Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.RemoteCode.188.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) www.md####.cn:80
- TCP(HTTP/1.1) n1.c.im####.com:80
- TCP(HTTP/1.1) s1.quh####.com.####.com:80
- TCP(HTTP/1.1) s####.gw.y####.net:80
- TCP(HTTP/1.1) t####.dmp.y####.net:80
- TCP(HTTP/1.1) api####.bao####.com:80
- TCP(HTTP/1.1) cdn.zs####.cn.####.cn:8080
- TCP(HTTP/1.1) s.y####.net:80
- TCP(TLS/1.0) q####.quh####.com:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
Запросы DNS:
- 2####.nd####.y####.com
- and####.cli####.go####.com
- api####.bao####.com
- api.xiub####.com
- cdn.zs####.cn
- n1.c.im####.com
- q####.quh####.com
- r.y####.net
- s####.gw.y####.net
- s.y####.net
- s1.quh####.com
- t####.dmp.y####.net
- www.md####.cn
Запросы HTTP GET:
- api####.bao####.com/calendar/beautylive0130.jpg
- api####.bao####.com/calendar/bilibili.png
- api####.bao####.com/calendar/fenghuang.png
- api####.bao####.com/calendar/kdzl.jpg
- api####.bao####.com/calendar/qmgt.png
- api####.bao####.com/calendar/souhu.png
- api####.bao####.com/calendar/ssssslth.jpg
- api####.bao####.com/calendar/taobao.png
- api####.bao####.com/calendar/wdtg.jpg
- api####.bao####.com/calendar/xxsf.jpg
- api####.bao####.com/launcher/default/index?name=####
- api####.bao####.com/themes/default/browser?u=####
- cdn.zs####.cn.####.cn:8080/resource/gis/44
- n1.c.im####.com/1c2b2df6ba9bf3182c9a2d0adb4e1663a8e1f35c
- s####.gw.y####.net/stat/v3/conf?app=####&key=####&sig=####&rt=####
- s.y####.net/aos/v3/initf?s=####
- s.y####.net/spot/aos/v2/reqv3?s=####
- s.y####.net/stat/aos/v3/pkc?s=####
- s.y####.net/stat/v3/conf?app=####&key=####&sig=####&rt=####
- s.y####.net/stat/v3/udt2?appid=####&s=####
- s1.quh####.com.####.com//uploads/m_link/201902/06/1549458638976.jpg
- s1.quh####.com.####.com//uploads/m_link/201902/07/1549469173961.jpg
- s1.quh####.com.####.com//uploads/m_link/201902/07/1549476008399.jpg
- s1.quh####.com.####.com//uploads/m_link/201902/07/1549477506873.jpg
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/0571b05bb02...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/2c61e2261b7...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/329ce773f48...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/41f7be6d1c5...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/51dad9d8618...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/5dcda45a669...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/5f501e1cb8e...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/87a16e2fc18...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/939fd13e1a9...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/b8f3abfd2ef...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/b9133f73946...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/bb10a1b2c74...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/cacc6712cc8...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/cbb4fde3de4...
- s1.quh####.com.####.com/uploads/common/201512/21/user/spider/dcb491538fb...
- s1.quh####.com.####.com/uploads/common/201512/22/user/spider/f280b4d1942...
- s1.quh####.com.####.com/uploads/common/201512/23/user/source/91e5a15241f...
- s1.quh####.com.####.com/uploads/common/201512/23/user/spider/0a0196cc043...
- s1.quh####.com.####.com/uploads/common/201512/23/user/spider/54cb8bb35aa...
- s1.quh####.com.####.com/uploads/common/201512/23/user/spider/d23fa7cd0b2...
