Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.DownLoader.589.origin
Осуществляет доступ к приватному интерфейсу ITelephony.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) large11####.c####.l####.####.com:80
- TCP(HTTP/1.1) da####.c####.qini####.com:80
- TCP(HTTP/1.1) img-a####.b0.upa####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) api.meme####.com:80
- TCP(HTTP/1.1) sa.meme####.com:80
- TCP(HTTP/1.1) idu####.qini####.com:80
- TCP(HTTP/1.1) gl####.w.kunl####.####.com:80
- TCP(HTTP/1.1) d####.c####.l####.####.com:80
- TCP(HTTP/1.1) loc.map.b####.com:80
- TCP(HTTP/1.1) ws.meme####.com:6010
- TCP(HTTP/1.1) 1####.89.97.82:8000
- TCP(HTTP/1.1) img.su####.com.####.com:80
- TCP(HTTP/1.1) p####.ws.su####.com:80
- TCP(TLS/1.0) c####.im.ta####.com:443
- TCP(TLS/1.0) v####.dn####.top:443
- TCP(TLS/1.0) img.su####.com.####.com:443
Запросы DNS:
- a####.u####.com
- and####.b####.qq.com
- api.meme####.com
- c####.im.ta####.com
- cdn.app.12####.top
- cdn.app.dn####.top
- dl.su####.com
- img-a####.b0.upa####.com
- img-p####.su####.com
- img.su####.com
- loc.map.b####.com
- p####.ws.su####.com
- sa.meme####.com
- v####.dn####.top
- ws.meme####.com
Запросы HTTP GET:
- api.meme####.com/activity/packet_list
- api.meme####.com/activity/room_packet?room_id=####&qd=####
- api.meme####.com/app/index
- api.meme####.com/appload/load_page?qd=####
- api.meme####.com/properties/list
- api.meme####.com/public/blackword_list/0
- api.meme####.com/public/blackword_list/1
- api.meme####.com/public/inform?size=####&type=####
- api.meme####.com/public/poster/2
- api.meme####.com/public/room_admin/62976270
- api.meme####.com/public/room_by_ids?ids=####
- api.meme####.com/public/room_guards?id1=####
- api.meme####.com/public/room_list?sort=####&page=####&live=####&live_typ...
- api.meme####.com/public/room_sofa/62976270
- api.meme####.com/public/room_star/62976270
- api.meme####.com/public/room_star?id1=####
- api.meme####.com/public/room_viewer/62976270?page=####&size=####
- api.meme####.com/public/t_hex
- api.meme####.com/show/bell_gift_list
- api.meme####.com/show/cars_list
- api.meme####.com/show/gift_list
- api.meme####.com/show/gift_list?app_live=####
- api.meme####.com/starraceinfo2016/star?room_id=####
- api.meme####.com/statistic/welcome_event?date=####&button=####&qd=####&i...
- api.meme####.com/zone/mission_num
- api.meme####.com/zone/photo_list/62976270?page=####&size=####
- api.meme####.com/zone/user_info/62976270
- api.meme####.com/zone/user_medal/62976270
- d####.c####.l####.####.com/14/6/62976270_null_200200_1551169537739.jpg?v...
- d####.c####.l####.####.com/14/6/62976270_null_200200_1551173043387.jpg?v...
- d####.c####.l####.####.com/27/3/32422171_null_200200_1551172553904.jpg?v...
- d####.c####.l####.####.com/51/3/70993971_0.jpg?v=####
- da####.c####.qini####.com/dp
- gl####.w.kunl####.####.com/20/4/1492536061844.jpg
- gl####.w.kunl####.####.com/41/1/1492522470441.jpg
- idu####.qini####.com/app/memezhibo.apk
- img-a####.b0.upa####.com/1206088/0202/7d1f647e244713e4e63f818dd458fa3e.j...
- img-a####.b0.upa####.com/2912313/0526/3c65c45e0172a32e1a3b6746ee0ee053.j...
- img-a####.b0.upa####.com/38289623/0123/c1b37b04eaf711024b30b94584225712....
