Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) large####.c####.l####.####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) sm.dd####.com:80
- TCP(HTTP/1.1) et2-na6####.wagbr####.ali####.####.com:80
- TCP(TLS/1.0) dualsta####.wagbr####.ali####.####.com:443
Запросы DNS:
- l####.tbs.qq.com
- log.u####.com
- plb####.u####.com
- q####.dd####.com
- s####.u####.com
- sm.dd####.com
- u####.u####.com
Запросы HTTP GET:
- et2-na6####.wagbr####.ali####.####.com/bar/get/5719c8efe0f55a55cf000456/...
- large####.c####.l####.####.com//media//gods/wzsx3.png
- large####.c####.l####.####.com//media//photo/200714/63d64a2c-69fe-4888-b...
- large####.c####.l####.####.com//media//photo/200725/47df418f-6532-4a74-9...
- large####.c####.l####.####.com//media//photo/200729/c4de51b3-d6e8-4e15-b...
- large####.c####.l####.####.com//media/180523/180523140426470.png
- large####.c####.l####.####.com//media/2018-07-19180719185640651.jpg
- large####.c####.l####.####.com//media/2018-08-24180824092600742.jpg
- large####.c####.l####.####.com//media/2020-05-04200504020636473.jpg
- large####.c####.l####.####.com//media/2020-05-18200518181320756.jpg
- large####.c####.l####.####.com//media/2020-06-22200622110712322.jpg
- large####.c####.l####.####.com//media/2020-06-28200628132113778.jpg
- large####.c####.l####.####.com//media/artwork/180428/1718171cli_a_171818...
- large####.c####.l####.####.com//media/artwork/180503/2323154cli_a_232302...
- large####.c####.l####.####.com//media/default/img_gongshen.png
- large####.c####.l####.####.com//media/default/img_haoyouhebazi.png
- large####.c####.l####.####.com//media/default/trialimg.png
- large####.c####.l####.####.com//media/images/img_baziyunshi.png
- large####.c####.l####.####.com//media/photo/180321/122cbf5c-7387-4544-ad...
- large####.c####.l####.####.com//media/photo/180704/216639f5-ee6f-41a3-90...
- large####.c####.l####.####.com//media/photo/180704/a97274ef-5193-4355-88...
- large####.c####.l####.####.com//media/photo/180716/c90547c4-9ef4-4900-84...
- large####.c####.l####.####.com//media/photo/200803/97b1c7a6-e09c-4bac-b1...
- large####.c####.l####.####.com/media/artwork/180428/1718171cli_a_1718183...
- large####.c####.l####.####.com/media/artwork/180503/2323154cli_a_2323028...
- large####.c####.l####.####.com/media/gods/wzsx3.png
- large####.c####.l####.####.com/media/images/img_baziyunshi.png
- large####.c####.l####.####.com/media/main/bzpp.png
- large####.c####.l####.####.com/media/main/xykt.png
- large####.c####.l####.####.com/media/main/zbzq.png
- large####.c####.l####.####.com/media/main/zwds.png
- large####.c####.l####.####.com/media/main/zyqg.png
- large####.c####.l####.####.com/media/photo/180321/122cbf5c-7387-4544-ad5...
- large####.c####.l####.####.com/media/photo/180427/6fcdf59e-1261-4433-80d...
- large####.c####.l####.####.com/media/photo/180428/218abba3-03a0-441d-b22...
- large####.c####.l####.####.com/media/photo/180428/815de8d4-6bd6-428d-84c...
- large####.c####.l####.####.com/media/photo/180428/e72664db-bab1-4df9-bae...
- large####.c####.l####.####.com/media/photo/180428/f27ae019-4225-4dce-93d...
- large####.c####.l####.####.com/media/photo/180515/0c719a91-72b3-4a20-ad3...
- large####.c####.l####.####.com/media/photo/180515/0d1dbda0-3baa-4ec5-960...
- large####.c####.l####.####.com/media/photo/180704/216639f5-ee6f-41a3-90f...
- large####.c####.l####.####.com/media/photo/180704/a97274ef-5193-4355-884...
