Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.3.origin
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) a####.map.b####.com:80
- TCP(HTTP/1.1) api.map.b####.com:80
- TCP(HTTP/1.1) s####.tj####.com:8980
- TCP(HTTP/1.1) d####.c####.l####.####.com:80
- TCP(HTTP/1.1) 1####.200.85.137:8080
- TCP(HTTP/1.1) s####.tj####.com:9999
- TCP(TLS/1.0) api.map.b####.com:443
- TCP(TLS/1.0) m####.b####.com:443
- TCP(TLS/1.0) c####.net:443
- TCP(TLS/1.0) dl####.b####.com.####.com:443
- TCP(TLS/1.0) md####.google####.com:443
- TCP(TLS/1.0) ser####.dc####.net.cn:443
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.2) 1####.250.27.100:443
- TCP(TLS/1.2) 1####.250.102.94:443
- TCP(TLS/1.2) md####.google####.com:443
- TCP sdk.o####.t####.####.com:5224
Запросы DNS:
- a####.map.b####.com
- android####.go####.com
- api.map.b####.com
- c####.net
- c-h####.g####.com
- cm-1####.g####.com
- cm-1####.g####.com
- dl####.b####.com
- m####.b####.com
- md####.google####.com
- s####.serv####.moz####.com
- s####.tj####.com
- sdk.c####.g####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- ser####.dc####.net.cn
- st####.dc####.net.cn
Запросы HTTP GET:
- a####.map.b####.com/getmodules?v=####&t=####&mod=####&seckey=####
- api.map.b####.com/?qt=####&v=####&ak=####&callback=####&seckey=####
- api.map.b####.com/images/blank.gif?product=####&sub_product=####&v=####&...
- api.map.b####.com/location/ip?qt=####&coor=####&ak=####&timeout=####&cal...
- d####.c####.l####.####.com/config/hzv9.conf
- s####.tj####.com:8980/upload/yx_garage_identification/20180305170728774....
- s####.tj####.com:8980/upload/yx_garage_identification/20180331111555286....
- s####.tj####.com:8980/upload/yx_garage_identification/20180403134801015....
- s####.tj####.com:8980/upload/yx_garage_identification/20180530175616925....
- s####.tj####.com:8980/upload/yx_garage_identification/20180823132049969....
- s####.tj####.com:8980/upload/yx_garage_identification/20180823155653915....
- s####.tj####.com:8980/upload/yx_garage_identification/20191120143931010....
- s####.tj####.com:8980/upload/yx_garage_identification/20191120155336399....
- s####.tj####.com:8980/upload/yx_garage_identification/20191120161958019....
- s####.tj####.com:9999//upload/advertisement/20190124160156746.jpg
- s####.tj####.com:9999//upload/advertisement/20190124162023143.png
- s####.tj####.com:9999//upload/advertisement/20190124162035897.png
- s####.tj####.com:9999//upload/advertisement/20190124162045985.png
- s####.tj####.com:9999//upload/advertisement/20200120093855776.jpg
- s####.tj####.com:9999//upload/advertisement/20200120103622854.jpg
- s####.tj####.com:9999//upload/advertisement/20200723102144488.jpg
- s####.tj####.com:9999/System/clientInfo?appid=####&token=####&clientId=#...
- s####.tj####.com:9999/System/webrootpath
- s####.tj####.com:9999/content/appContentD/01_carArchives.html?appkey=###...
- s####.tj####.com:9999/content/appContentD/01_index.html?appkey=####&appi...
- s####.tj####.com:9999/content/appContentD/01_my.html?appkey=####&appid=#...
- s####.tj####.com:9999/content/appContentD/btnDemo.html
- s####.tj####.com:9999/content/appContentD/css/iconfont.css
- s####.tj####.com:9999/content/appContentD/css/icons-extra.css
- s####.tj####.com:9999/content/appContentD/css/index.css
- s####.tj####.com:9999/content/appContentD/css/mui.min.css
- s####.tj####.com:9999/content/appContentD/css/orange.css
- s####.tj####.com:9999/content/appContentD/fonts/iconfont.ttf
- s####.tj####.com:9999/content/appContentD/fonts/mui.ttf
- s####.tj####.com:9999/content/appContentD/images/1024x768a0a0.png
- s####.tj####.com:9999/content/appContentD/images/dengchang.png
- s####.tj####.com:9999/content/appContentD/images/dengchang2.png
- s####.tj####.com:9999/content/appContentD/images/dengchang3.png
- s####.tj####.com:9999/content/appContentD/images/ditu.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/baoyang.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/daifu.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/dangan.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/dengpao.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/hezuo.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/hongniu.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/huangguan.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/shopping_o2o.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/sos1.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/xinwen.png
- s####.tj####.com:9999/content/appContentD/images/icon-png/yuyue.png
- s####.tj####.com:9999/content/appContentD/images/icon_car.jpg
- s####.tj####.com:9999/content/appContentD/images/integral/icon_indexActi...
