Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.DownLoader.859.origin
Осуществляет доступ к приватному интерфейсу ITelephony.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) c3.res.m####.####.com:80
- TCP(HTTP/1.1) src.r####.com.####.com:80
- TCP(HTTP/1.1) api-t####.m####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) 2####.195.1.254:8080
- TCP(HTTP/1.1) p####.q####.cn.####.net:80
- TCP(HTTP/1.1) p####.tc.qq.com:80
- TCP(HTTP/1.1) s####.e.qq.com:80
- TCP(HTTP/1.1) c5.res.m####.com:80
- TCP(HTTP/1.1) sdk.c####.com:80
- TCP(HTTP/1.1) v.g####.qq.com:80
- TCP(HTTP/1.1) mi.g####.qq.com:80
- TCP(HTTP/1.1) c6.res.m####.####.com:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(TLS/1.0) 2####.58.212.142:443
- TCP(TLS/1.0) p####.q####.cn.####.net:443
- UDP s.j####.cn:19000
- TCP 1####.121.49.109:7004
Запросы DNS:
- a####.u####.com
- api-t####.m####.com
- c3.res.m####.com
- c5.res.m####.com
- c6.res.m####.com
- imgc####.qq.com
- mi.g####.qq.com
- p####.q####.cn
- p####.ugd####.com
- p4sfu####.bkt.clo####.com
- qp.yunanfu####.com
- qzones####.g####.cn
- s####.e.qq.com
- s.j####.cn
- sdk.c####.com
- src.r####.com
- v.g####.qq.com
Запросы HTTP GET:
- api-t####.m####.com/wallpapers/public/collection/detail/55?os=####&mzos=...
- api-t####.m####.com/wallpapers/public/collection/detail/56?os=####&mzos=...
- c3.res.m####.####.com/fileserver/lockpaper/86/00d3b05d195c4ae4ac06b245c2...
- c3.res.m####.####.com/fileserver/lockpaper/86/023df4c3e8f2433ea16233989a...
- c3.res.m####.####.com/fileserver/lockpaper/86/076d1687f4804c65b43f2101c2...
- c3.res.m####.####.com/fileserver/lockpaper/86/218d6dd424b64cde8b030d871f...
- c3.res.m####.####.com/fileserver/lockpaper/86/264c1088765648f090ca60e2fd...
- c3.res.m####.####.com/fileserver/lockpaper/86/2b0e161c9b1e4607a37fff84c6...
- c3.res.m####.####.com/fileserver/lockpaper/86/6caca6dfa0e04152875a6b60c6...
- c3.res.m####.####.com/fileserver/lockpaper/86/7bed179f66714906a7392d99fc...
- c3.res.m####.####.com/fileserver/lockpaper/86/b79a8161f2e24a8ea65d21e391...
- c3.res.m####.####.com/fileserver/lockpaper/86/cbefc40001174d0e85858071ee...
- c3.res.m####.####.com/fileserver/lockpaper/86/cd40a2e8a83c41d39b88a5f9f8...
- c3.res.m####.####.com/fileserver/lockpaper/86/fe54234a328442c7b46bdc40fa...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/0d0a1177da984...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/9119ec1a6d264...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/9a5447851b524...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/9c474447867e4...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/ad48a09ec8a84...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/ad96f000091e4...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/aeb328a7358b4...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/b8b68eadfafb4...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/d0a28a13c6194...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/fbfeb7de5ebf4...
- c3.res.m####.####.com/fileserver/operation/category/icon/1/fec0d090c8534...
- c3.res.m####.####.com/fileserver/wallpaper/214/4094bf25302b4bb1a16c9c7f0...
- c3.res.m####.####.com/fileserver/wallpaper/214/7440319609c74e74b561f1641...
- c3.res.m####.####.com/fileserver/wallpaper/215/c5556029a78c4739a21d29515...
- c3.res.m####.####.com/fileserver/wallpaper/216/9f67d2a297924db2871ccdd74...
- c3.res.m####.####.com/fileserver/wallpaper/217/1496c646cbfe44e3a3fd17e44...
- c3.res.m####.####.com/fileserver/wallpaper/222/1fc9fecc713b43bc8e21d799d...
- c3.res.m####.####.com/fileserver/wallpaper/260/04ceaab4704a43cdb8251e90f...