- large####.c####.l####.####.com/media/photo/180716/c90547c4-9ef4-4900-84b...
- large####.c####.l####.####.com/media/photo/200714/63d64a2c-69fe-4888-b26...
- large####.c####.l####.####.com/media/photo/200725/47df418f-6532-4a74-9a9...
- large####.c####.l####.####.com/media/photo/200729/c4de51b3-d6e8-4e15-b59...
- large####.c####.l####.####.com/media/photo/200803/97b1c7a6-e09c-4bac-b1b...
- large####.c####.l####.####.com/media/sm/191101/191101145132851.png
- large####.c####.l####.####.com/media/sm/191118/191118141732943.png
- large####.c####.l####.####.com/media/sm/200313/200313101300247.jpg
- large####.c####.l####.####.com/media/sm/200727/200727110903283.png
- large####.c####.l####.####.com/media/sm/200803/200803120000569.png
- sm.dd####.com/sm/android_client_update.html?online=####&uid_must=####&pr...
- sm.dd####.com/sm/appuser/getUser?online=####&uid_must=####&providername=...
- sm.dd####.com/sm/appuser/isperfecgold.html?online=####&userid=####&uid_m...
- sm.dd####.com/sm/appuser/mychangevalue?online=####&uid_must=####&provide...
- sm.dd####.com/sm/askquestion/mainnew?online=####&uid_must=####&providern...
- sm.dd####.com/sm/cartoon/screen?online=####&uid_must=####&providername=#...
- sm.dd####.com/sm/data/gettime?online=####&uid_must=####&providername=###...
- sm.dd####.com/sm/live/main?online=####&uid_must=####&providername=####&u...
- sm.dd####.com/sm/master/list?online=####&uid_must=####&providername=####...
- sm.dd####.com/sm/masterques/mqtype?type=####&clientType=####&versionCode...
- sm.dd####.com/sm/newselftest/zncsnew?online=####&uid_must=####&providern...
- sm.dd####.com/sm/testuser/testuserlist.html?appuserId=####&online=####&u...
Запросы HTTP POST:
- l####.tbs.qq.com/ajax?c=####&k=####
- sm.dd####.com/sm/and_clt_au.html
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/07bdd1bdc091ac33511cc6a09783b96b403534b742e831e....0.tmp
- /data/data/####/0b35744d72553846029465ecd114adf23c4d94e991cf2ee....0.tmp
- /data/data/####/0d5d9a512a6e27fb88f9952f7b40e172eee3c453ceb828a....0.tmp
- /data/data/####/1596495361162.log
- /data/data/####/19cef58bcbc67b8672b027d22de0cabdb54bbb2dcf60be7....0.tmp
- /data/data/####/21d7e597639d19e1106cd2d1c752983b482f73a5635270e....0.tmp
- /data/data/####/2e353cb3c41ef0f0e56f62730dd3bfbc45d61d634dee948....0.tmp
- /data/data/####/2e6a01e28c50c50963e90585de93aaaf6a878d49ac3b4de....0.tmp
- /data/data/####/30c35d34c825d148bd97af1fe8893529d2b1ac7f01cbc9f....0.tmp
- /data/data/####/32aaa9ffce8c0b8e1b4b0169bedd09fe39cf2be84303383....0.tmp
- /data/data/####/335b2584f81a8c280e98f15c684eefd84a50df323813d0e....0.tmp
- /data/data/####/3731b4e88cafa15db91242e0500804e219b00ebe52f8143....0.tmp
- /data/data/####/464cc65de08267405493c9af9ef513d1cb5bbdddd085f71....0.tmp
- /data/data/####/4b359c8d0b04fb54709f269ea566fa86dcc4f8316da8386....0.tmp
- /data/data/####/6058bae833bc4e788d9d1c73730a913585f1570375a517b....0.tmp
- /data/data/####/62e7383e5df9525eca9c6fc74d3032efd5592e2477a52dd....0.tmp
- /data/data/####/72de6906558a99f9d72d81f276f9b6e5bdc1584211135e2....0.tmp
- /data/data/####/76efe1e7598570dc8257cacc21aa7601eb60b86326b7f39....0.tmp
