Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Осуществляет доступ к приватному интерфейсу ITelephony.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) vc.m####.com:80
- TCP(HTTP/1.1) ap####.v0.m####.com:80
- TCP(HTTP/1.1) imgal####.res.m####.com:80
- TCP(HTTP/1.1) v2.log.hun####.com:80
- TCP(HTTP/1.1) 0####.h####.com:80
- TCP(HTTP/1.1) g####.hun####.com:80
- TCP(HTTP/1.1) use####.api.max.####.com:80
- TCP(HTTP/1.1) pl####.log.hun####.com:80
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) st.bz.m####.com:80
- TCP(HTTP/1.1) d####.t####.m####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) com####.m####.com:80
- TCP(HTTP/1.1) rc.m####.com:80
- TCP(HTTP/1.1) www.qchann####.cn:80
- TCP(HTTP/1.1) log.v2.hun####.com:80
- TCP(HTTP/1.1) x.da.m####.com:80
- TCP(HTTP/1.1) o####.ar####.api.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) 1####.h####.com:80
- TCP(HTTP/1.1) mo####.api.hun####.com:80
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) mo####.log.hun####.com:80
- TCP(HTTP/1.1) m####.api.m####.com:80
- TCP(HTTP/1.1) x.da.hun####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) qin####.com.www.####.com:80
- TCP(HTTP/1.1) sdk-ope####.g####.com:80
- TCP(HTTP/1.1) mob.bz.m####.com:80
- TCP(HTTP/1.1) log.da.hun####.com:80
- TCP(HTTP/1.1) cou####.pe####.m####.com:80
- TCP(HTTP/1.1) o####.ac####.api.####.com:80
- TCP(HTTP/1.1) y.da.hun####.com:80
- TCP(HTTP/1.1) s5.hun####.com:80
- TCP(TLS/1.0) qq.i####.com:443
- TCP 43.2####.145.5:5227
- TCP sdk.o####.t####.####.com:5224
- TCP t####.nz4.ig####.com:5224
Запросы DNS:
- 0####.h####.com
- 1####.h####.com
- 2####.h####.com
- 3####.h####.com
- 7j####.c####.z0.####.com
- a####.u####.com
- ap####.v0.m####.com
- api####.a####.com
- c-h####.g####.com
- com####.m####.com
- cou####.pe####.m####.com
- d####.t####.m####.com
- g####.hun####.com
- imgal####.res.m####.com
- log.da.hun####.com
- log.v2.hun####.com
- m####.api.m####.com
- m.i####.com
- mo####.api.hun####.com
- mo####.log.hun####.com
- mob.bz.m####.com
- o####.ac####.api.####.com
- o####.ar####.api.####.com
- pl####.log.hun####.com
- pub-####.qin####.com
- rc.m####.com
- s5.hun####.com
- sdk-ope####.g####.com
- sdk.c####.ig####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- st.bz.m####.com
- t####.nz4.g####.net
- t####.nz4.ge####.com
- t####.nz4.ig####.com
- use####.api.max.####.com
- v2.log.hun####.com
- v2.res.log.####.com
- vc.m####.com
- www.qchann####.cn
- x.da.hun####.com
- x.da.m####.com
- y.da.hun####.com
Запросы HTTP GET:
- 0####.h####.com/preview/channel_images/20190213161130991.jpg_366x206.jpg
- 0####.h####.com/preview/sp_images/2018/zongyi/323564/4457296/20180709091...
- 0####.h####.com/preview/sp_images/2019/2/13/zongyi/328308/5155735/201902...
- 0####.h####.com/preview/sp_images/2019/2/21/zongyi/328308/5198141/201902...
- 0####.h####.com/preview/sp_images/2019/2/22/zongyi/328308/5202953/201902...
- 0####.h####.com/preview/sp_images/2019/2/27/zongyi/328308/5229447/201902...
- 0####.h####.com/preview/sp_images/2019/2/28/zongyi/328308/5235688/201902...
- 0####.h####.com/preview/sp_images/2019/2/28/zongyi/328308/5235886/201902...
- 0####.h####.com/preview/sp_images/2019/2/28/zongyi/328308/5235955/201902...
- 1####.h####.com/preview/channel_images/20190109162052030.jpg_738x416.jpg
- 1####.h####.com/preview/channel_images/20190115183147174.jpg_738x416.jpg
- 1####.h####.com/preview/channel_images/20190220103623352.jpg_366x206.jpg
- 1####.h####.com/preview/cms_icon/2019/1/31/01/20190131213949220.jpg_750x...
