Android.Triada.1236

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.Triada.248.origin
Android.Triada.373.origin

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) l.ace####.com:80
TCP(HTTP/1.1) 1####.215.106.114:8081
TCP(HTTP/1.1) img.ace####.com:80
TCP(HTTP/1.1) pg.x####.com:80
TCP(HTTP/1.1) i####.cn.com:80
TCP(HTTP/1.1) loc.map.b####.com:80
TCP(TLS/1.0) and####.cli####.go####.com:443

DNS requests:

and####.cli####.go####.com
i####.cn.com
img.ace####.com
l.ace####.com
loc.map.b####.com
mt####.go####.com
pg.x####.com

HTTP GET requests:

i####.cn.com/a/3c1e0985093cceca4f16f5f8da551f103
img.ace####.com/ando-res/ads/30/14/f15541de-b7bd-4ff9-97fb-9e6cc9e4e044/...
img.ace####.com/ando-res/m/5Rlwv1la6TsrR2g3NB13ZwiHPBL12Klc86S1ING23KedR...

HTTP POST requests:

l.ace####.com/ando/v2/ap?app_id=####&r=####
l.ace####.com/ando/v2/lv?app_id=####&r=####
l.ace####.com/ando/v2/qa?app_id=####&r=####
loc.map.b####.com/sdk.php
pg.x####.com/api/q/a/3c1e0985093cceca4f16f5f8da551f103

Modified file system:

Creates the following files:

