Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Spy.127.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) d####.g####.p####.com:80
- TCP(HTTP/1.1) recom####.p####.com:80
- TCP(HTTP/1.1) t####.p####.com:80
- TCP(HTTP/1.1) s####.p####.com:80
- TCP(HTTP/1.1) webcdn-####.g####.p####.com:80
- TCP(HTTP/1.1) searc####.p####.com:80
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) api.usergr####.p####.com:80
- TCP(HTTP/1.1) web-st####.g####.p####.com:80
- TCP(TLS/1.0) api.usergr####.p####.com:443
Запросы DNS:
- a####.u####.com
- ac####.d####.pp####.com
- api####.a####.com
- api.pass####.p####.com
- api.usergr####.p####.com
- cld####.mo####.p####.com
- gro####.p####.com
- i####.pp####.cn
- ios.syna####.com
- m####.api.p####.com
- plt.d####.pp####.com
- recom####.p####.com
- s####.p####.com
- searc####.p####.com
- so.api.p####.com
- sp####.mo####.p####.com
- sr1.pp####.cn
- sr1.pp####.com
- sr2.pp####.cn
- sr2.pp####.com
- sr3.pp####.cn
- sr3.pp####.com
- sr4.pp####.com
- t####.p####.com
- v.img.pp####.cn
- way.p####.com
Запросы HTTP GET:
- api.usergr####.p####.com/get/aphone?index=####&appplt=####&ustr=gu####&d...
- api.usergr####.p####.com/getUserCreditDoublePolicy?appid=####&from=####&...
- api.usergr####.p####.com/pcardInfo/getMonthPcard?username=####&from=####...
- api.usergr####.p####.com/public/ppi?appid=####&appplt=####&tk=####&cc=##...
- api.usergr####.p####.com/v6/流风清音/Favorites?version=####&from=####
- api.usergr####.p####.com/v6/流风清音/Recent?version=####&from=####
- recom####.p####.com/recTopic?uid=####&extraFields=####&rmTopicIds=####&s...
- s####.p####.com/v7/流风清音/Barrage/all?from=####&version=####&tk=####
- searc####.p####.com/query/nt?hasVirtual=####&ppi=####&cnt=####&cm=####&q...
- searc####.p####.com/query/topSearch.api?ppi=####&appid=####&appplt=####&...
- t####.p####.com/
- web-st####.g####.p####.com/2012/12/30/18195216887_230X306.jpg.webp
- web-st####.g####.p####.com/2019/01/07/15410550920_230X306.jpg.webp
- web-st####.g####.p####.com/cms/13/73/c0a4bea8cfd59562b65f3448f6c5691f.jpg
- web-st####.g####.p####.com/cms/14/24/d2b37f1e306938e9e0bf1ade235e24f3.png
- web-st####.g####.p####.com/cms/16/35/c66c61fda8eb103aaf86bdf565afa2bc.png
- web-st####.g####.p####.com/cms/19/13/de5f123f0eea25fd412227ae7e36c196.png
- web-st####.g####.p####.com/cms/20/48/3ca7889db8b07c62dc914a2201694f8e.png
- web-st####.g####.p####.com/cms/24/68/da4d0a1a503b296131941dda5ea71f9f.jpg
- web-st####.g####.p####.com/cms/26/75/207855ec7b873e10e448d4418968011e.jpg
- web-st####.g####.p####.com/cms/35/53/5cbec9231bc112f376028069ebd2fb0b.gif
- web-st####.g####.p####.com/cms/39/16/8649981b2d5455a352bae8329087cbaa.jpg
- web-st####.g####.p####.com/cms/39/35/f5e255e4cbf8c6ace832ba82d318d983.png
- web-st####.g####.p####.com/cms/40/08/420462a279acbe7b942cfe917564f7bb.png
- web-st####.g####.p####.com/cms/41/46/ae9dc76632409e0815c42d5655d5c4fa.png
- web-st####.g####.p####.com/cms/42/44/6275b2cd05b5554c9a8ce81839003de7.png
- web-st####.g####.p####.com/cms/63/33/e624ab92ecebabc6c87263e5d315de5e.gif
- web-st####.g####.p####.com/cp308/60/63/6063744673e37673f6ec019f631708f5/...
- web-st####.g####.p####.com/cp308/a2/54/a25446f4052a4fa8dc3ae2b4ac89aa78/...
- web-st####.g####.p####.com/cp308/d0/d1/d0d10337a109a173e1a01807fa704d45/...
