Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.657.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) pg.x####.com:80
- TCP(HTTP/1.1) poll-di####.cooteks####.com:80
- TCP(HTTP/1.1) unipa####.wos####.cn:8080
- TCP(HTTP/1.1) unip####.wos####.cn:8080
- TCP(HTTP/1.1) www.go####.com:80
- TCP(HTTP/1.1) un####.wos####.cn:8061
- UDP(NTP) 1.cn.p####.####.org:123
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) www.go####.nl:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) adser####.go####.com:443
DNS requests:
- 1.cn.p####.####.org
- adser####.go####.com
- i####.cn
- pg.x####.com
- poll-di####.cooteks####.com
- se####.wos####.cn
- ssl.gst####.com
- un####.wos####.cn
- unip####.wos####.cn
- unipa####.wos####.cn
- www.go####.com
- www.go####.nl
- www.gst####.com
HTTP GET requests:
- poll-di####.cooteks####.com/dualsim/appkey_dsi?appkey=####&host=####&man...
- unip####.wos####.cn:8080/upload/1533274889497.zip
- www.go####.com/complete/search?hl=en&client=android&q=https://www.google...
HTTP POST requests:
- pg.x####.com/api/q/a/3c99d6d9a19c2699cbe29901bb0c04372
- pg.x####.com/api/statis/3c99d6d9a19c2699cbe29901bb0c04372/app-F2EB33FA41...
- un####.wos####.cn:8061/logserver/unipay/unipayLogin
- unipa####.wos####.cn:8080/sdk_upgrade_server/sdkupdate.action
Modified file system:
Creates the following files:
- /data/anr/traces.txt
- /data/data/####/4.8.0M2111B0715_resource_400.apk
- /data/data/####/TD_app_pefercen_profile.xml
- /data/data/####/TD_app_pefercen_profile.xml.bak (deleted)
- /data/data/####/TDpref_longtime.xml
- /data/data/####/TDpref_shorttime.xml
- /data/data/####/TDtcagent.db
- /data/data/####/TDtcagent.db-journal
- /data/data/####/app_crash_34ba9bad83871519909ba07fea4a7906.txt
- /data/data/####/app_crash_45d4888260522f13052b4393edc7f644.txt
- /data/data/####/app_crash_5d86092a0ca78bcf1d79b6b2b3fc081d.txt
- /data/data/####/app_crash_6409401cac1deea71ccfa297f3048ebd.txt
- /data/data/####/app_crash_666e6d9775484cccc50f53dc9b311456.txt
- /data/data/####/app_crash_9882a91e1e3bd6c054cc722e573d9f64.txt
- /data/data/####/app_crash_ce30af4a148c2f26a90fcb5c4fc5de40.txt
- /data/data/####/app_crash_d5b0a56552fc6ec6f996814a014a8ca9.txt
- /data/data/####/app_crash_efe56f2b47b9c70383907989db80e954.txt
- /data/data/####/com.sg.atmjjw.nearme.gamecenter_preferences.xml
- /data/data/####/libjiagu1024523599.so
- /data/data/####/libonlywechat_plugin.so
- /data/data/####/local.jar
- /data/data/####/login
- /data/data/####/msg_store.xml
- /data/data/####/oppo_game_service_232.apk_temp
- /data/data/####/oppo_game_service_232.dex
- /data/data/####/plugin_framework.xml
- /data/data/####/sdk_load_info.xml
- /data/data/####/talkingdata_app.db-journal
- /data/data/####/talkingdata_app_process_preferences_file
- /data/data/####/talkingdata_app_version_preferences_file
- /data/data/####/td.lock
- /data/data/####/tdid.xml
- /data/data/####/unicom_cl.xml
- /data/data/####/wwoclasses.dex
- /data/data/####/wwoclasses.dve
- /data/data/####/wwoclasses.jar
- /data/media/####/.tcookieid
- /data/media/####/data0.dat
- /data/media/####/data1.dat
- /data/media/####/data111.dat
- /data/media/####/dualsim.dat
Miscellaneous:
Executes next shell scripts:
- chmod 755 <Package Folder>/.jiagu/libjiagu1024523599.so
- netstat -apn
Loads the following dynamic libraries:
- libjiagu1024523599
- me_unipay
- megjb
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS7Padding
- DESede-CBC-NoPadding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
- DESede-CBC-NoPadding
- RSA-ECB-PKCS1Padding
Uses special library to hide executable bytecode.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.