- /data/data/####/9294e15a9e23898777b153baace334494b669842e883cf8....0.tmp
- /data/data/####/97f1263699f4b51a432c257980e58b2899e3a3f9c77ca75....0.tmp
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/L3VtcHhfZXJyb3JzXzE1OTY0OTUzNjcwMDU=;
- /data/data/####/MultiDex.lock
- /data/data/####/a1f56d3799ee5ffc1e41b3e53574f3256b5fce9b7fe78c5....0.tmp
- /data/data/####/a97b1aadb1a99a27a6bd1f61b700d28d19c11d8fd78b4e4....0.tmp
- /data/data/####/aa8f806f09ee633049f9b7b753aa27786936eba2e90b7cd....0.tmp
- /data/data/####/b45103f2ac1bbba30097cfb6a00fe061433a2b047cca3e5....0.tmp
- /data/data/####/b65de80d33bf6734fb607a768a3cfa993be1d6714e40cf4....0.tmp
- /data/data/####/c11b3d726e823abc06480ced365de39e5790c9d22a2e6ac....0.tmp
- /data/data/####/c124bd9a5c613c0608b778d3d9f32b5ac1d5f1e7cc92ac7....0.tmp
- /data/data/####/c6b836cc850da20142b43b03fdc5a20d286d95be1685551....0.tmp
- /data/data/####/c8855a33f34128a9fd4eb8679e56a3be0e22c0877ee6e87....0.tmp
- /data/data/####/client_preferences.xml
- /data/data/####/core_info
- /data/data/####/d5bab5f97c250bf70de15ecf8abee76be21d5754767302a....0.tmp
- /data/data/####/d6c6b765920bc82feecd039c60853153384aafe5a2af018....0.tmp
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTk2NDk1MzYyNTU5;
- /data/data/####/db8ecf7e20e66de6c36f12224c855694f0b47a965a034ba....0.tmp
- /data/data/####/db_float_desk
- /data/data/####/db_float_desk-journal
- /data/data/####/e213db78b42b9882b90e78daf5e1a4ed1ac000401165d07....0.tmp
- /data/data/####/ee916c43d7f9c6a374eddeb40edc13266b60c1560ed44bc....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f1505568ca7fced2a967c4242cd7483b7243ee6143c093f....0.tmp
- /data/data/####/f2f1a6c850e2c29c278bcf72157a801d8b59d44d1205fbe....0.tmp
- /data/data/####/f650e1215c9f544517cb4d7277c6554c608d7d1d177ad9a....0.tmp
- /data/data/####/fd8292ac12a250db158a09a5797eb3a14cb75973daff842....0.tmp
- /data/data/####/i==1.2.0&&2.6.2_1596495362614_envelope.log
- /data/data/####/imei.xml
- /data/data/####/info.xml
- /data/data/####/journal.tmp
- /data/data/####/libjiagu.so
- /data/data/####/multidex.version.xml
- /data/data/####/sm_update.xml
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/data/####/umexecption.json
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.nomedia
- /data/media/####/.umm.dat
- /data/media/####/200313101300247.jpg
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/getMainSelectionTest$d$d$d$1062774$g$g$g$
- /data/media/####/getMainViewData$d$d$d$1062774$g$g$g$0,0
- /data/media/####/getRelaxFunHomeData$d$d$d$0$g$g$g$
- /data/media/####/getTestUserList$d$d$d$1062774$g$g$g$1
- /data/media/####/getTotalRankings$d$d$d$0$g$g$g$
- /data/media/####/journal
- /data/media/####/journal.tmp
- /data/media/####/key_cache_version
- /data/media/####/sysid.dat
- /data/media/####/tbslog.txt
- /data/media/####/wzsx3.png
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.product.cpu.abi
- ls /
- ls /sys/class/thermal
Загружает динамические библиотеки:
- libjiagu
- umeng_error_catch
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- RSA-ECB-NoPadding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
