Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
- Adware.Waps.5.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) m.439####.com:80
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) up####.sdk.jig####.cn:80
- TCP(HTTP/1.1) s####.m.img####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) cdn.43####.com:80
- TCP(HTTP/1.1) who.wa####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) 111102e####.dns.wa####.com:80
- TCP(HTTP/1.1) p####.43####.com:80
- TCP(HTTP/1.1) cloud####.fengkon####.com:80
- TCP(HTTP/1.1) qin####.com.www.####.com:80
- TCP(HTTP/1.1) f1.img####.com:80
- TCP(HTTP/1.1) f####.fengkon####.com:80
- TCP(TLS/1.0) m####.439####.net:443
- TCP(TLS/1.0) t####.j####.cn:443
- TCP(TLS/1.0) 2####.58.211.110:443
- TCP(TLS/1.0) s####.j####.cn:443
- TCP pus####.43####.com:4800
- TCP 1####.248.241.134:7002
- TCP sdk.o####.t####.####.com:5224
- UDP s.j####.cn:19000
- TCP c####.g####.ig####.com:5225
- UDP easytom####.com:19000
Запросы DNS:
- 1111012####.dns.wa####.com
- 111102e####.dns.wa####.com
- 7j####.c####.z0.####.com
- a.img####.com
- ali-s####.j####.cn
- c####.g####.ig####.com
- c-h####.g####.com
- cdn.43####.com
- cloud####.fengkon####.com
- easytom####.com
- f####.fengkon####.com
- f1.img####.com
- l####.tbs.qq.com
- m####.439####.net
- m.439####.com
- mt####.go####.com
- p####.43####.com
- pub-####.qin####.com
- pus####.43####.com
- s####.j####.cn
- s####.m.img####.com
- s.j####.cn
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- sis.j####.io
- sj2.img####.com
- t####.j####.cn
- up####.sdk.jig####.cn
- who.wa####.com
Запросы HTTP GET:
- 111102e####.dns.wa####.com/result?key=####&form=####&
- cdn.43####.com//app/android/v4.2/game-top-mareacode-999998-n-20-p-1-star...
- cdn.43####.com//app/android/v4.4.3/gameDetail-mareacode-999998-id-135522...
- cdn.43####.com/android/box/player/v3.1.1/miniGame-entryConfig-mareacode-...
- cdn.43####.com/app/android/v3.0/config-dailySign-mareacode-999998.html
- cdn.43####.com/app/android/v3.1/software-cover-mareacode-999998-coverSiz...
- cdn.43####.com/app/android/v3.4/config-common-mareacode-999998.html
- cdn.43####.com/app/android/v3.4/config-common.html
- cdn.43####.com/app/android/v3.5/game-category-mareacode-999998-n-20-star...
- cdn.43####.com/app/android/v4.4/game-index-mareacode-999998.html
- cdn.43####.com/app/forums/android/v2.1/chat-faces-mareacode-999998.html
- cdn.43####.com/app/forums/android/v3.3/chat-faces-mareacode-999998.html
- f1.img####.com/2060197063/middle?153252####
- f1.img####.com/2124444003/middle
- f1.img####.com/2141019664/middle?147242####
- f1.img####.com/2176439744/middle?152617####
- f1.img####.com/2381617090/middle?155196####
- f1.img####.com/2594741599/middle?155195####
- f1.img####.com/2915119375/middle?155106####
- f1.img####.com/2932086098/middle
- f1.img####.com/downloader/tpl/game/template396.zip
- f1.img####.com/downloader/tpl/thread/template554.zip
- f1.img####.com/ma~109196_logo2_f9b9.jpg~124x124
- f1.img####.com/ma~114518_logo2_b400.jpg~124x124
- f1.img####.com/ma~128921_logo2_371e.jpg~124x124
- f1.img####.com/ma~132576_logo2_ab09.jpg~124x124
- f1.img####.com/ma~134807_logo2_2cae.jpg~124x124
- f1.img####.com/ma~135053_logo2_2c88.jpg~124x124
- f1.img####.com/ma~135221_logo2_dc6e.jpg~124x124
- f1.img####.com/ma~135522_logo2_12ce.jpg~124x124
- f1.img####.com/ma~167_20181023095451_5bce7f6bc9def.png
- f1.img####.com/ma~30_20180423163038_5add99aec4cca.png
- f1.img####.com/ma~89868_logo2_9fe4.jpg~124x124
- f1.img####.com/ma~wap_s2_1551955468
- f1.img####.com/sj~100848_logo_580db13432b8b.jpg~124x124
- f1.img####.com/sj~112582_logo_59b5ff4abc10c.jpg~124x124
- f1.img####.com/sj~116122_logo_5a28b6f06860d.jpg~124x124
- f1.img####.com/sj~117700_logo_5a585d5c2ff12.jpg~124x124
- f1.img####.com/sj~135522_screenshot_5c7e48473552d.jpg
- f1.img####.com/sj~135522_screenshot_5c7e4848726b4.jpg
- f1.img####.com/sj~135522_screenshot_5c7e4849bd18c.jpg
- f1.img####.com/sj~135522_screenshot_5c7e484b15e93.jpg
- f1.img####.com/sj~135522_screenshot_5c7e484caabf6.jpg
- f1.img####.com/sj~92007_logo_595debbc5414d.jpg~124x124
- f1.img####.com/sj~98615_logo_57b41723beaf8.jpg~124x124
- m.439####.com/openapi/aliapi-index.html
- p####.43####.com/cloud.php?act=####&rectime=####&appid=####&uid=####&fla...
- p####.43####.com/cloud.php?act=####&rectime=####&flag=####&data=####
- qin####.com.www.####.com/tdata_EDT369
- t####.c####.q####.####.com/tdata_Cta775
- t####.c####.q####.####.com/tdata_YYn966
- t####.c####.q####.####.com/tdata_lOE499
- t####.c####.q####.####.com/tdata_nmo636
- ti####.c####.l####.####.com/config/hz-hzv3.conf
- who.wa####.com/?key=####&form=####
Запросы HTTP HEAD:
- f1.img####.com/downloader/tpl/game/template396.zip
- f1.img####.com/downloader/tpl/thread/template554.zip
Запросы HTTP POST:
- c-h####.g####.com/api.php?format=####&t=####
- cloud####.fengkon####.com/v2/device/conf
- f####.fengkon####.com/v2/device/profile
- l####.tbs.qq.com/ajax?c=####&k=####
- s####.m.img####.com/trace/<Package>/1.0/360/.config?version=####
- s####.m.img####.com/trace/<Package>/1.0/360/1100gfRWiYsH5IVoxkCsk05ff
- sdk.o####.p####.####.com/api.php?format=####&t=####
- sdk.o####.p####.####.com/api.php?format=####&t=####&d=####&k=####
- up####.sdk.jig####.cn/v1/push/sdk/postlist
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/.policy
- /data/data/####/02b9f62eb0f9af790edbe2cd032dbe8d5f37a39e4a8b7c1....0.tmp
- /data/data/####/02bfc27ffb58b9a3796a629dbcb3ab08721b757150a1c08....0.tmp
- /data/data/####/044e71c2a9622c895fc29a7a4d41075dc041b00b1471bcb....0.tmp
- /data/data/####/0920e350967658c1fd50fb0beeffd7a7bb8a4600551a082....0.tmp
- /data/data/####/0c9d3ded-7997-439b-aeef-11f5c895d5d6
- /data/data/####/137d4cfa739abfde0cbb5481012bcc0b15386564b7b7612....0.tmp
- /data/data/####/17766443c6434098180b659e16d4978ecb51f3faf97b514....0.tmp
- /data/data/####/195e1b88c3a2d67e255713e8bdceccea70c25665d263406....0.tmp
- /data/data/####/25536f46d46bc65e8564c1880bcd3f8f7b1675ed19720fd....0.tmp
- /data/data/####/26fd4886c6170c4f691eae8b5687b12619b803bdf1ff661....0.tmp
- /data/data/####/31c9414b9b6907f87efe94d3541836a34c3be9378fc71dd....0.tmp
- /data/data/####/36a197371b4c7c407779ecbd89b0758dc4516378c6c1fbc....0.tmp
- /data/data/####/450680b29c5e7d9de425ac47f142d77daf593a78989b27b....0.tmp
- /data/data/####/47903a1d72430de2ea08fff6e9813ed4b87a94294056668....0.tmp
- /data/data/####/47aa0e111a43b55b55afd42cbda188da161f83c67a6aa70....0.tmp
- /data/data/####/4eed0f41120d629da14f5e3a84fc3accf7ba9dc7df1cfd4....0.tmp
- /data/data/####/4eed0f41120d629da14f5e3a84fc3accf7ba9dc7df1cfd4...5e39.0
- /data/data/####/50f6b66843b6753efa06d9316156591aa5af4dee9678bb5....0.tmp
- /data/data/####/52db5e3fc0c181ea7160c200238989f478ff63c71dee1c1....0.tmp
- /data/data/####/5e05f5ed903be32b0553cd04a96633653a2173ccc44f2db....0.tmp
- /data/data/####/5e3498a645913a43fdff82541ed496cddedf72e85676ef0....0.tmp
- /data/data/####/65ba45b6d904b43a814e892f96443b8d17719e241c79f6e....0.tmp
- /data/data/####/68bf9eb4bcd16f3f60e6b2eae5f519ec68be5fe92aa0fcc....0.tmp
- /data/data/####/6c1bf8cd6c61a4077025780544386897067130cb0386ff0....0.tmp
- /data/data/####/70d0272b2cedf2cee555ac11fa91100a9b51d714fe79fb8....0.tmp
- /data/data/####/7175d15d317731161acbcbf16d177e644a48375fabf44e8....0.tmp
- /data/data/####/72e821fb9ece296c04d90a4e22600b3490a0380763f2e2f....0.tmp
- /data/data/####/7857e947fd4112f4cb8998311c57382f97592b090e6d74f....0.tmp
- /data/data/####/9a2dd87ceb2ef694ba3126ddf0c0eee0602eb64a8a7f7aa....0.tmp
