baf/1520439...
- ap####.sc.p####.com/cp308/ec/d8/ecd8985e37fcedb0171be3e9f5ad4ca7/1534391...
- ap####.sc.p####.com/cp308/f6/f5/f6f5777e9cc2682c4f20e6e4c4841f0b/1528251...
- ap####.sc.p####.com/cp308/fa/26/fa26668118da6ece7a1f53f5cdc950b7/1535620...
- ap####.sc.p####.com/cp308/ff/99/ff99b44c6c04e6a7aac2bc171732aa5c/1532184...
- ap####.sc.p####.com/sc/v3/pplive/ref/vod_26642849/feed/list?appid=####&a...
- ap####.sc.p####.com/sc/v3/pplive/ref/vod_28489499/feed/list?appid=####&a...
- ap####.sc.p####.com/sc/v3/pplive/ref/vod_28489571/feed/list?appid=####&a...
- ap####.sc.p####.com/sc/v3/pplive/ref/vod_29480369/feed/list?appid=####&a...
- ap####.sc.p####.com/sc/v3/pplive/ref/vod_29480379/feed/list?appid=####&a...
- ap####.sc.p####.com/sc/v3/pplive/ref/vod_9045695/feed/list?appid=####&ap...
- ap####.sc.p####.com/sc/v3/pplive/ref/vod_9047646/feed/list?appid=####&ap...
- api.usergr####.p####.com/StorePEInfo.do?PEInfo=####&deviceid=####&from=#...
- api.usergr####.p####.com/get/aphone?index=####&appplt=####&ustr=Eg####&d...
- api.usergr####.p####.com/getUserCreditDoublePolicy?appid=####&from=####&...
- api.usergr####.p####.com/v6/流风清音/Favorites?version=####&from=####
- api.usergr####.p####.com/v6/流风清音/Recent?version=####&from=####
- d####.g####.p####.com/1.html?sdPg0uX####
- d####.g####.p####.com/1.html?sdPg0uXTraCSqrOYlrKpmpyoraSSrKeioJawpqmapqW...
- d####.g####.p####.com/frontendrec/1.html?puid=####&vip=####&uid=####&ut=...
- m####.ap####.g####.####.com/check_update?platform=####&appplt=####&osv=#...
- m####.ap####.g####.####.com/control?ver=####&userLevel=####&platform=###...
- m####.ap####.g####.####.com/generalConfig?platform=####&appplt=####&conf...
- m####.ap####.g####.####.com/v4/module?lang=####&platform=####&appid=####...
- recom####.p####.com/recommend?uid=####&ppi=####&vipUser=####&num=####&re...
- st####.g.p####.com/cms/10/19/183f7a8ef51f50249c4946dd100c3f64.png
- st####.g.p####.com/cms/10/90/5f7d1d96f778d7411656e36b1450c2eb.png
- st####.g.p####.com/cms/15/25/fe41c010658f41c3e533cf678a32706c.png
- st####.g.p####.com/cms/16/36/bc527cb74b4345fa37e077dbaf20f680.png
- st####.g.p####.com/cms/17/75/fa385e8018c17d12da5ae56f66a643d9.png
- st####.g.p####.com/cms/18/60/ecab3242860b8f72b5cb2beed280becd.png
- st####.g.p####.com/cms/19/13/de5f123f0eea25fd412227ae7e36c196.png
- st####.g.p####.com/cms/19/79/f14dabde4f44f5f9de7f39335c505b62.png
- st####.g.p####.com/cms/37/11/ea1ecbe86522b48b7e187bba29143620.png
- st####.g.p####.com/cms/39/35/f5e255e4cbf8c6ace832ba82d318d983.png
- st####.g.p####.com/cms/43/19/d8a54ed924af596fed0217efe61d5904.png
- st####.g.p####.com/cms/62/99/dd6a428b51c090f5197849d352cec458.png
- st####.g.p####.com/cms/95/24/818c3ba6698754ba6aa56e8afd92ca54.png
- st####.g.p####.com/game/ppstore/aph_v3/gameconfig.xml
- t####.p####.com/
- t####.p####.com/cms/11/80/0d87c3c29853acbf0cbb7b6821858d6b.jpg
- t####.p####.com/cms/14/68/d1af09fd5cca4cf20033e31200d93f16.jpg
- t####.p####.com/cms/14/97/dc83e3f442f8d93a04a540292e9f1891.jpg
- t####.p####.com/cms/15/41/4cc9153c934cb65c8894d35921d1fa0f.gif
- t####.p####.com/cms/17/74/0d723612e0e9da7fb913319d98f1de55.png
- t####.p####.com/cms/21/63/4c389f31a9ab68c3ed6dd3f461039ab6.jpg
