
According to the 45th Statistical Report on Internet Development in China released by the China Internet Network Information Center (CNNIC), China had 904 million Internet users as of March this year. Criminals using online live-streaming platforms to spread obscene and pornographic content for illegal profit has become commonplace, and six national departments jointly issued the Notice on Strengthening the Administration of Online Live-Streaming Services. In response, the Hang'an Jiaxin (恒安嘉新) Shadow Security Lab set up a research group on the mobile Internet "pornography, gambling and fraud" (黄赌骗) problem, continues to study this black industry chain, and published a special report on the mobile Internet 黄赌骗 black industry in the China Mobile Internet Security Report (2019) released by the National Internet Emergency Center (CNCERT).

Recently, the Hang'an Jiaxin Shadow Security Lab received a user complaint that an application named "Jiu Se Live" (玖色直播) was involved in pornography, gambling and fraud. Security researchers analysed it immediately and found that it is live-streaming software whose content is mainly pornographic and which also includes online gambling, online private lotteries and online (pornographic) novels; the software is also used to recruit online streamers. This article discloses the spread method, profit model, traceability analysis and intelligence mining of "Jiu Se Live" so that fewer Internet users are deceived.

Figure 1 Application installation icon

1. Basic Sample Information

| Item | Description |
| --- | --- |
| APP name and version | 玖色直播_1.1.2 |
| Package name | com.jiuse.live |
| File size | 47.05 MB |
| File MD5 | 692958B256747DA6C6338769C7A9B19D |
| Signature | CN=jiuseliveapp,OU=jiuseliveapp,O=jiuseliveapp,L=jiuseliveapp,ST=jiuseliveapp,C=jiuseliveapp |
| Detection time | 20200513 |
| Download link | http://jius********p.oss-cn-hangzhou.aliyuncs.com/20200516/jiuse_live_g4_v1.2.2_g4Release.apk |
| Sample behaviour | After running, the app live-streams pornographic videos and contains gambling-style games and online private lotteries that induce users to top up; it exhibits rogue behaviour. It is also used to recruit online streamers (presumably for pornographic live streams; the live-streaming function is not yet open, and an in-app notice says it opens on 25 June). |

2. Application Spread Method and Profit Model

While testing the sample's content, we found that the app itself includes a "develop lower-level agents" function: besides the software spreading over the network on its own, every user becomes another source that spreads it downward, from one to ten and ten to a hundred, as shown below:

Figure 2 Application spread method

According to the test, the profit model of this live-streaming software is very clear: revenue sharing with streamers, agent commissions, online betting, online private lotteries, and gift props given by users to streamers, all of which require a top-up purchase.

Figure 3 Application profit model    

3. Traceability relationship logic diagram

Figure 4 Application traceability relationship logic diagram

4. Intelligence Clue Mining Based on System Expansion

4.1 Server interaction information

4.1.1 Master address

Packet-capture analysis of the application revealed the following suspicious URLs:

http://bj******as.com/Client/UserOperation.

Figure 5 Master 1

Investigating the ICP filing and whois information of this domain name showed that the domain is not filed and that whois holds no valid registrant information. An IP query showed that the domain resolves to a total of 7 IP addresses, physically located in Hong Kong, Taiwan and South Korea.

Figure 6 Master 1 corresponding IP

IP address list:

| Domain | IP address | Physical location |
| --- | --- | --- |
| bj******as.com | 27.******.35 | South Korea, Seoul, daou network |
| bj******as.com | 203.******.71 | Hong Kong, udomain company |
| bj******as.com | 203.******.75 | Hong Kong, udomain company |
| bj******as.com | 27.******.167 | South Korea, Seoul, daou network |
| bj******as.com | 27.******.77 | South Korea, Seoul, daou network |
| bj******as.com | 219.******.161 | Taiwan Province, Taipei City, so-net company |
| bj******as.com | 203.******.27 | Hong Kong, udomain company |

http://imapp.******.com:8888/:

Based on the information returned by the above http://bj******as.com/Client/UserOperation, the application is redirected to http://imapp.******.com:8888/.

Figure 7 Master 2

Querying the filing information of this domain name (automatically reduced to the second-level domain ******.com) gives the website filer "*** Lin"; no related information was found by web search.

Figure 8 Master 2 filing information

IP query: this domain name resolves to only one IP address.

IP address: 183.******.145    

Physical address: Zhejiang Jiaxing City, China Telecom    

Figure 9 Master 2 corresponding IP

4.1.2 Software function interaction address

Packet-capture analysis of the software's functions allowed the following addresses to be traced:

Happy **:             

https://dfqdvip2.******.com/manifest.json?v=0.19072484366816922    

Figure 10 'Happy **' corresponds to the link

A domain-name filing query shows the owner to be "Changsha ** E-commerce Co., Ltd."

Figure 11 'Happy **' corresponds to the domain name filing

The company has also registered 3 other domain names: www.ky****.com, www.ky****.com and www.ky****.com.

Figure 12 Related Domains of the Enterprise

Querying the enterprise's information shows that the company's legal representative is *Tao.

Figure 13 Record Enterprise Information

Through Tianyancha, the following information was obtained:    

Figure 14 'Tianyancha' Information of Record Enterprise

| Item | Value |
| --- | --- |
| Enterprise name | Changsha ** E-commerce Co., Ltd. |
| Legal representative and members | *Tao, *Zuo Hui |
| Company website | www.ky****.com |
| Contact number | 177****3149 (China Telecom, Tieling, Liaoning) |
| Company address | 20th building, 3rd and 4th floors, Kaishang Trade City, Changsha City, Hunan Province |
| Business scope | Internet sales of electronic products; Internet sales of agricultural products, cultural and artistic products, antiques, jade, jewellery, stamp and coin collection products. (Where required, operation within the business scope is subject to approval by the relevant departments of the people's government.) |

Querying the enterprise's reserved phone number shows that the number is from Tieling, Liaoning, that it is held by the enterprise, and that changing it requires uploading the business licence and the legal representative's *** information; no WeChat or Alipay accounts bound to the same phone number were found.

Figure 15 Reserved Phone Number

Free porn novel:             

http://m2.*****.ltd/?access-token=cfa6ETs-ZncwfywIDyRYXClrMFJpNl5CKAs8bhRoAG5FOxJ7Rh1cb3YFSko

Figure 16 'Porn Novel' Corresponding Link

Domain filing query (automatically reduced to the second-level domain ****.ltd): domain owner *Xixiang, latest registrant chenlin.

Figure 17 Domain Record Information    

Figure 18 Domain Registration Information

Searching for the website owner "Xixiang" found two other registered domains, www.******.ltd and www.******.ltd, both with the website name "The Journey of Aojing's Heart".

Figure 19 Other Domain Information of Website Owner

Figure 20 Other Domain Information of Website Owner

Initiate Alipay payment:             

http://pay.*******.org/Home/Pay?id=3&charge_money=101.0&order_number=2005261958024fF0F&user_id=47466&charge_type=2

Figure 21 Initiate 'Alipay' Payment Link

Filing query: not filed; IP address 182.******.110, physical location: Hong Kong, simcentric network company.

Figure 22 Domain Corresponding IP

After connecting, the above link redirects to the following link:

https://cwww.******.cn/pay/receivables?order=3a9c8e4049f34083bf3d942c54d3a03e

Figure 23 Payment Redirect Link

IP address 124.******.1, physical location: China Telecom IDC room, Changsha City, Hunan Province.

Figure 24 Redirect Link Corresponding IP

The record information of cwww.******.cn is as follows:    

Figure 25 Domain Name Record Information

The enterprise has also registered the following 3 domain names: www.******.cn, www.*******.cn, www.*******.cn.

Figure 26 Other Domain Name Information of the Enterprise

The enterprise's information was queried through Tianyancha:

Figure 27 Record Information of the Registered Enterprise “Tianyancha”    

Figure 28 Record Information of the Registered Enterprise “Tianyancha”

| Item | Value |
| --- | --- |
| Enterprise name | Changchun **** Technology Co., Ltd. |
| Legal representative and members | *Chao, *Fu Jian |
| Company website | www.*******.cn |
| Contact number | 157****5100 (China Mobile, Changchun, Jilin Province) |
| Company address | Room 2102, Building ************, No. 2102, Changchun City, Jilin Province |
| Business scope | Network technology promotion, consultation and development, network maintenance and consulting services; network information services; corporate image planning; management consulting services; organization of cultural and artistic exchanges; conference and exhibition services; real estate agency services; Internet of Things technology research and development, promotion and consultation; organization of exhibitions; craft design and production; advertising agency and release; network and platform construction, network software development, electronic product development and after-sales service, wholesale and retail of electronic products, cultural and office supplies; business information consultation, computer hardware and software development and sales, mobile APP development, website design and development, graphic design, communication engineering (any other operations follow the relevant provisions of the Provisional Regulations of the People's Republic of China). |

The phone number 157****5100 can be searched for WeChat and Alipay accounts with the same number. From the Alipay account it can be determined that this number belongs to "*Chao".

Figure 29 WeChat and Alipay information corresponding to the phone number

4.1.3 Customer Service Interaction Address

Packet-capture analysis of the customer-service function confirmed that it uses the ** Cloud customer service system:

https://pubcon.******.com/config_22874.json

https://22874.******.ink/chat.html

Figure 30 Customer Service Domain Name Record Information    

Figure 31 Customer Service Domain Name Record Information

Introduction of the Customer Service Company:    

****Network Technology Co., Ltd. was established in 2017 and independently developed a cloud customer service system based on the SaaS model. Registration is required to activate and use it, which is used for online dialogue and communication between enterprises and customers. It can help customer service teams of enterprises better collaborate and manage, and at the same time provide more convenient dialogue channels and elegant dialogue experiences for the customers of enterprises, enabling enterprises to better serve customers.    

Figure 32 Customer Service Official Website Introduction

5. Payment Traceability

The recharge and payment system of this live streaming software is roughly divided into three types: bank transfer, Alipay, and WeChat payment.    

Figure 33 Recharge and Payment Methods

(1) *** Payment:

Bank transfer can only be transferred to Agricultural Bank, and there is only one payee named '*Chun Hua'.    

Figure 34: Bank Transfer

| Name | Bank | Card number |
| --- | --- | --- |
| *Chun Hua | Agricultural Bank of China | 6228***********3674 |

(2) WeChat Payment:    

WeChat-initiated payments offer two options: WeChat transfer to *** and WeChat QR-code payment; the WeChat QR-code payment function currently shows "No QR code payment available in the current region".

Figure 35: WeChat Payment Method One

Selecting WeChat transfer to *** pops up a QR-code page; this QR code does not need to be scanned, and the prompt reads "Click".

Figure 36: WeChat Payment Method Two

Testing the WeChat transfer to *** by clicking the QR-code payment operation repeatedly produced the following *** numbers.

Figure 37: WeChat Payment Payee and Card Number One

Figure 38: WeChat Payment Payee and Card Number Two

| Name | Card number | Bank |
| --- | --- | --- |
| *Ming Cong | 6230***********7851 | Zhejiang Rural Credit Union |
| *Liang | 6225********6968 | Shanghai Pudong Development Bank |
| *Liang | 6217***********2620 | Postal Savings Bank of China |
| *Liang | 6230***********0350 | Xiamen Bank |
| *Liang | 6230***********2615 | Ping An Bank |
| *Jin Wang | 6231***********2552 | Guangxi Rural Credit Cooperative |
| *Yan Ping | 6217***********5018 | Postal Savings Bank of China |
Among them, the *** named "*Liang" involves multiple banks, with 4 different *** numbers.

Note: it cannot be guaranteed that every payee and randomly generated *** number was obtained during the test.

(3) Alipay Payment:

Alipay-initiated payments can either be redirected directly to Alipay, or be made to the payee and account number that appear.

When redirected to Alipay, only the payee's name is shown, not the card number.

Figure 39: Alipay In-app Payment

The payee names and account numbers that appear when initiating an Alipay payment:

Figure 40: Alipay Payee and Card Number One    

Figure 41: Alipay Payee and Card Number Two    

Figure 42: Alipay Payee and Card Number Three    

Figure 43: Alipay Payee and Card Number Four    

Figure 44: Alipay Payee and Card Number Five

| Name | Card number | Bank |
| --- | --- | --- |
| *Tian Rong | 6226********7141 | Minsheng Bank |
| *Yong Jun | 6217***********8912 | China Construction Bank |
| *Wen Hao | 6212***********7902 | Industrial and Commercial Bank of China |
| *Long Jie | 6216***********9410 | Bank of China |
| *Xiao Yun | 6228***********9973 | Agricultural Bank of China |
| *Yong Jun | 6221***********4740 | Postal Savings Bank of China |
| *Wei Xing | 6216***********9386 | Bank of China |
| *Run E | 6216***********9682 | Bank of China |
| *Zhi Peng | 6217***********5884 | Bank of China |
| *Haibin | 6226********0797 | China Minsheng Bank |
| *Junbin | 6217********8856 | China Citic Bank |
| *Zhao'an | 6222***********3967 | Bank of Communications |
| *Fei | 6217***********4790 | Bank of China |
| *Wei | 6214***********3000 | Bank of Communications |
Among them, "*Yong Jun" appeared twice, with two different *** numbers.

Note: it cannot be guaranteed that every payee and randomly generated *** number was obtained during the test.
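The payee tables above are only useful to a defender once they are de-duplicated and rolled up per payee, which is how the "4 accounts for *Liang" and "*Yong Jun appeared twice" observations are reached. The following Python is an added example, not code from the report or the lab; its record list is transcribed from the masked tables on this page, plus one constructed duplicate row to show that a payee served again in a later test run does not inflate the count.

```python
import re
from collections import defaultdict

# Payee rows transcribed from the report's WeChat and Alipay tables (names and
# card numbers stay masked exactly as printed). The final row is a CONSTRUCTED
# duplicate, standing in for a payee that the app served again in a later test.
RECORDS = [
    ("wechat", "*Ming Cong", "6230***********7851", "Zhejiang Rural Credit Union"),
    ("wechat", "*Liang", "6225********6968", "Shanghai Pudong Development Bank"),
    ("wechat", "*Liang", "6217***********2620", "Postal Savings Bank of China"),
    ("wechat", "*Liang", "6230***********0350", "Xiamen Bank"),
    ("wechat", "*Liang", "6230***********2615", "Ping An Bank"),
    ("wechat", "*Jin Wang", "6231***********2552", "Guangxi Rural Credit Cooperative"),
    ("wechat", "*Yan Ping", "6217***********5018", "Postal Savings Bank of China"),
    ("alipay", "*Tian Rong", "6226********7141", "Minsheng Bank"),
    ("alipay", "*Yong Jun", "6217***********8912", "China Construction Bank"),
    ("alipay", "*Xiao Yun", "6228***********9973", "Agricultural Bank of China"),
    ("alipay", "*Yong Jun", "6221***********4740", "Postal Savings Bank of China"),
    ("alipay", "*Yong Jun", "6217***********8912", "China Construction Bank"),  # constructed duplicate
]

# Redacted card numbers on the page have the shape: 4 digits, a run of '*', 4 digits.
MASKED_CARD = re.compile(r"^(\d{4})\*+(\d{4})$")


def card_key(masked: str) -> tuple:
    """Reduce a masked card number to a stable key (first 4, last 4, total length).
    Anything not in the expected redaction form is rejected rather than silently counted."""
    m = MASKED_CARD.match(masked)
    if not m:
        raise ValueError(f"unexpected masked card format: {masked!r}")
    return m.group(1), m.group(2), len(masked)


def rollup(records):
    """Per payee name: the distinct account keys, banks and payment channels observed."""
    out = defaultdict(lambda: {"accounts": set(), "banks": set(), "channels": set()})
    for channel, name, card, bank in records:
        entry = out[name]
        entry["accounts"].add(card_key(card))   # set membership collapses repeats
        entry["banks"].add(bank)
        entry["channels"].add(channel)
    return {name: {k: sorted(v) for k, v in e.items()} for name, e in out.items()}


def multi_account_payees(records, minimum=2):
    """Payees tied to at least `minimum` distinct accounts: the strongest leads for follow-up."""
    return sorted(n for n, e in rollup(records).items() if len(e["accounts"]) >= minimum)


if __name__ == "__main__":
    for name, entry in rollup(RECORDS).items():
        print(name, len(entry["accounts"]), "account(s)", entry["banks"])
    print("multi-account payees:", multi_account_payees(RECORDS))
```

Grouping on the masked key (prefix, suffix, length) is deliberate: two different full card numbers could in principle collide on it, so a count produced this way is a lower bound on distinct accounts, which is the conservative direction for an investigation lead.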

6. Traceability of Transmission Channels    

This software came to the Hang'an Jiaxin Shadow Security Lab through a user complaint, and during testing multiple download entry points for it were found, as follows:

Figure 45 Customer Service System Default Message

| No. | Download entry |
| --- | --- |
| 1 | 456***.com ~ 456***.com |
| 2 | http://ji********.vip/ |
| 3 | http://ji********.net/ |
| 4 | http://ji********.com/ |
| 5 | http://ji********.org/ |

Domain/IP location query: the physical locations are all in Hong Kong.

| Domain/IP | Digital address | Physical location of IP |
| --- | --- | --- |
| ji********.org | 3414661959 | Hong Kong UDomain Company |
| ji********.org | 3414661963 | Hong Kong UDomain Company |
| ji********.net | 3414661963 | Hong Kong UDomain Company |
| ji********.net | 3414661959 | Hong Kong UDomain Company |
| ji********.vip | 3414661959 | Hong Kong UDomain Company |
| ji********.vip | 3414661963 | Hong Kong UDomain Company |
| ji********.com | 3414661959 | Hong Kong UDomain Company |
| ji********.com | 3414661963 | Hong Kong UDomain Company |
| 456***.com | 3414661959 | Hong Kong UDomain Company |
| 456***.com | 3414661963 | Hong Kong UDomain Company |

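The lookup tool used above prints each IP as a "digital address", and the master-server list in section 4.1.1 prints IPs in masked dotted form, so the two data sets cannot be compared by eye. The Python below is an added example, not code from the report or the lab; it assumes that the "Digital address" column is the plain 32-bit decimal encoding of an IPv4 address (a common output format, but an assumption about this tool), converts it to dotted-quad form, groups the download domains that share an address, and checks each resolved address against the masked master IPs of section 4.1.1 so that shared hosting between the download sites and the master server becomes visible.

```python
import ipaddress
import re
from collections import defaultdict

# Decimal ("digital") addresses exactly as the report's download-site table prints
# them; the domains are kept masked as on the page.
DOWNLOAD_SITES = {
    "ji********.org": [3414661959, 3414661963],
    "ji********.net": [3414661963, 3414661959],
    "ji********.vip": [3414661959, 3414661963],
    "ji********.com": [3414661959, 3414661963],
    "456***.com": [3414661959, 3414661963],
}

# Masked IPs the report lists for the master domain bj******as.com (section 4.1.1).
MASTER_IPS = [
    "27.******.35", "203.******.71", "203.******.75", "27.******.167",
    "27.******.77", "219.******.161", "203.******.27",
]


def ip_from_decimal(value: int) -> str:
    """Convert a 32-bit decimal IPv4 value to dotted-quad form (assumption: the
    tool's 'digital address' is exactly this encoding)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit IPv4 value: {value}")
    return str(ipaddress.IPv4Address(value))


def matches_masked(ip: str, masked: str) -> bool:
    """True if a dotted-quad IP is consistent with a redacted form such as
    '203.******.71': each run of '*' may stand for any text, the rest is literal."""
    parts = re.split(r"\*+", masked)
    pattern = ".*".join(re.escape(p) for p in parts)
    return re.fullmatch(pattern, ip) is not None


def correlate(download_sites=DOWNLOAD_SITES, master_ips=MASTER_IPS):
    """Resolve each decimal address, group the download domains that share it,
    record its /24, and list the masked master IPs it is consistent with."""
    domains_by_ip = defaultdict(set)
    for domain, decimals in download_sites.items():
        for dec in decimals:
            domains_by_ip[ip_from_decimal(dec)].add(domain)

    report = {}
    for ip, domains in sorted(domains_by_ip.items()):
        net24 = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        report[ip] = {
            "domains": sorted(domains),
            "net24": net24,
            "master_match": [m for m in master_ips if matches_masked(ip, m)],
        }
    return report


if __name__ == "__main__":
    for ip, info in correlate().items():
        print(ip, info["net24"], len(info["domains"]), "domains; master match:", info["master_match"])
```

Under the stated assumption, both digital addresses land in the same /24 and each one is consistent with one of the masked "203.******.xx" master IPs attributed to the Hong Kong udomain company in section 4.1.1, which is the kind of infrastructure overlap worth recording as a single cluster in an indicator list rather than as unrelated domains. A mask match is only consistency, not proof: the redacted octets could differ, so the conclusion should be confirmed with an unredacted resolution before it is acted on.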
Visiting any of the above addresses returns the same page content, as shown in the figure below:

Figure 46 “Jiu Se Live” download entrance

Click the quick download button:    

Figure 47 “Jiu Se Live” software download button

A link appears as follows:    

http://jius********p.oss-cn-hangzhou.aliyuncs.com/20200516/jiuse_live_g4_v1.2.2_g4Release.apk

This link was verified to point to an Aliyun (Alibaba Cloud) server:

Figure 48 Download link record information

7. Expanded Clues

Correlation analysis of the application on Hang'an Jiaxin's APP panoramic situation platform found a total of 3 applications in the same series.

Figure 49 “Jiu Se Live” series applications

The application package name and MD5 are as follows:    

| Package name | MD5 |
| --- | --- |
| com.jiuse.live | 6d39a450cd9750416cfb67f2b9480729 |
| com.jiuse.live | b5e03ee10cf41f73433b1e16546f5cbf |
| com.jiuse.live | 1ae631f938be06069bb6dcd2c58ff2d0 |

Author: Shadow Security Lab, please indicate the source as FreeBuf.COM when reproduced