- /data/data/####/9ce12d7ddf3da9cb364055debc5024484a0d6fc1c0dc087....0.tmp
- /data/data/####/9fb31748-81ae-4e25-b1a0-6aa24cd57c9e
- /data/data/####/JPushSA_Config.xml
- /data/data/####/MultiDex.lock
- /data/data/####/MyAnalytics_VERSION_INFO.xml
- /data/data/####/MyAnalytics_device_id.xml
- /data/data/####/MyAnalytics_general_config.xml
- /data/data/####/MyAnalytics_send_config.xml
- /data/data/####/UserInfo.xml
- /data/data/####/a07ea608-7410-4e40-9bbf-8568a5d47559
- /data/data/####/a9e9ad05-1b5a-409c-8a81-3c43aa5e6bb2
- /data/data/####/appPackageNames_v2
- /data/data/####/asset-manifest.json
- /data/data/####/b29c10ca5609aec350e99313b1de5f19b555be9d60f0c50....0.tmp
- /data/data/####/bc125d54b40cbb566f09e3b0a5c427045fa514c7db8f080....0.tmp
- /data/data/####/bc4e0145-5ac1-4b13-88b9-005272cddc63
- /data/data/####/bd005fa02328ef85462a8b552822d28b8c1eef897ca25ad....0.tmp
- /data/data/####/c065d0281bbb00cb2c62d2da04773a574efe942991c9aec....0.tmp
- /data/data/####/c108c6ba5652717eb06fabf376426129212cd84f11f8f54....0.tmp
- /data/data/####/c2d3322b5814eaafc13208259d16474a4629ac43822e6de....0.tmp
- /data/data/####/c636bd541e8a75fc44a51a2aab0c66d35c517cc1462e6ca....0.tmp
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/ce5a72365fad12d5f86186a2bbc3f5b44e72c9159b7cff9....0.tmp
- /data/data/####/ceb17627f81924d9480178da87a9ab2e265d0d65e36afd0....0.tmp
- /data/data/####/cf8ed96e217db3a1bb2521c906bc15d83b3352be5533103....0.tmp
- /data/data/####/cloudms.conf.xml
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/com.m4399.gamecenter_preferences.xml
- /data/data/####/com.m4399.gamecenter_preferences.xml.bak
- /data/data/####/com.m4399.gamecenter_preferences.xml.bak (deleted)
- /data/data/####/com.shumei.xml
- /data/data/####/comment.zip
- /data/data/####/core_info
- /data/data/####/d4298a716a44caa24100215e2097ac2c311b1e611bb4919....0.tmp
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/download_upload
- /data/data/####/downloads.db-journal
- /data/data/####/e0e03e659c9aa656aba302e6e50c1d766a4f4f86d078c03....0.tmp
- /data/data/####/e532875de4c7dd28bc9c55908cd865f41cd9571bfcf2adb....0.tmp
- /data/data/####/e82adcdad213c5cc9874cf2289e649781be349de53b1484....0.tmp
- /data/data/####/e9d01bc0985ee515b3518e7eef84717259bf5e32002dcff....0.tmp
- /data/data/####/ee365c29f021de035358bfce1366b4198fab009d8182e9f....0.tmp
- /data/data/####/f413eef05a490b086812c47b58628364b9e18be6878faf7....0.tmp
- /data/data/####/f51d4c6c-c426-4712-962b-79e6896a640d
- /data/data/####/f613f43845ca510dced3fe88513c127bb4a0ad3ac7435d1....0.tmp
- /data/data/####/favicon.ico
- /data/data/####/framework.db-journal
- /data/data/####/gamecenter182.db-journal
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/gkt-journal
- /data/data/####/gx_sp.xml
- /data/data/####/index
- /data/data/####/index.html
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_stat_cache.json
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_statistics.db
- /data/data/####/jpush_statistics.db-journal
- /data/data/####/jpush_statistics.db-shm (deleted)
- /data/data/####/jpush_statistics.db-wal
- /data/data/####/libjiagu1858054988.so
- /data/data/####/loading_content0.png
- /data/data/####/loading_content1.png
- /data/data/####/loading_content2.png