- 1####.h####.com/preview/cms_icon/2019/2/14/02/20190214103959430.jpg_750x...
- 1####.h####.com/preview/crop/2019/02/28/3650303/crop_500x284_99_1.jpg
- 1####.h####.com/preview/sp_images/2018/12/25/dianshiju/323323/4863265/20...
- 1####.h####.com/preview/sp_images/2019/2/14/zongyi/328308/5162444/201902...
- 1####.h####.com/preview/sp_images/2019/2/26/zongyi/328308/5225141/201902...
- 1####.h####.com/preview/sp_images/2019/2/27/zongyi/328308/5228292/201902...
- 1####.h####.com/preview/sp_images/2019/2/27/zongyi/328308/5229675/201902...
- 1####.h####.com/preview/sp_images/2019/2/27/zongyi/328308/5230908/201902...
- 1####.h####.com/preview/sp_images/2019/2/28/zongyi/328308/5235119/201902...
- 1####.h####.com/preview/sp_images/2019/2/28/zongyi/328308/5235519/201902...
- 1####.h####.com/preview/sp_images/2019/2/28/zongyi/328308/5235920/201902...
- 1####.h####.com/preview/sp_images/2019/2/28/zongyi/328308/5235926/201902...
- ap####.v0.m####.com/buffer.php?td=####&net=####&istry=####&aver=####&tim...
- ap####.v0.m####.com/pv.php?nt=####&cpid=####&md=####&tst=####&gps=####&s...
- ap####.v0.m####.com/pv.php?nt=####&ftl=####&cpid=####&md=####&tst=####&g...
- com####.m####.com/video_comment/getcount?type=####&subject_id=####
- cou####.pe####.m####.com/message/poll?uid=####&osVersion=####&did=####&m...
- d####.t####.m####.com/vod.do?arange=####&fid=####&gsid=####&pm=####&svri...
- d####.t####.m####.com/vod.do?arange=####&fid=####&gsid=####&pm=####&ver=...
- g####.hun####.com/mobile/distribute.do?deviceid=####
- imgal####.res.m####.com/mediafiles/wiad_creative/1008/15508361592873.png
- imgal####.res.m####.com/mediafiles/wiad_creative/1037/15508308057769.jpg
- log.da.hun####.com/info.php?f=####&ex=####&e=####&b=####&c=####&mod=####...
- mo####.api.hun####.com/user/getActivity?uid=####&osVersion=####&ticket=#...
- mo####.api.hun####.com/v6/search/recommend?uid=####&osVersion=####&ticke...
- mob.bz.m####.com/odin/c1/channel/list?uid=####&osVersion=####&mac=####&o...
- o####.ac####.api.####.com/artist/getRecommendCollectArtist?uid=####&osVe...
- o####.ar####.api.####.com/artist/getArtistListByIds?artistIds=####&type=...
- o####.ar####.api.####.com/artist/getArtistListByIds?uid=####&type=####&t...
- pl####.log.hun####.com/playerQuality.gif?first_frame_time=####&seeking_t...
- qin####.com.www.####.com/tdata_EDT369
- rc.m####.com/mobile/like?did=####&uid=####&vid=####&c=####
- rc.m####.com/mobile/rank?c=####
- rc.m####.com/mobile/rank?uid=####&osVersion=####&c=####&mac=####&osType=...
- s5.hun####.com/channel/live?uid=####&osVersion=####&ticket=####&appVersi...
- s5.hun####.com/mobile/uip?uid=####&osVersion=####&ticket=####&appVersion...
- s5.hun####.com/recommend?uid=####&platform=####&osVersion=####&mac=####&...
- s5.hun####.com/user/payConfig?uid=####&osVersion=####&ticket=####&appVer...
- s5.hun####.com/v1/config/play?uid=####&osVersion=####&ticket=####&appVer...
- s5.hun####.com/v5/listconfig?uid=####&platform=####&osVersion=####&mac=#...
- s5.hun####.com/v7/playlist/list?clipId=####&abroad=####
- s5.hun####.com/v7/video/getSource?uid=####&osVersion=####&mac=####&osTyp...
- s5.hun####.com/v8/video/info?uid=####&osVersion=####&mac=####&osType=###...
- s5.hun####.com/v8/video/list?uid=####&appVersion=####&ticket=####&fstlvl...
- s5.hun####.com/v8/video/relative?uid=####&appVersion=####&ticket=####&fs...
- st.bz.m####.com/odin/c1/channel/index?uid=####&osVersion=####&mac=####&o...
- t####.c####.q####.####.com/tdata_AXX896
- t####.c####.q####.####.com/tdata_BAI450
- t####.c####.q####.####.com/tdata_Fus136
- ti####.c####.l####.####.com/config/bj-bjv6.conf
- ti####.c####.l####.####.com/config/hz-bjv6.conf
- use####.api.max.####.com/person5819c51b48a87.jpg
- use####.api.max.####.com/person58d395d17c2ec.jpg
- use####.api.max.####.com/person5a55e23601aad.jpg
- use####.api.max.####.com/person5ad6eea479eeb.png@1wh_1e_1c_0o_0l_130h_13...
- use####.api.max.####.com/person5b1a4e6712024.jpg
- use####.api.max.####.com/person5b1b72e5b9d13.jpg@1wh_1e_1c_0o_0l_130h_13...
- use####.api.max.####.com/person5b73a0e9765bb.jpg
- use####.api.max.####.com/person5c357a519f6e6.jpg
- use####.api.max.####.com/person5c60e6b63915b.jpg
- use####.api.max.####.com/person5c640589b3bc6.jpg
- use####.api.max.####.com/person5c6405bab6e6c.jpg
- use####.api.max.####.com/person5c6405cde32bf.jpg
- use####.api.max.####.com/person5c6405e5c0730.jpg
- use####.api.max.####.com/person5c6405fd9f9a4.jpg
- v2.log.hun####.com/info.php?f=-1&ex=&e=3.400601.300600&b=1&c=1&mod=<Syst...
- v2.log.hun####.com/info.php?f=0&ex=&e=&b=1&c=1&mod=<System Property>&a=0...
- v2.log.hun####.com/info.php?f=0&ex=&e=105000&b=1&c=1&mod=<System Propert...
- vc.m####.com/v2/dynamicinfo?uid=####&osVersion=####&mac=####&pid=####&os...
- y.da.hun####.com/app/impression?_serverip=####&adid=####&adtotal=####&ap...
Запросы HTTP POST:
- a####.u####.com/app_logs
- c-h####.g####.com/api.php?format=####&t=####
- log.da.hun####.com/v1/t
- log.v2.hun####.com/dispatcher.do
- m####.api.m####.com/mpns/parseLog
- mo####.log.hun####.com/data.cgi
- o####.ac####.api.####.com/global/config
- o####.ar####.api.####.com/artist/getArtistListByIds
- res####.a####.com/v3/log/init
- sdk-ope####.g####.com/api.php?format=####&t=####
- sdk-ope####.g####.com/api.php?format=####&t=####&d=####&k=####
- vc.m####.com/v2/watch
- www.qchann####.cn/center/adj
- www.qchann####.cn/center/adj?appkey=####
- x.da.hun####.com/json/app/boot
- x.da.hun####.com/m/page
- x.da.hun####.com/video/player
- x.da.m####.com/m/page
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-613445811
- /data/data/####/-613446801
- /data/data/####/.imprint
- /data/data/####/04279eeaf6a5c8f6c2391aae469dae5c09b2f45aaa5d2ee....0.tmp
- /data/data/####/08baa24c7f7cde3a5378c7febbf1570d2d9233b17ec0865....0.tmp
- /data/data/####/09ddc5ce7d3b191a296f5c16a88486fcaaa89db17edca06....0.tmp
- /data/data/####/0b8f020982c5b4453c17f47c766a7531fd53894eb61b8b7....0.tmp
- /data/data/####/1703720991
- /data/data/####/18c2d647a83488e9e4f3990834de42ac
- /data/data/####/199f5b94a57064a5cc12270e3be6f85a3eb472bd8bffa73....0.tmp
- /data/data/####/1a656245e0cc240977c688bcc57b7b6008b4708b05dabde....0.tmp
- /data/data/####/1e75a00faf385d82d81649d949916d16
- /data/data/####/257306020
- /data/data/####/257306028
- /data/data/####/3204a75e1d2cde368d342b4dd855bb82135ab3a314fe9db....0.tmp
- /data/data/####/34e0dddc8c73b533c3615486a0f1887ec60ab84b4e8fe63....0.tmp
- /data/data/####/35f43374bedc18ad0db642a264ef50f201fc321f3485efd....0.tmp
- /data/data/####/3890046c5469b25b2c848bba360c32f5918940a823e302d....0.tmp
- /data/data/####/3e304289cd3b71103d37ee2fb132cfb0037512e71267254....0.tmp
- /data/data/####/45c37341ad30135f4c1c9885552250402ac0c52b4332d14....0.tmp
- /data/data/####/46c25fb1f30c077aaf755dbc0199cae172b4d2467fcb424....0.tmp
- /data/data/####/470472167f6877e8039d96c622b18ca8
- /data/data/####/4782192e789b7c2c973a32b2c74daf502cf7eb9975b5fc2....0.tmp
- /data/data/####/48b2ad31c5b0e70b8b6947545bdc24a41466739734e2e3f....0.tmp
- /data/data/####/4f7cf7af656f2846f78bb7c9ac1e13ceda7228ede682608....0.tmp
- /data/data/####/5ab5b13ac77af8bf8b26867dd58a07e2
- /data/data/####/5bb9df363337f880722ea8d1241e76a55c2301decacc671....0.tmp
- /data/data/####/614108960
- /data/data/####/6164488808ecdfe1bb669cf1488d6e4f
- /data/data/####/629aafead820731afba156ec5f5872e223a9ffc0cd0eb1a....0.tmp
- /data/data/####/655014ea0d3d9d148e8efa8d11b21b7b54aa4e6ef90d5da....0.tmp
- /data/data/####/698f1fdad0bc399140d78422315242fb3f3f312247e1c35....0.tmp
- /data/data/####/6d18d94f9baacc2504f8bcfe876d3d699f5a70606e8a65d....0.tmp
- /data/data/####/6e3493ef50cfeaf7003389b47bfc5b7fc39f753d63c0d6e....0.tmp
- /data/data/####/7175d38d9d300db04741c883130b690f0ffe1f23678b129....0.tmp
- /data/data/####/71d182a79ff8e50b2b2f26e1c5dc0476
- /data/data/####/723a1f6b785a35a4cb80c0f9f6846454e75316b718a6a48....0.tmp
- /data/data/####/74b7a6c4d03cbd878dd37a49babf735d5984f40cf499c34....0.tmp
- /data/data/####/83960bc60f89edcc1cc8838e57cc08c1854fcfe4872417a....0.tmp
- /data/data/####/8a3e69848fb858126300be11468503dfd3f3b16408801c4....0.tmp
- /data/data/####/8dd1d6f2d475bb0b7c370adfb80ec329a85473951a81a42....0.tmp
- /data/data/####/933978904
- /data/data/####/94788b87dee8f985b4ab1c94c36f74bf3167e6a2a8e60e7....0.tmp
- /data/data/####/980d71f09c64a786f84b866bc46afc484f828e0bb118024....0.tmp
- /data/data/####/9b2c8fdc9174e4f082163632d253e8155d2ef69ecdd6467....0.tmp
- /data/data/####/9b6f750c6adfe0320aedce1b0b66af459a90c93ade3988e....0.tmp
- /data/data/####/9c172334e56ba7b216bfd8af693c71a1d4778bed5490234....0.tmp
- /data/data/####/ImgoPad-journal
- /data/data/####/LOG_CACHE.xml
- /data/data/####/MGTVCommon.xml
- /data/data/####/MGTVCommon.xml.bak
- /data/data/####/MV3Plugin.ini
- /data/data/####/MV3Plugin_Default.ini
- /data/data/####/QT.xml
- /data/data/####/a62a110dec4e2f925671c20e7c9972cb32ebd5e19b0d6a1....0.tmp
- /data/data/####/aab5dd611e69eb39d6ee0c1eed4770862c2a0abbb545448....0.tmp
- /data/data/####/ad9ccece8a90775b389e69e2579dd03f
- /data/data/####/ae5a873c915c
- /data/data/####/arch.xml
- /data/data/####/b34c6e8e48c696813e4aa84a3958c3c50f82c60c6aa48bc....0.tmp
- /data/data/####/b48175466dd6efca0ac843c5c5709231
- /data/data/####/bcbc209056dc0b875a49d8870cc8ef480afca89ffcca739....0.tmp
- /data/data/####/c0ca0e6822d0c1080adc6851e607c203cb66b76c914b3f0....0.tmp
- /data/data/####/c378440b12cd0603c903740069aa1337cd65bdd30dcf407....0.tmp
- /data/data/####/c8d68832791847d393f02e98b50eca7fd15750f0ccb5858....0.tmp
- /data/data/####/cdea7431a5f27405192f7cf2c2ad04d68452e20384c800e....0.tmp
- /data/data/####/cn.com.mma.mobile.tracking.other.xml
- /data/data/####/d591d6d80012a95951b84df071c65b00ed9c2e5d0a09b97....0.tmp
- /data/data/####/d818f3e129e4f55f0e7efce9ce4659be
- /data/data/####/deb400f8245f815d1525bd0174b7110f7478dd8a9adff9e....0.tmp
- /data/data/####/df7cf54c712cf6592a0dd438e87d00cfd0cc37db67cb4d0....0.tmp
- /data/data/####/e223fdc712a0e4203ea9d57bf10adeefb3b56e2e68cc037....0.tmp
- /data/data/####/e7b5c74b248d2bb50688221386d599e6a0c3494e6bd775c....0.tmp
- /data/data/####/e835ecba96a69d8907966817681b19daa030a8f8aa56991....0.tmp
