Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Spy.5537
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) d####.opensp####.cn:80
- TCP(HTTP/1.1) h####.opensp####.cn:80
- TCP(TLS/1.0) s####.j####.cn:443
- TCP(TLS/1.0) rr9---s####.g####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) 1####.250.150.95:443
- TCP(TLS/1.2) 1####.194.220.94:443
- UDP s.j####.cn:19000
- TCP 1####.78.9.251:7005
Запросы DNS:
- 456k####.com
- 456k####.com.8.####.8
- 5685####.com
- 5685####.com.8.####.8
- 7735####.com
- 7735####.com.8.####.8
- and####.b####.qq.com
- d####.opensp####.cn
- h####.opensp####.cn
- p####.google####.com
- rr9---s####.g####.com
- rut8####.com
- rut8####.com.8.####.8
- s####.j####.cn
- s.j####.cn
- sis.j####.io
- up####.sdk.jig####.cn
Запросы HTTP GET:
- h####.opensp####.cn/launchconfig?t=####&p=####
Запросы HTTP POST:
- and####.b####.qq.com/rqd/async?aid=####
- d####.opensp####.cn/index.php/clientrequest/clientcollect/isCollect
- s####.j####.cn:443/v2/report
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/.jgck
- /data/data/####/1004
- /data/data/####/24b28e04-88a3-4503-aa2e-1df0767534e1
- /data/data/####/65eb270b-1139-471e-8718-4a413420d06e
- /data/data/####/6f02e486-1766-44f2-9c90-cf37ecd63477
- /data/data/####/9a42a3dd-d0d9-46d8-8dc4-172056c82955
- /data/data/####/9ecedc07-ec3a-4d7b-94ce-b675f21a0bcf
- /data/data/####/AudioTourAndroidCommon.xml
- /data/data/####/JPushSA_Config.xml
- /data/data/####/JPushSA_Config.xml.bak
- /data/data/####/apkinformation.xml
- /data/data/####/appPackageNames_v2
- /data/data/####/bugly_db_-journal
- /data/data/####/cbdec23f-b4f1-420c-a5c1-bf72cb3e19d3
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.oat
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/com.iflytek.id.xml
- /data/data/####/com.iflytek.msc.xml
- /data/data/####/crashrecord.xml
- /data/data/####/e755e076-7297-4a7f-a886-fd4814ea219e
- /data/data/####/ifly_launch_lib.xml
- /data/data/####/ifly_launch_lib.xml.bak
- /data/data/####/iflytek_state_com.lvyou.chongqing.xml
- /data/data/####/ifremind.xml
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_local_notification.db
- /data/data/####/jpush_local_notification.db-journal
- /data/data/####/jpush_local_notification.db-journal (deleted)
- /data/data/####/jpush_local_notification.db-wal
- /data/data/####/jpush_stat_cache.json
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_statistics.db
- /data/data/####/jpush_statistics.db-journal
- /data/data/####/jpush_statistics.db-journal (deleted)
- /data/data/####/jpush_statistics.db-shm (deleted)
- /data/data/####/jpush_statistics.db-wal
- /data/data/####/jpush_statistics.db-wal (deleted)
- /data/data/####/libjiagu.so
- /data/data/####/local_crash_lock (deleted)
- /data/data/####/native_record_lock
- /data/data/####/proc_auxv
- /data/data/####/security_info
- /data/media/####/.2F6E2C5B63F0F83B
- /data/media/####/.nomedia
- /data/media/####/.push_deviceid
- /data/media/####/1.ico
- /data/media/####/1.png
- /data/media/####/103.png
- /data/media/####/104.png
- /data/media/####/105.png
- /data/media/####/106.png
- /data/media/####/107.png
- /data/media/####/11.png
- /data/media/####/161585brief
- /data/media/####/161586brief
- /data/media/####/161587brief
- /data/media/####/169289brief
- /data/media/####/169290brief
- /data/media/####/169291brief
- /data/media/####/169293brief
- /data/media/####/169294brief
- /data/media/####/169295brief
- /data/media/####/2.ico
- /data/media/####/3.ico
- /data/media/####/301.png
- /data/media/####/302.png
- /data/media/####/303.png
- /data/media/####/304.png
- /data/media/####/305.png
