Technical information
Malicious functions:
Executes code of the following detected threats:
- Tool.SilentInstaller.1.origin
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) t####.c####.l####.####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) 1####.57.220.164:8080
- TCP(HTTP/1.1) api.to####.today:80
- TCP(HTTP/1.1) bmob-cd####.b0.upa####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) pay.h####.com:8860
- TCP c####.g####.ig####.com:5225
- TCP sdk.o####.t####.####.com:5224
DNS requests:
- 7j####.c####.z0.####.com
- and####.b####.qq.com
- api.to####.today
- bmob-cd####.b0.upa####.com
- c####.g####.ig####.com
- c-h####.g####.com
- pay.h####.com
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
HTTP GET requests:
- bmob-cd####.b0.upa####.com/2017/03/03/8f4f2872409cb88380b6763959873fae.dex
HTTP POST requests:
- api.to####.today/v2/statistics
- pay.h####.com:8860/pay/update
Modified file system:
Creates the following files:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_b_sta/####/2029223031.dex
- <Package Folder>/app_b_sta/####/2029223031.dex (deleted)
- <Package Folder>/app_b_sta/####/2029223031.z
- <Package Folder>/app_b_sta/####/cache
- <Package Folder>/app_bwap_0/c
- <Package Folder>/app_bwap_1/p.dex
- <Package Folder>/databases/bugly_db_-journal
- <Package Folder>/databases/pushext.db-journal
- <Package Folder>/databases/pushg.db-journal
- <Package Folder>/databases/pushsdk.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/gdaemon_20161017
- <Package Folder>/files/init.pid
- <Package Folder>/files/init_c1.pid
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/local_crash_lock (deleted)
- <Package Folder>/files/native_record_lock
- <Package Folder>/files/native_record_lock (deleted)
- <Package Folder>/files/push.pid
- <Package Folder>/files/run.pid
- <Package Folder>/files/security_info
- <Package Folder>/files/tdata_iDv216
- <Package Folder>/files/tdata_iDv216.jar
- <Package Folder>/files/tdata_kwS356
- <Package Folder>/files/tdata_kwS356.jar
- <Package Folder>/shared_prefs/bmob_sp.xml
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/getui_sp.xml
- <Package Folder>/shared_prefs/gx_sp.xml
- <Package Folder>/virtual/####/0.xml
- <Package Folder>/virtual/####/userlist.xml
- <Package Folder>/z_ij_d_p/ij.dex
- <SD-Card>/libs/<Package>.bin
- <SD-Card>/libs/<Package>.db
- <SD-Card>/libs/app.db
- <SD-Card>/libs/com.getui.sdk.deviceId.db
- <SD-Card>/libs/com.igexin.sdk.deviceId.db
- <SD-Card>/libs/test.log
- <SD-Card>/system/####/tdata_iDv216
- <SD-Card>/system/####/tdata_kwS356
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c type su
- <Package Folder>/files/gdaemon_20161017 0 <Package>/io.virtualapp.service.DemoPushService 24819 300 0
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.board.platform
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/io.virtualapp.service.DemoPushService 24819 300 0
Loads the following dynamic libraries:
- Bugly
- bmobwpay
- getuiext2
- libjiagu
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-GCM-NoPadding
- DES
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-GCM-NoPadding
Uses special library to hide executable bytecode.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