- t####.p####.com/cms/22/62/36270b72ade256f1320ddfa6b5b4faaf.png
- t####.p####.com/cms/24/17/5e8473e588274c679ee1af6fc831e89a.jpg
- t####.p####.com/cms/24/32/2ae717601f5ae2f3d36b4ac5da2cd808.png
- t####.p####.com/cms/25/36/76e3fbec495896ce3b66e22b8d1bd046.gif
- t####.p####.com/cms/34/45/8a9ec92bf1ecec75ab6bacee5f581962.png
- t####.p####.com/cms/35/53/5cbec9231bc112f376028069ebd2fb0b.gif
- t####.p####.com/cms/36/24/f550ca8a0231d88de256fcb1738881f4.png
- t####.p####.com/cms/63/33/e624ab92ecebabc6c87263e5d315de5e.gif
- t####.p####.com/cms/76/65/7b62a1443380b1637f49234ba8098eed.jpg
- t####.p####.com/cms/89/25/5ec2a410637039de6be252b1a1d6a476.png
- t####.p####.com/cms/96/91/bd3dc10439594952efee0d5683746bd6.png
- t####.p####.com/detail.api?auth=####&canal=####&userLevel=####&ppi=####&...
- t####.p####.com/feature-list.api?auth=####&ppi=####&vid=####&c=####&cont...
- t####.p####.com/getConfig?ZGV2aWNlaWQ9MzU2NTA3MDU5MzUxODk1JmRldmljZXR5cG...
- t####.p####.com/getPostRecommend?appid=####&platform=####&sv=####&appplt...
- t####.p####.com/globalConfig?platform=####&appplt=####&osv=####&appid=##...
- t####.p####.com/recom/tribe?appplt=####
- way.p####.com/public/ppi?appid=####&appplt=####&tk=####&cc=####&appver=#...
Запросы HTTP POST:
- a####.u####.com/app_logs
- pi####.qq.com/mstat/report/?index=####
- res####.a####.com/v3/log/init
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.mta-wxop.xml
- /data/data/####/GCVasSp.xml
- /data/data/####/MATSharedPreferences.xml
- /data/data/####/PullToRefresh.xml
- /data/data/####/USER_BILLING.xml
- /data/data/####/_ire-journal
- /data/data/####/applog.log
- /data/data/####/cn.com.mma.mobile.tracking.other.xml
- /data/data/####/com.pplive.androidphone_preferences.xml
- /data/data/####/config.xml
- /data/data/####/configcenter.txt
- /data/data/####/download.xml
- /data/data/####/exitadinfo
- /data/data/####/globalConfig.txt
- /data/data/####/last_know_location.xml
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_cached_com.pplive.androidphone999999999
- /data/data/####/pptv.db-journal
- /data/data/####/pptv.xml
- /data/data/####/pri_wxop_tencent_analysis.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/unicom.xml
- /data/data/####/view_from.xml
- /data/data/####/webp.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/wxop_tencent_analysis.db-journal
- /data/media/####/-1030901135
- /data/media/####/-1043909301.tmp
- /data/media/####/-1063033578.tmp
- /data/media/####/-10868662.tmp
- /data/media/####/-1173757123.tmp
- /data/media/####/-117959629.tmp
- /data/media/####/-1219532717.tmp
- /data/media/####/-1220329468.tmp
- /data/media/####/-1223599815.tmp
- /data/media/####/-1269514739
- /data/media/####/-1289852114
- /data/media/####/-1291381302.tmp
- /data/media/####/-134341455.tmp
- /data/media/####/-1377025038.tmp
- /data/media/####/-1401906699
- /data/media/####/-1424316075.tmp
- /data/media/####/-1432224890.tmp
- /data/media/####/-1441336949.tmp
- /data/media/####/-1504255604.tmp
- /data/media/####/-1523223674.tmp
- /data/media/####/-1528423314.tmp
- /data/media/####/-1571347033.tmp
- /data/media/####/-1624000149
- /data/media/####/-1644376080
- /data/media/####/-1698974099.tmp
