Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) im.miliyou####.vip:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) im.miliyou####.vip:8080
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) api.miliyou####.vip:80
- TCP(TLS/1.0) 3####.tc.qq.com:443
- TCP sdk.o####.t####.####.com:5224
- TCP c####.g####.ig####.com:5224
Запросы DNS:
- 7j####.c####.z0.####.com
- a####.exc.mob.com
- and####.b####.qq.com
- api.miliyou####.vip
- c####.g####.ig####.com
- c-h####.g####.com
- im.miliyou####.vip
- l####.tbs.qq.com
- mil####.sclo####.com
- s.b####.m####.com
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- www.miliyou####.vip
Запросы HTTP GET:
- api.miliyou####.vip/v2/config/announcement?accessToken=####&accessUid=####
- api.miliyou####.vip/v2/goods/category?accessToken=####&accessUid=####
- api.miliyou####.vip/v2/goods/lists?accessToken=####&accessUid=####&page=...
- api.miliyou####.vip/v2/goods/lists?accessToken=####&kill_id=####&accessU...
- api.miliyou####.vip/v2/index/banner?accessToken=####&accessUid=####
- api.miliyou####.vip/v2/index/like?accessToken=####&accessUid=####
- api.miliyou####.vip/v2/index/sec-kill-v2?accessToken=####&accessUid=####
- api.miliyou####.vip/v2/index/topic?accessToken=####&accessUid=####
- api.miliyou####.vip/v3/goods/alert
- api.miliyou####.vip/v3/system/get-beginning-ad
- im.miliyou####.vip/img/img_default_user.png
- im.miliyou####.vip/img/mark.png
- im.miliyou####.vip/img/ranking.png
- im.miliyou####.vip/img/team-buying.png
- im.miliyou####.vip:8080/
- t####.c####.q####.####.com/tdata_asl709
- ti####.c####.l####.####.com/1534550028978jataycovdefqcnfzyzh.png
- ti####.c####.l####.####.com/1539795242944uyejpuzylbyvdsmgfuo.png
- ti####.c####.l####.####.com/banner/2019/01/5c2c622d8a3f8.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/02/5c6058d693b22.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/04/5ca179c5b071f.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/04/5ca179cf9a125.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/04/5ca179d87bc3c.png?imageVi####
- ti####.c####.l####.####.com/banner/2019/04/5ca179e1e39f5.png?imageVi####
- ti####.c####.l####.####.com/config/hz-hzv3.conf
- ti####.c####.l####.####.com/goods-topic/imgs/5c2c13f993742.png
- ti####.c####.l####.####.com/goods-topic/logo/5b78d552dfd81.png
- ti####.c####.l####.####.com/goods-topic/logo/5b78d6185e719.png
- ti####.c####.l####.####.com/goods-topic/logo/5b78d8180b2c0.png
- ti####.c####.l####.####.com/goods-topic/logo/5c0bf28a0f4b8.png
- ti####.c####.l####.####.com/goods-topic/logo/5c11d4eb3d71e.png
- ti####.c####.l####.####.com/goods-topic/logo/5c11d51c64bc2.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c7d30dfc6413.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c84f8dec6079.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c8915e11f2b6.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c9e1f35b3327.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5c9e2906bce54.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5ca0b747776b5.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5ca0bccf58111.png
- ti####.c####.l####.####.com/goods/thumb/2019/03/5ca0c9e26abbf.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca183c2a9cd5.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca1849459428.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca189e8a1e99.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca1958debf3f.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca1b45dc4a0e.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca1bf746e772.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca1cfb0371a3.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca1d58b8553f.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca1d8c6682f7.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca203981959f.png