- /data/media/####/4.ico
- /data/media/####/5.ico
- /data/media/####/6.ico
- /data/media/####/7.ico
- /data/media/####/9999.png
- /data/media/####/APlayer.min.css
- /data/media/####/APlayer.min.js
- /data/media/####/InfoBox_min.js
- /data/media/####/JD_1
- /data/media/####/JD_10
- /data/media/####/JD_11
- /data/media/####/JD_12
- /data/media/####/JD_13
- /data/media/####/JD_14
- /data/media/####/JD_15
- /data/media/####/JD_16
- /data/media/####/JD_17
- /data/media/####/JD_18
- /data/media/####/JD_19
- /data/media/####/JD_2
- /data/media/####/JD_20
- /data/media/####/JD_21
- /data/media/####/JD_22
- /data/media/####/JD_23
- /data/media/####/JD_24
- /data/media/####/JD_25
- /data/media/####/JD_26
- /data/media/####/JD_27
- /data/media/####/JD_28
- /data/media/####/JD_29
- /data/media/####/JD_3
- /data/media/####/JD_30
- /data/media/####/JD_31
- /data/media/####/JD_32
- /data/media/####/JD_33
- /data/media/####/JD_34
- /data/media/####/JD_35
- /data/media/####/JD_36
- /data/media/####/JD_37
- /data/media/####/JD_38
- /data/media/####/JD_39
- /data/media/####/JD_4
- /data/media/####/JD_40
- /data/media/####/JD_41
- /data/media/####/JD_42
- /data/media/####/JD_43
- /data/media/####/JD_44
- /data/media/####/JD_45
- /data/media/####/JD_46
- /data/media/####/JD_47
- /data/media/####/JD_48
- /data/media/####/JD_49
- /data/media/####/JD_5
- /data/media/####/JD_50
- /data/media/####/JD_6
- /data/media/####/JD_7
- /data/media/####/JD_8
- /data/media/####/JD_9
- /data/media/####/MarkerClusterer_bd.js
- /data/media/####/MarkerClusterer_min.js
- /data/media/####/TextIconOverlay_min.js
- /data/media/####/Thumbs.db
- /data/media/####/anim.js
- /data/media/####/aplayer-fontello.eot
- /data/media/####/aplayer-fontello.svg
- /data/media/####/aplayer-fontello.ttf
- /data/media/####/aplayer-fontello.woff
- /data/media/####/apoint_end
- /data/media/####/apoint_end.png
- /data/media/####/apoint_start.png
- /data/media/####/arrow-down.png
- /data/media/####/atask.log
- /data/media/####/audio.png
- /data/media/####/background.mp3
- /data/media/####/bg.png
- /data/media/####/car
- /data/media/####/cb_scout_sprite_api_003.png
- /data/media/####/cc.js
- /data/media/####/close.png
- /data/media/####/closedhand_8_8.cur
- /data/media/####/common.js
- /data/media/####/controls.js
- /data/media/####/cover2.jpg
- /data/media/####/crosshair.cur
- /data/media/####/didong.mp3
- /data/media/####/down.png
- /data/media/####/download.db
- /data/media/####/download.db-journal
- /data/media/####/drag_cross_67_16.png
- /data/media/####/drawing.js
- /data/media/####/drawing.png
- /data/media/####/drawing_impl.js
- /data/media/####/ellipsis.xml
- /data/media/####/exploreMarker
- /data/media/####/foot.html
- /data/media/####/fw1.png
- /data/media/####/ga.js
- /data/media/####/geocoder.js
- /data/media/####/geometry.js
- /data/media/####/global.css
- /data/media/####/global_phone.js
- /data/media/####/google_white.png
- /data/media/####/grey.gif
- /data/media/####/guide.html
- /data/media/####/guider0
- /data/media/####/guider1
- /data/media/####/head.jpg
- /data/media/####/head1.jpg
- /data/media/####/home_poi_icon_attractions
- /data/media/####/home_poi_icon_floor
- /data/media/####/home_poi_icon_food
- /data/media/####/home_poi_icon_gate
- /data/media/####/home_poi_icon_hotel
- /data/media/####/home_poi_icon_other
- /data/media/####/home_poi_icon_pier
- /data/media/####/home_poi_icon_shopping
- /data/media/####/home_poi_icon_snack
- /data/media/####/home_poi_icon_souvenir
- /data/media/####/home_poi_icon_traffic
- /data/media/####/home_poi_icon_wc
- /data/media/####/howto.html
- /data/media/####/ic_home_article
- /data/media/####/ic_home_foot
- /data/media/####/ic_home_in
- /data/media/####/ic_home_list
- /data/media/####/ic_home_other
- /data/media/####/icon.ico
- /data/media/####/icon.png
- /data/media/####/icon10.png
- /data/media/####/icon10a.png
- /data/media/####/icon11.png
- /data/media/####/icon11b.png
- /data/media/####/icon12a.png
- /data/media/####/icon12b.png
- /data/media/####/icon12c.png
- /data/media/####/icon12d.png
- /data/media/####/icon12e.png
- /data/media/####/icon12f.png
- /data/media/####/icon12g.png
- /data/media/####/icon12h.png
- /data/media/####/icon12i.png
- /data/media/####/icon12j.png
- /data/media/####/icon12k.png
- /data/media/####/icon12l.png
- /data/media/####/icon14.png
- /data/media/####/icon15.png
- /data/media/####/icon16a.png
- /data/media/####/icon16b.png
- /data/media/####/icon16c.png
- /data/media/####/icon17a.png
- /data/media/####/icon22.png
- /data/media/####/icon23.png
- /data/media/####/icon24.png
- /data/media/####/icon25.png
- /data/media/####/icon31.jpg
- /data/media/####/icon33.jpg
- /data/media/####/icon33b.png
- /data/media/####/icon33c.png
- /data/media/####/icon34a.png
- /data/media/####/icon34b.png
- /data/media/####/icon7.png
- /data/media/####/icon_pause.png
- /data/media/####/icon_play.png
- /data/media/####/iflyworkdir_test (deleted)
- /data/media/####/imgbg.jpg
- /data/media/####/imgs8.png
- /data/media/####/index.html
- /data/media/####/infobox.js
- /data/media/####/infowindow.js
- /data/media/####/iw3.png
- /data/media/####/iw_close.gif
- /data/media/####/iw_minus.gif
- /data/media/####/iw_plus.gif
- /data/media/####/jquery-1.7.2.min.js
- /data/media/####/jquery.lazyload.js
- /data/media/####/jquery_easing.js
- /data/media/####/kml.js
- /data/media/####/label_bg.png
- /data/media/####/layers.js
- /data/media/####/lib.js
- /data/media/####/linetest.js
- /data/media/####/loader.gif
- /data/media/####/location
- /data/media/####/location_pin.png
- /data/media/####/m1.png
- /data/media/####/m2.png
- /data/media/####/m3.png
- /data/media/####/m4.png
- /data/media/####/m5.png
- /data/media/####/main.js
- /data/media/####/mainindex.xml
- /data/media/####/mainindex_en.xml
- /data/media/####/mainindextop.xml
- /data/media/####/mainindextop_en.xml
- /data/media/####/map.js
- /data/media/####/map_cancel.png
- /data/media/####/map_end
- /data/media/####/map_end.png
- /data/media/####/map_mode.jpg
- /data/media/####/map_start
- /data/media/####/map_start.png
- /data/media/####/map_start1
- /data/media/####/map_start1.png
- /data/media/####/mapapi.js
- /data/media/####/mapcontrols3d7.png
- /data/media/####/maplabel.js
- /data/media/####/marker.js
- /data/media/####/markerAnimate.js
- /data/media/####/markerGroup
- /data/media/####/marker_sprite.png
- /data/media/####/markerclusterer.js
- /data/media/####/maxzoom.js
- /data/media/####/mc1.png
- /data/media/####/menu_twp_play.png
- /data/media/####/mkAnim.js
- /data/media/####/newlib.js
- /data/media/####/onion.js
- /data/media/####/openhand_8_8.cur
- /data/media/####/overlay.js
- /data/media/####/photo.png
- /data/media/####/places.js
- /data/media/####/places_impl.js
- /data/media/####/poly.js
- /data/media/####/qq.png
- /data/media/####/re_last.png
- /data/media/####/re_last_dis.png
- /data/media/####/re_next.png
- /data/media/####/re_next_dis.png
- /data/media/####/re_pause_normal.png
- /data/media/####/re_play_normal.png
- /data/media/####/rotate2.png
- /data/media/####/scene
- /data/media/####/scene_select
- /data/media/####/share.html
- /data/media/####/sign_play
- /data/media/####/sign_play0
- /data/media/####/sign_play1
- /data/media/####/sign_play2
- /data/media/####/sign_play3
- /data/media/####/smiconname_2
- /data/media/####/smiconname_3
- /data/media/####/smiconname_4
- /data/media/####/smiconname_5
- /data/media/####/smiconname_6
- /data/media/####/smiconname_7
- /data/media/####/spot_good
- /data/media/####/spot_good_select
- /data/media/####/spot_icon_web_1
- /data/media/####/spot_icon_web_2
- /data/media/####/spot_icon_web_3
- /data/media/####/spot_icon_web_4
- /data/media/####/spot_icon_web_5
- /data/media/####/spot_icon_web_6
- /data/media/####/spot_icon_web_7
- /data/media/####/spot_icon_web_8
- /data/media/####/spot_icon_web_door
- /data/media/####/spot_icon_web_food
- /data/media/####/spot_icon_web_gift
- /data/media/####/spot_icon_web_select_1
- /data/media/####/spot_icon_web_select_2
- /data/media/####/spot_icon_web_select_3
- /data/media/####/spot_icon_web_select_4
- /data/media/####/spot_icon_web_select_5
- /data/media/####/spot_icon_web_select_6
- /data/media/####/spot_icon_web_select_7
- /data/media/####/spot_icon_web_select_8
- /data/media/####/spot_icon_web_select_door
- /data/media/####/spot_icon_web_select_food
- /data/media/####/spot_icon_web_select_gift
- /data/media/####/spot_icon_web_select_ship
- /data/media/####/spot_icon_web_ship
- /data/media/####/spot_marker_icon_web_1
- /data/media/####/spot_marker_icon_web_1_select
- /data/media/####/spot_marker_icon_web_2
- /data/media/####/spot_marker_icon_web_2_select
- /data/media/####/spot_marker_icon_web_3
- /data/media/####/spot_marker_icon_web_3_select
- /data/media/####/spot_marker_icon_web_4
- /data/media/####/spot_marker_icon_web_4_select
- /data/media/####/spot_marker_icon_web_5
- /data/media/####/spot_marker_icon_web_5_select
- /data/media/####/spot_marker_icon_web_6
- /data/media/####/spot_marker_icon_web_6_select
- /data/media/####/spot_marker_icon_web_7
- /data/media/####/spot_marker_icon_web_7_select
- /data/media/####/spot_marker_icon_web_8
- /data/media/####/spot_marker_icon_web_8_select
- /data/media/####/spot_marker_icon_web_door
- /data/media/####/spot_marker_icon_web_door_select
- /data/media/####/spot_marker_icon_web_food
- /data/media/####/spot_marker_icon_web_food_select
- /data/media/####/spot_marker_icon_web_gift
- /data/media/####/spot_marker_icon_web_gift_select
- /data/media/####/spot_marker_icon_web_ship
- /data/media/####/spot_marker_icon_web_ship_select
- /data/media/####/spot_marker_icon_web_unknown
- /data/media/####/spot_marker_icon_web_unknown_select
- /data/media/####/spotindex.xml
- /data/media/####/spotindex_en.xml
- /data/media/####/stats.js
- /data/media/####/style.css
- /data/media/####/style_2.css
- /data/media/####/szc4.png
- /data/media/####/text.png
- /data/media/####/tourindex.xml
- /data/media/####/tourindex_en.xml
- /data/media/####/transparent.png
- /data/media/####/ts.png
- /data/media/####/ttserror.mp3
- /data/media/####/undo_poly.png
- /data/media/####/usage.js
- /data/media/####/user_normal
- /data/media/####/user_normal.png
- /data/media/####/util.js
- /data/media/####/wall3
- /data/media/####/yxMobileSlider.js
- /data/media/####/zoom-in.png
- /data/media/####/zoom-in_g.png
- /data/media/####/zoom-out.png
- /data/media/####/zoom-out_g.png
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- /system/bin/sh -c getprop
- /system/bin/sh -c type su
- getprop
Загружает динамические библиотеки:
- libBugly
- libjcore120
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-NoPadding
- AES-GCM-NoPadding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Отрисовывает собственные окна поверх других приложений.
Запрашивает разрешение на отображение системных уведомлений.
