Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Backdoor.158.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) up####.sdk.jig####.cn:80
- TCP(HTTP/1.1) pic.w####.com:80
- TCP(HTTP/1.1) c####.woma####.com:80
- TCP(HTTP/1.1) imag####.woma####.com.####.com:80
- TCP(HTTP/1.1) loc.map.b####.com:80
- TCP(HTTP/1.1) trac####.m.woma####.####.com:80
- TCP(HTTP/1.1) w####.m.w####.####.com:80
- TCP(TLS/1.0) api.growi####.com:443
- TCP(TLS/1.0) fp.fraudme####.cn:443
- TCP(TLS/1.0) adt.x####.com:443
- TCP(TLS/1.0) s####.j####.cn:443
- TCP(TLS/1.0) tra####.appa####.com:443
- TCP(TLS/1.0) c####.x####.com:443
- TCP(TLS/1.0) cdn####.appa####.com:443
- TCP(TLS/1.0) m####.m.w####.com:443
- TCP(TLS/1.0) ssl.google-####.com:443
- TCP(TLS/1.0) t.growi####.com:443
- TCP(TLS/1.0) t####.growi####.com:443
- UDP s.j####.cn:19000
- TCP 1####.25.50.79:7006
Запросы DNS:
- adt.x####.com
- api.growi####.com
- c####.m.w####.com
- c####.m.w####.com
- c####.woma####.com
- c####.x####.com
- cdn####.appa####.com
- experi####.appa####.com
- fp.fraudme####.cn
- imag####.woma####.com
- imag####.woma####.com
- imag####.woma####.com
- loc.map.b####.com
- m####.m.w####.com
- mip.m.w####.com
- pic.w####.com
- s####.j####.cn
- s.j####.cn
- ssl.google-####.com
- t####.growi####.com
- t.growi####.com
- tra####.appa####.com
- trac####.m.woma####.com
- up####.sdk.jig####.cn
- w####.m.w####.com
Запросы HTTP GET:
- c####.woma####.com/bi/click.gif?t=####&c=####&p=####
- c####.woma####.com/bi/page.gif?t=####&c=####&p=####
- c####.woma####.com/mapi.gif?t=####&c=####&p=####
- imag####.woma####.com.####.com/g/120550012/1084527/0.18806353074989313.1...
- imag####.woma####.com.####.com/g/159397159/1072447/0.7436299208230076.扶贫...
- imag####.woma####.com.####.com/g/184641840/1083029/0.6673509785527987.牛奶...
- imag####.woma####.com.####.com/g/190278190/945736/0.5516020673163231.15....
- imag####.woma####.com.####.com/g/197997197/982557/0.31613328662414797.1-...
- imag####.woma####.com.####.com/g/225720225/982559/0.3708385586746764.2.png
- imag####.woma####.com.####.com/g/240624024/1067451/0.7889280066545886.ap...
- imag####.woma####.com.####.com/g/277858277/1083014/0.24410643942268984.精...
- imag####.woma####.com.####.com/g/311512311/1067383/0.1801907557954031.ap...
- imag####.woma####.com.####.com/g/344827344/945752/0.26384836379102916.17...
- imag####.woma####.com.####.com/g/350923035/1083013/0.5773924071821461.精品...
- imag####.woma####.com.####.com/g/386220386/1067414/0.3621606916560751.ap...
- imag####.woma####.com.####.com/g/401947401/976525/0.6437075647010956.券省&...
- imag####.woma####.com.####.com/g/401947401/976526/0.9691518702605414.券省&...
- imag####.woma####.com.####.com/g/425747425/982560/0.5525129758016533.2-2...
- imag####.woma####.com.####.com/g/480223048/1068954/0.5891803479108577.弹层...
- imag####.woma####.com.####.com/g/490359049/1067386/0.3229753576913701.ap...
- imag####.woma####.com.####.com/g/497148497/982564/0.9357082340553269.4.png
- imag####.woma####.com.####.com/g/507123507/631065/0.36131279913827685.未标...
- imag####.woma####.com.####.com/g/520784520/1067430/0.6557849440532545.ap...
- imag####.woma####.com.####.com/g/535825350/982566/0.5804635639558846.4-4...
- imag####.woma####.com.####.com/g/547948547/1067400/0.9983427795746965.ap...
