Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Gexin.1
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) cdn-sdk####.g####.com.####.com:80
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) a####.goos####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) a1.eas####.com:80
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) sdk-ope####.g####.com:80
- TCP(HTTP/1.1) www.eas####.com:80
- TCP(HTTP/1.1) d####.c####.l####.####.com:80
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.0) 1####.177.126.95:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) md####.google####.com:443
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.2) 1####.177.126.95:443
- TCP(TLS/1.2) 1####.177.126.94:443
- TCP(TLS/1.2) 1####.177.96.113:443
- TCP cm-1####.g####.com:5227
- TCP sdk.o####.t####.####.com:5224
Запросы DNS:
- 7j####.c####.z0.####.com
- a####.goos####.com
- a####.u####.com
- a1.eas####.com
- and####.cli####.go####.com
- and####.google####.com
- android####.go####.com
- api####.a####.com
- c-h####.g####.com
- cdn-sdk####.g####.com
- cm-1####.g####.com
- cm-1####.g####.com
- instant####.google####.com
- log.u####.com
- m####.go####.com
- md####.google####.com
- p####.google####.com
- res####.a####.com
- s####.u####.com
- s####.u####.com.####.8
- sdk-ope####.g####.com
- sdk.c####.g####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- www.eas####.com
- www.google####.com
Запросы HTTP GET:
- a####.goos####.com/upload/Advertise/20151105104714kCWuBDZM_300x210.jpg
- a####.goos####.com/upload/Advertise/20151214134751nZx5QvqX_300x210.jpg
- a####.goos####.com/upload/Advertise/20151214134932ZT39EwGa_300x210.jpg
- a####.goos####.com/upload/Advertise/20151214134957imKhhsnv_300x210.jpg
- a####.goos####.com/upload/Advertise/20151214135418kKCxhEG9_300x210.jpg
- a####.goos####.com/upload/Advertise/20151214135427qTMy9PdX_300x210.jpg
- a####.goos####.com/upload/Advertise/20151214135527GfKjY3Jh_300x210.jpg
- a####.goos####.com/upload/Advertise/20151226135548CB97fEqN_300x210.jpg
- a####.goos####.com/upload/Advertise/20160104135717BaUkFvri_300x210.png
- a####.goos####.com/upload/Advertise/20160105075111zFtqTzn7_300x210.png
- a####.goos####.com/upload/Advertise/20170213112635rzTE1Drb_600x300.png
- a####.goos####.com/upload/Advertise/20170303161057mT3jASTg_300x210.jpg
- a####.goos####.com/upload/Advertise/201703031611058umkBmn1_300x210.jpg
- a####.goos####.com/upload/Advertise/20170528145522ReMHStGq_300x210.jpg
- a####.goos####.com/upload/Advertise/20170620154854G3gVA3gU_600x300.png
- a####.goos####.com/upload/Advertise/20170712095300dUI8YFm9_300x210.png
- a####.goos####.com/upload/Advertise/20190420162418IE159CyH_600x300.jpg
- a####.goos####.com/upload/Advertise/20190420162624Cgr6zUTv_300x210.jpg
- a####.goos####.com/upload/Community/13308435525/20190511171304N9QwUY6u_3...
- a####.goos####.com/upload/Community/15006473853/201711092004527vJRUfqF_3...
- a####.goos####.com/upload/Community/15572223669/20190802114845iBWk7nfQ_3...
- a####.goos####.com/upload/Community/16621158215/20190713131055ud9avHmE_3...
- a####.goos####.com/upload/Community/18759556066/20190722111930SARkciie_3...
- a####.goos####.com/upload/Product/20161117150318f6IXgsFy_300x210.jpg
- a####.goos####.com/upload/SellBuy/13645967199/20200401200018TVpAruwf_300...
- a####.goos####.com/upload/SellBuy/15572228666/20190708221002RMdvpkRL_300...
- a####.goos####.com/upload/SellBuy/18871131333/20190507173411jbwPQEGx_300...
- a####.goos####.com/upload/scpic/sczx21/201510280713wzndlgui3jm_300x210.jpg
- a####.goos####.com/upload/scpic/sczx21/201510282150xebswenn033_300x210.jpg
- a####.goos####.com/upload/scpic/sczx21/201510283531enb23wffcur_300x210.jpg
- a####.goos####.com/upload/scpic/sczx21/201510284415gpobdcqhuuq_300x210.jpg
- a####.goos####.com/upload/scpic/sczx21/201510285349hihfiu54e0i_300x210.jpg
- a####.goos####.com/upload/user/201172517460183_300x210.jpg
- a####.goos####.com/version/version.json
- cdn-sdk####.g####.com.####.com/tdata_wyu452
- d####.c####.l####.####.com/config/hzv9.conf
- sdk.o####.p####.####.com/api/addr.htm
- ti####.c####.l####.####.com/tdata_VrM483
- www.eas####.com/easemob/server.xml?sdk_version=####&app_key=####&file_ve...
Запросы HTTP POST:
- a####.goos####.com/APP/AppSecAdvertiseController.do?getList####
- a####.goos####.com/APP/AppSecAdvertiseController.do?getList####&ADModel=...
- a####.goos####.com/APP/AppSecCommunity.do?getList####
- a####.goos####.com/APP/AppSecDicController.do?getDic####
- a####.goos####.com/APP/AppSecNewsController.do?getList####
- a####.goos####.com/APP/AppSecProductController.do?getList####
- a####.goos####.com/APP/AppSecSellBuyController.do?getList####
- a####.u####.com/app_logs
- a1.eas####.com/1127161026178028/stoneapp/devices
- c-h####.g####.com/api.php?format=####&t=####
- res####.a####.com/v3/log/init
- sdk-ope####.g####.com/api.php?format=####&t=####
- sdk-ope####.g####.com/api.php?format=####&t=####&d=####&k=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/1587798016111.log
- /data/data/####/ParseOfflineStore
- /data/data/####/ParseOfflineStore-journal
- /data/data/####/applicationId
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/classes.dex
- /data/data/####/classes2.dex
- /data/data/####/com.jm.stone.activity_preferences.xml
- /data/data/####/db
- /data/data/####/db-journal
- /data/data/####/device_id.xml.xml
- /data/data/####/dynamicamapfile.db
- /data/data/####/dynamicamapfile.db-journal
- /data/data/####/easemob.sdk.pref.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/init.pid
- /data/data/####/init_c.pid
- /data/data/####/libjiagu.so
- /data/data/####/log.umsns.com.443
- /data/data/####/profile
- /data/data/####/push.pid
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/tdata_wyu452
- /data/data/####/tdata_wyu452.dex
- /data/data/####/tdata_wyu452.dex.flock (deleted)
- /data/data/####/tdata_wyu452.jar
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/media/####/000.html
- /data/media/####/01cf96c4c067a3d0bfaca4056d4bf58be8a5cc0cbf4fbd....0.tmp
- /data/media/####/09071f585b7ceddc757b767a8b73a5a9076345c9655567....0.tmp
- /data/media/####/0e9fb5f2a8fa4363b0a3f877b24f039030316e72dde9a0....0.tmp
- /data/media/####/1b80961288573435de0d0d670ba8e91efe49fc9c20bfd8....0.tmp
- /data/media/####/2174c0010ce43a1886fb566c5740316bd81f87ca51211e....0.tmp
- /data/media/####/2743d0e699455db4fa9b4a2b4b64c3023aceeee6347cee....0.tmp
- /data/media/####/2f6c43cb273a2a10d42dfe99728ab6067e8508946513dd....0.tmp
- /data/media/####/3883fde949aa73c693c2901695f7634021fce2f21a0a2f....0.tmp
- /data/media/####/44293dbfee72149fe8e006a707b025a423fa7ce162bad8....0.tmp
- /data/media/####/601baf7c1234c0d6f75fd5fc7e8acc25fa0fe360f7db00....0.tmp
- /data/media/####/6c02c54c0ce201562ff38fcecefb5274118737c73b8387....0.tmp
- /data/media/####/7342973a44c7b1a6248f18a60f7168b0b33ff1186c045f....0.tmp
- /data/media/####/739a22dff072eb2a5d6c3bd3e4c45630377c8c2608bc07....0.tmp
- /data/media/####/76c88489039fd78749508bd9068f4c0c21a8143011b0f8....0.tmp
- /data/media/####/7a83baf174e6e394902f4ea68deede7c2350a242de04ee....0.tmp
- /data/media/####/800e01d777e6f617e58edd3c068982e95b84c837520031....0.tmp
- /data/media/####/8374a2e94046be0b13bbb5a8fc81e31869e45ff50dc6fa....0.tmp
- /data/media/####/9a219c3aff12c489515a31c656c9b0d15ace408727b704....0.tmp
- /data/media/####/a2332f022a9614bf593746048c9492bc42fc2d6fe68441....0.tmp
- /data/media/####/a2f385975138cb656297240b948c275595c1cd2d33be7f....0.tmp
- /data/media/####/a61468d47ccead54bee7724a41aa4899c60ab7e3dd1ed7....0.tmp
- /data/media/####/af6faa29d92439092e707ce7cdbb8b66d063c42a1ac4a9....0.tmp
- /data/media/####/app.db
- /data/media/####/c04a38b5859a9c2af220af8514eb6d0bc53a40bd712b62....0.tmp
- /data/media/####/c56b6cc38b6c0baa88afa739702c0508bf374ea17528a5....0.tmp
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.jm.stone.activity.db
- /data/media/####/d7953e52eb6fe3d62642a4109c53cc9194ce7676369f93....0.tmp
- /data/media/####/d8992deba88cbecb3a4e8dab52dfda50c575ce011d0b51....0.tmp
- /data/media/####/e2d536103c97f1daea2d0f6d5afd6b21ff31ddf3ecf596....0.tmp
- /data/media/####/e49e346255a517a3bce8ca017e4b78a1a9a0f99e2c87aa....0.tmp
- /data/media/####/e62ad5579b97706e1c6f52680657e888f4a215728c261e....0.tmp
- /data/media/####/ea4a03fa0bbf77954aab94a22aa07379e9c125ba5f2535....0.tmp
- /data/media/####/f967fb497ec771509a9be433fa9abfd2ca0355e48316ff....0.tmp
- /data/media/####/fc8f03b945d786a3299f7cde4b803fec28670f3ce1f2bc....0.tmp
- /data/media/####/fcd1834a305d7eddd734332ddf23ab22fd142e9df7f9d9....0.tmp
- /data/media/####/journal (deleted)
- /data/media/####/journal.tmp
- /data/media/####/tdata_wyu452
Другие:
Запускает следующие shell-скрипты:
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/tdata_wyu452.jar --oat-fd=61 --oat-location=/data/user/0/<Package>/files/tdata_wyu452.dex --compiler-filter=speed
- chmod 755 /data/user/0/<Package>/.jiagu/libjiagu.so
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- AES-CFB-NoPadding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CFB-NoPadding
- AES-ECB-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
