Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Dowgin.14.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) pcvid####.t####.m####.####.com:80
- TCP(HTTP/1.1) imgal####.res.m####.com:80
- TCP(HTTP/1.1) ri.ti.r####.cn:80
- TCP(HTTP/1.1) 0####.h####.com:80
- TCP(HTTP/1.1) trac####.ad-su####.com:80
- TCP(HTTP/1.1) use####.api.max.####.com:80
- TCP(HTTP/1.1) pCvID####.T####.M####.cOm:80
- TCP(HTTP/1.1) pcvid####.t####.m####.####.COM:80
- TCP(HTTP/1.1) ii.vi.i####.cn:80
- TCP(HTTP/1.1) hun####.m.cn.####.com:80
- TCP(HTTP/1.1) geo.gridsum####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) 2####.h####.com:80
- TCP(HTTP/1.1) 1####.h####.com:80
- TCP(HTTP/1.1) mo####.api.hun####.com:80
- TCP(HTTP/1.1) com####.hun####.com:80
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) mo####.log.hun####.com:80
- TCP(HTTP/1.1) x.da.hun####.com:80
- TCP(HTTP/1.1) pcViD####.t####.m####.CoM:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) rc.mpp.hun####.com:80
- TCP(TLS/1.0) 0####.h####.com:443
- TCP(TLS/1.0) 2####.58.208.110:443
- TCP(TLS/1.0) ys.da.m####.com:443
Запросы DNS:
- 0####.h####.com
- 1####.h####.com
- 2####.h####.com
- 3####.h####.com
- 4####.h####.com
- PCVId####.T####.M####.com
- PcVid####.T####.m####.COM
- a####.u####.com
- api####.a####.com
- au.u####.co
- au.u####.com
- av####.h####.com
- bd.id.bai####.com
- com####.hun####.com
- geo.gridsum####.com
- hun####.m.cn.####.com
- i5.hun####.com
- ii.vi.i####.cn
- imgal####.res.m####.com
- log.v2.hun####.com
- mo####.api.hun####.com
- mo####.log.hun####.com
- oc.u####.com
- pCvID####.T####.M####.cOm
- pcViD####.t####.m####.CoM
- rc.mpp.hun####.com
- ri.ti.r####.cn
- trac####.ad-su####.com
- use####.api.max.####.com
- x.da.hun####.com
- ys.da.m####.com
Запросы HTTP GET:
- 0####.h####.com/5/1ce196b9/bj0kqe224e7andid6n10?x-oss-process=####
- 0####.h####.com/5/afe406bc/be3amqlmugg6brjuhrjg?x-oss-process=####
- 0####.h####.com/6/4e0c62bd/bfeke4k7mq0hfqlv6350?x-oss-process=####
- 0####.h####.com/78HHrqFW5MTTTPKZ1flbodmvfSwenR.jpg?x-oss-process=####
- 0####.h####.com/iT4FqEJ4sIVv9cm6yLI8fogRE1CIqU.jpg?x-oss-process=####
- 0####.h####.com/preview/cms_icon/2019/5/14/05/20190514193530244.gif
- 0####.h####.com/preview/cms_icon/2019/5/14/05/20190514203423525.jpg
- 0####.h####.com/preview/cms_icon/2019/5/6/05/20190506121623334.jpg
- 0####.h####.com/preview/cms_icon/2019/5/8/05/20190508200337712.png
- 1####.h####.com/preview/cms_icon/2019/5/14/05/20190514203917586.gif
- 1####.h####.com/preview/cms_icon/2019/5/14/05/20190514224221796.jpg
- 1####.h####.com/preview/cms_icon/2019/5/8/05/20190508200313564.png
- 1####.h####.com/preview/cms_icon/auto_gif/2019/05/13/788004468108434403....
- 1####.h####.com/preview/sp_images/2019/3/23/zongyi/328606/5354871/201903...
- 1####.h####.com/preview/sp_images/2019/5/14/dianshiju/322443/5625774/201...