- imag####.woma####.com.####.com/g/551792551/1067419/0.13842348684239836.a...
- imag####.woma####.com.####.com/g/680878068/1067427/0.18688968130523254.a...
- imag####.woma####.com.####.com/g/707297707/1067426/0.057535531096917114....
- imag####.woma####.com.####.com/g/715454715/1067425/0.506588401334458.app...
- imag####.woma####.com.####.com/g/729148729/1083015/0.9911021094283685.华东...
- imag####.woma####.com.####.com/g/740398740/1084514/0.7980299811959998.45...
- imag####.woma####.com.####.com/g/748345748/968568/0.9220336663703345.弹层透...
- imag####.woma####.com.####.com/g/764557764/1084509/0.660888887614288.粮油-...
- imag####.woma####.com.####.com/g/775580775/1084670/0.4451553936327971.11...
- imag####.woma####.com.####.com/g/776355776/1067515/0.26354129462872455.a...
- imag####.woma####.com.####.com/g/782348782/1085067/0.838618166066292.260...
- imag####.woma####.com.####.com/g/804138804/1085562/0.864320340893755.炭烤腰...
- imag####.woma####.com.####.com/g/815183815/1084541/0.33265623208126627.1...
- imag####.woma####.com.####.com/g/821716821/1083473/0.6579213070325362.10...
- imag####.woma####.com.####.com/g/837412837/1076996/0.5368888819939933.12...
- imag####.woma####.com.####.com/g/853464853/1067379/0.8836663336736045.ap...
- imag####.woma####.com.####.com/g/862721862/982563/0.6693010274985182.3-3...
- imag####.woma####.com.####.com/g/882807882/945729/0.41948985283678786.10...
- imag####.woma####.com.####.com/g/912396912/1084513/0.6054066312029944.横&...
- imag####.woma####.com.####.com/g/933735933/1067422/0.29102604584807956.a...
- imag####.woma####.com.####.com/g/937273937/1067516/0.5167600748136861.ap...
- imag####.woma####.com.####.com/g/940871940/1084116/0.30551296659713445.直...
- imag####.woma####.com.####.com/g/979952979/945731/0.9610651876572294.11....
- imag####.woma####.com.####.com/g/994291994/1067403/0.8844514705604776.ap...
- pic.w####.com/upload/601/602/10203672/683402/10840027_1_phone390_5118.png
- pic.w####.com/upload/601/602/66008/76340/10644427_1_phone390_7211.jpg
- pic.w####.com/upload/601/603/500122/10796632_1_phone390_1464.jpg
- pic.w####.com/upload/601/603/577111/10741846_0_phone390_3704.jpg
- pic.w####.com/upload/601/603/606/6060/6065/73000/690971/10900037_1_phone...
- pic.w####.com/upload/601/603/606/7100/7102/601226/10804304_1_phone314_25...
- pic.w####.com/upload/601/604/439208/10908427/10908427_1_phone390_5362.jpg
- trac####.m.woma####.####.com/piwik/piwik.php?uid=####&apiv=####&_idvc=##...
- w####.m.w####.####.com/capi/getBottomMenu_3.5.0_0.html
- w####.m.w####.####.com/capi/getBottomMenu_3.5.0_100.html
- w####.m.w####.####.com/cartActiveConf/getCartActiveInfo.action
- w####.m.w####.####.com/city/cities.json
- w####.m.w####.####.com/g/147374147/1067376/0.7759548612098014.app-icon-0...
- w####.m.w####.####.com/g/285733285/1073679/0.9823821699238963.工行十一信用A...
- w####.m.w####.####.com/g/370788037/1083703/0.22209618433924916.霸屏_02.gif
- w####.m.w####.####.com/g/454353454/1083018/0.8909894838774477.时�&...
- w####.m.w####.####.com/g/567614567/1067415/0.7702005332558358.app-icon-0...
- w####.m.w####.####.com/g/673906730/1073144/0.19644623521221904.新客.jpg
- w####.m.w####.####.com/g/677949677/1067449/0.30112378023674236.app-icon-...
- w####.m.w####.####.com/g/748345748/1024751/0.28980837821972216..弹层透明.png
- w####.m.w####.####.com/g/748345748/1175239/0.18326718041541767.弹层透明.png
- w####.m.w####.####.com/g/760569076/1083012/0.9918659511353538.精品推荐红薯.jpg
- w####.m.w####.####.com/g/766970766/1086090/0.2947685125263646.横�&...
- w####.m.w####.####.com/g/841898841/945728/0.15963848334731012.9.jpg
- w####.m.w####.####.com/g/899669899/982556/0.38326575109706007.1.png
- w####.m.w####.####.com/g/936386936/1067378/0.444024329490334.app-icon-02...
- w####.m.w####.####.com/g/945747945/982561/0.6148114573310302.3.png
- w####.m.w####.####.com/g/980996980/1083017/0.8554898425747021.跨境.jpg
- w####.m.w####.####.com/index/App_4.7.5_100_index.html?cityId=####&rc=###...
Запросы HTTP POST:
- loc.map.b####.com/offline_loc
- loc.map.b####.com/sdk.php
- up####.sdk.jig####.cn/v1/push/sdk/postlist
- w####.m.w####.####.com//getDataFromRedis/getNewOldUserPop.action
- w####.m.w####.####.com//user/signTips
- w####.m.w####.####.com/activitySpec/getAbleActivitysByPage.action
- w####.m.w####.####.com/address/getUpdatedAddressList.action
- w####.m.w####.####.com/api/flutter.action
- w####.m.w####.####.com/appfacility/saveAppFacility.action
- w####.m.w####.####.com/consult.action
- w####.m.w####.####.com/geo/getGeolocation
- w####.m.w####.####.com/getCartsProductTotalCount.action
- w####.m.w####.####.com/getaddress.action
- w####.m.w####.####.com/getunique.action
- w####.m.w####.####.com/home/homeProducts.action
- w####.m.w####.####.com/home/resourceProductsSimple.action
- w####.m.w####.####.com/indexTab/addUserTab.action
- w####.m.w####.####.com/indexTab/getList.action
- w####.m.w####.####.com/personal/getPersonalIndex.action
- w####.m.w####.####.com/prompt/searchOptimization.action
- w####.m.w####.####.com/redEggs/queryLists.action
- w####.m.w####.####.com/redPacket/getRedPacketInfo.action
- w####.m.w####.####.com/startPic/getStartPicHref.action
- w####.m.w####.####.com/state/appConfig.action
- w####.m.w####.####.com/tinker/tinkerPatch.action
- w####.m.w####.####.com/versionupgrade/getVersionUpgrade.action
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/.jg.store.report_cf
- /data/data/####/.td-3
- /data/data/####/00ca2b33-27a4-4634-b228-c227a51e4d98
- /data/data/####/0d697a78-96c6-4564-bce4-e6e6340cde78
- /data/data/####/1036f98d-dff8-42f2-8358-f4dc04630315
- /data/data/####/14d1b626-8eaf-498b-bc6e-f732170fc004
- /data/data/####/1572026876235_2218
- /data/data/####/1572026876369_2218
- /data/data/####/1572026876471_2218
- /data/data/####/1572026877004_2218
- /data/data/####/1572026878917_2218
- /data/data/####/31b2bf61f6826c22f56c9d6164a3fd192e1021ec920cfa5....0.tmp
- /data/data/####/39fd827337125960579532029ff5ad1be11b5d548f093fb....0.tmp
- /data/data/####/3a043ad637cdc03230e42c7e4147d13f28e9e3512808daa....0.tmp
- /data/data/####/62e39935234910147dac4ea7831a31b84c6f44418562ea7....0.tmp
- /data/data/####/68ebe766a84b3237684b6a524f8e336acfbd53231b036a6....0.tmp
- /data/data/####/69652c8dbd915c8f6b932d1f79724f54c197236c1ed6ded....0.tmp
- /data/data/####/95aabc0c56fc9c4f69489b4cc011f4d185f3c6334a97403....0.tmp
- /data/data/####/96b3c9497536a23349ab9a8ca8251f370678e496a8a113b....0.tmp
- /data/data/####/ADHOC_SHARED_PREFERENCE.xml
- /data/data/####/Archimedes_p1
- /data/data/####/Archimedes_p2
- /data/data/####/Archimedes_p3
- /data/data/####/Archimedes_p4
- /data/data/####/Archimedes_p5
- /data/data/####/JPushSA_Config.xml
- /data/data/####/MultiDex.lock
- /data/data/####/TD_app_pefercen_profile.xml
- /data/data/####/TDpref_cloudcontrol2.xml
- /data/data/####/TDpref_longtime.xml
- /data/data/####/TDpref_longtime1.xml
- /data/data/####/TDpref_shorttime.xml
- /data/data/####/TDpref_shorttime1.xml
- /data/data/####/appPackageNames_v2
- /data/data/####/areadb.db
- /data/data/####/areadb.db-journal
- /data/data/####/b501ff24-940b-4cd7-b067-6896bf1485ed
- /data/data/####/bc959479f72d09f8170b97396cacbcc06f36de49a69ec81....0.tmp
- /data/data/####/bd6a018c6f75f3389b761f18e1cfd37713bc759248b0840....0.tmp
- /data/data/####/c2061779516d9efebb732edcb53295b6f2bab83dd43ca73....0.tmp
- /data/data/####/c99deac7dd1b661c8ae4e84eccdf00e263d6f31fcaca4ff....0.tmp
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/com.google.android.gms.analytics.prefs.xml
- /data/data/####/d5fee35cda51115829aae36c7bef0fffb641b18df4bb33c....0.tmp
- /data/data/####/d9044b0bd379f402f3352cab706fe5eb609ea48556a90c6....0.tmp
- /data/data/####/da462bc29148e6989915231408be48b9115a73d1ba76757....0.tmp
- /data/data/####/db841748b91c5d05d30ed043780ff2389689998360b0929....0.tmp
- /data/data/####/de264a54-0d4b-430d-ae97-0f6d8d6a2c42
- /data/data/####/de2ab65efe3ff9e1b03f682d04ef064e23bdfb6ebdb05a0....0.tmp
- /data/data/####/e8815b1d1c9f584133e6df090a5881ae791bcb9397ad874....0.tmp
- /data/data/####/ee931cc59f1b54061b0b80b9642a167f0a294b5fc2865d8....0.tmp
- /data/data/####/eeb3c3f5673ff7da13347f21b5bd4038756c786b3b5a5b4....0.tmp
- /data/data/####/f08fe47cba49b491bd03acfc3f448515342d7e0ac049e20....0.tmp
- /data/data/####/fb36ee8b0a2816b67cf4d2209036e8e977ceedce787d492....0.tmp
- /data/data/####/firll.dat
- /data/data/####/fm_shared.xml
- /data/data/####/gaClientId
- /data/data/####/google_analytics_v4.db-journal
- /data/data/####/growing.db
- /data/data/####/growing.db-journal
- /data/data/####/growing_ecsid.xml
- /data/data/####/growing_persist_data.xml
- /data/data/####/growing_profile.xml
- /data/data/####/growing_server_pref.xml
- /data/data/####/increment_cache_filecom.womai
- /data/data/####/iv
- /data/data/####/journal.tmp
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_stat_cache.json
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_statistics.db
- /data/data/####/jpush_statistics.db-journal
- /data/data/####/jpush_statistics.db-shm (deleted)
- /data/data/####/jpush_statistics.db-wal
- /data/data/####/libjiagu-1283831632.so
- /data/data/####/multidex.version.xml
- /data/data/####/ofl.config
- /data/data/####/ofl_location.db
- /data/data/####/ofl_location.db-journal
- /data/data/####/ofl_statistics.db
- /data/data/####/ofl_statistics.db-journal
- /data/data/####/org.piwik.sdk.xml
- /data/data/####/salt
- /data/data/####/shortcut.xml
- /data/data/####/tdid.xml
- /data/data/####/womai_bi_data.xml
- /data/data/####/womai_db_cache
- /data/data/####/womai_db_cache-journal
- /data/data/####/womai_share_config.xml
- /data/media/####/.cuid
- /data/media/####/.nomedia
- /data/media/####/.push_deviceid
- /data/media/####/conlts.dat
- /data/media/####/ller.dat
- /data/media/####/ls.db
- /data/media/####/ls.db-journal
- /data/media/####/test.0
- /data/media/####/yoh.dat
- /data/media/####/yol.dat
- /data/media/####/yom.dat
Другие:
Запускает следующие shell-скрипты:
- getprop
- getprop net.dns1
Загружает динамические библиотеки:
- jcore120
- libjiagu-1283831632
- locSDK6a
- tongdun
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS7Padding
- DESede
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-ECB-NoPadding
- DESede
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Получает информацию о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
