Android.Packed.41329

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.DownLoader.343.origin
Android.DownLoader.414.origin
Android.DownLoader.455.origin
Android.DownLoader.570.origin
Android.DownLoader.723
Android.DownLoader.725

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) ff.t####.com.####.com:80
TCP(HTTP/1.1) www.p####.com:80
TCP(HTTP/1.1) oc.u####.com:80
TCP(HTTP/1.1) a.appj####.com:80
TCP s1.sk####.com:9101
TCP s1.sk####.com:9102
TCP t1.jz####.com:7101
TCP t1.jz####.com:7102
TCP s3.sk####.com:9103
TCP t1.jz####.com:7103

DNS requests:

a####.u####.com
a.appj####.com
feed####.u####.com
ff.t####.com
oc.u####.com
s1.sk####.com
s2.sk####.com
s3.sk####.com
t1.jz####.com
t2.jz####.com
t3.jz####.com
www.p####.com

HTTP GET requests:

ff.t####.com.####.com/d/4170.jpg
ff.t####.com.####.com/d/43wk.jpg
ff.t####.com.####.com/d/44y3.jpg
ff.t####.com.####.com/d/44y6.jpg

HTTP POST requests:

a####.u####.com/app_logs
a.appj####.com/ad-service/ad/mark
oc.u####.com/check_config_update
www.p####.com/apiv1/sdkstat/install
www.p####.com/apiv1/sdkstat/launch
www.p####.com/apiv1/update/check

File system changes:

Creates the following files:

/data/data/####/.imprint
/data/data/####/.jg.ic
/data/data/####/13565070593518951.db-journal
/data/data/####/1543887486055p.jar
/data/data/####/1543887486267s.jar
/data/data/####/15438874865030.jar
/data/data/####/62FD9F7FDB6FA40C.xml
/data/data/####/BB1639DFC4583902.xml
/data/data/####/com.wbswlsy.gzwl_preferences.xml
/data/data/####/fappInfo_f_356507059351895.xml
/data/data/####/fconf_f356507059351895.xml
/data/data/####/fconf_f_356507059351895.xml
/data/data/####/finfo_f_356507059351895.xml
/data/data/####/ftrategy_f_356507059351895.xml
/data/data/####/i.xml
/data/data/####/jg_app_update_settings_random.xml
/data/data/####/libjiagu.so
/data/data/####/mobclick_agent_online_setting_com.wbswlsy.gzwl.xml
/data/data/####/pgyersdk.xml
/data/data/####/ss_d.db-journal
/data/data/####/umeng_feedback_conversations.xml
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/webview.db-journal
/data/data/####/wtxfhg.t
/data/media/####/086E6949EB8BD08533C8494896B5B5C7
/data/media/####/2DF918D2ECA7E0255A5DC3308A50A32C88671C4C1CE869...77D8E9
/data/media/####/2DF918D2ECA7E025AD32EB557A6EF1A9131B9CE8F8BDD871
/data/media/####/4133212EB5AD472B20EC21C7757FE6F1CFB8F230246C7353
/data/media/####/4170.jpg.dat
/data/media/####/43wk.jpg.dat
/data/media/####/44y3.jpg.dat
/data/media/####/44y6.jpg.dat
/data/media/####/52F586B40932DF71131B9CE8F8BDD871
/data/media/####/54AB0F21F8A5AB9FDF1050659911C6E5CFB8F230246C7353
/data/media/####/84D0A26BD14E0A1B5B8C6AB4D568CB1E
/data/media/####/919A919A8826F59A
/data/media/####/9437AE2BBB0B4510F28925D2692794D3131B9CE8F8BDD871
/data/media/####/BBF032719D64E9B4
/data/media/####/C93B98C15C219BC130F48CD6DF8FFE3E131B9CE8F8BDD871
/data/media/####/DB2BE60772D70B0EBCC3F384A4BBD92D30BA7C24E2D7A82F
/data/media/####/__pasys_remote_banner.jar
/data/media/####/gzwl
/data/media/####/gzwl-journal
/data/media/####/rvdbm
/data/media/####/rvdbm.zip
/data/media/####/wtxfhg
/data/media/####/xoovfuilragtazmetjiezoeqnll.zip

Miscellaneous:

Executes the following shell scripts:

<Package Folder>/wtxfhg -p <Package> -r am start --user 0 -n <Package>/tqpke.ntxqc.zbm -a daemon -h http://127.0.0.1:7123/report/allData -i 2274
chmod 777 <Package Folder>/wtxfhg
sh <Package Folder>/wtxfhg -p <Package> -r am start --user 0 -n <Package>/tqpke.ntxqc.zbm -a daemon -h http://127.0.0.1:7123/report/allData -i 2274

Loads the following dynamic libraries:

libjiagu

Uses the following algorithms to encrypt data:

Uses the following algorithms to decrypt data:

Uses special library to hide executable bytecode.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Adds tasks to the system scheduler.

Displays its own windows over windows of other apps.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial