Android.Triada.756

Android.Triada.756

Added to the Dr.Web virus database: 2018-03-19

Virus description added: 2018-03-19

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.Triada.309

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) 1####.159.53.238:80
TCP(HTTP/1.1) f.up.v####.####.com:80
TCP(HTTP/1.1) 1####.92.201.20:3003
TCP(HTTP/1.1) i####.cn.com:80
TCP(HTTP/1.1) 1####.76.224.67:80
TCP(HTTP/1.1) 1####.159.208.192:80
TCP(TLS/1.0) www.go####.com:443
TCP(TLS/1.0) pay.v####.com.cn:443

DNS requests:

f.up.v####.####.cn
i####.cn.com
pay.v####.com.cn
pg.x####.com
unitedp####.lemuel####.com
www.go####.com

HTTP GET requests:

i####.cn.com/a/3cff577985556567209c8fa8131303f63

HTTP POST requests:

f.up.v####.####.com/usrsys/reportUsrsys?version=####

Modified file system:

Creates the following files:

<Package Folder>/.jiagu/libjiagu.so
<Package Folder>/app_lemuellabs_reserved/2e11c531d09d3148.jar
<Package Folder>/app_lemuellabs_reserved/3ad3f1f20da14e93.jar
<Package Folder>/app_lemuellabs_reserved/3e9f906300798756.jar
<Package Folder>/app_lemuellabs_reserved/8f9e5f185a92f875.jar
<Package Folder>/app_lemuellabs_reserved/codex.so
<Package Folder>/app_lemuellabs_reserved/e89f9543bf9fa976.jar
<Package Folder>/app_lemuellabs_reserved_/546689bbfe750768.jar
<Package Folder>/app_lemuellabs_reserved_/72602359ebefdd51.jar
<Package Folder>/app_lemuellabs_reserved_/a6f2cf5b8f9040ba.jar
<Package Folder>/app_lemuellabs_reserved_/baa8511f2ce15a8b.jar
<Package Folder>/app_lemuellabs_reserved_/codex_inner.so
<Package Folder>/app_lemuellabs_reserved_/ea4f4e02018fe169.jar
<Package Folder>/app_lemuellabs_reserved_/lemuel_security_inner.so
<Package Folder>/cache/####/-1143945219847306209
<Package Folder>/databases/talkingdata_app.db-journal
<Package Folder>/databases/trackevents.db-journal
<Package Folder>/databases/unionuserinfo.db-journal
<Package Folder>/files/####/.jg.ic
<Package Folder>/files/####/srebg_f.zip
<Package Folder>/files/####/vivounionapk_v2.2.1_a1381cb_201704101737.vua
<Package Folder>/files/UNITEDPAYACTLIST_
<Package Folder>/files/talkingdata_app_process_preferences_file
<Package Folder>/files/talkingdata_app_version_preferences_file
<Package Folder>/shared_prefs/3cff577985556567209c8fa8131303f63...le.xml
<Package Folder>/shared_prefs/<Package>_preferences.xml
<Package Folder>/shared_prefs/TD_app_pefercen_profile.xml
<Package Folder>/shared_prefs/jg_so_upgrade_setting.xml
<Package Folder>/shared_prefs/pref_file.xml
<Package Folder>/shared_prefs/qihoo_jiagu_crash_report.xml
<Package Folder>/shared_prefs/td_pefercen_profile.xml
<Package Folder>/shared_prefs/tdid.xml
<SD-Card>/.tcookieid
<SD-Card>/.vivoAccountsdk/sdkaccountinfo.db
<SD-Card>/.vivoAccountsdk/sdkaccountinfo.db-journal
<SD-Card>/.vivounionapk/vivounionapk_v2.2.1_a1381cb_201704101737.vua

Miscellaneous:

Executes next shell scripts:

chmod 755 <Package Folder>/.jiagu/libjiagu.so

Loads the following dynamic libraries:

_lemuel_security
codex
codex_inner
game
lemuel_security_inner
libjiagu
vivo_account_sdk

Uses special library to hide executable bytecode.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Displays its own windows over windows of other applications.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial