Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.3394
- Android.DownLoader.635.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) googl####.g.doublec####.net:80
- TCP(TLS/1.0) googl####.g.doublec####.net:443
DNS requests:
- googl####.g.doublec####.net
HTTP GET requests:
- googl####.g.doublec####.net/mads/static/mad/sdk/native/sdk-core-v40-load...
- googl####.g.doublec####.net/mads/static/mad/sdk/native/sdk-core-v40.html
Modified file system:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/ColorfulBrideDressUp.sxx
- /data/data/####/ads788529677.jar
- /data/data/####/air.lo.ColorfulBrideDressUp.AIRSharedPref.xml
- /data/data/####/air.lo.ColorfulBrideDressUp.apk
- /data/data/####/application.xml
- /data/data/####/curl-ca-bundle.crt
- /data/data/####/data.amr
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/extension.xml
- /data/data/####/f_000001
- /data/data/####/game.swf
- /data/data/####/http_googleads.g.doubleclick.net_0.localstorage-journal
- /data/data/####/index
- /data/data/####/javaTrustStore.tmp
- /data/data/####/libjiagu.so
- /data/data/####/library.swf
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
Miscellaneous:
Executes next shell scripts:
- /system/bin/cat /proc/cpuinfo
- /system/bin/cat /proc/meminfo
- /system/bin/cat /sys/devices/system/cpu/present
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Loads the following dynamic libraries:
- libCore
- libjiagu
- libstlport_shared
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
Uses special library to hide executable bytecode.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Displays its own windows over windows of other applications.