- /data/data/####/efbdf4d490afd1ce41ab4b9b7da8b4d3324d312c537460a....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/f0428ae492b75f1d0e54f896b4042a5ca2fb7549db2e30c....0.tmp
- /data/data/####/f50f0af8d882bc702527cc62ab922eb549072add6632550....0.tmp
- /data/data/####/fe91ac7dd7764fbf938acaaac978989246e47bea0ba01f5....0.tmp
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/gkt-journal
- /data/data/####/gx_sp.xml
- /data/data/####/hmt_agent_commonutill_com.airsky.tv.mobiletv.xml
- /data/data/####/hmt_agent_commonutill_device_id.xml
- /data/data/####/hmt_agent_online_setting_com.airsky.tv.mobiletv.xml
- /data/data/####/hmt_analytics
- /data/data/####/hmt_analytics-journal
- /data/data/####/hmt_init_savetime.xml
- /data/data/####/hmt_irsuid.xml
- /data/data/####/hmt_session_id.xml
- /data/data/####/hmt_session_id_savetime.xml
- /data/data/####/hmt_session_id_savetime.xml.bak
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/last_know_location.xml
- /data/data/####/libjiagu124132796.so
- /data/data/####/multidex.version.xml
- /data/data/####/openudid_prefs.xml
- /data/data/####/playinfo.db-journal
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/qtsession.xml
- /data/data/####/root.db-journal
- /data/data/####/run.pid
- /data/data/####/tdata_AXX896
- /data/data/####/tdata_AXX896.jar
- /data/data/####/tdata_BAI450
- /data/data/####/tdata_BAI450.jar
- /data/data/####/tdata_Fus136
- /data/data/####/tdata_Fus136.jar
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak
- /data/data/####/umeng_general_config.xml.bak (deleted)
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/media/####/.nomedia
- /data/media/####/00be610a805f1af51dda1d53b911c2d1
- /data/media/####/043abbb29de80113f8d4a795cddbc1fc
- /data/media/####/1_log.txt
- /data/media/####/8662cd4ca63cd2a0b84af7c4f61baa39
- /data/media/####/9e2c62fbd12c2ae5cb3557259ca0ceed
- /data/media/####/AN.csv-20190228085241
- /data/media/####/APITimeMark.txt
- /data/media/####/TruthInfo.csv-1551343963871
- /data/media/####/UA.csv-20190228085247
- /data/media/####/UnicomTrafficFree.log
- /data/media/####/apge.csv-20190228085310
- /data/media/####/app.db
- /data/media/####/caf2748161ec1214c6a06d55b448bccc
- /data/media/####/com.airsky.tv.mobiletv.bin
- /data/media/####/com.airsky.tv.mobiletv.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/d51144ea0156497cc69466745fba0cfa
- /data/media/####/gkt-journal
- /data/media/####/gktper
- /data/media/####/journal
- /data/media/####/journal.tmp
- /data/media/####/qt.csv.1551343958522.txt
- /data/media/####/tdata_AXX896
- /data/media/####/tdata_BAI450
- /data/media/####/tdata_Fus136
- /data/media/####/test.log
- /data/media/####/uuid
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/gdaemon_20161017 0 <Package>/com.hunantv.imgo.service.GetuiPushService 25216 300 0
- cat /proc/cpuinfo
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- mount
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/com.hunantv.imgo.service.GetuiPushService 25216 300 0
Загружает динамические библиотеки:
- CdnAuth
- ImgoFfmpeg
- ImgoHelp
- ImgoMediaPlayer_V3.0.3
- getuiext2
- libjiagu124132796
Использует следующие алгоритмы для шифрования данных:
- AES-CFB-NoPadding
- AES-ECB-PKCS5Padding
- DES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-PKCS5Padding
- DES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Получает информацию о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
