Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.564.origin
Downloads the following detected threats from the Web:
- Android.Backdoor.564.origin
Network activity:
Connecting to:
- a####.####.cn
- ga####.####.com
- hotp####.####.com
- i####.####.com
- s####.####.com
HTTP GET requests:
- a####.####.cn/info/verfiy_api_id?api_id=####&api_secret=####
- hotp####.####.com/patch?version=####&patchver=####&platform=####&appId=#...
- i####.####.com/service/getIpInfo.php?ip=####
HTTP POST requests:
- ga####.####.com/?st=####&sv=####&tm=####&sid=####&apn=####&ct=####&pi=##...
- s####.####.com/api.php?format=####&t=####
Modified file system:
Creates the following files:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/cache/####/1496221983553
- <Package Folder>/cache/####/1496221986101
- <Package Folder>/cache/####/journal
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/lib.point-journal
- <Package Folder>/databases/notes-db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/05-31_09_13_<Package>_2113
- <Package Folder>/files/####/05-31_09_13_<Package>_2273
- <Package Folder>/files/####/05-31_09_13_<Package>_2373
- <Package Folder>/files/####/05-31_09_13_<Package>_TcmsService_2146
- <Package Folder>/files/####/libBaiduMapSDK_base_v4_3_0.so
- <Package Folder>/files/.YFlurrySenderIndex.info.AnalyticsData_78ZPDHTPZ3RJQKPZTWN9_216
- <Package Folder>/files/.YFlurrySenderIndex.info.AnalyticsMain
- <Package Folder>/files/.yflurrydatasenderblock.7aaf0cd9-0a3a-46e2-8c98-68aaacaef923
- <Package Folder>/files/.yflurrydatasenderblock.dc76bfb4-c775-49f1-83f8-76dda84a97ad
- <Package Folder>/files/init_c1.pid
- <Package Folder>/files/init_er.pid
- <Package Folder>/files/libcuid.so
- <Package Folder>/files/lotuseed.lock
- <Package Folder>/files/lotuseed.s
- <Package Folder>/files/mobclick_agent_cached_<Package>38
- <Package Folder>/lib-main/dso_deps
- <Package Folder>/lib-main/dso_lock
- <Package Folder>/lib-main/dso_manifest
- <Package Folder>/lib-main/dso_state
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/app_preferences.xml
- <Package Folder>/shared_prefs/authStatus_<Package>.xml
- <Package Folder>/shared_prefs/finance_cache_preference.xml
- <Package Folder>/shared_prefs/finance_cache_preference.xml.bak
- <Package Folder>/shared_prefs/getui_sp.xml
- <Package Folder>/shared_prefs/lotuseed_global.xml
- <Package Folder>/shared_prefs/lotuseed_main.xml
- <Package Folder>/shared_prefs/mobclick_agent_user_<Package>.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/notification_config.xml
- <Package Folder>/shared_prefs/qihoo_jiagu_crash_report.xml
- <Package Folder>/shared_prefs/tcms_istied.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.system/lotuseed.devid
- <SD-Card>/<Package>/####/2_20170531_r
- <SD-Card>/backups/####/.cuid
- <SD-Card>/backups/####/.cuid2
Miscellaneous:
Executes next shell scripts:
- chmod 755 /data/data/com.microfundrn/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.product.cpu.abi
- logcat -v time -t 500 2113
- logcat -v time -t 500 2273
- logcat -v time -t 500 2373
- logcat -v time -t 500 2462
- logcat -v time -t 500 2584
- logcat -v time -t 500 2688
- logcat -v time -t 500 2786
- logcat -v time -t 500 2911
- logcat -v time -t 500 3005
- logcat -v time -t 500 3096
- logcat -v time -t 500 3182
- logcat -v time -t 500 3291
- logcat -v time -t 500 3387
- logcat -v time -t 500 3493
- ps
- sh
Uses special library to hide executable bytecode.