- s####.tj####.com:9999/content/appContentD/images/m_header.png
- s####.tj####.com:9999/content/appContentD/images/search.png
- s####.tj####.com:9999/content/appContentD/js/common.js
- s####.tj####.com:9999/content/appContentD/js/common_ex.js
- s####.tj####.com:9999/content/appContentD/js/getLocation.js
- s####.tj####.com:9999/content/appContentD/js/integration/communityShop.js
- s####.tj####.com:9999/content/appContentD/js/jquery.base64.js
- s####.tj####.com:9999/content/appContentD/js/jquery.min.2.2.2.js
- s####.tj####.com:9999/content/appContentD/js/lonum.js
- s####.tj####.com:9999/content/appContentD/js/mui.min.js
- s####.tj####.com:9999/content/appContentD/js/redDot.js
- s####.tj####.com:9999/content/appContentD/js/vue.js
- s####.tj####.com:9999/content/appContentD/pages/carArchives/css/carArchi...
- s####.tj####.com:9999/content/appContentD/pages/doctor/base/css/common.css
- s####.tj####.com:9999/content/appContentD/pages/doctor/base/css/index.css
- s####.tj####.com:9999/content/appContentD/pages/doctor/base/js/auto.js
- s####.tj####.com:9999/content/appContentD/pages/doctor/base/js/com.rgspa...
- s####.tj####.com:9999/content/appContentD/pages/doctor/base/js/jquery-2....
- s####.tj####.com:9999/content/appContentD/pages/doctor/css/doctor_list.css
- s####.tj####.com:9999/content/appContentD/pages/doctor/css/mui.min.css
- s####.tj####.com:9999/content/appContentD/pages/doctor/images/list_banne...
- s####.tj####.com:9999/content/appContentD/pages/doctor/images/list_searc...
- s####.tj####.com:9999/content/appContentD/pages/doctor/images/list_tiwen...
- s####.tj####.com:9999/content/appContentD/pages/doctor/page/doctorlist.h...
- s####.tj####.com:9999/content/appContentD/pages/my/css/my.css
- s####.tj####.com:9999/content/appContentD/pages/my/images/makeAppointmen...
- s####.tj####.com:9999/content/appContentD/pages/my/images/makesos.png
- s####.tj####.com:9999/content/appContentD/pages/my/images/xiaoqiche.png
- s####.tj####.com:9999/content/appContentD/pages/my/js/my.js
- s####.tj####.com:9999/content/appContentD/redDot.html
- s####.tj####.com:9999/content/images/offical/dengpao.png
- s####.tj####.com:9999/content/images/offical/xinwen.png
- s####.tj####.com:9999/favicon.ico
- sdk.o####.p####.####.com/api/addr.htm
Запросы HTTP POST:
- ser####.dc####.net.cn:443/advert/splash
- ser####.dc####.net.cn:443/collect/plusapp/startup
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imei.txt
- /data/data/####/.jg.ic
- /data/data/####/.jgck
- /data/data/####/00c9e3e5d6cdf4b1_0
- /data/data/####/07774be2f0cb978a_0
- /data/data/####/07a1c628ab93ba9b_0
- /data/data/####/0970d74e5bb08d5a_0
- /data/data/####/0d16b3a7444b02ca_0
- /data/data/####/0d16b3a7444b02ca_1
- /data/data/####/0f4ad94e4e488835_0
- /data/data/####/0f6bbe6b0ee7a6f7_0
- /data/data/####/0ff1a2a40a0ae26d_0
- /data/data/####/10fe6825890601af_0
- /data/data/####/162b0a88c2105d9e_0
- /data/data/####/162b0a88c2105d9e_1
- /data/data/####/1d8f8f5285f67696_0
- /data/data/####/20c0700fd53d2858_0
- /data/data/####/20c0700fd53d2858_1
- /data/data/####/20e5c4c43374ea95_0
- /data/data/####/233ea47c144c03e7_0
- /data/data/####/2749481d49a4c712_0
- /data/data/####/2788a0dad3d41c7f_0
- /data/data/####/29f47c5f0001b274_0
- /data/data/####/2c0c29fa15a08b00_0
- /data/data/####/2c1a1046e128397e_0
- /data/data/####/2c7a845eb32cfd6f_0
- /data/data/####/2dc560ea16d708a8_0
- /data/data/####/2dc560ea16d708a8_1
- /data/data/####/36cfa708752f972b_0
- /data/data/####/3781483257573444_0
- /data/data/####/3be01062e729c749_0
- /data/data/####/3ff812fa6f02d896_0
- /data/data/####/406e277a4c619745_0
- /data/data/####/414968e6f5182b8e_0
- /data/data/####/423dbaff1d31c0cf_0
- /data/data/####/42f96674a8baefee_0
- /data/data/####/4a6ab137e138c3a4_0
- /data/data/####/50c95181c9b6733b_0
- /data/data/####/53df8578bedcc38c_0
- /data/data/####/54c2fd98ad24ae6b_0
- /data/data/####/5a8eaad8fc346f12_0
- /data/data/####/5f3d2809842dad51_0
- /data/data/####/63815741b2374a80_0
- /data/data/####/65b9532c60289032_0
- /data/data/####/666c189027367819_0
- /data/data/####/666c189027367819_1
- /data/data/####/6736aafac18c87de_0
- /data/data/####/6a0c1d01c2714c94_0
- /data/data/####/6a0c1d01c2714c94_1
- /data/data/####/6daede980714ad44_0
- /data/data/####/73e3160ebdb0f85e_0
- /data/data/####/761e1f1b1ab9852b_0
- /data/data/####/761e1f1b1ab9852b_1
- /data/data/####/76e9e4fedf1b0e7d_0
- /data/data/####/79ec2ddd0d87030c_0
- /data/data/####/7dcd6ee7c5fcaa37_0
- /data/data/####/7dcd6ee7c5fcaa37_1
- /data/data/####/7ef15e2ab1e43328_0
- /data/data/####/81bec6c7bd40cbdc_0
- /data/data/####/856fbbdd0ac05b5a_0
- /data/data/####/885c9b5dc2bd1040_0
- /data/data/####/8bdd2e07e97bf4e6_0
- /data/data/####/8cb7802a21a11b28_0
- /data/data/####/8cb7802a21a11b28_1
- /data/data/####/8db907cb9dfc59cb_0
- /data/data/####/8db907cb9dfc59cb_1
- /data/data/####/8ef75afed6b1ac17_0
- /data/data/####/908f1a1136b39038_0
- /data/data/####/9da8282285138f1e_0
- /data/data/####/9df4804cb4175b0a_0
- /data/data/####/Cookies-journal
- /data/data/####/H54C849A1.xml
- /data/data/####/H54C849A1.xml.bak
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/_adio.dcloud.feature.ad.a.a.xml
- /data/data/####/a0823633849680b2_0
- /data/data/####/a19b6762144ceb00_0
- /data/data/####/a22872d9ff3e5d2f_0
- /data/data/####/a2b69c108a3d8858_0
- /data/data/####/a400ebdbd2e1d793_0
- /data/data/####/a9771f3219a72a51_0
- /data/data/####/abc83749c4868bc6_0
- /data/data/####/ad296955717fa157_0
- /data/data/####/b050be826b1a6ba5_0
- /data/data/####/b419829156f90634_0
- /data/data/####/b75d03dd419ad6e5_0
- /data/data/####/baf9f7c62357fa84_0
- /data/data/####/baf9f7c62357fa84_1
- /data/data/####/bbff3fc67974a470_0
- /data/data/####/bbff3fc67974a470_1
- /data/data/####/be1c5503053e6846_0
- /data/data/####/c0bd0fc1852a0029_0
- /data/data/####/c0e33043602fb18e_0
- /data/data/####/c1025dcee855d526_0
- /data/data/####/c3b4e91deefb6672_0
- /data/data/####/c7a4064f501d5be5_0
- /data/data/####/c949ed58fe6eddb5_0
- /data/data/####/c949ed58fe6eddb5_1
- /data/data/####/cd2cca2669897dc9_0
- /data/data/####/classes.dex
- /data/data/####/classes.oat
- /data/data/####/clientid_igexin.xml
- /data/data/####/common.js
- /data/data/####/d50ad64e0210b649_0
- /data/data/####/dac226b94119c425_0
- /data/data/####/dc_ad_type_key.xml
- /data/data/####/e0918a85a00d09b4_0
- /data/data/####/e0c31c71c6fdf1c0_0
- /data/data/####/e4e5e0490bb754dc_0
- /data/data/####/e51d1495bfa4b216_0
- /data/data/####/e772c091ff548fc1_0
- /data/data/####/e772c091ff548fc1_1
- /data/data/####/e8315f30f2b0c16a_0
- /data/data/####/e8315f30f2b0c16a_1
- /data/data/####/ec966d7b4d84d61f_0
- /data/data/####/ed0c717a97e66b9a_0
- /data/data/####/ed73d3bed35ec658_0
- /data/data/####/eje3cnc
- /data/data/####/f187f506cf9706ee_0
- /data/data/####/f6c042766524adb2_0
- /data/data/####/getui_sp.xml
- /data/data/####/html5Geo.xml
- /data/data/####/http_saas.tjqcwx.com_9999.localstorage-journal
- /data/data/####/iconfont.css
- /data/data/####/iconfont.ttf
- /data/data/####/icons-extra.css
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/io.dcloud.H54C849A1_preferences.xml
- /data/data/####/libjiagu.so
- /data/data/####/list-to-detail.css
- /data/data/####/manifest.json
- /data/data/####/metrics_guid
- /data/data/####/mui-icons-extra.ttf
- /data/data/####/mui.min.css
- /data/data/####/mui.min.js
- /data/data/####/mui.ttf
- /data/data/####/pdr.xml
- /data/data/####/proc_auxv
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/start.html
- /data/data/####/start_statistics_data.xml
- /data/data/####/stream_permission.xml
- /data/data/####/test_app
- /data/data/####/the-real-index
- /data/media/####/.imei.txt
- /data/media/####/AdEnable.dat
- /data/media/####/io.dcloud.H54C849A1.bin
- /data/media/####/test.log
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
Запрашивает разрешение на отображение системных уведомлений.
