Техническая информация
Вредоносные функции:
Осуществляет доступ к приватному интерфейсу ITelephony.
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) w####.sosta####.com:80
- TCP(HTTP/1.1) api.s####.mob.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) 1####.114.206.188:8888
- TCP(HTTP/1.1) yun.lveha####.com:80
- TCP(HTTP/1.1) yun.pop####.cn.####.com:80
- TCP(HTTP/1.1) en####.pop####.com:80
- TCP(TLS/1.0) 1####.217.17.78:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) d####.iap####.com:443
- TCP(TLS/1.0) c.c####.com:443
Запросы DNS:
- a####.exc.mob.com
- a####.u####.com
- api.s####.mob.com
- c.c####.com
- co####.wow####.com
- d####.iap####.com
- en####.pop####.com
- m.d####.mob.com
- s13.c####.com
- s4.c####.com
- w####.sosta####.com
- wow####.com
- yun.lveha####.com
- yun.pop####.com
- z11.c####.com
- z7.c####.com
Запросы HTTP GET:
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/z_stat.php?id=####
- en####.pop####.com/api/v1/activity/get4web?request_id=####&app_key=####&...
- en####.pop####.com/api/v1/activity/spm4web?slotId=4290&app_key=461zSXG6e...
- w####.sosta####.com/?s=####
- w####.sosta####.com/admin/upload/app/EUDABKeC5wIw8qDL5pCgT6FGDLLprCSS5yk...
- w####.sosta####.com/admin/upload/app/GSXmtGAv2EokWxV38stfKazzug0Vm5F2lKv...
- w####.sosta####.com/admin/upload/app/IwuXQArKbDGvdZcdWEzmFZs5Q5oJjoyknLI...
- w####.sosta####.com/admin/upload/app/Jw6pr0VN22UlBXQAYjAVxWcJYqvv4kQXuPR...
- w####.sosta####.com/admin/upload/app/VxdPnB1C18qmjjjA0dlPK70NseiyoQDmt6p...
- w####.sosta####.com/admin/upload/app/a7dBqeNVuNRyUyfpDHoQgKwJtnL01O6aVZ0...
- w####.sosta####.com/admin/upload/app/eJuCZZICgiqZRAYpwaTTrmAlsbLgXjn3BwY...
- w####.sosta####.com/admin/upload/app/i1o8zWZGdvQSsT4kUpcaQBcgv4Al8PklzMy...
- w####.sosta####.com/admin/upload/app/iMCIGLm1FCIJ83n1lkDXwjbN4UXYqi8u0bp...
- w####.sosta####.com/admin/upload/app/j3NiR6pKHtlmWUpZEfgJ9uuOBN0oTtmf16Z...
- w####.sosta####.com/admin/upload/app/oU8MAf906WeWESCNCuIEOb1lM1mglxSxSER...
- w####.sosta####.com/admin/upload/app/s8ziJ7u55B3tTzFVjEfzx3gQxO7IShlSVPG...
- w####.sosta####.com/admin/upload/app/tqsvh1OeY5ANMwTXg5r6Ut52apPKDLKbsNB...
- w####.sosta####.com/admin/upload/hpic/head_16.webp
- w####.sosta####.com/admin/upload/hpic/head_68.webp
- w####.sosta####.com/admin/upload/image/20170927/1506517319915.webp
- w####.sosta####.com/admin/upload/image/20170927/1506521377085.webp
- w####.sosta####.com/admin/upload/image/20171105/1509884837675.webp
- w####.sosta####.com/admin/upload/image/20171222/1513926226332.webp
- w####.sosta####.com/admin/upload/image/20171222/1513926524102.webp
- w####.sosta####.com/admin/upload/image/20171222/1513926891043.webp
- w####.sosta####.com/admin/upload/image/20171222/1513927285898.webp
- w####.sosta####.com/admin/upload/image/20171222/1513927617783.webp
- w####.sosta####.com/admin/upload/image/20171225/1514171810794.webp
- w####.sosta####.com/admin/upload/image/20171225/1514171835838.webp
- w####.sosta####.com/admin/upload/image/20171225/1514171855445.webp
- w####.sosta####.com/admin/upload/image/20171225/1514171877523.webp
- w####.sosta####.com/admin/upload/image/20171225/1514171896260.webp
- w####.sosta####.com/admin/upload/video/1506224375975.webm
- w####.sosta####.com/appserver/classes/Ad?where=####&limit=####&order=###...
- w####.sosta####.com/appserver/classes/Album?where=####&limit=####&skip=#...
- w####.sosta####.com/appserver/classes/Comment?limit=####&where=####&skip...
- w####.sosta####.com/appserver/classes/Feed?limit=####&where=####&skip=##...
- w####.sosta####.com/appserver/classes/Photo?where=####&limit=####&order=...
- w####.sosta####.com/appserver/classes/Version?where=####&limit=####
- w####.sosta####.com/css/arrow.css?v=####
- w####.sosta####.com/css/down.css?v=####
- w####.sosta####.com/css/list.css?v=####
- w####.sosta####.com/imgs/arrow_01.png
- w####.sosta####.com/imgs/arrow_04.png
- w####.sosta####.com/imgs/arrow_05.png
- w####.sosta####.com/imgs/favicon.png
- w####.sosta####.com/imgs/ndapp.png
- w####.sosta####.com/imgs/qrcode_for_gh_ab4ba77d2180_258.jpg
- w####.sosta####.com/imgs/qrcode_for_gh_f73809b614fa_258_service.jpg
- w####.sosta####.com/imgs/swwq.png
- w####.sosta####.com/js/clipboard.min.js
- w####.sosta####.com/js/jquery-3.2.1.min.js
- w####.sosta####.com/js/viewport.min.js
- w####.sosta####.com/layer_mobile/layer.js
- w####.sosta####.com/layer_mobile/need/layer.css?2####
- w####.sosta####.com/wap/
- w####.sosta####.com/wap/content.php?cid=####
- w####.sosta####.com/wap/css/article6.css
- w####.sosta####.com/wap/css/buttons.css
- w####.sosta####.com/wap/css/comstyle.css
- w####.sosta####.com/wap/css/font-awesome.css
- w####.sosta####.com/wap/css/list.css?v=####
- w####.sosta####.com/wap/js/base-loading.js
- yun.lveha####.com/h5/media/media-3.2.1.min.js
- yun.pop####.cn.####.com/mami-media/img/g7klwsglwp.jpg
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
Запросы HTTP POST:
- a####.exc.mob.com/errconf
- a####.u####.com/app_logs
- api.s####.mob.com/conf5
- api.s####.mob.com/conn
- api.s####.mob.com/snsconf
- w####.sosta####.com/appserver/batch/save
- w####.sosta####.com/appserver/functions/updateReadCount
Запросы HTTP PUT:
- w####.sosta####.com/appserver/always_collect
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.app_sharepreference.xml
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.lock
- /data/data/####/.mrecord
- /data/data/####/.mrlock
- /data/data/####/.statistics
- /data/data/####/.task_sharepreference.xml
- /data/data/####/0428d17f1e095e9c20511872dfc5817a
- /data/data/####/0a932fefe643fb1c387f06fbda2296f051971a24ae96104....0.tmp
- /data/data/####/0cc9eca3365309095b8f8cf37c81cd3f4129562af59d1bb....0.tmp
- /data/data/####/0e00b09d3220d8789ff5c358fe851043fe6cce8dd2ee7d5....0.tmp
- /data/data/####/322f2aec7f30e526932e4e979e370157
- /data/data/####/3636904ad2f9743a11efe1fce66e60e0b9fddc35fa594a7....0.tmp
- /data/data/####/4a199f91436658022e2ae50acd87c4b6
- /data/data/####/4b3bcb290541db6c918e6cccce6ec966
- /data/data/####/4f506f4b1d391dae7636b65273194c094b20694399c8f24....0.tmp
- /data/data/####/58b88e41f9a36099094063943223936630806b51cd18a68....0.tmp
- /data/data/####/59c968352d7d9ae716d4b27cfb5b0c4db8bdd4a2157f7b3....0.tmp
- /data/data/####/679c9e80ccabf2480ea342861b531064a5818cd18265491....0.tmp
- /data/data/####/7065f5946c42906d39bb4ad220cae202565c8defa62554a....0.tmp
- /data/data/####/7b4b355d8596bb3e166ee2c59395839a5b2faca6df48591....0.tmp
- /data/data/####/8560336117559ed0a85955ae7eb79f90f98dff191ba1996....0.tmp
- /data/data/####/89e448b44557ae4eccaa5c0ce6dda00c5e4893d2c509fe1....0.tmp
- /data/data/####/94165132ee577eee0320503ac9cb7178b542b9459eb5d0c....0.tmp
- /data/data/####/959e13ca3027f49a2801e169f3931573c12f0feb32af3d5....0.tmp
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/a139bfba4fa734b27fd18c77464acc29b3813c2308ae872....0.tmp
- /data/data/####/a4054966595e94a7b7a54852bab3514d
- /data/data/####/acacd8c5e31094e8809c15d718cb1a2f
- /data/data/####/ad13622c12484e50f4229e4a92660ed5e8ce8459806fc2a....0.tmp
- /data/data/####/af035461c7db9fd7a92418498c1cfe086437e6d42a96ac1....0.tmp
- /data/data/####/b7d4c1c5e8eb612041e97c6becea463e91b2c6f064879d6....0.tmp
- /data/data/####/b876b009f15c87392bcc8c2b2ec4751e9ea06c551c83c48....0.tmp
- /data/data/####/c0a28ce878223bd608d6eaa142dd89c0bfab79a84cfd953....0.tmp
- /data/data/####/c418b9973e7f5489a9917950939ea1fc1f2100409eb7988....0.tmp
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cf13c1a1f9f2bbe0699795be2e1f8c656bdadfacf3f195a....0.tmp
- /data/data/####/com.avos.avoscloud.RequestStatisticsUtil.data.xml
- /data/data/####/com.avos.avoscloud.analysis.xml
- /data/data/####/com.avos.avoscloud.approuter.EkOej4AwDQcg7TSMoi...sz.xml
- /data/data/####/d7acd72da8096484a687daa4e905ab31c2a38b091238040....0.tmp
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/e1fef3ad7566e8f9c520219467055071f7db9d45c351f18....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/http_wubi.sostation.com_0.localstorage-journal
- /data/data/####/iapppay_config.xml
- /data/data/####/index
- /data/data/####/installation
- /data/data/####/journal.tmp
- /data/data/####/libjiagu-1556479558.so
- /data/data/####/mob_commons_1.xml
- /data/data/####/mob_sdk_exception_1.xml
- /data/data/####/share_sdk_1.xml
- /data/data/####/statistics_preference.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.dic_lock
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.pkg_lock
- /data/media/####/1552671685947.log
- /data/media/####/1552671685947.log (deleted)
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/audio_feed_110
- /data/media/####/audio_feed_111
- /data/media/####/audio_feed_113
Другие:
Загружает динамические библиотеки:
- libjiagu-1556479558
- ndkbitmap
- neh
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Отрисовывает собственные окна поверх других приложений.