- s1.quh####.com.####.com/uploads/m_link/201902/06/1549458638976.jpg
- s1.quh####.com.####.com/uploads/m_link/201902/07/1549477506873.jpg
- s1.quh####.com.####.com/uploads/moment/201902/06/pic/1549458956194.jpg!hm
- s1.quh####.com.####.com/uploads/moment/201902/06/pic/1549458956473.jpg!vm
- s1.quh####.com.####.com/uploads/moment/201902/06/pic/1549458956506.jpg!vm
- s1.quh####.com.####.com/uploads/moment/201902/06/pic/1549459488986.jpg
- s1.quh####.com.####.com/uploads/moment/201902/06/pic/1549464354608.jpg
- s1.quh####.com.####.com/uploads/moment/201902/06/pic/1549464798390.jpg
- s1.quh####.com.####.com/uploads/moment/201902/06/pic/1549466750110.jpg
- s1.quh####.com.####.com/uploads/moment/201902/06/pic/1549467242657.jpg
Запросы HTTP POST:
- t####.dmp.y####.net/v1/android/packages?rt=####&sign=####
- t####.dmp.y####.net/v2/android/pkgtime?rt=####&sign=####
- www.md####.cn/pservers/loadip
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-1857282747-1230977170
- /data/data/####/-671987956-1462795246
- /data/data/####/-9368357572133067459
- /data/data/####/.jg.ic
- /data/data/####/00dd1a013c88489fd4879835970d437e71bbdd6673a109c....0.tmp
- /data/data/####/064d8e9cd2173785fdc2078b52aea54b15e254d35ff1585....0.tmp
- /data/data/####/0d31d6eb9e2358d4a1cb34109eb9720ddd99bac981283d4....0.tmp
- /data/data/####/0e99a3e3f0927d9e430d1f603a9083854709fd822093551....0.tmp
- /data/data/####/0eafa9915ca6576492cb82f842700fd7d927cca407687dc....0.tmp
- /data/data/####/137248476ef956bf712c065137073d8d655ed36ae0db3f6....0.tmp
- /data/data/####/1774252405670437422
- /data/data/####/1815352148-98640524
- /data/data/####/1857678774-1221887362
- /data/data/####/1857678774913386915
- /data/data/####/1cd2b700d6812baa1c9020ed0c70f6e1ec8045f86ccca2a....0.tmp
- /data/data/####/22aa1f231155a9252ef024316fa73e158b5790910d6a22a....0.tmp
- /data/data/####/257fa6fb3696fdcc6748e729e06485b4
- /data/data/####/257fa6fb3696fdcc6748e729e06485b4-journal
- /data/data/####/25a2247af58336b66b326fd643fcb10142eeeaee229aefe....0.tmp
- /data/data/####/29933a486f8fec3b958acbe04e82659f87c55b0d6a6fb6b....0.tmp
- /data/data/####/3fce7a5f2813332d11480cbc105d577f-journal
- /data/data/####/41bb1640232290f5c9d009eb0036fa980c441fbdca45a00....0.tmp
- /data/data/####/43000f764c5936706fa262221638a11f
- /data/data/####/43000f764c5936706fa262221638a11f-journal
- /data/data/####/459440d1fede0f9540f361102248ccc0730d9ff8aafc9bb....0.tmp
- /data/data/####/759585b8ffc18ef228c013fc2f29ae9f43ce203c0e9a65b....0.tmp
- /data/data/####/7a6d29f576e2dbdc72f5f1b24e5ff9473d513973dc1df3e....0.tmp
- /data/data/####/7ae4a650bda0417b8a4d6a5f4977e013548736580590717....0.tmp
- /data/data/####/888310114-1844295605
- /data/data/####/8b9e58db5e0c5066474a899ee5e2828c1accf488c755aa6....0.tmp
- /data/data/####/8dL16.zip
- /data/data/####/97b2b6dca69666225f26fe683c5926a13095958cbc047ec....0.tmp
- /data/data/####/9ab52c26446a2fc96dbfa8bc48ceca639388f59d689ea37....0.tmp
- /data/data/####/9c130f3f67f156c3a627419d84cf5cb7dbc5e23725495df....0.tmp
- /data/data/####/9f203457396322bc0e9b060b7eb144a5ae08a815d08da79....0.tmp
- /data/data/####/C0XKJAO3JLZKJPDKJFXLINQCJIOAOD.xml
- /data/data/####/CATEGORY_SAVE_FILE.xml
- /data/data/####/CE94557724F842149D690D0E8CBB1CBD.xml
- /data/data/####/CHACHE_DISCOVER_BOUTIQUE.xml
- /data/data/####/P15pKIjsm64m
