Adware.Youmi.17

Adware.Youmi.17

Added to the Dr.Web virus database: 2023-08-09

Virus description added: 2023-08-09

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Youmi.1.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
UDP(DNS) 8####.8.4.4:53
TCP(HTTP/1.1) pi####.qq.com:80
TCP(TLS/1.0) and####.a####.go####.com:443
TCP(TLS/1.0) rr9---s####.g####.com:443
TCP(TLS/1.0) 1####.194.222.94:443
TCP(TLS/1.0) and####.google####.com:443
TCP(TLS/1.0) p####.google####.com:443
TCP(TLS/1.0) pla####.google####.com:443
TCP(TLS/1.2) 1####.194.222.94:443
TCP(TLS/1.2) and####.google####.com:443

DNS requests:

5####.nd####.y####.com
8####.nd####.y####.com
ad.h####.com
and####.a####.go####.com
and####.google####.com
m####.go####.com
o####.b####.cn
o####.b####.cn.####.8
p####.google####.com
pi####.qq.com
pin####.qq.com
pla####.google####.com
rr9---s####.g####.com
s####.gw.y####.####.8
s####.gw.y####.net
s.y####.net
s.y####.net.####.8
t####.dmp.y####.####.8
t####.dmp.y####.net
www.google####.com

HTTP POST requests:

pi####.qq.com/mstat/report/?index=####

File system changes:

Creates the following files:

/data/data/####/.jg.ic
/data/data/####/694db223cbf0787fddfbc8a7f9332527
/data/data/####/694db223cbf0787fddfbc8a7f9332527-journal
/data/data/####/7a72e1d49b21bf172a64fa36ee653c06
/data/data/####/7a72e1d49b21bf172a64fa36ee653c06-journal
/data/data/####/96cd5aa3300b5b40bf746f52cbcc08b1-journal
/data/data/####/C0XKJAO3JLZKJPDKJFXLINQCJIOAOD.xml
/data/data/####/CE94557724F842149D690D0E8CBB1CBD.xml
/data/data/####/CE94557724F842149D690D0E8CBB1CBD.xml.bak (deleted)
/data/data/####/P15pKIjsm64m
/data/data/####/P15pKIjsm64m-journal
/data/data/####/T1oX0rhhuXWt
/data/data/####/T1oX0rhhuXWt-journal
/data/data/####/XKwVoK0huy3R
/data/data/####/XKwVoK0huy3R-journal
/data/data/####/appPref.xml
/data/data/####/classes.dex
/data/data/####/classes.oat
/data/data/####/classes2.dex
/data/data/####/com.whj.app.facechat_preferences.xml
/data/data/####/data.db3
/data/data/####/data.db3-journal
/data/data/####/ij.dex
/data/data/####/ij.dex (deleted)
/data/data/####/ij.dex.flock (deleted)
/data/data/####/jqIqJYOT3JpT
/data/data/####/jqIqJYOT3JpT-journal
/data/data/####/libjiagu.so
/data/data/####/pri_tencent_analysis.db_com.whj.app.facechat-journal
/data/data/####/proc_auxv
/data/data/####/tencent_analysis.db_com.whj.app.facechat-journal
/data/data/####/wIU6pTyUBYWX
/data/data/####/wIU6pTyUBYWX-journal
/data/data/####/wsUL1uCdKvjD
/data/data/####/wsUL1uCdKvjD-journal
/data/data/####/ymdex.dex
/data/data/####/ymdex.dex.flock (deleted)
/data/data/####/ymdex.jar
/data/media/####/i42d45df023jnkdd93la483f9xGFKXI
/data/media/####/mproject
/data/media/####/s92TjjdfoP2n3o9dfji2l9s1olkjf0p
/data/misc/####/primary.prof

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
/system/bin/cat /sys/devices/system/cpu/kernel_max
cat /sys/class/net/wlan0/address
chmod 755 /data/user/0/<Package>/.jiagu/libjiagu.so

Loads the following dynamic libraries:

libBmobStat
libbmob
libjiagu

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-CFB-NoPadding
PBEWITHMD5andDES
RSA-NONE-PKCS1PADDING

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding
PBEWITHMD5andDES

Accesses the ITelephony private interface.

Uses special library to hide executable bytecode.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Adds tasks to the system scheduler.

Requests the system alert window permission.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial