Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Xiny.20
Загружает из Интернета следующие детектируемые угрозы:
- Android.Xiny.20
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) img.cool####.cn:80
- TCP(HTTP/1.1) r.izuoy####.cn:80
- TCP(HTTP/1.1) qq.com.yuchan####.####.cn:80
- TCP(HTTP/1.1) 1####.97.46.44:80
- TCP(HTTP/1.1) a.sm####.cn:80
- TCP(HTTP/1.1) cgi.con####.qq.com:80
- TCP(HTTP/1.1) www.izuoy####.cn:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(TLS/1.0) 1####.217.17.110:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
Запросы DNS:
- a.sm####.cn
- and####.cli####.go####.com
- cgi.con####.qq.com
- img.cool####.cn
- pi####.qq.com
- qq.com.yuchan####.####.cn
- r.izuoy####.cn
- www.izuoy####.cn
Запросы HTTP GET:
- cgi.con####.qq.com/qqconnectopen/openapi/policy_conf?sdkv=####&appid=###...
- img.cool####.cn/2011/lvs.jar
- r.izuoy####.cn/file/2017/03/17/201703171423150.jpg
- r.izuoy####.cn/file/2017/03/17/201703171423490.jpg
- r.izuoy####.cn/file/2017/03/17/201703171424290.jpg
- r.izuoy####.cn/file/M00/01/32/CgKwP1TQKiaAAeCCAAB347rfIyA665.jpg
- r.izuoy####.cn/file/M00/01/7A/CgKwP1TduMGACZT6AACQq5k8gzk135.jpg
- r.izuoy####.cn/file/M00/01/7A/CgKwP1TduS2AQZlDAACJsNvfvvE122.jpg
- r.izuoy####.cn/file/M00/01/7A/CgKwP1TduVGAPTLiAACtFDOxsK8626.jpg
- r.izuoy####.cn/file/M00/01/7A/CgKwP1Tduu6AcwiBAACGIuozLyY044.jpg
- r.izuoy####.cn/file/M00/01/7A/CgKwP1Tduy2AJK0AAACNT12ZbG4150.jpg
- www.izuoy####.cn/study-manager//assets/img/common/hg_2.png
- www.izuoy####.cn/study-manager/assets/css/common/mui.css
- www.izuoy####.cn/study-manager/assets/css/common/sweetalert.css
- www.izuoy####.cn/study-manager/assets/css/fonts/mui.ttf
- www.izuoy####.cn/study-manager/assets/css/owl.carousel.css
- www.izuoy####.cn/study-manager/assets/img/AjaxLoader.gif
- www.izuoy####.cn/study-manager/assets/img/common/back.png
- www.izuoy####.cn/study-manager/assets/img/common/list.png
- www.izuoy####.cn/study-manager/assets/js/classExercise/book_list.js
- www.izuoy####.cn/study-manager/assets/js/classExercise/classExercise.js
- www.izuoy####.cn/study-manager/assets/js/classExercise/exercise_catalog.js
- www.izuoy####.cn/study-manager/assets/js/classExercise/pullToRefresh.js
- www.izuoy####.cn/study-manager/assets/js/common/common.js
- www.izuoy####.cn/study-manager/assets/js/common/mui.lazyload.img.js
- www.izuoy####.cn/study-manager/assets/js/common/mui.lazyload.js
- www.izuoy####.cn/study-manager/assets/js/common/mui.min.js
- www.izuoy####.cn/study-manager/assets/js/common/owl.carousel.js
- www.izuoy####.cn/study-manager/assets/js/common/sweetalert-dev.js
- www.izuoy####.cn/study-manager/assets/js/homePage/exercise_list.js
- www.izuoy####.cn/study-manager/assets/js/jquery-2.1.1.min.js
- www.izuoy####.cn/study-manager/assets/js/pull/colorful.js
- www.izuoy####.cn/study-manager/assets/js/pull/iscroll.js
- www.izuoy####.cn/study-manager/assets/js/pull/pullToRefresh.css
- www.izuoy####.cn/study-manager/assets/js/pull/reset.css
- www.izuoy####.cn/study-manager/assets/js/teachStudy/jquery.lazyload.js
- www.izuoy####.cn/study-manager/classExercise/bookSection?ex_catalogName=...
- www.izuoy####.cn/study-manager/classExercise/getCatalogList?bookId=####&...
- www.izuoy####.cn/study-manager/homePage?appUpdate=####
Запросы HTTP POST:
- a.sm####.cn/cw/cp.action?requestId=####&g=####
- pi####.qq.com/mstat/report
- qq.com.yuchan####.####.cn/cw/interface!u2.action?protocol=####&version=#...
- www.izuoy####.cn/study-manager/classExercise/getBookList
- www.izuoy####.cn/study-manager/classExercise/getExerciseList
- www.izuoy####.cn/study-manager/personalCenter/getArea
- www.izuoy####.cn/study-manager/version/updateVersion
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/W_Key.xml
- /data/data/####/a.xml
- /data/data/####/cedjeurf.chdyeu364rytufhe.cnduejduf.sued_prefer...ml.bak
- /data/data/####/cedjeurf.chdyeu364rytufhe.cnduejduf.sued_preferences.xml
- /data/data/####/chehui_maiche.config.xml
- /data/data/####/com.tencent.open.config.json.1105076089
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/downloadswc
- /data/data/####/downloadswc-journal
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/index
- /data/data/####/libjiagu.so
- /data/data/####/st.xml
- /data/data/####/tencent_analysis.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/media/####/4.6_lvs.jar.tmp
- /data/media/####/restime.dat
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- MtaNativeCrash
- dcae
- libjiagu
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Отрисовывает собственные окна поверх других приложений.