- c3.res.m####.####.com/fileserver/wallpaper/260/d023f4cadfee421dbe94bd0b8...
- c3.res.m####.####.com/fileserver/wallpaper/284/a13cf52cc08e48469193c5554...
- c3.res.m####.####.com/fileserver/wallpaper/330/190508182c9c4afdbcccb0a7e...
- c3.res.m####.####.com/fileserver/wallpaper/485/d1440b3e91734b08be22c8205...
- c5.res.m####.com/fileserver/lockpaper/86/8d68d6c2dded4ab8a60c0d7eeb72766...
- c5.res.m####.com/fileserver/operation/category/icon/1/5b01ce4116204192af...
- c5.res.m####.com/fileserver/operation/category/icon/1/f0a228e522734f0085...
- c5.res.m####.com/fileserver/wallpaper/497/907f134d4cb84701adeaaa7504d5b6...
- c6.res.m####.####.com/fileserver/lockpaper/86/a5b7627d9d4f46328e85de44e4...
- c6.res.m####.####.com/fileserver/lockpaper/86/a65b87a7e0db43b1a3d0622809...
- c6.res.m####.####.com/fileserver/operation/category/icon/1/297d370fa0cd4...
- c6.res.m####.####.com/fileserver/operation/category/icon/1/c4bfefec95e64...
- c6.res.m####.####.com/fileserver/wallpaper/147/cc222747d4994bb88f3feb809...
- c6.res.m####.####.com/fileserver/wallpaper/264/89ed49b55f8d42fba85f04a71...
- c6.res.m####.####.com/fileserver/wallpaper/515/93bebfa334aa48f0992ba0b3d...
- mi.g####.qq.com/gdt_mview.fcg?posw=####&posh=####&count=####&r=####&data...
- p####.q####.cn.####.net/qqvideo_ori/0/a0555rdykjy_496_280/0
- p####.q####.cn.####.net/qqvideo_ori/0/c0022undq9q_496_280/0
- p####.q####.cn.####.net/qqvideo_ori/0/l0021g43dmq_496_280/0
- p####.q####.cn.####.net/qqvideo_ori/0/p0397sfygv6_496_280/0
- p####.q####.cn.####.net/qqvideo_ori/0/q0526pfzoqk_496_280/0
- p####.q####.cn.####.net/qqvideo_ori/0/x0559vjml2i_496_280/0
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/banner.appcache
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/banner.html
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/ad_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/banner_close_b...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/bannerbg02.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/bannerbg03.jpg
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/bannerbg07.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/close02.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/close03.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/download_icon....
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/download_icon_...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/gdt_logo_black...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/icon-ad.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/sdk_bg.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/tc-gdt-sdk-ope...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/tsa_ad_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/tsa_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/js-release/20170821/b...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/js/lib/require.js
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android02/images/tsa_ad_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mod/android/AndroidAllInOne/proguard/his/r...
- s####.tc.qq.com/gdt/0/DAAkTUXABIABIAAGBcbg03Co0-HrHC.jpg/0?ck=####
- s####.tc.qq.com/gdt/0/transformer_17176376324627418588_1551868690_80.jpg...
- src.r####.com.####.com/kubo/
- src.r####.com.####.com/kubo/dex/luomi10.249.dex
- src.r####.com.####.com/kubo/hongbao/hb6/chaishenye_1.png
- src.r####.com.####.com/kubo/hongbao/hb6/chaishenye_2.png
- src.r####.com.####.com/kubo/hongbao/hb7/hongbao1.png
- src.r####.com.####.com/kubo/hongbao/hb7/hongbao2.png
- src.r####.com.####.com/kubo/hongbao/hb8/hongbao1.png
- src.r####.com.####.com/kubo/hongbao/hb8/hongbao2.png
- src.r####.com.####.com/kubo/hongbao/hb8/hongbao3.png
- src.r####.com.####.com/kubo/hongbao/hb8/hongbao4.png
- v.g####.qq.com/gdt_stats.fcg?viewid=####&i=####&os=####&xp=####&gap=####
Запросы HTTP POST:
- a####.u####.com/app_logs
- s####.e.qq.com/activate
- s####.e.qq.com/msg
- sdk.c####.com/versiontapi.php?v=####&type=####
- v.g####.qq.com/gdt_stats.fcg
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/01a60dc232615c4037edd18039ff05ddb05e1cebc3c1184....0.tmp
- /data/data/####/036bc555dd05699e87e7b403cdb664331970100430c47a8....0.tmp
- /data/data/####/044d353f7f4db3de87736970034003b586fb38a281b4822....0.tmp
- /data/data/####/09677f648f36ec311109aecae13edd77e6a279157964e04....0.tmp
- /data/data/####/0f10d6befc47f5a1f273847a87ed6b92d8c7f845047db8e....0.tmp
- /data/data/####/14372be977472e1f81901a9b5b3e674b524c478399582e0....0.tmp
- /data/data/####/195ac1539aaf249d8f5860d11c2ef96e508d314a50b28a6....0.tmp
- /data/data/####/1e7c9bf144c25e59e08cb0794e924984402b1ea8ddddee5....0.tmp
- /data/data/####/204212f7f729d7c1b87b9a0f233c702c8b8b7eb954bbded....0.tmp
- /data/data/####/25096b563e5ded6e1322d79b20ee3e7ad14efac96be1b6f....0.tmp
- /data/data/####/27971daa016dc86c0cb0528a62d20e7eec597557659f8bd....0.tmp
- /data/data/####/2ba1b3224d843ced59efe50881693e7b65055e33de5b430....0.tmp
- /data/data/####/2bd81ddddfad515132782933f49da7e50cdaa9880559ec0....0.tmp
- /data/data/####/30b0c020efbbc1ee91bb9dc456439ba856924664968aba3....0.tmp
- /data/data/####/31993114063159c289fee5298d3a0a613ef408b8119a6ac....0.tmp
- /data/data/####/322c6d2f50325b0bf0065aeede1d90d5b5fff20d2cdf22f....0.tmp
- /data/data/####/35a4d7df3b2d70b0b9d5e3d0155bc774a36d677c07b5749....0.tmp
- /data/data/####/38dcb458a73b9756fed1f836eb75b7fbe033742ff5254fb....0.tmp
- /data/data/####/3a9046ff3a99bf684d263b5f14261e616a455ab9c7cfbf1....0.tmp
- /data/data/####/3c6f70017adb0fc3a881e66216598d8285eb774a9504bc5....0.tmp
- /data/data/####/3ec57afbc4071460239e5703a3be8d4cc0eadc0017ebb82....0.tmp
- /data/data/####/44d0dcb88a9000f33c696813bb5a4019ae23f01692ee7bb....0.tmp
- /data/data/####/473b3a09e6fc097208f7b4c740a453b7ccfca47ebec08e8....0.tmp
- /data/data/####/484640c31c8ac2690a653cba4e5913f1442a4a5c90e12cd....0.tmp
- /data/data/####/4a0413bd236ed0f18a870a4588fc68ac6aaa72694dfcd33....0.tmp
- /data/data/####/52830ee31d3736d06faf6a2faf1280b6956abbf8d127b88....0.tmp
- /data/data/####/593845e31cd5c6da3c5a86cad7597d4159c44453323a46b....0.tmp
- /data/data/####/59fc8e1d3c8f48c8ac259118eb6411c7fde8f93bccc7086....0.tmp
- /data/data/####/5dd7daaf18f8e21851828a0a559eb6641e23a282ec06877....0.tmp
- /data/data/####/5ead7c1916e321af3ee0d7d6aa595238.temp
- /data/data/####/60378ae024e135170435a43b16f6d80bdd0dd2407ead8a1....0.tmp
- /data/data/####/61457f104eb9c010975dd8883366111a415f39b13a168db....0.tmp
- /data/data/####/649eba800f8cfd30e2da173ec8e7d0041cc84df281d4930....0.tmp
- /data/data/####/67d3a98ae03d294176dfa65a03637cd14aa38d30e69bfc0....0.tmp
- /data/data/####/68312c1ecb2fcbd64b22602ff2cedfa0b928db7af30858b....0.tmp
- /data/data/####/6de167137c88942bc1e553dc99b09e02cbdf150b3fb7937....0.tmp
- /data/data/####/6e5f6af66c5be68df40fd2d046a0588520e285da84e55da....0.tmp
- /data/data/####/6e756a2ce62d19b058b72e1ae8201cf25e734474e2a3b12....0.tmp
- /data/data/####/72e46cf0c1a17d95037a47127b52f258e1dc784c0edf8da....0.tmp
- /data/data/####/7ab78a2deaeef1d2300128c1764ab8c4a6da61952452ed5....0.tmp
- /data/data/####/7ebea722e93d14d547f6f9faa1c7f4ee97179c6081eb1e1....0.tmp
- /data/data/####/825e1dbd5e426eeeb76e45aaaa1897ffa7bd8c459b74ede....0.tmp
- /data/data/####/83624088c2c2b25f44b911eec93c9638.temp
- /data/data/####/867498df74d21418d99142b932d1cabdb30ebb6e65b7a61....0.tmp
- /data/data/####/8817506868b20df0448b3bda845c7bc28a194346a9221a8....0.tmp
- /data/data/####/883e3905fbf3ad89a1e0484a795ecffa69c97d5b476b3b0....0.tmp
- /data/data/####/8a9bd20d45b107c67eaca338ec1613b3ca8ab856193fc03....0.tmp
- /data/data/####/9a94aa0e12cada1ff7d581d4701db38f5ed37b85a5ad2f9....0.tmp
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/BuglySdkInfos.xml
- /data/data/####/DownloadTaskStore.db-journal
- /data/data/####/GDTSDK.db
- /data/data/####/GDTSDK.db-journal
- /data/data/####/a339a872810286a497a875a67c43d0383380e728fea178f....0.tmp
- /data/data/####/a3be7e1fe891a6711972ba072ca2ed0021e1f4d1ec047cb....0.tmp
- /data/data/####/b0781909eba05c496d0dd6d75e64afbbb1c13f854fd3494....0.tmp
- /data/data/####/c3512f1a5db046ca198c8fb3ddef60034168c143dfd9a68....0.tmp
- /data/data/####/c58f000307141dc00b839eb3992f8ec01601d3bec16046e....0.tmp
- /data/data/####/c6b9c9c9c70377de7617289e6e9568097a457d400a4bcef....0.tmp
- /data/data/####/c860d6ff862a52168f1bdbf4dd17dcb06242b933897f615....0.tmp
- /data/data/####/cb3d9859e4fdcd61a4c86321d7f48062495fbd195dfebb9....0.tmp
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/cn.jpush.preferences.v2.xml.bak
- /data/data/####/d06c1d0e5a8ec902f01d405ffcd2fb94d0c1f1c06981fb1....0.tmp
- /data/data/####/d70539e30810f9fd7bda53afd5bc54dadb99bad9d0e5fba....0.tmp
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/devCloudSetting.cfg
- /data/data/####/devCloudSetting.sig
- /data/data/####/dianrui_cache.xml
- /data/data/####/e4975ed7d51e58080df812f0ed782ba02c1a6f188d2e82c....0.tmp
- /data/data/####/e57c3ef6132368e0df599fb9267ecdd8a5ddc690b203fa5....0.tmp
- /data/data/####/ed3cf2332f890425a7b5af274a20b3497fe4038edac2394....0.tmp
- /data/data/####/ed83994d4d32e2835843b7bfad9be03b8f0a1c12b00dccb....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f37ab773e1b099478160506b009baf4ba949d42607e6c65....0.tmp
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/fa0e962e1beb5cf3e4b4ebef251f5e733c9988183508190....0.tmp
- /data/data/####/gdt_plugin.jar
- /data/data/####/gdt_plugin.jar.sig
- /data/data/####/gdt_plugin.tmp
- /data/data/####/gdt_plugin.tmp.sig
- /data/data/####/gdt_suid
- /data/data/####/index
- /data/data/####/jg_so_upgrade_setting.xml
- /data/data/####/journal.tmp
- /data/data/####/libjiagu.so
- /data/data/####/luomi261.dex
- /data/data/####/luomi_cache.xml
- /data/data/####/luomi_dex_ok_ok.dex
- /data/data/####/sdkCloudSetting.cfg
- /data/data/####/sdkCloudSetting.sig
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/update_lc
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.push_deviceid
- /data/media/####/chaishenye_1.png
- /data/media/####/chaishenye_2.png
- /data/media/####/hongbao1.png
- /data/media/####/hongbao2.png
- /data/media/####/hongbao3.png
- /data/media/####/hongbao4.png
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- jpush220
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-PKCS7Padding
- RSA-ECB-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
