Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Click.406.origin
Сетевая активность:
Подключается к:
- UDP(???) pla####.google####.com:443
- UDP(???) rr1---s####.g####.com:443
- UDP(???) rr8---s####.g####.com:443
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) l####.xima####.com.####.com:80
- TCP(HTTP/1.1) ls.qing####.fm.####.com:80
- TCP(HTTP/1.1) broad####.tx.x####.####.com:80
- TCP(HTTP/1.1) stream####.surfern####.com:80
- TCP(HTTP/1.1) qingtin####.b0.a####.com:80
- TCP(HTTP/1.1) st####.z####.fm:80
- TCP(HTTP/1.1) l####.q####.cn:80
- TCP(HTTP/1.1) ima####.x####.com.####.com:80
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) www.google####.com:443
- TCP(TLS/1.0) l####.xima####.com.####.com:443
- TCP(TLS/1.0) www.z####.com:443
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.0) rr1---s####.g####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) we####.qing####.fm:443
- TCP(TLS/1.0) rr8---s####.g####.com:443
- TCP(TLS/1.0) ima####.x####.com.####.com:443
- TCP(TLS/1.0) pla####.google####.com:443
- TCP(TLS/1.0) m####.7884####.xyz:443
- TCP(TLS/1.0) connect####.gst####.com:443
- TCP(TLS/1.2) www.google####.com:443
- TCP(TLS/1.2) 1####.253.130.95:443
- TCP(TLS/1.2) 1####.177.14.100:443
- TCP(TLS/1.2) and####.google####.com:443
- TCP(TLS/1.2) 74.1####.205.103:443
Запросы DNS:
- and####.a####.go####.com
- and####.google####.com
- android####.go####.com
- api.l####.net
- broad####.tx.x####.####.com
- connect####.gst####.com
- devicei####.google####.com
- firebas####.google####.com
- ima####.x####.com.####.com
- l####.q####.cn
- l####.xima####.com.####.com
- ls-h####.q####.cn.####.com
- ls.qing####.fm.####.com
- m####.7884####.xyz
- m.st8.h####.org
- mo####.xima####.com.####.cn
- p####.google####.com
- pla####.google####.com
- qingtin####.b0.a####.com
- rr1---s####.g####.com
- rr8---s####.g####.com
- st####.z####.fm
- stream####.surfern####.com
- we####.qing####.fm
- www.google####.com
- www.xima####.com.####.cn
- www.z####.com
- z####.com
Запросы HTTP GET:
- broad####.tx.x####.####.com/live/55_64_260615_000003_ab1.aac
- broad####.tx.x####.####.com/live/55_64_260615_000003_ab2.aac
- broad####.tx.x####.####.com/live/56_64_260615_000004_ab0.aac
- broad####.tx.x####.####.com/live/58_64_260615_000004_ab0.aac
- ima####.x####.com.####.com/group28/M05/30/3C/wKgJSFkxRmPRF6OsAAI3a6VCUA0...
- ima####.x####.com.####.com/group73/M01/8A/1F/wKgO0V6BooPT71CqAABvbnqaCnE...
- ima####.x####.com.####.com/group73/M03/89/5B/wKgO0V6BmG_ArBlKAAAmfae2-Is...
- ima####.x####.com.####.com/group73/M0A/91/FD/wKgO216CtByRS1FUAABsl3iLVdY...
- ima####.x####.com.####.com/group73/M0B/99/50/wKgO216DEI2hmFMZAABiTlObcic...
- ima####.x####.com.####.com/group74/M00/7D/CD/wKgO3F6BmBKDtVVfAAAfa2609Cw...
- ima####.x####.com.####.com/group74/M05/9D/8B/wKgO0l6C9J2DHT7YAAA_ILmGB6o...
- ima####.x####.com.####.com/group75/M02/9D/D8/wKgO016C-JXyWHpaAABbrrJjShM...
- ima####.x####.com.####.com/group75/M06/1E/E6/wKgO3V6L9FHD0pQnAAJnjRFwGy8...
- ima####.x####.com.####.com/group75/M0B/22/A6/wKgO3V6MJRjDymu5AAFHwAgugBM...
- ima####.x####.com.####.com/group76/M0B/8C/22/wKgO3l6Bl2Cjt7xhAAA9HISjsTA...
- ima####.x####.com.####.com/group76/M0B/9E/1C/wKgO3l6Cr7KDSW6pAAAq5-6OEvQ...
- ima####.x####.com.####.com/group77/M00/A2/04/wKgO1V6CtMSidKKuAAAkEDIzNg0...
- ima####.x####.com.####.com/group77/M06/7D/1B/wKgO316Bl4jxDftfAAAvkhrCJzk...
- ima####.x####.com.####.com/storages/0103-audiofreehighqps/6B/21/GMCoOSYH...
- ima####.x####.com.####.com/storages/20ef-audiofreehighqps/00/CA/GMCoOR8H...
- ima####.x####.com.####.com/storages/3e09-audiofreehighqps/F8/12/GKwRIDoL...
- ima####.x####.com.####.com/storages/47c3-audiofreehighqps/C3/B1/GKwRIaIL...
- ima####.x####.com.####.com/storages/73f5-audiofreehighqps/67/C2/GMCoOSAI...
- ima####.x####.com.####.com/storages/b264-audiofreehighqps/BE/A8/GMCoOSIH...
- ima####.x####.com.####.com/storages/d4b6-audiofreehighqps/CF/D0/GMCoOSIH...
- ima####.x####.com.####.com/storages/e303-audiofreehighqps/4C/38/GKwRIRwN...
- ima####.x####.com.####.com:443/group81/M05/5D/56/wKgPDV6umL2S5RYMAAF2Jg2...
- l####.q####.cn/live/1286/64k.mp3
- l####.q####.cn/live/1644/64k.mp3
- l####.xima####.com.####.com/radio-first-page-app/live/55/64.m3u8
- l####.xima####.com.####.com/radio-first-page-app/live/56/64.m3u8
- l####.xima####.com.####.com/radio-first-page-app/live/58/64.m3u8
- l####.xima####.com.####.com/radio-first-page-app/live/966/64.m3u8
- l####.xima####.com.####.com:443/radio-first-page-app/homePage
- l####.xima####.com.####.com:443/radio-first-page-app/search?locationId=#...
- l####.xima####.com.####.com:443/revision/category/allCategoryInfo
- ls.qing####.fm.####.com/live/3412131.m3u8?bitrate=####
- m####.7884####.xyz:443/dj/radio/hot?cateId=####&limit=####&offset=####
- qingtin####.b0.a####.com/2014/0829/20140829044142919.png
- qingtin####.b0.a####.com/2015/0323/20150323103813782.jpg
- qingtin####.b0.a####.com/2015/1223/20151223210921313.jpg
- qingtin####.b0.a####.com/2020/0331/20200331035111.jpeg
- qingtin####.b0.a####.com/2020/0402/20200402042931.png
- qingtin####.b0.a####.com/2020/1016/20201016121634.png
- qingtin####.b0.a####.com/2022/0619/20220619063631.jpeg
- qingtin####.b0.a####.com/sso/198/1572602894027_Jv8W5VjLR.jpeg
- qingtin####.b0.a####.com/sso/48/1641438475219_mv9SoJP78.jpeg
- st####.z####.fm/jrte4o6dt1muv
- stream####.surfern####.com/jrte4o6dt1muv?zt=####
- we####.qing####.fm:443/api/mobile/radio/filter
- we####.qing####.fm:443/api/mobile/radio/list/0/0
- www.z####.com:443/
Изменения в файловой системе:
Создает следующие файлы:
- /data/app/####/config.en
- /data/data/####/.fsgkea
- /data/data/####/.jg.ac
- /data/data/####/.jg.ri
- /data/data/####/.jg.store.report_cf
- /data/data/####/.jg.store.report_pid
- /data/data/####/.x (deleted)
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.oat
- /data/data/####/com.hongjiao1.radio_preferences.xml
- /data/data/####/cs2
- /data/data/####/cs2.dex
- /data/data/####/cs2.dex.flock (deleted)
- /data/data/####/libjiagu.so
- /data/data/####/metrics_guid
- /data/data/####/proc_auxv
- /data/media/####/.nomedia
- /data/media/####/1ctx2ynjvummeuezpv4civpm8
- /data/media/####/1lqmkpneat3qva5dev2dzbk6m
- /data/media/####/1nr7d3ms9pw1beo5auccvl62i
- /data/media/####/1u1phjbmce7cemm41e4ilr9k4
- /data/media/####/1wncs82obzpe47nx1lrooo0ik
- /data/media/####/1won00xy3w66j9ayqykhgsp4i
- /data/media/####/2239gfjxb75oscm86l5s1pcdq
- /data/media/####/28lqp7941f20c8tla256t2wql
- /data/media/####/2nvh1m0ovnnv75a3dkkf9fb4w
- /data/media/####/2tqvjdjfom3rqfz1vo9l40s67
- /data/media/####/39xpxommda2mzfkthhsn7wgj2
- /data/media/####/3jf7e6c76v263v01sb8rld8sf
- /data/media/####/3pmeqvxw693t509uuvftptqov
- /data/media/####/48gvm1kih4h7n3b0hs04ubth2
- /data/media/####/4ineo8lwqvkms5blutmp5y8od.tmp (deleted)
- /data/media/####/4ofht0lzg7sztonimlzhaz8ol
- /data/media/####/4rfa7wltqkqah0ndha8h2vbhm
- /data/media/####/4xvk5sdde49t4yspf4jh4pnum
- /data/media/####/4yf19bmrnbh4vsflr0lovofet
- /data/media/####/58x4idrj94jjomylg4kjg1f2n
- /data/media/####/5ujoryidzzdjkbq0je0a2tf18.tmp (deleted)
- /data/media/####/6anz2czzcjn7i0xrkb87ppmtt
- /data/media/####/6c5w3wahu5ccox1m3eafx2lhk
- /data/media/####/6csrbi9b10dmvou6k1si5qh13
- /data/media/####/6m0l8zz645kok2lyalztip136
- /data/media/####/73nfuqqagc8p82ddg4umbs9xv
- /data/media/####/a2wmbhsvvpk1eyjg7jyh3ci0
- /data/media/####/hjl6eqn7m7hhf88jnigtc7sl
- /data/media/####/hjl6eqn7m7hhf88jnigtc7sl.tmp (deleted)
- /data/media/####/kuwo.txt
- /data/media/####/qd.txt
- /data/media/####/radiosc.txt
- /data/media/####/sc.inc
- /data/media/####/t2ucemkct3d1ndyyyjn2e7s7
- /data/media/####/wnwwt5l4239qgenh1shytccy
- /data/media/####/wnwwt5l4239qgenh1shytccy.tmp
- /data/media/####/xc4an62dp4hu3nk33s83pd9e
- /data/media/####/ynzhi7nsk5wd3l8c4c3xmino
- /data/misc/####/primary.prof
Другие:
Загружает динамические библиотеки:
- libijkffmpeg
- libijkplayer
- libijksdl
- libjiagu
Использует следующие алгоритмы для расшифровки данных:
- DES-CBC-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Отрисовывает собственные окна поверх других приложений.
