Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Dowgin.3.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) x.da.hun####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) 0####.h####.com:80
- TCP(HTTP/1.1) cd.md.c####.####.net:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) ta.tt.031####.com:80
- TCP(HTTP/1.1) 1####.h####.com:80
- TCP(HTTP/1.1) mo####.api.hun####.com:80
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) mo####.log.hun####.com:80
- TCP(TLS/1.0) 1####.217.17.46:443
Запросы DNS:
- 0####.h####.com
- 1####.h####.com
- 2####.h####.com
- 3####.h####.com
- 4####.h####.com
- a####.u####.com
- api####.a####.com
- au.u####.co
- au.u####.com
- cd.md.c####.cn
- i5.hun####.com
- mo####.api.hun####.com
- mo####.log.hun####.com
- oc.u####.com
- ta.tt.031####.com
- x.da.hun####.com
Запросы HTTP GET:
- 0####.h####.com/preview/cms_icon/2019/4/15/04/20190415100642497.jpg
- 0####.h####.com/preview/cms_icon/2019/5/15/05/20190515165104431.jpg
- 0####.h####.com/preview/cms_icon/2019/5/16/05/20190516095228717.jpg
- 0####.h####.com/preview/cms_icon/2019/5/16/05/20190516114824941.jpg
- 0####.h####.com/preview/cms_icon/2019/5/16/05/20190516120112650.jpg
- 0####.h####.com/preview/cms_icon/2019/5/16/05/20190516180435810.gif
- 0####.h####.com/preview/cms_icon/2019/5/7/05/20190507160447961.jpg
- 0####.h####.com/preview/sp_images/2019/5/10/dianshiju/327440/5603261/201...
- 0####.h####.com/preview/sp_images/2019/5/13/dongman/327436/5616446/20190...
- 0####.h####.com/preview/sp_images/2019/5/15/zongyi/328308/5631948/201905...
- 0####.h####.com/preview/sp_images/2019/5/16/dianshiju/325692/5635426/201...
- 0####.h####.com/preview/sp_images/2019/5/16/zongyi/328308/5634736/201905...
- 0####.h####.com/preview/sp_images/2019/5/16/zongyi/328308/5635789/201905...
- 1####.h####.com/preview/aicrop/2019/05/16/3806389/crop_500x284_2083_1.jpg
- 1####.h####.com/preview/cms_icon/2019/4/13/04/20190413210122720.jpg
- 1####.h####.com/preview/cms_icon/2019/5/10/05/20190510232642120.jpg
- 1####.h####.com/preview/cms_icon/2019/5/11/05/20190511205036209.jpg
- 1####.h####.com/preview/cms_icon/2019/5/11/05/20190511205133602.jpg
- 1####.h####.com/preview/cms_icon/2019/5/12/05/20190512153747227.jpg
- 1####.h####.com/preview/cms_icon/2019/5/13/05/20190513170612081.jpg
- 1####.h####.com/preview/cms_icon/2019/5/13/05/20190513183746567.jpg
- 1####.h####.com/preview/cms_icon/2019/5/14/05/20190514154138924.jpg
- 1####.h####.com/preview/cms_icon/2019/5/14/05/20190514224221796.jpg
- 1####.h####.com/preview/cms_icon/2019/5/15/05/20190515122954172.jpg
- 1####.h####.com/preview/cms_icon/2019/5/15/05/20190515153332066.jpg
- 1####.h####.com/preview/cms_icon/2019/5/15/05/20190515155217623.jpg
- 1####.h####.com/preview/cms_icon/2019/5/15/05/20190515164418128.jpg
- 1####.h####.com/preview/cms_icon/2019/5/16/05/20190516113157803.jpg
- 1####.h####.com/preview/cms_icon/2019/5/16/05/20190516114121790.jpg
- 1####.h####.com/preview/cms_icon/2019/5/16/05/20190516144253199.jpg
- 1####.h####.com/preview/cms_icon/2019/5/16/05/20190516154934965.jpg
- 1####.h####.com/preview/cms_icon/2019/5/16/05/20190516211620065.jpg
- 1####.h####.com/preview/cms_icon/2019/5/16/05/20190516211954722.jpg
- 1####.h####.com/preview/cms_icon/2019/5/16/05/20190516212422839.jpg
- 1####.h####.com/preview/cms_icon/2019/5/16/05/20190516222008156.gif
- 1####.h####.com/preview/cms_icon/2019/5/16/05/20190516232209574.jpg
- 1####.h####.com/preview/cms_icon/2019/5/16/05/20190516234659298.jpg
- 1####.h####.com/preview/cms_icon/2019/5/7/05/20190507164218873.jpg
- 1####.h####.com/preview/cms_icon/2019/5/9/05/20190509152154446.jpg
- 1####.h####.com/preview/cms_icon/auto_gif/2019/05/16/355059159635274750....
- 1####.h####.com/preview/cms_icon/auto_gif/2019/05/16/417021514850389031....
- 1####.h####.com/preview/sp_images/2018/dongman/322751/4413268/2018053116...
- 1####.h####.com/preview/sp_images/2018/dongman/324927/4466419/2018071618...