- /data/data/####/P15pKIjsm64m-journal
- /data/data/####/T1oX0rhhuXWt
- /data/data/####/T1oX0rhhuXWt-journal
- /data/data/####/XKwVoK0huy3R
- /data/data/####/XKwVoK0huy3R-journal
- /data/data/####/a289516a1c754792c6809a63ed0332a5887ad59f3c414a0....0.tmp
- /data/data/####/a554b05a7de1f46873a55b25897b50ac9d009986dd01750....0.tmp
- /data/data/####/a60d293b543a539d4d113e2fee9d207f91c118883d44e3e....0.tmp
- /data/data/####/ad04b04f31e5729c69bb66bc4d31cc3de87dfdd290f105b....0.tmp
- /data/data/####/ae3a67d3ebc22fa1cc692bc6528be77c2dce373ad757b1a....0.tmp
- /data/data/####/b1a5ad8d48db3235cb76854d88f3e17bf46f1c07c6e17ff....0.tmp
- /data/data/####/browser_pre.xml.xml
- /data/data/####/c2f554949598d68e1295ba7592b15c7bd033177e37034dd....0.tmp
- /data/data/####/c3a35ea26eba5448cbbebcea62cb19c161af294803932f1....0.tmp
- /data/data/####/c5e5b6e540e45f4007db699541963199fe2b5ad3eaff1ae....0.tmp
- /data/data/####/c69907a84d1a588cee2953d59cfedec6e54a6c3bdd6f73b....0.tmp
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/core_info
- /data/data/####/database_webview.db-journal
- /data/data/####/dd5cff35c9bacf97043dcbe552a6ce500d1ef1eadbed17c....0.tmp
- /data/data/####/debug.conf
- /data/data/####/dec015dbac95947986533aa849b7587fe8f7fdd88afbdc9....0.tmp
- /data/data/####/e0300ab935d1a757f94037f4f93a1476eb77b9858e2693c....0.tmp
- /data/data/####/e4cb708179c2a12c7b8b80c66ab8fb7b8f66847e45203c6....0.tmp
- /data/data/####/e55227329697387a08dbe8b58a48820033dfd522221923c....0.tmp
- /data/data/####/e8a1ed285e1e6fd2eaae60c2d751db6322498c4959ef8d2....0.tmp
- /data/data/####/ec4b58452428c1065762f9ffa1f4aac6137126890fef8ba....0.tmp
- /data/data/####/f98d31914ee53a6cb708c1b7a63b447de617b30e473afb4....0.tmp
- /data/data/####/fc497d93f62df219330e3857c89dad6a9e492cba702d596....0.tmp
- /data/data/####/journal.tmp
- /data/data/####/jqIqJYOT3JpT
- /data/data/####/jqIqJYOT3JpT-journal
- /data/data/####/libjiagu1687216312.so
- /data/data/####/mobclick_agent_cached_com.example.mm.txweblibrary11
- /data/data/####/red_package.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/wIU6pTyUBYWX
- /data/data/####/wIU6pTyUBYWX-journal
- /data/data/####/webview.db-journal
- /data/data/####/wsUL1uCdKvjD
- /data/data/####/wsUL1uCdKvjD-journal
- /data/data/####/ymdex.jar
- /data/media/####/.nomedia
- /data/media/####/com.example.mm.txweblibrary.zip
- /data/media/####/i42d45df023jnkdd93la483f9xGFKXI
- /data/media/####/icon_-1018665290
- /data/media/####/icon_-1206443250
- /data/media/####/icon_-1292340748
- /data/media/####/icon_-1680686063
- /data/media/####/icon_-737316092
- /data/media/####/icon_-781502806
- /data/media/####/icon_1068324105
- /data/media/####/icon_1159392837
- /data/media/####/icon_1796290063
- /data/media/####/icon_330819134
- /data/media/####/icon_381668235
- /data/media/####/journal.tmp
- /data/media/####/s92TjjdfoP2n3o9dfji2l9s1olkjf0p
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/kernel_max
- chmod 755 <Package Folder>/.jiagu/libjiagu1687216312.so
Загружает динамические библиотеки:
- abcdefgh
- libjiagu1687216312
Использует следующие алгоритмы для шифрования данных:
- AES
- PBEWITHMD5andDES
Использует следующие алгоритмы для расшифровки данных:
- AES-CFB-NoPadding
- PBEWITHMD5andDES
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
