Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) im.miliyou####.vip:8080
- TCP(HTTP/1.1) api.miliyou####.vip:80
- TCP(HTTP/1.1) www.miliyou####.vip:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP sdk.o####.t####.####.com:5224
- TCP c####.g####.ig####.com:5227
Запросы DNS:
- 7j####.c####.z0.####.com
- a####.exc.mob.com
- and####.b####.qq.com
- api.miliyou####.vip
- c####.g####.ig####.com
- c-h####.g####.com
- im.miliyou####.vip
- l####.tbs.qq.com
- mil####.sclo####.com
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- ssl.gst####.com
- www.go####.com
- www.gst####.com
- www.miliyou####.vip
Запросы HTTP GET:
- api.miliyou####.vip/v2/config/announcement?accessToken=####&accessUid=####
- api.miliyou####.vip/v2/goods/category?accessToken=####&accessUid=####
- api.miliyou####.vip/v2/goods/lists?accessToken=####&accessUid=####&page=...
- api.miliyou####.vip/v2/goods/lists?accessToken=####&kill_id=####&accessU...
- api.miliyou####.vip/v2/index/banner?accessToken=####&accessUid=####
- api.miliyou####.vip/v2/index/like?accessToken=####&accessUid=####
- api.miliyou####.vip/v2/index/sec-kill-v2?accessToken=####&accessUid=####
- api.miliyou####.vip/v2/index/topic?accessToken=####&accessUid=####
- api.miliyou####.vip/v3/system/get-beginning-ad
- im.miliyou####.vip:8080/
- t####.c####.q####.####.com/tdata_asl709
- ti####.c####.l####.####.com/banner/2019/01/5c2c622d8a3f8.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/02/5c6058d693b22.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/03/5c7c826c0450b.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/03/5c7c8275e7910.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/03/5c7c8280637a1.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/03/5c7c828950b82.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/03/5c7c82920b133.png?imageVi####
- ti####.c####.l####.####.com/config/hz-hzv3.conf
- ti####.c####.l####.####.com/goods-topic/imgs/5c2c13f993742.png
- ti####.c####.l####.####.com/goods-topic/imgs/5c2c1403ad77b.png
- ti####.c####.l####.####.com/goods-topic/logo/5b78d552dfd81.png
- ti####.c####.l####.####.com/goods-topic/logo/5b78d6185e719.png
- ti####.c####.l####.####.com/goods-topic/logo/5b78d8180b2c0.png
- ti####.c####.l####.####.com/goods-topic/logo/5c0bf28a0f4b8.png
- ti####.c####.l####.####.com/goods-topic/logo/5c11d4eb3d71e.png
- ti####.c####.l####.####.com/goods-topic/logo/5c11d51c64bc2.png
- ti####.c####.l####.####.com/goods/thumb/2018/07/5b3c35a034c26.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c78ca995eafd.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7ba2ad82700.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7ba421748a2.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bbfaf31a35.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bc7f1ddb7f.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bca1fd4ea9.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bcd27a2195.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bce1688b45.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bcea1de88b.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bcf990809d.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bd3d0146db.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bd6ead5537.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bdbd482eee.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7bdea74e817.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7cbaf46e83f.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7cc024a5d4b.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7ccc6f87e10.png
- www.miliyou####.vip/img/mark.png
- www.miliyou####.vip/img/ranking.png
- www.miliyou####.vip/img/team-buying.png
Запросы HTTP POST:
- a####.exc.mob.com/errconf
- and####.b####.qq.com/rqd/async
- and####.b####.qq.com/rqd/async?aid=####
- c-h####.g####.com/api.php?format=####&t=####
- l####.tbs.qq.com/ajax?c=####&k=####
- sdk.o####.p####.####.com/api.php?format=####&t=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.duid
- /data/data/####/.lock
- /data/data/####/.vpl_lock
- /data/data/####/01563ed7c04f8ea68eb7313bb1a99e252e943f8f9d944e9....0.tmp
- /data/data/####/047e07880e70e91a163ed17155f81297.0.tmp
- /data/data/####/047e07880e70e91a163ed17155f81297.1.tmp
- /data/data/####/0ab8ec572f305ac16fa94f0065ba60d51d049e99b439d37....0.tmp
- /data/data/####/0da2cee935f6a8784aaceb7907ceceb824320da664aaeb9....0.tmp
- /data/data/####/0dd239178d843c1576cacb9d2655bb23.0.tmp
- /data/data/####/0dd239178d843c1576cacb9d2655bb23.1.tmp
- /data/data/####/0ecfa4e59dd087b4c7e346a8ff46db14f6126ffd4bc7f08....0.tmp
- /data/data/####/0ecfa4e59dd087b4c7e346a8ff46db14f6126ffd4bc7f08...1f4b.0
- /data/data/####/1002
- /data/data/####/1004
- /data/data/####/11970765da26a12639d031739df9e21b137b6447016c7cd....0.tmp
- /data/data/####/158d006463062c41d212d8215521bbfb3d7baef5e5e3e3f....0.tmp
- /data/data/####/22922c3851f002c80f34a542d0899b5afdc0998a3c5db51....0.tmp
- /data/data/####/22a878332ff37cdc7218ccaecca898767a8bd58dd655cab....0.tmp
- /data/data/####/256825f0904839c3f16ef8c168657fc80468c65c7c7744f....0.tmp
- /data/data/####/25cad2f2021bd74e7941bd23462b77302a3a8dc96ab6452....0.tmp
- /data/data/####/34929512b190f82fc089efcb73adf8e7.0.tmp
- /data/data/####/34929512b190f82fc089efcb73adf8e7.1.tmp
- /data/data/####/35501401cffe10a2081bc425fb56fd293d423c2f71cf8c0....0.tmp
- /data/data/####/4449f5a9b57c704a2ed30173d788f3eeba8541d18ab64a6....0.tmp
- /data/data/####/4b4e5ddb2f5bc38b4d06ed9888a800db.0.tmp
- /data/data/####/4b4e5ddb2f5bc38b4d06ed9888a800db.1.tmp
- /data/data/####/532c2886345bbcaea3f0906ba25f99f1d3c93b98d9869e6....0.tmp
- /data/data/####/532c2886345bbcaea3f0906ba25f99f1d3c93b98d9869e6...806c.0
- /data/data/####/547864d797d4c67d728a4c9b5a709f49b2f5b8bb36d20e2....0.tmp
- /data/data/####/5a7982a3dbd7e0b3bae7a86c5b9b21ff9f88905268ad097....0.tmp
- /data/data/####/64812c270274f66be8ae133414a5354c34eca89cfe772a9....0.tmp
- /data/data/####/66d6edff8357194a5b4c0aeec9ef68ef2e3a92c8e5193c3....0.tmp
- /data/data/####/68f68a62e8124acb2e666232f33c3ff8cbd13d1a644bcf8....0.tmp
- /data/data/####/70a742cc6d17116a462fb62bcde4ff2659c4250de857ee9....0.tmp
- /data/data/####/7691f3cc12f4c5d914be61c6dd033bfd285df51b8fb5f8b....0.tmp
- /data/data/####/7a5aff3f7f4fc248e378d330c8a99b901dd6c18475dfcdf....0.tmp
- /data/data/####/7beeeeb4042af038c2789cbdfa8f3f288f16b8a0fa31076....0.tmp
- /data/data/####/82b528da22e2b1cb682bcb03d227ee25.0.tmp
- /data/data/####/82b528da22e2b1cb682bcb03d227ee25.1.tmp
- /data/data/####/8c6c5a4381724b5262f265ddd1c8dc7967ff5ce146729f9....0.tmp
- /data/data/####/8d170660ae2f00a413201dc4fbf4ce04bff74bceba84043....0.tmp
- /data/data/####/8fa8dba68a9954828b312b348e205520.0.tmp
- /data/data/####/8fa8dba68a9954828b312b348e205520.1.tmp
- /data/data/####/917ddc507b64650cf819d3f4ee39483b210f6716f84556c....0.tmp
- /data/data/####/BUGLY_COMMON_VALUES.xml
- /data/data/####/Hawk
- /data/data/####/Hawk-journal
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/MultiDex.lock
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/a1b60f061d19a85a9184a4e1de0e930aab04990e1652ef7....0.tmp
- /data/data/####/a9da3e7a07985800a11cb93630c2c5a2a756af0c02354aa....0.tmp
- /data/data/####/ae781ed7bfdf211346fcd722383514510f078543218b0b8....0.tmp
- /data/data/####/b2e1d650c688eb12d8e65785221d3b4afaa6e673a25df1e....0.tmp
- /data/data/####/b9f9e065964eaf4896545dda8e686f4afcc38f7ace81309....0.tmp
- /data/data/####/bcf16fa70eebaef2a4faf469348ff210937af3c6b72dbf1....0.tmp
- /data/data/####/bugly_db_-journal
- /data/data/####/bugly_db_legu-journal
- /data/data/####/c61f86f109084af2ba6274b2cd0b324f16941ba75990a1b....0.tmp
- /data/data/####/c73ebde5bebcc6c94a66697f81787fc5d98a84a336a7b3c....0.tmp
- /data/data/####/c96db336954e345b32778b28d933703f86e2bc86540d33d....0.tmp
- /data/data/####/c9d8663f47beb9d9bcd599f8d0f6b592.0.tmp
- /data/data/####/c9d8663f47beb9d9bcd599f8d0f6b592.1.tmp
- /data/data/####/cb1cfeb2402a16124e3350cf895170834bf23cdbe0f7b51....0.tmp
- /data/data/####/cb1d45ef1a846def07ee7a13a0d677222f63e6528f5041d....0.tmp
- /data/data/####/com.sclonsee.miliyoutuan.BETA_VALUES.xml
- /data/data/####/core_info
- /data/data/####/crashrecord.xml
- /data/data/####/d0ab64fd86e1f031f3e05a14938d5c341716ef389d59f5c....0.tmp
- /data/data/####/d78ecf995710cb72b023370d40a684137f55ac806d88bd4....0.tmp
- /data/data/####/dc16c4774328b9f903db876b6a9419481fdf66b22afbabe....0.tmp
- /data/data/####/domain_1
- /data/data/####/e7c27bfb0c3d9a214bd729f68fe3e43d.0.tmp
- /data/data/####/e7c27bfb0c3d9a214bd729f68fe3e43d.1.tmp
- /data/data/####/f056016961ef91ba3111954faab41879.0.tmp
- /data/data/####/f056016961ef91ba3111954faab41879.1.tmp
- /data/data/####/f554176693578dc9c6f95daa01d4766ecdfeed72c874019....0.tmp
- /data/data/####/f8baea78b60bd271391ef520418bc91bca9eed1e83e2730....0.tmp
- /data/data/####/fa6d4786c292238add98c6cd43b28718d99611b17325f49....0.tmp
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/history.db-journal
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/khistory.db
- /data/data/####/khistory.db-journal
- /data/data/####/libnfix.so
- /data/data/####/libshella-2.9.1.2.so
- /data/data/####/libufix.so
- /data/data/####/local_crash_lock
- /data/data/####/mix.dex
- /data/data/####/mob_commons_1
- /data/data/####/mob_sdk_exception_1
- /data/data/####/multidex.version.xml
- /data/data/####/native_record_lock
- /data/data/####/okgo.db-journal
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/security_info
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tdata_asl709
- /data/data/####/tdata_asl709.jar
- /data/media/####/.artc_lock
- /data/media/####/.di
- /data/media/####/.dic_lock
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.im_lock
- /data/media/####/.lesd_lock
- /data/media/####/.mn_-1464060969
- /data/media/####/.nomedia
- /data/media/####/.pkg_lock
- /data/media/####/.pkgs_lock
- /data/media/####/.rc_lock
- /data/media/####/.slw
- /data/media/####/.ss_lock
- /data/media/####/app.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.sclonsee.miliyoutuan.bin
- /data/media/####/com.sclonsee.miliyoutuan.db
- /data/media/####/tdata_asl709
- /data/media/####/test.log
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.service.GrayService 25487 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.9.1.2.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.product.cpu.abi
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
Загружает динамические библиотеки:
- Bugly
- getuiext2
- libnfix
- libshella-2.9.1.2
- libufix
- nfix
- ufix
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
- AES-ECB-NoPadding
- AES-GCM-NoPadding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