- img-a####.b0.upa####.com/5340504/0517/71d092f45d58d820812c173a5fe912b8.J...
- img-a####.b0.upa####.com/62976270/0217/02bdbb528cdd6b1f8ac70cd5609b6373....
- img-a####.b0.upa####.com/62976270/0217/413f06dd57db4903c766a4d91a653f61....
- img-a####.b0.upa####.com/62976270/0217/75b754600fde998cb1aa30457d7902da....
- img-a####.b0.upa####.com/62976270/0217/7c28828ae680ed1469b41f08311f2ad0....
- img-a####.b0.upa####.com/62976270/0512/bc6b68a0d1f6c57e27497c89b494af2a....
- img-a####.b0.upa####.com/63268041/0325/0fee60f5753d830f87c77729188be8a9....
- img-a####.b0.upa####.com/63682389/0521/164aaecd5d31f88e52651b89e2ae1b2b....
- img.su####.com.####.com/10/2/1441794853770.jpg
- img.su####.com.####.com/12/4/1404113913292.jpg
- img.su####.com.####.com/12/4/1438840897548.jpg
- img.su####.com.####.com/13/5/1429582714317.jpg
- img.su####.com.####.com/16/0/1404113557712.jpg
- img.su####.com.####.com/17/1/1461741991953.jpg
- img.su####.com.####.com/17/1/1486433151121.jpg
- img.su####.com.####.com/20/4/1492536061844.jpg
- img.su####.com.####.com/21/5/1492523049237.jpg
- img.su####.com.####.com/22/6/1453881002134.jpg
- img.su####.com.####.com/23/7/1442374000663.jpg
- img.su####.com.####.com/24/0/1461738947672.jpg
- img.su####.com.####.com/24/0/1480556318040.jpg
- img.su####.com.####.com/28/4/1404113697308.jpg
- img.su####.com.####.com/28/4/1426750171036.jpg
- img.su####.com.####.com/3/3/1438841119811.jpg
- img.su####.com.####.com/3/3/1493029648003.jpg
- img.su####.com.####.com/30/6/1404115010078.jpg
- img.su####.com.####.com/31/7/1493376986335.jpg
- img.su####.com.####.com/32/0/1404113597600.jpg
- img.su####.com.####.com/33/1/1407985123169.jpg
- img.su####.com.####.com/35/3/1404113848931.jpg
- img.su####.com.####.com/35/3/1404119398883.jpg
- img.su####.com.####.com/36/4/1435644545252.jpg
- img.su####.com.####.com/36/4/1478766324580.jpg
- img.su####.com.####.com/36/4/1492522102308.jpg
- img.su####.com.####.com/37/5/1404114308069.jpg
- img.su####.com.####.com/37/5/1404114756837.jpg
- img.su####.com.####.com/37/5/1486453235941.jpg
- img.su####.com.####.com/38/6/1441877346406.jpg
- img.su####.com.####.com/38/6/1485166714022.jpg
- img.su####.com.####.com/39/7/1442306112295.jpg
- img.su####.com.####.com/4/4/1441534817732.jpg
- img.su####.com.####.com/4/4/1458802075332.jpg
- img.su####.com.####.com/4/4/1528191918468.jpg
- img.su####.com.####.com/40/0/1441590005416.jpg
- img.su####.com.####.com/45/5/1493376975533.jpg
- img.su####.com.####.com/5/5/1404115511429.jpg
- img.su####.com.####.com/50/2/1404114270962.jpg
- img.su####.com.####.com/50/2/1446688769010.jpg
- img.su####.com.####.com/51/3/1404113662771.jpg
- img.su####.com.####.com/51/3/1500278134963.jpg
- img.su####.com.####.com/53/5/1442214601781.jpg
- img.su####.com.####.com/56/0/1501830032760.jpg
- img.su####.com.####.com/57/1/1441534642361.jpg
- img.su####.com.####.com/58/2/1441959947962.jpg
- img.su####.com.####.com/58/2/1498638914490.jpg
- img.su####.com.####.com/60/4/1404117661500.jpg
- img.su####.com.####.com/60/4/1441868324796.jpg
- img.su####.com.####.com/61/5/1443173232445.jpg
- img.su####.com.####.com/61/5/1462849483453.jpg
- img.su####.com.####.com/63/7/1404119155455.jpg
- img.su####.com.####.com/63/7/1503554774655.jpg
- img.su####.com.####.com/9/1/1422624662729.jpg
- img.su####.com.####.com/9/1/1441879794057.jpg
- large11####.c####.l####.####.com/sfile/201902/26/all/cp_V3.1.2.txt
- p####.ws.su####.com/10000?ws_getip=####
- sa.meme####.com/api/vtrack/config/Android.conf
- ws.meme####.com:6010/socket.io/?EIO=####&uid=####&f=####&app=####&rom=##...
- ws.meme####.com:6010/socket.io/?EIO=####&uid=####&f=####&sid=####&app=##...
Запросы HTTP POST:
- a####.u####.com/app_logs
- and####.b####.qq.com/rqd/async
- loc.map.b####.com/offline_loc
- loc.map.b####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/AllRoomList
- /data/data/####/Alvin2.xml
- /data/data/####/AppStore.xml
- /data/data/####/BANNER
- /data/data/####/BELL_GIFT_LIST
- /data/data/####/CHEST_GIFT_LIST
- /data/data/####/ContextData.xml
- /data/data/####/GIFT_LIST
- /data/data/####/KEY_WORD
- /data/data/####/LIN1001.xml
- /data/data/####/LIN1002.xml
- /data/data/####/LIN1003.xml
- /data/data/####/LIN1004.xml
- /data/data/####/LIN1005.xml
- /data/data/####/LIN1006.xml
- /data/data/####/LIN1007.xml
- /data/data/####/LIN1008.xml
- /data/data/####/LIN1009.xml
- /data/data/####/LIN1010.xml
- /data/data/####/LIN1011.xml
- /data/data/####/LIN1013.xml
- /data/data/####/LIN1014.xml
- /data/data/####/LIN1015.xml
- /data/data/####/MISSION_COUNT
- /data/data/####/MOBILE_GIFT_LIST
- /data/data/####/MOUNT_MALL
- /data/data/####/MixRoomList
- /data/data/####/PLAZA_DATA
- /data/data/####/PROPERTIES_LIST
- /data/data/####/RECENTLY_VIEW_STAR_LIST
- /data/data/####/RECHARGE_AWARD
- /data/data/####/RED_PACKET_LIST
- /data/data/####/RTMP_BACKUP_IP
- /data/data/####/SENSITIVE_WORD
- /data/data/####/SOFA_MAP
- /data/data/####/UmengLocalNotificationStore.db-journal
- /data/data/####/V3.1.2.txt
- /data/data/####/V3.1.2.xml
- /data/data/####/Zego_live_demo2.xml
- /data/data/####/bugly_db_-journal
- /data/data/####/com.sensorsdata.analytics.android.sdk.SensorsDataAPI.xml
- /data/data/####/com.superzhiboba.android_preferences.xml
- /data/data/####/com.superzhiboba.android_prefs.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/firll.dat
- /data/data/####/firstedlink.xml
- /data/data/####/flag
- /data/data/####/inittime.xml
- /data/data/####/kr.xml
- /data/data/####/last_cache_time
- /data/data/####/libcuid.so
- /data/data/####/libjiagu.so
- /data/data/####/local_crash_lock
- /data/data/####/mobclick_agent_cached_com.superzhiboba.android1008
- /data/data/####/multidex.version.xml
- /data/data/####/ofl.config
- /data/data/####/ofl_location.db
- /data/data/####/ofl_location.db-journal
- /data/data/####/ofl_statistics.db
- /data/data/####/ofl_statistics.db-journal
- /data/data/####/ov.jar
- /data/data/####/pf.jar
- /data/data/####/security_info
- /data/data/####/sensorsdata
- /data/data/####/sensorsdata-journal
- /data/data/####/show.db-journal
- /data/data/####/shuzilm.db
- /data/data/####/t_u.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/user_message_record.db-journal
- /data/data/####/vbz.xml
- /data/media/####/.cuid
- /data/media/####/.cuid2
- /data/media/####/.nomedia
- /data/media/####/0279e3a7b7ecbf7a665c6d724659d417.tmp
- /data/media/####/02d7f102553f238d88d0f47a07745615.tmp