- /data/data/####/loading_content3.png
- /data/data/####/m4399AppEmoji3.0.json
- /data/data/####/m4399BBSEmoji3.0.json
- /data/data/####/main.09a595df.css
- /data/data/####/main.1785be00.css
- /data/data/####/main.2a7c9643.js
- /data/data/####/main.3b4857ab.css
- /data/data/####/main.3f8382c8.js
- /data/data/####/main.4a10a7f2.js
- /data/data/####/main.598c208e.js
- /data/data/####/main.f9259969.css
- /data/data/####/manifest.json
- /data/data/####/mobclick_agent_cached_com.m4399.gamecenter1322
- /data/data/####/multidex.version.xml
- /data/data/####/placeholder.png
- /data/data/####/plugin.meta
- /data/data/####/plugin_init.log
- /data/data/####/pref.app.covers.new.1.pt
- /data/data/####/pref.headup.message.chat.unread.pt
- /data/data/####/push.jar
- /data/data/####/push.pid
- /data/data/####/push.zip
- /data/data/####/push_box_sdk_version.xml
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushk.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/seq.xml
- /data/data/####/service-worker.js
- /data/data/####/skin_main_plugin_pref.xml
- /data/data/####/statistics_agent_cached_com.m4399.gamecenter
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbs_pv_config
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tdata_Cta775
- /data/data/####/tdata_Cta775.jar
- /data/data/####/tdata_YYn966
- /data/data/####/tdata_YYn966.jar
- /data/data/####/tdata_lOE499
- /data/data/####/tdata_lOE499.jar
- /data/data/####/tdata_nmo636
- /data/data/####/tdata_nmo636.jar
- /data/data/####/template.zip
- /data/data/####/tracker.db-journal
- /data/data/####/type1
- /data/data/####/type2
- /data/data/####/umeng_general_config.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.disys
- /data/media/####/.nomedia
- /data/media/####/.push_deviceid
- /data/media/####/.test.txt
- /data/media/####/.thumbcache_idx0
- /data/media/####/.udid
- /data/media/####/5c760796-2cdb7.download
- /data/media/####/5c7e6a77-59b71.download
- /data/media/####/app.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.m4399.gamecenter.bin
- /data/media/####/com.m4399.gamecenter.db
- /data/media/####/com.m4399.gamecenter.sdklogin
- /data/media/####/gkt-journal
- /data/media/####/gktper
- /data/media/####/shumei.txt
- /data/media/####/t1v554.meta
- /data/media/####/t2v396.meta
- /data/media/####/tdata_Cta775
- /data/media/####/tdata_YYn966
- /data/media/####/tdata_lOE499
- /data/media/####/tdata_nmo636
- /data/media/####/test.log
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.service.GTPushService 24788 300 0
- cat /proc/self/cgroup
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- dmesg
- getprop
- getprop ro.product.cpu.abi
- grep -i blueStacks
- grep -i virtualbox
- logcat -c
- ls /system/bin
- ls /system/lib
- mount
- ps
- sh
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.service.GTPushService 24788 300 0
Загружает динамические библиотеки:
- getuiext2
- jcore123
- libjiagu1858054988
- m4399
- smsdk
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CFB-NoPadding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-NoPadding
- AES-ECB-PKCS5Padding
- DES-ECB-NoPadding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Получает информацию о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