- web-st####.g####.p####.com/cp308/f2/5d/f25d18757da6fd1f8845a20fe97855f1/...
- web-st####.g####.p####.com/lpic/03d/3c7/555/319b537694d90ec9e19bdd79ce4e...
- web-st####.g####.p####.com/lpic/059/86c/5e6/621c75286348694e60336f2b97e5...
- web-st####.g####.p####.com/lpic/14e/e16/4fa/67bbbb3286c4e055890edfee6cd4...
- web-st####.g####.p####.com/lpic/1c9/347/a5f/5e8b55a762683018720355aaa50c...
- web-st####.g####.p####.com/lpic/2a2/471/b28/f7c3fda294ab97cbf185735ea93f...
- web-st####.g####.p####.com/lpic/34e/8d4/055/697d9911c7de6d1d31edcbe4b7f8...
- web-st####.g####.p####.com/lpic/34f/c9c/038/bd2c61f50606c9791897ed5f37db...
- web-st####.g####.p####.com/lpic/3b0/72d/a26/b9e831e1ecee0a1c40229b1f1e02...
- web-st####.g####.p####.com/lpic/3fd/d0c/b40/1226c621b1885e1f022c84db043d...
- web-st####.g####.p####.com/lpic/4aa/79e/3c6/0cd1f90527dff999f06e606a10ea...
- web-st####.g####.p####.com/lpic/627/a8b/893/025ef89c5b866b3bf9c8a720462c...
- web-st####.g####.p####.com/lpic/665/7c3/26f/212da4d69887801eb643ae08e70f...
- web-st####.g####.p####.com/lpic/6a3/050/974/340d82145c90c38aa24ba1f20504...
- web-st####.g####.p####.com/lpic/711/11c/502/d6c778947ae18f27233fc9acc126...
- web-st####.g####.p####.com/lpic/76c/3a0/e00/a338d86c8585d53e0c608cb741a1...
- web-st####.g####.p####.com/lpic/8b7/0f6/064/ec2bae855ed67c39ad62dd796fb2...
- web-st####.g####.p####.com/lpic/8f3/6f9/319/5ac4ba9f78bb97b7b85a69197c2c...
- web-st####.g####.p####.com/lpic/9c8/a62/fde/549c02c84aaa7f9d313f81d39cf8...
- web-st####.g####.p####.com/lpic/a1b/e75/24a/123fb2cf66cb6dc5689b194229b2...
- web-st####.g####.p####.com/lpic/a3a/43b/3a0/5161180b5e872063a92df44d342e...
- web-st####.g####.p####.com/lpic/bb5/7f2/662/4a5283bfd743f3e9e9c25c826253...
- web-st####.g####.p####.com/lpic/bdc/c29/d05/d8a327ea7275ea9dd6bcd3c77bc6...
- web-st####.g####.p####.com/lpic/be7/e55/6e7/5d999810b19c221c8ebd147a53c9...
- web-st####.g####.p####.com/lpic/beb/ddd/6e9/acbd2ce6346bae749d76fe1ec0ad...
- web-st####.g####.p####.com/lpic/ce3/929/4c3/73c4a0ddb077e5d4a87fb979a56d...
- web-st####.g####.p####.com/lpic/e7a/1cc/98e/ba380cb081662aea267eca222672...
- web-st####.g####.p####.com/lpic/eb0/cd3/81e/5783c5e91b063c01e738ac8ae56d...
- web-st####.g####.p####.com/lpic/ec4/c42/6f2/63862f99377cf076907cb63c4a42...
- web-st####.g####.p####.com/lpic/f2b/82c/c6e/9cd0be6d82d7d86627dca7d79a80...
- webcdn-####.g####.p####.com/check_update?platform=####&appplt=####&osv=#...
- webcdn-####.g####.p####.com/competition/v1/list
- webcdn-####.g####.p####.com/competitionschedule/v1/list?competitionid=####
- webcdn-####.g####.p####.com/control?ver=####&userLevel=####&platform=###...
- webcdn-####.g####.p####.com/generalConfig?platform=####&appplt=####&conf...
- webcdn-####.g####.p####.com/generalConfig?platform=####&configkey=####&a...
- webcdn-####.g####.p####.com/getConfig?ZGV2aWNlaWQ9MzU2NTA3MDU5MzUxODk1Jm...
- webcdn-####.g####.p####.com/globalConfig?platform=####&appplt=####&osv=#...
- webcdn-####.g####.p####.com/manual_update?platform=####&appplt=####&osv=...
- webcdn-####.g####.p####.com/v4/module?lang=####&platform=####&appid=####...
Запросы HTTP POST:
- a####.u####.com/app_logs
- d####.g####.p####.com/event/1.html
- recom####.p####.com/uniSearch.api
- res####.a####.com/v3/log/init
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/MATSharedPreferences.xml
- /data/data/####/USER_BILLING.xml
- /data/data/####/_ire-journal
- /data/data/####/applog.log
- /data/data/####/cn.com.mma.mobile.tracking.other.xml
- /data/data/####/com.pplive.androidphone_preferences.xml
- /data/data/####/config.xml
- /data/data/####/configcenter.txt
- /data/data/####/exitadinfo
- /data/data/####/globalConfig.txt
- /data/data/####/last_know_location.xml
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_cached_com.pplive.androidphone999999999
- /data/data/####/multidex.version.xml
- /data/data/####/pptv.db-journal
- /data/data/####/pptv.xml
- /data/data/####/static_config
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/unicom.xml
- /data/data/####/view_from.xml
- /data/data/####/webp.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/-1023432470
- /data/media/####/-1288710204.tmp
- /data/media/####/-1372347336.tmp
- /data/media/####/-1403916186
- /data/media/####/-1441862793.tmp
- /data/media/####/-1491227863
- /data/media/####/-1523223674.tmp
- /data/media/####/-154234153.tmp
- /data/media/####/-1624000149
- /data/media/####/-1693854143.tmp
- /data/media/####/-1717685947.tmp
- /data/media/####/-1812578290
- /data/media/####/-1836083016.tmp
- /data/media/####/-1917343618
- /data/media/####/-1917343619
- /data/media/####/-1920326167.tmp
- /data/media/####/-1936410676.tmp
- /data/media/####/-1943459813.tmp
- /data/media/####/-1978696088.tmp
- /data/media/####/-2020577616.tmp
- /data/media/####/-203299418.tmp
- /data/media/####/-2039158379
- /data/media/####/-2088254443
- /data/media/####/-26748261.tmp
- /data/media/####/-311146098.tmp
- /data/media/####/-434886813.tmp
- /data/media/####/-465549933.tmp
- /data/media/####/-469773622.tmp
- /data/media/####/-50650037.tmp
- /data/media/####/-566439259.tmp
- /data/media/####/-604839425
- /data/media/####/-605536553
- /data/media/####/-622514476.tmp
- /data/media/####/-645134678.tmp
- /data/media/####/-660528491
- /data/media/####/-694572465.tmp
- /data/media/####/-716525078.tmp
- /data/media/####/-736216026.tmp
- /data/media/####/-764849759.tmp
- /data/media/####/-865236958.tmp
- /data/media/####/-873981658.tmp
- /data/media/####/-886208790.tmp
- /data/media/####/-962110919.tmp
- /data/media/####/.nomedia
- /data/media/####/1071670298.tmp
- /data/media/####/1073965773.tmp
- /data/media/####/1122221299.tmp
- /data/media/####/1163989295.tmp
- /data/media/####/1228872519.tmp
- /data/media/####/13734783
- /data/media/####/1492337729
- /data/media/####/1553521954.tmp
- /data/media/####/1583631258.tmp
- /data/media/####/1599532657
- /data/media/####/161611219
- /data/media/####/171980557.tmp
- /data/media/####/1775006297
- /data/media/####/191419125.tmp
- /data/media/####/191986008.tmp
- /data/media/####/1953121240.tmp
- /data/media/####/213108540
- /data/media/####/25448553
- /data/media/####/25610745
- /data/media/####/280983358.tmp
- /data/media/####/460567684.tmp
- /data/media/####/54939787.tmp
- /data/media/####/594047960.tmp
- /data/media/####/596620795.tmp
- /data/media/####/806154864
- /data/media/####/917906215.tmp
- /data/media/####/965397903.tmp
- /data/media/####/971348396
- /data/media/####/_livetab1
- /data/media/####/_livetab2
- /data/media/####/_livetabtab
- /data/media/####/journal.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/files/libjiagu.so
Загружает динамические библиотеки:
- audioeffect_jni
- libjiagu
- meet
- mresearch
- subtitle-jni
Использует следующие алгоритмы для шифрования данных:
- AES-ECB-PKCS5Padding
- DES-CBC-PKCS5Padding
- DESede-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- DES-CBC-PKCS5Padding
- DESede-CBC-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию о настроках APN.
Отрисовывает собственные окна поверх других приложений.