- ti####.c####.l####.####.com/goods/thumb/2019/04/5ca20f3d85774.png
- ti####.c####.l####.####.com/tuihuo/2018/04/5ad87e70822cc.png
Запросы HTTP POST:
- a####.exc.mob.com/errconf
- and####.b####.qq.com/rqd/async
- and####.b####.qq.com/rqd/async?aid=####
- c-h####.g####.com/api.php?format=####&t=####
- l####.tbs.qq.com/ajax?c=####&k=####
- sdk.o####.p####.####.com/api.php?format=####&t=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.duid
- /data/data/####/.lock
- /data/data/####/.vpl_lock
- /data/data/####/02065a4a996a41913e8a54281685b5a60cb256ebfc2b4da....0.tmp
- /data/data/####/047e07880e70e91a163ed17155f81297.0.tmp
- /data/data/####/047e07880e70e91a163ed17155f81297.1.tmp
- /data/data/####/06688edfe7434d3c34f69288aa07442d9b6408faaf1562a....0.tmp
- /data/data/####/0ab8ec572f305ac16fa94f0065ba60d51d049e99b439d37....0.tmp
- /data/data/####/0b278612ee7c50f886aefbfd0bc4afd824d73f7866f794f....0.tmp
- /data/data/####/0da2cee935f6a8784aaceb7907ceceb824320da664aaeb9....0.tmp
- /data/data/####/0dd239178d843c1576cacb9d2655bb23.0.tmp
- /data/data/####/0dd239178d843c1576cacb9d2655bb23.1.tmp
- /data/data/####/1002
- /data/data/####/1004
- /data/data/####/12215bf3b81e424b26638fc12bb540cc1acd63d52e2d46a....0.tmp
- /data/data/####/1b55a986b68584f85e050a3aaf0376d54d697fd0ae7aa4c....0.tmp
- /data/data/####/2156d05987f6543fcb9dc78dc7ff8478.0.tmp
- /data/data/####/2156d05987f6543fcb9dc78dc7ff8478.1.tmp
- /data/data/####/25cad2f2021bd74e7941bd23462b77302a3a8dc96ab6452....0.tmp
- /data/data/####/2ad53135e896b8a771ca9e2315576a99f03106a2e79f1c1....0.tmp
- /data/data/####/34929512b190f82fc089efcb73adf8e7.0.tmp
- /data/data/####/34929512b190f82fc089efcb73adf8e7.1.tmp
- /data/data/####/35501401cffe10a2081bc425fb56fd293d423c2f71cf8c0....0.tmp
- /data/data/####/3952b6d5f3d6d7836fe191687deb9237356d9ebdd98d150....0.tmp
- /data/data/####/39d74d78c84a2544924da6d900388db335e7605520627d0....0.tmp
- /data/data/####/3a781a74707805b182ece0940a9bad0655cc5031d7f4e6b....0.tmp
- /data/data/####/3b4a46d39946aecacfef7040d93f4a1d450fd003e14b4d6....0.tmp
- /data/data/####/3ff5358dd4c169c0effaeb288a33c572ea3e7c403917e87....0.tmp
- /data/data/####/4449f5a9b57c704a2ed30173d788f3eeba8541d18ab64a6....0.tmp
- /data/data/####/4b4e5ddb2f5bc38b4d06ed9888a800db.0.tmp
- /data/data/####/4b4e5ddb2f5bc38b4d06ed9888a800db.1.tmp
- /data/data/####/4ca5923c7df9c4288e98c03e4ac63721ee1be64320957f8....0.tmp
- /data/data/####/4cdbd5ccdae10d38bf6222a7b5404e6860e63ed30e69ee2....0.tmp
- /data/data/####/547864d797d4c67d728a4c9b5a709f49b2f5b8bb36d20e2....0.tmp
- /data/data/####/55ac03e7e502bb633b062aace33faf9ec8f2107fd3fd4f3....0.tmp
- /data/data/####/5ea3690d272b2252d36e7a0b12f0af44fde0cf1fafb1a0c....0.tmp
- /data/data/####/64812c270274f66be8ae133414a5354c34eca89cfe772a9....0.tmp
- /data/data/####/66d6edff8357194a5b4c0aeec9ef68ef2e3a92c8e5193c3....0.tmp
- /data/data/####/6ed19ce371537d6bf14a68c2b696d70e880be924d26728b....0.tmp
- /data/data/####/8b394731c99f1ae3a6a77d089e24c8151d9fb12f03b73e6....0.tmp
- /data/data/####/8c6c5a4381724b5262f265ddd1c8dc7967ff5ce146729f9....0.tmp
- /data/data/####/8fa8dba68a9954828b312b348e205520.0.tmp
- /data/data/####/8fa8dba68a9954828b312b348e205520.1.tmp
- /data/data/####/8febbea09c53619c1c81f664b29201e4bcdb609582efec4....0.tmp
- /data/data/####/9c22d65ba4ff3bc8c69546918ca7ffd1a56312aa0081321....0.tmp
- /data/data/####/9c9797fd13b9fa4627f6400c5e1a59731fb9c56bfecb40d....0.tmp
- /data/data/####/BUGLY_COMMON_VALUES.xml
- /data/data/####/Hawk
- /data/data/####/Hawk-journal
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/MultiDex.lock
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/a1b60f061d19a85a9184a4e1de0e930aab04990e1652ef7....0.tmp
- /data/data/####/a6666463bab23f3854b884e992f313fb50da8b5aa52647d....0.tmp
- /data/data/####/b2e1d650c688eb12d8e65785221d3b4afaa6e673a25df1e....0.tmp
- /data/data/####/b2e1d650c688eb12d8e65785221d3b4afaa6e673a25df1e...b95e.0
- /data/data/####/b9f9e065964eaf4896545dda8e686f4afcc38f7ace81309....0.tmp
- /data/data/####/bugly_db_-journal
- /data/data/####/bugly_db_legu-journal
- /data/data/####/c00f5b0803e3a2d418a8f039bd8c1390662ce9f30a11f14....0.tmp
- /data/data/####/c84db5c975378e5b11294230363cb461f48cfac31e46744....0.tmp
- /data/data/####/c9d8663f47beb9d9bcd599f8d0f6b592.0.tmp
- /data/data/####/c9d8663f47beb9d9bcd599f8d0f6b592.1.tmp
- /data/data/####/cb1cfeb2402a16124e3350cf895170834bf23cdbe0f7b51....0.tmp
- /data/data/####/cb1d45ef1a846def07ee7a13a0d677222f63e6528f5041d....0.tmp
- /data/data/####/com.sclonsee.miliyoutuan.BETA_VALUES.xml
- /data/data/####/core_info
- /data/data/####/crashrecord.xml
- /data/data/####/d6e5656e780e695961a04142556bde65dc2af4e9f35f7d8....0.tmp
- /data/data/####/d78ecf995710cb72b023370d40a684137f55ac806d88bd4....0.tmp
- /data/data/####/dc16c4774328b9f903db876b6a9419481fdf66b22afbabe....0.tmp
- /data/data/####/domain_1
- /data/data/####/e7c27bfb0c3d9a214bd729f68fe3e43d.0.tmp
- /data/data/####/e7c27bfb0c3d9a214bd729f68fe3e43d.1.tmp
- /data/data/####/ef8d0efba4976d885a98d5972381f5635eb79c73615a0e9....0.tmp
- /data/data/####/f056016961ef91ba3111954faab41879.0.tmp
- /data/data/####/f056016961ef91ba3111954faab41879.1.tmp
- /data/data/####/f3fdf0b0db49487f731e86d46c17a23f96b3f030af97ca5....0.tmp
- /data/data/####/f8baea78b60bd271391ef520418bc91bca9eed1e83e2730....0.tmp
- /data/data/####/fffba8085b0c1e9e110fbbc3b56ba505678a56c59bd3570....0.tmp
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/history.db-journal
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/khistory.db
- /data/data/####/khistory.db-journal
- /data/data/####/libnfix.so
- /data/data/####/libshella-2.9.1.2.so
- /data/data/####/libufix.so
- /data/data/####/local_crash_lock
- /data/data/####/mix.dex
- /data/data/####/mob_commons_1
- /data/data/####/mob_sdk_exception_1
- /data/data/####/multidex.version.xml
- /data/data/####/native_record_lock
- /data/data/####/okgo.db-journal
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/security_info
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tdata_asl709
- /data/data/####/tdata_asl709.jar
- /data/media/####/.artc_lock
- /data/media/####/.di
- /data/media/####/.dic_lock
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.im_lock
- /data/media/####/.lesd_lock
- /data/media/####/.mn_-1464060969
- /data/media/####/.nomedia
- /data/media/####/.pkg_lock
- /data/media/####/.pkgs_lock
- /data/media/####/.rc_lock
- /data/media/####/.slw
- /data/media/####/.ss_lock
- /data/media/####/app.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.sclonsee.miliyoutuan.bin
- /data/media/####/com.sclonsee.miliyoutuan.db
- /data/media/####/comsclonseemiliyoutuan_3.0.6_17479b68-fe8f-5bc...3f.apk
- /data/media/####/tdata_asl709
- /data/media/####/test.log
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.service.GrayService 25487 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.9.1.2.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.product.cpu.abi
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.service.GrayService 25487 300 0
Загружает динамические библиотеки:
- Bugly
- getuiext2
- libnfix
- libshella-2.9.1.2
- libufix
- nfix
- ufix
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-NoPadding
- AES-GCM-NoPadding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