- /data/media/####/03c74f856738cca9a2588caeb9b4dd44.tmp
- /data/media/####/126e8dac61e3455dc5cd6400209e4940.tmp
- /data/media/####/128411de7293bbaf25fd1e2eeb22e09b.tmp
- /data/media/####/12ba220d2eacbb15106a46b5c2f036d6.tmp
- /data/media/####/138e2a18a2de7ee5a60bd39c84caf0aa.tmp
- /data/media/####/15872ce8e587d00dce665b6b5b4031e2.tmp
- /data/media/####/1d065b5e368b94d1269b6371930a65f1.tmp
- /data/media/####/2731d07352df098f25feb14fa55b8f57.tmp
- /data/media/####/2892de4511fa5872b6fe4800d42534f9.tmp
- /data/media/####/2ddd8bf062045076522c6ab6d32ae6b1.tmp
- /data/media/####/31f216820afafd54affc4c6c609f0a4f.tmp
- /data/media/####/343a5a1e594573a7d2e09c8ee6b18977.tmp
- /data/media/####/3883d862cae55a876c0d7bb30c1b8c99.tmp
- /data/media/####/3e9735b7c5feecf55c1d792798145b9f.tmp
- /data/media/####/405ab30c6b21d3733b1e12127ed30378.tmp
- /data/media/####/43e23fd3b22079b6e73f28dbe19bf2cd.tmp
- /data/media/####/44b4a13839bc2f8462c3a0f57557495f.tmp
- /data/media/####/47354d5db2b50beef0fa739d96a2b860.tmp
- /data/media/####/48cb3a91d4640a37378899c0bf783e1e.tmp
- /data/media/####/4a8cec119afe6bc1d6c0170ce4ba15a8.tmp
- /data/media/####/4e55e4572683a2ca8870b104d1f55aca.tmp
- /data/media/####/4ee2325900f172cdd34417b94abc60a5.tmp
- /data/media/####/523f27da5d9cc24dfac6d4d566ec2721.tmp
- /data/media/####/5583df7fadf83e1ab0f86029ec7529f8.tmp
- /data/media/####/57752d96499214af9aff577bcba618f2.tmp
- /data/media/####/5872f4f2cc6d6733b8351c663fb83808.tmp
- /data/media/####/5ef78776cee5030cf03da761de6697fc.tmp
- /data/media/####/6a019540417a59b840209d1230184833.tmp
- /data/media/####/6c07142b022080cfd310ad27de6367bc.tmp
- /data/media/####/6ca719e78b01cd53b90e9d332036b9b0.tmp
- /data/media/####/6e4e0d52fbfad9c8d09b141c1c728b18.tmp
- /data/media/####/6f02253d4e9aede230c5de096c2eb5ac.tmp
- /data/media/####/7220413067fc59ef49a406fdf72b2eb1.tmp
- /data/media/####/7670a6b9fe7c6b592de28d37daacadb5.tmp
- /data/media/####/767b68cae876d4fcbd7cd7487cf89c35.tmp
- /data/media/####/76f26cb8989172f717d90442d1bba4c5.tmp
- /data/media/####/7ae482dd76ed0849bea93a88216e1ef9.tmp
- /data/media/####/7ee0bd8f0911d5964fc742be3c06d03c.tmp
- /data/media/####/7f1d76ea6ec595287e293dace753c125.tmp
- /data/media/####/8610424b319137d3120a37d9dd28b857.tmp
- /data/media/####/869e8fe73a722cfffac59b9385da8de6.tmp
- /data/media/####/86fbf8db44558c344e07ada552041c0a.tmp
- /data/media/####/9348cf6ea4340033c3109d5e66400842.tmp
- /data/media/####/94b127ec9b0b5372b00c067c777f8df5.tmp
- /data/media/####/94ea944f9c649683c2efe9cc86eba659.tmp
- /data/media/####/9927b8ae927f79e8b2a0d006970065bc.tmp
- /data/media/####/9aa11fb9dc84d557be1c3fe2442a2a1a.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/_driver.dat
- /data/media/####/_system.dat
- /data/media/####/aeacda196cc9caad6b64506faefd627b.tmp
