Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) sdk-ope####.g####.com:80
- TCP(HTTP/1.1) q####.c####.l####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) www.zhongli####.com:80
- TCP(HTTP/1.1) nsc####.b####.com:80
- TCP(HTTP/1.1) s####.jom####.com:80
- TCP(HTTP/1.1) zhong####.oss-cn-####.aliy####.com:80
- TCP(TLS/1.0) 1####.217.19.202:443
- TCP(TLS/1.0) www.p####.com:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) 1####.217.19.206:443
- TCP(TLS/1.0) 1####.217.17.106:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.2) 1####.217.17.106:443
- TCP(TLS/1.2) 1####.217.20.74:443
- TCP(TLS/1.2) 1####.217.19.202:443
- TCP sdk.o####.t####.####.com:5224
- TCP cm-1####.ig####.com:5226
Запросы DNS:
- 7j####.c####.z0.####.com
- a####.u####.com
- and####.google####.com
- api.s####.b####.com
- b####.s####.b####.com
- c-h####.g####.com
- cm-1####.ig####.com
- instant####.google####.com
- l####.tbs.qq.com
- log.u####.com
- m####.go####.com
- nsc####.b####.com
- s####.u####.com
- s####.u####.com.####.8
- sdk-ope####.g####.com
- sdk.c####.ig####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- www.p####.com
- www.zhongli####.com
- zhong####.oss-cn-####.aliy####.com
Запросы HTTP GET:
- nsc####.b####.com/v.gif?pid=####&type=####&l=####&t=####&s=####&v=####&f...
- nsc####.b####.com/v.gif?pid=####&type=####&sign=####&desturl=####&linkid...
- q####.c####.l####.####.com/config/hz-hzv6.conf
- s####.jom####.com/static/api/css/share_style0_16.css?v=####
- s####.jom####.com/static/api/js/base/tangram.js?v=####
- s####.jom####.com/static/api/js/component/partners.js?v=####
- s####.jom####.com/static/api/js/share.js?v=89860593.js?cdnversion=####
- s####.jom####.com/static/api/js/share/api_base.js
- s####.jom####.com/static/api/js/share/share_api.js?v=####
- s####.jom####.com/static/api/js/trans/logger.js?v=####
- s####.jom####.com/static/api/js/view/share_view.js?v=####
- s####.jom####.com/static/api/js/view/view_base.js
- s####.jom####.com/v.gif
- www.zhongli####.com/
- www.zhongli####.com/api.php?op=####&catid=####&num=####&start=####&metho...
- www.zhongli####.com/favicon.ico
- www.zhongli####.com/index.php?m=####&c=####&a=####
- www.zhongli####.com/list-72-1.html
- www.zhongli####.com/list-73-1.html
- www.zhongli####.com/statics/css/new/css/bootstrap.css
- www.zhongli####.com/statics/css/new/css/cidu.css
- www.zhongli####.com/statics/css/new/css/css.css
- www.zhongli####.com/statics/css/new/css/style_nav.css
- www.zhongli####.com/statics/images//new/img/index/block_first_default.png
- www.zhongli####.com/statics/images//new/img/index/block_fourth_default.png
- www.zhongli####.com/statics/images//new/img/index/block_second_default.png
- www.zhongli####.com/statics/images//new/img/index/block_third_default.png
- www.zhongli####.com/statics/images//new/img/index/index_erweima.png
- www.zhongli####.com/statics/images/new/img/bg.jpg
- www.zhongli####.com/statics/images/new/img/check.png
- www.zhongli####.com/statics/images/new/img/cidu_wechat.jpg
- www.zhongli####.com/statics/images/new/img/index/bg_certificate.png
- www.zhongli####.com/statics/images/new/img/index/chengjibiao.png
- www.zhongli####.com/statics/images/new/img/index/ds_background.png
- www.zhongli####.com/statics/images/new/img/index/footer_logo.png
- www.zhongli####.com/statics/images/new/img/index/guichengbiao.png
- www.zhongli####.com/statics/images/new/img/index/header_mall.png
- www.zhongli####.com/statics/images/new/img/index/header_search.png
- www.zhongli####.com/statics/images/new/img/index/jiaocai.png
- www.zhongli####.com/statics/images/new/img/index/shipin.png
- www.zhongli####.com/statics/images/new/img/index/yinyue.png
- www.zhongli####.com/statics/images/new/img/index/品牌成人拉丁舞鞋韩国定制.jpg
- www.zhongli####.com/statics/images/new/img/index/摩登选手专用舞鞋(韩国定制).jpg
- www.zhongli####.com/statics/images/new/img/index/男子拉丁竞赛专用舞鞋(韩国定制).jpg
- www.zhongli####.com/statics/images/new/img/index/男子摩登舞鞋(韩国定制).jpg
- www.zhongli####.com/statics/images/new/img/index/韩国品牌儿童舞鞋.jpg
- www.zhongli####.com/statics/images/new/img/inside/bg_header.png
- www.zhongli####.com/statics/images/new/img/inside/icon-home.png
- www.zhongli####.com/statics/images/new/img/inside/time.png
- www.zhongli####.com/statics/images/new/img/phone.png
- www.zhongli####.com/statics/images/new/img/qq.png
- www.zhongli####.com/statics/images/new/img/renzhengchaxun.png
- www.zhongli####.com/statics/images/new/img/returntop.png
- www.zhongli####.com/statics/images/new/img/share1.png
- www.zhongli####.com/statics/images/new/img/share2.png
- www.zhongli####.com/statics/images/new/img/share3.png
- www.zhongli####.com/statics/images/new/img/showtag1.png
- www.zhongli####.com/statics/images/new/img/weixin.png
- www.zhongli####.com/statics/images/new/img/xing.png
- www.zhongli####.com/statics/images/new/number.png
- www.zhongli####.com/statics/images/new/select.png
- www.zhongli####.com/statics/images/new/user.png
- www.zhongli####.com/statics/js/new/js/bootstrap.min.js
- www.zhongli####.com/statics/js/new/js/bottom-share.js
- www.zhongli####.com/statics/js/new/js/cookie.js
- www.zhongli####.com/statics/js/new/js/jquery.js
- www.zhongli####.com/uploadfile/2014/0218/20140218105525331.png
- www.zhongli####.com/uploadfile/2014/0505/20140505030056985.png
- www.zhongli####.com/uploadfile/2014/1110/20141110011354467.jpg
- www.zhongli####.com/uploadfile/2015/0409/thumb_100_100_20150409030359840...
- www.zhongli####.com/uploadfile/2018/0804/thumb_100_100_20180804092405913...
- www.zhongli####.com/uploadfile/2019/0903/20190903052156915.jpg
- www.zhongli####.com/uploads/allimg/111017/10063TQ1-0.jpg
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0316/2019031611070712...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0316/2019031611080771...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0316/2019031611082756...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0316/2019031611091127...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0425/2019042503293918...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0822/2019082205121854...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0823/2019082311154120...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0910/2019091001574396...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0910/2019091002004047...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0910/2019091002030688...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0910/2019091002070148...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0919/2019091903062570...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0923/2019092302261198...
- zhong####.oss-cn-####.aliy####.com/uploadfile/2019/0923/2019092302312415...
- zhong####.oss-cn-####.aliy####.com/uploadfile/course/images/latin_newsta...
Запросы HTTP POST:
- c-h####.g####.com/api.php?format=####&t=####
- l####.tbs.qq.com/ajax?c=####&k=####
- sdk-ope####.g####.com/api.php?format=####&t=####
- www.zhongli####.com/index.php?m=####&c=####&a=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/.jgck
- /data/data/####/09f84392c335171c_0
- /data/data/####/0aabfb5155eef7e7484feec26092f5c571b2c1c13a51724....0.tmp
- /data/data/####/0ba26895a11488fe_0
- /data/data/####/0d191584d2603a83_0
- /data/data/####/0dbaf9f571655329_0
- /data/data/####/0e4ddaff72746997_0
- /data/data/####/0e5f2483331567dd_0
- /data/data/####/0ff17275bac4523f_0
- /data/data/####/1158827bf0eed817_0 (deleted)
- /data/data/####/124ca80f5b513d0b_0
- /data/data/####/1569374541997.log
- /data/data/####/1a0ea66a486b8de4_0
- /data/data/####/1d5dc3417615f1d0_0
- /data/data/####/1dc13cadbef7ce95_0
- /data/data/####/1fca4bfe265a25cd_0
- /data/data/####/20a8f42e4680ae59_0
- /data/data/####/2146f9d5e97c743e_0
- /data/data/####/22e6d104ca8b87ef_0
- /data/data/####/271d821c4fa45877_0
- /data/data/####/29d7f35d8621bb98_0
- /data/data/####/2c234851d1300876_0
- /data/data/####/2f8ecc48aabcefb8_0
- /data/data/####/2f8ecc48aabcefb8_1
- /data/data/####/31289d198c2c988a_0
- /data/data/####/33a08c6ae0728d9f_0
- /data/data/####/33a33c381de7f0e4_0
- /data/data/####/34f220fbacf71d7e_0
- /data/data/####/376120001681e1e6_0
- /data/data/####/397d4cfe79d6b8e1_0
- /data/data/####/3c7de1ff2b3e08f0_0
- /data/data/####/3c7de1ff2b3e08f0_1
- /data/data/####/42df255c53762557_0
- /data/data/####/4495a6e1c4b6df92_0
- /data/data/####/45ad65b4a58f8da3_0
- /data/data/####/4880cb5d532371bdf2ca8636462944d2de5723a18cdd5f1....0.tmp
- /data/data/####/48a828ea954cfde6_0
- /data/data/####/502a4ba509849b67_0
- /data/data/####/52f2f2e9fd107916a0084f00c7af113b5bb1227ebf7e2ed....0.tmp
- /data/data/####/53b07dc9597c78d3_0
- /data/data/####/5513e33603170bc7_0
- /data/data/####/559aae9c45a5a896_0
- /data/data/####/560ae553e755a519_0
- /data/data/####/580a73277faf56fb_0
- /data/data/####/5bf175833da52064_0
- /data/data/####/5d2350969ffb5334_0
- /data/data/####/5e8f4b30cb00e4e6_0
- /data/data/####/646677a9bbe1e1b7_0
- /data/data/####/646677a9bbe1e1b7_1
- /data/data/####/64958e62bfcdd4f9_0
- /data/data/####/65a6a1a2a40015b5_0
- /data/data/####/666bf358d0afae64_0
- /data/data/####/67443c6e5ab445f2_0
- /data/data/####/67e776350b5c1ad7_0
- /data/data/####/6e60f1b0df571a3df9afdbcc9316a29fa409a9adeef66e3....0.tmp
- /data/data/####/713cc20aa2050641_0
- /data/data/####/7767cee988f0c108_0
- /data/data/####/781cfad164634669_0
- /data/data/####/789436e1794a7eee_0
- /data/data/####/7efabab91c67b807_0
- /data/data/####/880e6b91a99a2efd_0
- /data/data/####/89652eb53bd42975_0
- /data/data/####/9172321be76b1d78_0
- /data/data/####/9535725c5aaaa4ed_0
- /data/data/####/9959f4a9fa6e4ddf_0
- /data/data/####/9b36622ebbe1a490_0 (deleted)
- /data/data/####/9caeea9caaf518f5_0
- /data/data/####/9f49dc994c966b99_0
- /data/data/####/9f49dc994c966b99_1
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/Cookies-journal
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/ZlArtFile.db-journal
- /data/data/####/a4ff2ceddb076afc_0
- /data/data/####/a691ee40da138d3b_0
- /data/data/####/a691ee40da138d3b_1
- /data/data/####/aed344a728668ba6_0
- /data/data/####/b3535293cad46eb3_0
- /data/data/####/b450f7529dad4739_0
- /data/data/####/b450f7529dad4739_1
- /data/data/####/b74eeeae6fff107a_0
- /data/data/####/b9fd29313adbbcf3_0
- /data/data/####/bdbac52515777da6_0
- /data/data/####/c08edf5b120b56d6_0
- /data/data/####/c3446966fdec1424_0
- /data/data/####/c6be98d42b419ae8_0
- /data/data/####/c6be98d42b419ae8_1
- /data/data/####/c841bb7b0a4377db_0
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.oat
- /data/data/####/com.theaty.zhonglianart_preferences.xml
- /data/data/####/core_info
- /data/data/####/d14172d9426aa628_0
- /data/data/####/d1bfb99cc488e5f4_0
- /data/data/####/d1e31ca58e3f304f_0
- /data/data/####/d3ed02c93c87f69e_0
- /data/data/####/d3ed02c93c87f69e_1
- /data/data/####/d7b01bda4d076011_0
- /data/data/####/d7b01bda4d076011_1
- /data/data/####/dbb8ce195124e955_0
- /data/data/####/dca85c12a1ca6afa_0
- /data/data/####/dd5efb4148db1ad9_0
- /data/data/####/download_upload
- /data/data/####/e0e52cd022a75893_0
- /data/data/####/e15324c0de362cf5_0
- /data/data/####/e307a896bfb101b7_0
- /data/data/####/e307a896bfb101b7_1
- /data/data/####/e3bb351ec31fffd0_0
- /data/data/####/eb391eb1cfdfe989_0
- /data/data/####/ed4a7034ee0ce44f_0
- /data/data/####/ed4a7034ee0ce44f_1
- /data/data/####/eec29fec5506aee8_0
- /data/data/####/efec70b2eaa0f193_0
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f0f71d548b5e4897_0
- /data/data/####/fa1b93195d7e4fbeb67f561305de543e51c124084a35cc8....0.tmp
- /data/data/####/getui_sp.xml
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/libjiagu.so
- /data/data/####/metrics_guid
- /data/data/####/pgyersdk.xml
- /data/data/####/proc_auxv
- /data/data/####/push.pid
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/songqi_deliver_info.xml
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_config.xml.bak
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbs_pv_config
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/the-real-index
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- /system/bin/dex2oat --instruction-set=x86 --dex-file=<Package Folder>/.jiagu/classes.dex --dex-file=<Package Folder>/.jiagu/classes.dex:classes2.dex --dex-file=<Package Folder>/.jiagu/classes.dex:classes3.dex --oat-file=<Package Folder>/.jiagu/classes.oat --inline-depth-limit=0 --compiler-filter=speed
- getprop ro.product.cpu.abi
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS7Padding
- RSA-ECB-NoPadding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS7Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