- /data/media/####/-1771599035.tmp
- /data/media/####/-180409336
- /data/media/####/-1804304537.tmp
- /data/media/####/-1805955364
- /data/media/####/-1830409938.tmp
- /data/media/####/-192609082.tmp
- /data/media/####/-1932420448
- /data/media/####/-1998232956
- /data/media/####/-2030677829
- /data/media/####/-2091452258.tmp
- /data/media/####/-2102599478.tmp
- /data/media/####/-2120848152.tmp
- /data/media/####/-22960843
- /data/media/####/-231272295.tmp
- /data/media/####/-297038857.tmp
- /data/media/####/-305556478.tmp
- /data/media/####/-344430645.tmp
- /data/media/####/-355870188
- /data/media/####/-357403157.tmp
- /data/media/####/-396978799.tmp
- /data/media/####/-434886813.tmp
- /data/media/####/-579859073.tmp
- /data/media/####/-606829606
- /data/media/####/-617881173.tmp
- /data/media/####/-720956053.tmp
- /data/media/####/-785963582.tmp
- /data/media/####/-805948722.tmp
- /data/media/####/-822686938
- /data/media/####/-852693663
- /data/media/####/-910634920.tmp
- /data/media/####/-936664005
- /data/media/####/-954257687
- /data/media/####/-995064913.tmp
- /data/media/####/.mid.txt
- /data/media/####/.nomedia
- /data/media/####/1088091250.tmp
- /data/media/####/1102116569
- /data/media/####/110800293
- /data/media/####/1279544699.tmp
- /data/media/####/1290494678.tmp
- /data/media/####/130232760
- /data/media/####/1419310224.tmp
- /data/media/####/1439677153
- /data/media/####/1535663791.tmp
- /data/media/####/1651285821.tmp
- /data/media/####/1693452162.tmp
- /data/media/####/1713049527.tmp
- /data/media/####/1788806618.tmp
- /data/media/####/1877397192
- /data/media/####/1877559384
- /data/media/####/1895535272
- /data/media/####/1904565800.tmp
- /data/media/####/1931859095.tmp
- /data/media/####/1937256583
- /data/media/####/1939967849
- /data/media/####/1951221869.tmp
- /data/media/####/1953121240.tmp
- /data/media/####/1954212646.tmp
- /data/media/####/2018070926
- /data/media/####/2059908907.tmp
- /data/media/####/208735727
- /data/media/####/2102067622
- /data/media/####/2124424380.tmp
- /data/media/####/306544584.tmp
- /data/media/####/309631394.tmp
- /data/media/####/321763015.tmp
- /data/media/####/339743347.tmp
- /data/media/####/356078352.tmp
- /data/media/####/404590489.tmp
- /data/media/####/429553163.tmp
- /data/media/####/545942691.tmp
- /data/media/####/54939787.tmp
- /data/media/####/633091420
- /data/media/####/702301104.tmp
- /data/media/####/728422243
- /data/media/####/779825734.tmp
- /data/media/####/787246645.tmp
- /data/media/####/836919988
- /data/media/####/991080770.tmp
- /data/media/####/journal.tmp
- /data/media/####/slot.png
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- chmod 755 <Package Folder>/files/libjiagu.so
Загружает динамические библиотеки:
- breakpad_util_jni
- libjiagu
- libppbox_jni-android-x86-gcc44-mt-1.1.0
- meet
- mresearch
- ppbox_jni-android-x86-gcc44-mt-1.1
Использует следующие алгоритмы для шифрования данных:
- DES-CBC-PKCS5Padding
- DESede-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- DES-CBC-PKCS5Padding
- DESede-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию о настроках APN.
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