- /data/media/####/b0eff06b9ce7b1e2c7b6cf8c6ec5dd27.tmp
- /data/media/####/b7a96615940050395f3ea2bad4458514.tmp
- /data/media/####/b897a628c5374e0b5999f1e861559a4d.tmp
- /data/media/####/ba72b3ca52e29bafa8870c5995e42b83.tmp
- /data/media/####/c1350429f955cfb23de752bfd63847d0.tmp
- /data/media/####/c168933e6456bf2a2e41b750d4e1dba1.tmp
- /data/media/####/c1c5b67911ebe81179e65bffee0f2f7d.tmp
- /data/media/####/c4d52af921af8289d715d70fcfe73d1d.tmp
- /data/media/####/c5d9bc25f1f261420a5213488061da3c.tmp
- /data/media/####/cdb038dedaa9201027745e7dece470f7.tmp
- /data/media/####/cdfe164bc000b76000527e9cb04284cf.tmp
- /data/media/####/config.dat
- /data/media/####/conlts.dat
- /data/media/####/d2d98ee67a54a084e8cf763377435b17.tmp
- /data/media/####/d4435119712305fdcbfd02ea6fc15139.tmp
- /data/media/####/d9896702fe449c3cb835f35cdd174697.tmp
- /data/media/####/e1c0ef161e4e3989bdd44b421e169aa0.tmp
- /data/media/####/e4049a1abbfa08f5e121ea613de8010e.tmp
- /data/media/####/e99dadf4f1540239db837d97bd768b2f.tmp
- /data/media/####/ea98f9cca48d9f7898c00508a32effce.tmp
- /data/media/####/ec35710ae4ef57a5522e33253066a5cc.tmp
- /data/media/####/f9e292f0095241478995853c022816d0.tmp
- /data/media/####/fbb353f92bbfb5ac4efbbc6dee56554c.tmp
- /data/media/####/fddd62333b762f567af5c2752d846e3d.tmp
- /data/media/####/ller.dat
- /data/media/####/ls.db
- /data/media/####/ls.db-journal
- /data/media/####/lut
- /data/media/####/memezhibo.apk
- /data/media/####/test.0
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop androVM.vbox_dpi
- /system/bin/sh -c getprop gsm.sim.state
- /system/bin/sh -c getprop gsm.sim.state2
- /system/bin/sh -c getprop qemu.sf.fake_camera
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.debuggable
- /system/bin/sh -c getprop ro.genymotion.version
- /system/bin/sh -c getprop ro.secure
- /system/bin/sh -c type su
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop androVM.vbox_dpi
- getprop gsm.sim.state
- getprop gsm.sim.state2
- getprop qemu.sf.fake_camera
- getprop ro.board.platform
- getprop ro.debuggable
- getprop ro.genymotion.version
- getprop ro.secure
- ls /dev/socket
- netstat
- service call iphonesubinfo 1
- sh -c cat /proc/cpuinfo
- sh -c cat /proc/net/arp
- sh -c cat /proc/sys/kernel/osrelease
- sh -c cat /proc/sys/kernel/random/boot_id
- sh -c cat /proc/sys/kernel/random/uuid
Загружает динамические библиотеки:
- Bugly
- du
- game
- gif
- libjiagu
- locSDK6a
- openal
- zegoavkit
- zegoavkit2_jni
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-GCM-NoPadding
- RSA
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-GCM-NoPadding
- DES
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Осуществляет доступ к интерфейсу камеры.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Получает информацию о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