- 1####.h####.com/preview/sp_images/2019/4/29/dianshiju/328427/5543921/201...
- 1####.h####.com/preview/sp_images/2019/5/14/dianshiju/326804/5626438/201...
- 1####.h####.com/preview/sp_images/2019/5/15/zongyi/328308/5630749/201905...
- 1####.h####.com/preview/sp_images/2019/5/15/zongyi/328308/5631860/201905...
- 1####.h####.com/preview/sp_images/2019/5/16/zongyi/327991/5632598/201905...
- 1####.h####.com/preview/sp_images/2019/5/16/zongyi/328308/5635851/201905...
- 1####.h####.com/preview/sp_images/2019/5/16/zongyi/328308/5635987/201905...
- 1####.h####.com/preview/sp_images/2019/5/16/zongyi/329184/5637837/201905...
- 1####.h####.com/preview/sp_images/2019/5/9/dianshiju/327435/5595170/2019...
- 1####.h####.com/s1/2016/yuanxiao/icon/dubo.png
- 1####.h####.com/s1/2016/yuanxiao/icon/fufei.png
- 1####.h####.com/s1/2016/yuanxiao/icon/huaxu.png
- 1####.h####.com/s1/2016/yuanxiao/icon/lianzai.png
- 1####.h####.com/s1/2016/yuanxiao/icon/mianfeibo.png
- 1####.h####.com/s1/2016/yuanxiao/icon/soufa.png
- 1####.h####.com/s1/2016/yuanxiao/icon/yugao.png
- cd.md.c####.####.net/offer/20171206/201712061752304.png
- cd.md.c####.####.net/offer/20181109/201811091511627.apk
- cd.md.c####.####.net/offer/20181204/201812041054759.png
- cd.md.c####.####.net/offer/20190403/201904031138116.apk
- cd.md.c####.####.net/offer/20190403/201904031407486.png
- mo####.api.hun####.com/channel/getDetail?userId=####&osVersion=####&devi...
- mo####.api.hun####.com/channel/getList?userId=####&osVersion=####&device...
- mo####.api.hun####.com/channel/getWPDetail?userId=####&osVersion=####&de...
- mo####.api.hun####.com/mobile/getCategorys?userId=####&osVersion=####&de...
- mo####.api.hun####.com/mobile/getRsaKey
- mo####.api.hun####.com/mobile/iconLink?userId=####&osVersion=####&device...
- mo####.api.hun####.com/mobile/loadimage?userId=####&osVersion=####&devic...
- mo####.api.hun####.com/search/hotWords
Запросы HTTP POST:
- a####.u####.com/app_logs
- mo####.log.hun####.com/data.cgi
- oc.u####.com/check_config_update
- res####.a####.com/v3/log/init
- ta.tt.031####.com/3eerf/ffbf/e76
- ta.tt.031####.com/3eerf/ffbf/p76
- ta.tt.031####.com/3eerf/ffbf/q76
- ta.tt.031####.com/3eerf/ffbf/r76
- ta.tt.031####.com/3eerf/ffbf/s76
- ta.tt.031####.com/3eerf/ffbf/t76
- ta.tt.031####.com/3eerf/ffbf/u76
- ta.tt.031####.com/3eerf/ffbf/w76
- x.da.hun####.com/json/app/boot
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jiagu.ls
- /data/data/####/ImgoPad-journal
- /data/data/####/MGTVCommon.xml
- /data/data/####/MGTVCommon.xml.bak
- /data/data/####/MV3Plugin.ini
- /data/data/####/_mhfreeqs.xml
- /data/data/####/_mjtfreep.xml
- /data/data/####/_msfree_r.xml
- /data/data/####/com.aozoyi.owyixe.prv.jar
- /data/data/####/com.txj.play.free.push_sync.xml
- /data/data/####/com.txj.play.free.xml
- /data/data/####/last_know_location.xml
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_online_setting_com.txj.play.free.xml
- /data/data/####/plugin-deploy.jar
- /data/data/####/plugin-deploy.key
- /data/data/####/pst.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/zscom.db
- /data/data/####/zscom.db-journal
- /data/media/####/.nomedia
- /data/media/####/1gwhfxf6qns2awdoih3gboc50.tmp
- /data/media/####/1htx6hzguvi0nvl7v7yyxlll4.tmp
- /data/media/####/1mrl5shstd8hgupdpnqkmg4lm.tmp
- /data/media/####/1nsope5uagg4hdumhow5txkeh.tmp
- /data/media/####/1wq5b73fj3ws0jng9m5cwcyrg.tmp
- /data/media/####/1wsjc9mxf9e5sfw47kwcn93xk.tmp
- /data/media/####/1xfnpfqplge4iv0jl8noq7000.tmp
- /data/media/####/1z4ov378owksnisljskyjha23.tmp
- /data/media/####/23e0xiw6r09ouyrq6yb10nr00.tmp
- /data/media/####/29v9ydho79m6jgr97weot0g37.tmp
- /data/media/####/2a1q8o8r57ojelbj31tdh0p36.tmp
- /data/media/####/2ap619di5x1mtghzgn51d4wc.tmp
- /data/media/####/2esoyt2ydddeo9sbl05pzwuih.tmp
- /data/media/####/2gd4d6t15ne2drekjj4i0c9cq.tmp
- /data/media/####/2hnk2mc23bg5pgr2uq8u34fco.tmp
- /data/media/####/2jj7pejv2zrc7dp1ejo6k8nmx.tmp
- /data/media/####/2uvwksw6oeiokm9s1gqh9n90d.tmp
- /data/media/####/2x48dr9mkcshof7pukvtfy6an.tmp
- /data/media/####/306b01ihf3rfnhtswdumn48k7.tmp
- /data/media/####/369vgdybln8nxjgtw9zu00j07.tmp
- /data/media/####/39c8lybk5th369mtk7wzx7kx4.tmp
- /data/media/####/3aaeosq5cfeq85rltv3dlna17.tmp
- /data/media/####/3cu4dwud1pwlqbvhmikr5sbz8.tmp
- /data/media/####/3f8lbtw4md4qug2nxtihbdmxz.tmp
- /data/media/####/3ky8j7c23fegki46dlx0h9vqs.tmp
- /data/media/####/3mxmeheunwxwe20ufyehshacd.tmp
- /data/media/####/3r099m06ha206jbc9fexukhd4.tmp
- /data/media/####/3tpj9djube3mr57kchm2wn0dg.tmp
- /data/media/####/3zk4q57jnlevl186k7ly0gplr.tmp
- /data/media/####/45iwq2eo8hgc8ibl18dlp5dpk.tmp
- /data/media/####/4a5jl3kz2wyfkbjnmp6ueyg3n.tmp
- /data/media/####/4a5obzacmb076yoi327hi8j91.tmp
- /data/media/####/4a8nhgb9cxt8hpeuz83lght71.tmp
- /data/media/####/4fn1z8gf3v2nwyyznngvungmj.tmp
- /data/media/####/4wf3rtaujmp59ol82ws8dolmn.tmp
- /data/media/####/4yef7jzfw7jsloamjhou4e7c2.tmp
- /data/media/####/525ncvuom13c1htbsupsyw4sx.tmp
- /data/media/####/52aqkr97mse4jgncorloixez0.tmp
- /data/media/####/54wdani8clg0bqhj4aww875ti.tmp
- /data/media/####/55hr85fpnub17xoody6608tvi.tmp
- /data/media/####/5awtrvfpvkj67mbqrg1kn6ngf.tmp
- /data/media/####/5do3ygtrehboihtimzp1sxcom.tmp
- /data/media/####/5g4cvx0bbpwnzhm30ii7h2ord.tmp
- /data/media/####/5hg2ovwghoo07d16ya298rq9s.tmp
- /data/media/####/5ja8l68olt8lh9vjdg1gq9z72.tmp
- /data/media/####/5kc79khn81r2p68uluepbf58h.tmp
- /data/media/####/5x4osil95pdg5wy4lmnkebdet.tmp
- /data/media/####/5y7hr4nihri58j6xuv0xfmg32.tmp
- /data/media/####/64of28lh2jkmuxymbp2s7jxzm.tmp
- /data/media/####/6b2obfn7r7kq3luweexvkxj20.tmp
- /data/media/####/6cf6a2abf10879c08285a274e72327e1.tmp
- /data/media/####/6g8fulmb9kv9rnrz582s7hwom.tmp
- /data/media/####/70komizgwpo8vx3s8d4g6muuj.tmp
- /data/media/####/747jcgifhndvbd7si2ahc4ueh.tmp
- /data/media/####/77veyug1bogpjnatxlfmhkimh.tmp
- /data/media/####/7fc000b614430
- /data/media/####/8950f1cae1554
- /data/media/####/8fbec85d084f84a32336fbbd8852c38e.tmp
- /data/media/####/b076ac23900b2
- /data/media/####/caff5x6974x6r399mwn2ct7l.tmp
- /data/media/####/journal.tmp
- /data/media/####/oc3mluiqhwbdzuvpzyv3m2h7.tmp
- /data/media/####/p3dxk9zwnmxjgwblfpb793qq.tmp
- /data/media/####/pr.p
- /data/media/####/sm9tjoso8esnl0ycji7p2eqf.tmp
- /data/media/####/ta709608i3o2cwl38y4nwm6.tmp
Другие:
Запускает следующие shell-скрипты:
- chmod 777 /storage/emulated/0/download/omtx//6cf6a2abf10879c08285a274e72327e1.tmp
- chmod 777 /storage/emulated/0/download/omtx//8fbec85d084f84a32336fbbd8852c38e.tmp
Загружает динамические библиотеки:
- bspatch
- libjiagu
- libmv3_common
- libmv3_jni
- libmv3_jni_4.0
- libmv3_mpplat
- libmv3_platform
- libmv3_playerbase
Использует следующие алгоритмы для шифрования данных:
- AES-ECB-PKCS5Padding
- DES
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- DES
- RSA-ECB-PKCS1Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Получает информацию о запущенных приложениях.
Отрисовывает собственные окна поверх других приложений.
