Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.792.origin
- Android.DownLoader.793.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) g.cn.miao####.com:80
- TCP(HTTP/1.1) tt.5####.net:80
- TCP(HTTP/1.1) map.dxpm####.com:80
- TCP(HTTP/1.1) c.d####.mob.com:80
- TCP(HTTP/1.1) stati####.5####.net:80
- TCP(HTTP/1.1) stati####.in####.j####.com:80
- TCP(HTTP/1.1) gm.mm####.com:80
- TCP(HTTP/1.1) wifia####.5####.net:80
- TCP(HTTP/1.1) i####.in####.j####.com:80
- TCP(HTTP/1.1) api.s####.mob.com:80
- TCP(HTTP/1.1) v####.6####.com:80
- TCP(HTTP/1.1) h####.b####.com:80
- TCP(HTTP/1.1) c.w####.com:80
- TCP(HTTP/1.1) s####.ch####.com:80
- TCP(HTTP/1.1) s####.j####.cn:80
- TCP(HTTP/1.1) d####.d####.mob.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) d####.opensp####.cn:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) mp####.5####.net:80
- TCP(HTTP/1.1) dps.wt####.com:8085
- TCP(HTTP/1.1) sh.wagbr####.aliyun####.com:80
- TCP(HTTP/1.1) x1.api.gg####.com:80
- TCP(HTTP/1.1) pco####.ta####.com:80
- TCP(HTTP/1.1) api.voic####.cn:80
- TCP(HTTP/1.1) weiboi####.g####.sina####.com:80
- TCP(HTTP/1.1) s.c####.com:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) src.r####.com.####.com:80
- TCP(HTTP/1.1) m.d####.mob.com:80
- TCP(HTTP/1.1) bus.in####.j####.com:80
- TCP(HTTP/1.1) ip.adi####.net:80
- TCP(HTTP/1.1) g7.api.1####.cn:80
- TCP(HTTP/1.1) h####.opensp####.cn:80
- TCP(HTTP/1.1) di.w####.com:80
- TCP(HTTP/1.1) www.m####.com:80
- TCP(HTTP/1.1) adr-141####.cn-nor####.elb.####.cn:80
- TCP(HTTP/1.1) 362b3d8####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) www.3####.com:80
- TCP(HTTP/1.1) w####.e23.cn:80
- TCP(HTTP/1.1) t####.ssp.z####.com:80
- TCP(HTTP/1.1) q.in####.j####.com:80
- TCP(HTTP/1.1) m.chin####.com:80
- TCP(HTTP/1.1) sdk.c####.com:80
- TCP(HTTP/1.1) sdk.91a####.com:80
- TCP(HTTP/1.1) t####.r####.com:80
- TCP(HTTP/1.1) idv####.qini####.com:80
- TCP(HTTP/1.1) w####.5####.com:80
- TCP(TLS/1.0) an####.l####.com:443
- TCP(TLS/1.0) st####.qianma####.com:443
- TCP(TLS/1.0) ssp.huay####.com:443
- TCP(TLS/1.0) stati####.5####.net:443
- TCP(TLS/1.0) web.da.m####.com:443
- TCP(TLS/1.0) ip.adi####.net:443
- TCP(TLS/1.0) api.wf####.cn:443
- TCP(TLS/1.0) i####.com:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) ssp.z####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) www.m####.com:443
- TCP(TLS/1.0) pmptrac####.gen####.net:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) wx1.c####.com:443
- TCP(TLS/1.0) h####.m####.com:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) ia####.m####.com:443
- TCP(TLS/1.0) 5g.bai####.net.####.com:443
- TCP 1####.230.236.28:7008
- UDP s.j####.cn:19000
DNS requests:
- 362b3d8####.oss-cn-####.aliy####.com
- 5g.bai####.net
- a####.exc.mob.com
- adr-141####.cn-nor####.elb.####.cn
- ads.voic####.cn
- amap####.cn-hang####.oss####.####.com
- an####.l####.com
- api.s####.mob.com
- api.voic####.cn
- api.wf####.cn
- bus.in####.j####.com
- c####.mm####.com
- c.c####.com
- c.d####.mob.com
- c.w####.com
- d####.d####.mob.com
- d####.opensp####.cn
- di.w####.com
- dps.wt####.com
- g.cn.miao####.com
- g7.api.1####.cn
- h####.b####.com
- h####.m####.com
- h####.opensp####.cn
- i####.com
- i####.in####.j####.com
- ia####.m####.com
- ip.adi####.net
- js.c####.com
- js.m####.com
- l####.tbs.qq.com
- m.chin####.com
- m.d####.mob.com
- map.dxpm####.com
- mp####.5####.net
- pco####.c####.com
- pmptrac####.gen####.net
- q.in####.j####.com
- res####.a####.com
- s####.ch####.com
- s####.j####.cn
- s.c####.com
- s.j####.cn
- s13.c####.com
- s19.c####.com
- s22.c####.com
- sdk.91a####.com
- sdk.c####.com
- src.r####.com
- ssp.huay####.com
- ssp.z####.com
- st####.qianma####.com
- st####.w####.com
- stati####.5####.net
- stati####.in####.j####.com
- t####.r####.com
- t####.ssp.z####.com
- tt.5####.net
- v####.6####.com
- v.lstt####.com
- w####.5####.com
- w####.5####.com
- w####.e23.cn
- web.da.m####.com
- wifia####.5####.net
- www.3####.com
- www.m####.com
- wx1.c####.com
- wx2.sin####.cn
- x1.api.gg####.com
- z1.c####.com
- z7.c####.com
- z8.c####.com
HTTP GET requests:
- 362b3d8####.oss-cn-####.aliy####.com/h.html?id=id=1####&web_id=####
- adr-141####.cn-nor####.elb.####.cn/direct?cc=####
- api.s####.mob.com/date
- api.voic####.cn/hotUpdate/?ver=####
- bus.in####.j####.com/getHomeApi?client=####&type=####&version=####
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/z_stat.php?id=####&web_id=####
- c.w####.com/dummy?log=####&act=####&media_type=####&domain=####&wksspid=...
- c.w####.com/dummy?log=####&act=####&ref=####&_t=####&wkssp_tkey=####
- di.w####.com/allcdc/android.json?b1538243737530=####
- dps.wt####.com:8085/js/blhc7/yz.js
- g.cn.miao####.com/x/k=2097264&p=7II4c&dx=__IPDX__&rt=2&ns=95.211.190.198...
- g7.api.1####.cn/jump.htm?t=####&pid=####&p=S2WhC####
- gm.mm####.com/9.gif?abc=####&rnd=####
- h####.opensp####.cn/launchconfig?t=####&p=ZWxwZ####
- i####.in####.j####.com/version?category=####&rest=####&client=####&ver=#...
- idv####.qini####.com/static/crossd_iframe.html
- ip.adi####.net/api/ad/ad/getNativeAd?ad_channal_code=####
- ip.adi####.net/api/ad/ad/sendDeviceInfo
- m.chin####.com/658.js
- m.chin####.com/hot/658.ashx?a=####&eid=####&make=####&model=####
- m.d####.mob.com/v4/cconf?appkey=####&plat=####&apppkg=####&appver=####&n...
- map.dxpm####.com/cm/receive?dxp_p=####&mzid=####
- mp####.5####.net/news/2707135198822400.html?fromId=####&newsId=####&docI...
- pco####.ta####.com/app.gif?&cna=####
- q.in####.j####.com/data/upload/2018/0102/16/5a4b496a524d0.png
- q.in####.j####.com/data/upload/2018/0102/16/5a4b497807ab8.png
- q.in####.j####.com/data/upload/2018/0102/16/5a4b49a42fe38.png
- q.in####.j####.com/data/upload/2018/0102/16/5a4b49b23a3d5.png
- q.in####.j####.com/data/upload/2018/0102/16/5a4b49c150796.png
- q.in####.j####.com/data/upload/2018/0102/16/5a4b49ebb6f7c.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4a573673f.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4a5fd7321.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4a6f5bf36.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4a8329920.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4a9dc710c.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4ac2ea8f5.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4acecd473.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4aeb7dcf4.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4b025b929.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4b0dabb23.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4b20d21a7.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4b2d64cef.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4b3991a49.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4b5cb2c37.png
- q.in####.j####.com/data/upload/2018/0102/17/5a4b4b689b9bb.png
- q.in####.j####.com/data/upload/2018/0103/09/5a4c33ef7b78d.png
- q.in####.j####.com/data/upload/2018/0103/09/5a4c350662052.png
- q.in####.j####.com/getAdConfig?client=####&version=####
- q.in####.j####.com/getRank?client=####&imei=####&euid=####
- q.in####.j####.com/temperature/weather/b0.png?v=####
- q.in####.j####.com/userinfo?client=####&mid=hO7####&user_id####&key=####
- s####.ch####.com/extra/information/list?acc=####
- s.c####.com/s.htm?s=####&id=####&pid=####
- sdk.91a####.com/static/20180925144459mod.enc
- sh.wagbr####.aliyun####.com/sdkcoor/android/x86/libJni_wgs2gcj.so
- src.r####.com.####.com/kubo/dex/hh_8.6_109.dex
- stati####.5####.net/htdoc/news/scripts/detail.min.js
- stati####.5####.net/htdoc/news/styles/detail.min.css
- stati####.in####.j####.com/Uploads/Activity/2018-5/201805161015238314.jpg
- stati####.in####.j####.com/Uploads/Activity/2018-7/201807241545491239.jpg
- stati####.in####.j####.com/Uploads/Activity/2018-9/201809101045404688.jpg
- stati####.in####.j####.com/Uploads/Activity/2018-9/201809251354597696.jpg
- stati####.in####.j####.com/Uploads/News/2018-9/201809291416511773.jpg_b....
- stati####.in####.j####.com/Uploads/StreetScape/2018-9/29/Thumbnail/20180...
- t####.r####.com/trace/pm?et=####&e=####
- t####.ssp.z####.com/myad/cslog/show?v=####&url=TAs####&s=####
- tt.5####.net/hotNews.do?callback=####&dlFrom=####&_=####
- w####.e23.cn/uploadfile/2018/0522/20180522024144932.jpg
- w####.e23.cn/uploadfile/2018/0522/20180522024145866.jpg
- w####.e23.cn/uploadfile/2018/0522/20180522024146312.jpg
- weiboi####.g####.sina####.com/large/006KER4wgy1flxrc5uqh9j306z04odgs.jpg
- wifia####.5####.net/wifiapi/rd.do?f=####&b=####&a=####&v=####&_t=####
- wifia####.5####.net/wifiapi/rd.do?f=####&b=####&n=####&a=####&v=####&_t=...
- www.3####.com/s.htm?s=####&id=####&pid=####
- www.m####.com/
- z.c####.com/stat.htm?id=1271282416&r=http://mp-api.51y5.net/news/2707135...
HTTP POST requests:
- a####.exc.mob.com/errconf
- api.s####.mob.com/conf5
- api.s####.mob.com/conn
- api.s####.mob.com/log4
- api.s####.mob.com/snsconf
- api.voic####.cn/ad/request
- c.d####.mob.com/v3/cdata
- d####.d####.mob.com/dinfo
- d####.d####.mob.com/dsign
- d####.opensp####.cn/index.php/clientrequest/clientcollect/isCollect
- g7.api.1####.cn/api.htm?pid=####
- h####.b####.com/app.gif
- l####.tbs.qq.com/ajax?c=####&k=####
- q.in####.j####.com/addUserInfo
- s####.j####.cn/v2/report
- sdk.91a####.com/api/DeviceReport.ashx
- sdk.c####.com/getsiteapi.php
- sdk.c####.com/sdkallapi.php
- sdk.c####.com/sdkreapi.php
- sdk.c####.com/versiontapi.php?v=####&type=####
- v####.6####.com/0/ca477c3b25914a5f821296be846eca73.html
- v####.6####.com/18/a41844eff5ff4a0a96c9603142acfcf6.html
- v####.6####.com/20/8c10c5184b36491eb6ed32bdbafb1eb4.html
- v####.6####.com/21/951b059d52e34526bd44b82d5204ff96.html
- v####.6####.com/9/17ecff40f1644f1a9cbb04dad5d6013f.html
- v####.6####.com/9/83c2961314204ae699a3379a8f3dbc1e.html
- v####.6####.com/api/CheckModule.ashx
- v####.6####.com/api/GetLockAppOpenTask.ashx
- v####.6####.com/api/GetModuleConfig.ashx
- v####.6####.com/api/GetPkNameList.ashx
- v####.6####.com/api/GetTreasureJS.ashx
- v####.6####.com/api/GetTreasureTask.ashx
- v####.6####.com/api/ReportAppLog.ashx
- w####.5####.com/0/76179c31f5d04e21bcf7fee1debf1df1.html
- x1.api.gg####.com/api.htm?pid=####&appid=####
Modified file system:
Creates the following files:
- /data/data/####/-1169818910.tmp
- /data/data/####/-1227478746.tmp
- /data/data/####/-1270945639.tmp
- /data/data/####/-1288425462.tmp
- /data/data/####/-1297256444.tmp
- /data/data/####/-1570697124.tmp
- /data/data/####/-1662822299.tmp
- /data/data/####/-1713610005.tmp
- /data/data/####/-1730896518.tmp
- /data/data/####/-188936681.tmp
- /data/data/####/-1895930687.tmp
- /data/data/####/-2082189689.tmp
- /data/data/####/-2122588830.tmp
- /data/data/####/-213697123.tmp
- /data/data/####/-267883143.tmp
- /data/data/####/-302376483.tmp
- /data/data/####/-435256951.tmp
- /data/data/####/-585338512.tmp
- /data/data/####/-682485924.tmp
- /data/data/####/-709314341.tmp
- /data/data/####/-763137869.tmp
- /data/data/####/-828425399.tmp
- /data/data/####/.duid
- /data/data/####/.jg.ic
- /data/data/####/.lock
- /data/data/####/.mrecord
- /data/data/####/.mrlock
- /data/data/####/.statistics
- /data/data/####/.vpl_lock
- /data/data/####/1166343777.tmp
- /data/data/####/12102457033216.0
- /data/data/####/1252031899.tmp
- /data/data/####/1404444115.tmp
- /data/data/####/1528932046.tmp
- /data/data/####/1565756577.tmp
- /data/data/####/1928315393.tmp
- /data/data/####/1d2b904cbeadfb72ed9546111a231c85.0
- /data/data/####/232325630.tmp
- /data/data/####/3461093078437.0
- /data/data/####/356905472.tmp
- /data/data/####/4181651487970.0
- /data/data/####/626494754.tmp
- /data/data/####/646702105.tmp
- /data/data/####/7440462326498.0
- /data/data/####/AdDex.3.1.0.dex
- /data/data/####/DownloadTaskStore.db-journal
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/__Baidu_Stat_SDK_SendRem.xml
- /data/data/####/__local_last_session.json
- /data/data/####/__local_stat_cache.json
- /data/data/####/adsp.xml
- /data/data/####/ax_c.xml
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/cn.jpush.preferences.v2.xml.bak
- /data/data/####/com.iflytek.id.xml
- /data/data/####/com.iflytek.msc.xml
- /data/data/####/core_info
- /data/data/####/d734a396262fed7b7e4fa1276c05b624.0
- /data/data/####/data.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/domainset
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/hh_8.6.dex
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/ibkad_config.xml
- /data/data/####/ibus_20180712
- /data/data/####/ifly_launch_lib.xml
- /data/data/####/iflytek_state_com.cn.bushelper.xml
- /data/data/####/index
- /data/data/####/indexnews
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_local_notification.db
- /data/data/####/jpush_local_notification.db-journal
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_statistics.db
- /data/data/####/jpush_statistics.db-journal
- /data/data/####/libjiagu312090826.so
- /data/data/####/loctemp.so
- /data/data/####/logdb.db
- /data/data/####/logdb.db-journal
- /data/data/####/max_pref.xml
- /data/data/####/mc109.dex
- /data/data/####/mc_cache.xml
- /data/data/####/mob_commons_1
- /data/data/####/mob_sdk_exception_1
- /data/data/####/mod.dec
- /data/data/####/mod.dex
- /data/data/####/mod.enc
- /data/data/####/multidex.version.xml
- /data/data/####/native_plates
- /data/data/####/native_plates-journal
- /data/data/####/phan.xml
- /data/data/####/pref.xml
- /data/data/####/share_sdk_1
- /data/data/####/sharesdk.db-journal
- /data/data/####/smartbusdata.db-journal
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_config.xml.bak (deleted)
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/test.dat
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/data/####/welcome
- /data/media/####/.al
- /data/media/####/.artc_lock
- /data/media/####/.dh-journal
- /data/media/####/.dhlock
- /data/media/####/.di
- /data/media/####/.dic_lock
- /data/media/####/.digap
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.lecd
- /data/media/####/.lesd_lock
- /data/media/####/.mcli
- /data/media/####/.mn_-1464060969
- /data/media/####/.nomedia
- /data/media/####/.nulal
- /data/media/####/.nulplt
- /data/media/####/.pkg_lock
- /data/media/####/.plst
- /data/media/####/.push_deviceid
- /data/media/####/.rc_lock
- /data/media/####/.slw
- /data/media/####/1538243706828.db
- /data/media/####/alsn20170807.db
- /data/media/####/alsn20170807.db-journal
- /data/media/####/id.tmp
- /data/media/####/iflyworkdir_test
Miscellaneous:
Executes next shell scripts:
- app_process /system/bin com.android.commands.pm.Pm list packages
- cat /sys/class/net/wlan0/address
- chmod 755 <Package Folder>/.jiagu/libjiagu312090826.so
- getprop ro.product.cpu.abi
- grep -E -v root|shell|system
- pm list packages
- sh
- top -d 0 -n 1
Loads the following dynamic libraries:
- jpush213
- libjiagu312090826
- msc
- sqlcipher
- utlilib
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
Uses special library to hide executable bytecode.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Gains access to information about running applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