- 2####.h####.com/preview/cms_icon/2019/5/11/05/20190511104818060.jpg
- 2####.h####.com/preview/cms_icon/2019/5/11/05/20190511213150998.jpg
- 2####.h####.com/preview/cms_icon/2019/5/13/05/20190513102328060.gif
- 2####.h####.com/preview/cms_icon/2019/5/13/05/20190513120228363.jpg
- 2####.h####.com/preview/cms_icon/2019/5/13/05/20190513184717029.jpg
- 2####.h####.com/preview/cms_icon/2019/5/8/05/20190508200407586.png
- 2####.h####.com/preview/cms_icon/2019/5/8/05/20190508200508271.png
- 2####.h####.com/preview/sp_images/2019/5/10/dianshiju/322443/5603054/201...
- 2####.h####.com/preview/sp_images/2019/5/14/dianshiju/322443/5626181/201...
- 2####.h####.com/s1/2016/yuanxiao/icon/dubo.png
- 2####.h####.com/s1/2016/yuanxiao/icon/teji.png
- 2####.h####.com/s1/2016/yuanxiao/icon/zhibo.png
- 2####.h####.com/s1/2016/yuanxiao/icon/zhizhi.png
- com####.hun####.com/mobile_comment/top?userId=####&osVersion=####&subjec...
- geo.gridsum####.com/v2/g.aspx
- hun####.m.cn.####.com/x/k=2119191&p=7OM2X&dx=0&rt=2&ns=95.211.190.197&ni...
- hun####.m.cn.####.com/x/k=2120369&p=7OfeK&dx=0&rt=2&ns=95.211.190.197&ni...
- hun####.m.cn.####.com/x/k=2120978&p=7Omc0&dx=0&rt=2&ns=95.211.190.197&ni...
- ii.vi.i####.cn/d
- imgal####.res.m####.com/mediafiles/wiad_creative/1024/15567181888634.jpg
- mo####.api.hun####.com/channel/getDetail?userId=####&osVersion=####&devi...
- mo####.api.hun####.com/channel/getList?userId=####&osVersion=####&device...
- mo####.api.hun####.com/comment/read?userId=####&osVersion=####&device=##...
- mo####.api.hun####.com/mobile/getCategorys?userId=####&osVersion=####&de...
- mo####.api.hun####.com/mobile/getRsaKey
- mo####.api.hun####.com/mobile/iconLink?userId=####&osVersion=####&device...
- mo####.api.hun####.com/mobile/loadimage?userId=####&osVersion=####&devic...
- mo####.api.hun####.com/v2/video/getMultiplyList?userId=####&osVersion=##...
- mo####.api.hun####.com/v2/video/getShortList?userId=####&osVersion=####&...
- mo####.api.hun####.com/v2/video/getVideoInfo?userId=####&osVersion=####&...
- mo####.api.hun####.com/v3/video/getSource?userId=####&osVersion=####&dev...
- mo####.api.hun####.com/video/getSupport?userId=####&osVersion=####&devic...
- pCvID####.T####.M####.cOm/pb/2019/05/06/1354/3B9B4F6F7760DB805EF746C85C1...
- pcViD####.t####.m####.CoM/pb/2019/05/06/1048/844AF0048C5BF2AB59DEC6976D1...
- pcvid####.t####.m####.####.COM/pb/2019/04/24/1558/E7408D3B178DC701EE0BCA...
- pcvid####.t####.m####.####.com/pb/2019/03/28/1001/004F8F6F05C89AF7C13975...
- rc.mpp.hun####.com/mobile/v1/cms/alike?userId=####&osVersion=####&device...
- rc.mpp.hun####.com/mobile/v1/cms?userId=####&collectionid=####&osVersion...
- trac####.ad-su####.com/impression?1143;1;####
- use####.api.max.####.com/person5c7c9a4b3bebd.jpg@1wh_1e_1c_0o_0l_60h_60w...
Запросы HTTP POST:
- a####.u####.com/app_logs
- mo####.log.hun####.com/data.cgi
- mo####.log.hun####.com/dispatcher.do
- oc.u####.com/check_config_update
- res####.a####.com/v3/log/init
- ri.ti.r####.cn/FeK/ZDX/KNk/l07
- ri.ti.r####.cn/Nx/zc8
- ri.ti.r####.cn/Wpc/BLr/nEH/h78
- ri.ti.r####.cn/pm/xc8
- ri.ti.r####.cn/t/z/O/k77
- x.da.hun####.com/json/app/boot
- x.da.hun####.com/video/player
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/05d65.xml
- /data/data/####/2a7ba36e5e.xml
- /data/data/####/9f3cea1.xml
- /data/data/####/GridsumCommon.xml
- /data/data/####/ImgoPad-journal
- /data/data/####/MGTVCommon.xml
- /data/data/####/MGTVCommon.xml.bak
- /data/data/####/MV3Plugin.ini
- /data/data/####/com.txj.play.free.push_sync.xml
- /data/data/####/com.txj.play.free.xml
- /data/data/####/last_know_location.xml
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_online_setting_com.txj.play.free.xml
- /data/data/####/net.yfe.mpggx.jar
- /data/data/####/plugin-deploy.jar
- /data/data/####/plugin-deploy.key
- /data/data/####/pst.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/media/####/.nomedia
- /data/media/####/0038985776fa18fde44695e425e0b602
- /data/media/####/1fjvwyk7wgoe6hi0ivvb5gxvv.tmp
- /data/media/####/1ycuk9qnz18iiho2v1sv0nyb.tmp
- /data/media/####/225u8mscjepi4xm3cxjh0xkbf.tmp
- /data/media/####/2jsr3d0fxkbyeltkpq881fs8x.tmp
- /data/media/####/36kq7bv3343ce39fkph3a69cf.tmp
- /data/media/####/3bahlo61s9nr6er71qkgjbzhz.tmp
- /data/media/####/3ifrlfxue0909vjwrrkyey67a.tmp
- /data/media/####/3tpj9djube3mr57kchm2wn0dg.tmp
- /data/media/####/4bwrvpx0p56ahgu7zitcs52oe.tmp
- /data/media/####/4fqjfwhgcimccjv12mg0a3kmh.tmp
- /data/media/####/4jx318zlzu3zkt3u2rvz16j0a.tmp
- /data/media/####/4kde2wlxgt4hxohhcjmfreqmc.tmp
- /data/media/####/4qh8xgyf01tgg378fwxh9gv9l.tmp
- /data/media/####/4ry73nnlz36c1txp8mw7lx5c5.tmp
- /data/media/####/52tve34x41knie4pgvymd08pa.tmp
- /data/media/####/530ntpe3mjcu8fsd79321spjz.tmp
- /data/media/####/5cm0qhpzap69akoc8per562wr.tmp
- /data/media/####/5q2y1tezokjzrq8h8p2qzct22.tmp
- /data/media/####/5r31lej7co5500l4lnybmii6y.tmp
- /data/media/####/5y7hr4nihri58j6xuv0xfmg32.tmp
- /data/media/####/6a3nh3kckiw6qrtengmjfblql.tmp
- /data/media/####/6ceag9z99rhoymqdvwfp5aohi.tmp
- /data/media/####/6mi0x6arl8gx2bee0g8ofz02k.tmp
- /data/media/####/77o3pg7o3x5kwlaljcys8u6uo.tmp
- /data/media/####/78cn6vn9hsxv4zq50f8xahgor.tmp
- /data/media/####/7brpskob3kktz7cx1oneefmg9.tmp
- /data/media/####/7hkta86abyki1a39ibbkiyh9p.tmp
- /data/media/####/ghhqqxwm6de6pkkk1678h0e6.tmp
- /data/media/####/journal.tmp
- /data/media/####/kaqar5obefwki0pjmlhg8vz.tmp
- /data/media/####/mfz.d
- /data/media/####/r1dw8b2dtzq7ma31q03ggsgj.tmp
- /data/media/####/rmty3v07ieceihk8i35kld82.tmp
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /proc/cpuinfo
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Загружает динамические библиотеки:
- ayhi
- bspatch
- libjiagu
- libmv3_common
- libmv3_jni
- libmv3_jni_4.0
- libmv3_mpplat
- libmv3_platform
- libmv3_playerbase
Использует следующие алгоритмы для шифрования данных:
- AES-ECB-PKCS5Padding
- DES
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- DES
- RSA-ECB-PKCS1Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Получает информацию о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