/data/data/####/.jg.ic
/data/data/####/1z_zyNLhNtcvIuzRim715-lnTPzTO4fh.new
/data/data/####/250026699187743|account_file.xml
/data/data/####/3LHRsSeOVn3olSo7TDQIMhdULxEkPuUtT7kpDw==.new
/data/data/####/5Y-CS1f9m3L83Udg9U2AeNREHow=.new
/data/data/####/5xB2MhMVRUT6cM4PG0DL3sNmahbYLk9V.new
/data/data/####/7h2JuCp954GLJnzq
/data/data/####/A2H8VvZLigrSZ63I.zip
/data/data/####/Allw_mryCZqxh2fPHVXjjA==.new
/data/data/####/EukreTNky3w84OWw-xQQ2N5FWdN_Oz3pUpBGgf6SSSE=.new
/data/data/####/I_qcQNkTqduAr1u3XQTeRQ==.new
/data/data/####/J0puYehnPw0Qphi1Ww998vor6-0s0im5.new
/data/data/####/KKpRmxRTIakjqOMvCq6yZahMDhJHWnLg.new
/data/data/####/KQ1yUrlT7rl0xQyapH6EeWQJ_Wo=.new
/data/data/####/NeErQCTfy-eKyF3tpd9osQ==
/data/data/####/Q4J3lwRL6NDu73f-r6iJmy2ufb6RAajmfuP-9XRKIjI=.new
/data/data/####/Rgn4Nvd0Tpo5U65uMF6J-uJjanKiu-AljVnJI1C_QSs=.new
/data/data/####/SZ-3hczAEL7R9y1NI-3ER4i3g_c=.new
/data/data/####/SiqQWUzNZSxQg03ACxNofZd4gCrsAjGA_nr5RI84Lo4=.new
/data/data/####/TD_app_pefercen_profile.xml
/data/data/####/TRSgXEq1LhZm6I3A78ggZI2C2T0=
/data/data/####/TdBCdVF66jhTN_oL.new
/data/data/####/Z5pv14n6sZnWvgqH1O0zL5iWUj8=.new
/data/data/####/ZO-MPi-fvatbo3px
/data/data/####/_XEPigLyFt_a7hOSTTi59KDZaJE=.new
/data/data/####/b18acd32-8c39-4390-b048-54d377e51ad8.pic.temp
/data/data/####/bkIgoCN4wrKSUhfHsQuDBhtvkqA=.temp
/data/data/####/cc.db
/data/data/####/cc.db-journal
/data/data/####/ddb179a0-1e70-4d06-bf86-5bf1da8bc70d.pic
/data/data/####/dlaz-weZtTBEiDPP_URyo-RU0X4=.new
/data/data/####/gNNeerOcA6gCIIjxX7bM5w==
/data/data/####/genbvw_f.dex
/data/data/####/genbvw_f.zip
/data/data/####/jg_so_upgrade_setting.xml
/data/data/####/ld1ccABjznJfiYugeZ51uH18EgA=.new
/data/data/####/libjiagu.so
/data/data/####/mRqHpwgKF03t4A_uHLPQZhh_7LjN8LYE3r03-Q==.new
/data/data/####/mobclick_agent_cached_com.newversion.kxddzUU1
/data/data/####/mpush_game.db
/data/data/####/mpush_game.db-journal
/data/data/####/mpush_gateway_preferences_file
/data/data/####/mpush_version_preferences_file
/data/data/####/oeQNw4cueaPik-j3JPAu6n6k9s15OsGGg-zkVw==.new
/data/data/####/pref_file.xml
/data/data/####/qihoo_jiagu_crash_report.xml
/data/data/####/r5Ry_-mz0JcW7nex45p_6-NmH-E=.temp
/data/data/####/rdata_comgzoezgpnf.new
/data/data/####/runner_info.prop.new
/data/data/####/t9R2ciXieHzDd6xqxvtwgwURl576PJOu_0as50ysIwkM4mJ...ournal
/data/data/####/t9R2ciXieHzDd6xqxvtwgwURl576PJOu_0as50ysIwkM4mJTZAQN7yg==
/data/data/####/t9R2ciXieHzDd6xqxvtwgwURl576PJOu_ET7EH3jF36MFb_...ournal
/data/data/####/t9R2ciXieHzDd6xqxvtwgwURl576PJOu_ET7EH3jF36MFb_...puQZY=
/data/data/####/t9R2ciXieHzDd6xqxvtwgwURl576PJOu_OmKTLjSchx3NmG...ournal
/data/data/####/t9R2ciXieHzDd6xqxvtwgwURl576PJOu_OmKTLjSchx3NmGM1d7wGFA==
/data/data/####/t9R2ciXieHzDd6xqxvtwgwURl576PJOu_rPhHKr1C7JM=-journal
/data/data/####/t9R2ciXieHzDd6xqxvtwgwURl576PJOu_yEeowxNSBPGYgYaM
/data/data/####/t9R2ciXieHzDd6xqxvtwgwURl576PJOu_yEeowxNSBPGYgYaM-journal
/data/data/####/tW6fOeVDYymKm04qoP4FY7sZly7WzmEy.new
/data/data/####/td_pefercen_profile.xml
/data/data/####/tdid.xml
/data/data/####/umeng_general_config.xml
/data/data/####/vI7I19ySRPbgpxk-zu0IDA==.new
/data/data/####/vNLEAh3MlcOGBBfNdrW_b8cZ2y_QIgNH.new
/data/data/####/xEYAlIOoBRCFM8edAvxu6vOpCdPAHlWo.new
/data/data/####/xZqYZm0giNXczcRQhOWtLS8eMo7cS3nt.new
/data/data/####/yYvyFVJKoLHMXFf0pPSBou4kxBa38mNh.new
/data/media/####/.tcookieid
/data/media/####/.uunique
/data/media/####/.uunique.new
/data/media/####/.uunique.old (deleted)
/data/media/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
/data/media/####/7bf7cfd0-a44e-4a9a-b499-bd54fd19d973.res
/data/media/####/91193a56-e317-46e5-8565-1bf3255bf6aa.res
/data/media/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
/data/media/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
/data/media/####/MP8MtaBuguN9jnuSwtN1kQ==
/data/media/####/r_pkDgN4OhnkSa0D

Miscellaneous:

Executes next shell scripts:

<Package Folder>/code-708673/7h2JuCp954GLJnzq -p <Package> -c com.gzoe.zgpnf.entity.PapayaReceiver -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
chmod 755 <Package Folder>/.jiagu/libjiagu.so
sh <Package Folder>/code-708673/7h2JuCp954GLJnzq -p <Package> -c com.gzoe.zgpnf.entity.PapayaReceiver -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung

Loads the following dynamic libraries:

cocos2dcpp
libjiagu

Uses special library to hide executable bytecode.

Gains access to geolocation.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Gains access to information about running applications.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

Gains access to information about sent/received SMS messages.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial