Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.41.origin
- Android.Triada.417.origin
- Android.Triada.440.origin
- Android.Xiny.20
- Android.Xiny.224.origin
Downloads the following detected threats from the Web:
- Android.Xiny.20
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ja####.huita####.com:10091
- TCP(HTTP/1.1) www.pc####.com.####.cn:80
- TCP(HTTP/1.1) s####.x####.com.cn:80
- TCP(HTTP/1.1) z####.heyc####.net:80
- TCP(HTTP/1.1) i####.com:80
- TCP(HTTP/1.1) i####.pcon####.fas####.com:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) gm.mm####.com:80
- TCP(HTTP/1.1) im####.nic####.cn:80
- TCP(HTTP/1.1) qiniu-s####.cdn.d####.com:80
- TCP(HTTP/1.1) en####.tui####.com:80
- TCP(HTTP/1.1) w####.fun.tv:80
- TCP(HTTP/1.1) m.v####.com:80
- TCP(HTTP/1.1) m.cnt####.com:80
- TCP(HTTP/1.1) r####.qq####.cn:80
- TCP(HTTP/1.1) dup.baidust####.com:80
- TCP(HTTP/1.1) fp-st####.b0.a####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) c.appj####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) idu####.qini####.com:80
- TCP(HTTP/1.1) pco####.ta####.com:80
- TCP(HTTP/1.1) 2####.187.226.25:80
- TCP(HTTP/1.1) p2.ai####.com:80
- TCP(HTTP/1.1) m####.z####.cn:80
- TCP(HTTP/1.1) 7k####.46####.com:20351
- TCP(HTTP/1.1) pos.b####.com:80
- TCP(HTTP/1.1) p.a####.net:80
- TCP(HTTP/1.1) www.ye####.org:80
- TCP(HTTP/1.1) b####.www.ye####.org:80
- TCP(HTTP/1.1) do.soi####.com:80
- TCP(HTTP/1.1) yun.d####.com.cn:80
- TCP(HTTP/1.1) z.no####.net:80
- TCP(HTTP/1.1) yun.russi####.cn.####.com:80
- TCP(HTTP/1.1) s####.funs####.net:80
- TCP(HTTP/1.1) d0.x####.com.cn:80
- TCP(HTTP/1.1) ec####.b####.com:80
- TCP(HTTP/1.1) ip.ch####.com:80
- TCP(HTTP/1.1) zf####.v.qin####.com:80
- TCP(HTTP/1.1) ob.nic####.cn:80
- TCP(HTTP/1.1) v####.funs####.com:80
- TCP(HTTP/1.1) yun.tuis####.com:80
- TCP(HTTP/1.1) p####.cdb####.cn:80
- TCP(HTTP/1.1) 7k####.46####.com:15215
- TCP(HTTP/1.1) m1.laogeda####.com:80
- TCP(HTTP/1.1) 1####.40.20.155:80
- TCP(HTTP/1.1) acti####.russi####.cn:80
- TCP(TLS/1.0) hotfix####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) api.nic####.cn:443
- TCP(TLS/1.0) i####.pcon####.fas####.com:443
- TCP(TLS/1.0) mg####.pcon####.com.cn:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) js.3con####.com:443
- TCP(TLS/1.0) pc####.i####.com:443
- TCP(TLS/1.0) dup.baidust####.com:443
- TCP(TLS/1.0) img.pcon####.com.####.cn:443
- TCP(TLS/1.0) fp.ton####.net:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) dis####.in####.com:443
- TCP(TLS/1.0) www.pc####.com.####.cn:443
- TCP(TLS/1.0) s####.tc.qq.com:443
- TCP(TLS/1.0) i####.adhu####.com:443
- TCP(TLS/1.0) fp.fraudme####.cn:443
- TCP(TLS/1.0) ec####.b####.com:443
- TCP(TLS/1.0) c####.pc####.com.cn:443
- TCP(TLS/1.0) w####.pcon####.com.cn:443
- TCP(TLS/1.0) pos.b####.com:443
- TCP(TLS/1.0) c####.baidust####.com:443
- TCP(TLS/1.0) p####.pc####.com.cn:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) ivy.pcon####.com.cn:443
- TCP(TLS/1.0) aliyuns####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) aliyuno####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) i.tand####.com:443
- TCP(TLS/1.0) hm.b####.com:443
DNS requests:
- 7k####.46####.com
- a.appj####.com
- acti####.russi####.cn
- adm.t####.com
- aliyuno####.oss-cn-####.aliy####.com
- aliyuns####.oss-cn-####.aliy####.com
- aliyuns####.oss-cn-####.aliy####.com
- api.nic####.cn
- b####.www.ye####.org
- c####.baidust####.com
- c####.mm####.com
- c####.pc####.com.cn
- c.appj####.com
- c.c####.com
- d0.x####.com.cn
- dis####.in####.com
- do.soi####.com
- dup.baidust####.com
- ec####.b####.com
- en####.tui####.com
- fp.fraudme####.cn
- fp.ton####.net
- h####.c####.com
- hm.b####.com
- hotfix####.oss-cn-####.aliy####.com
- i####.adhu####.com
- i####.adhu####.com
- i####.adhu####.com
- i####.adhu####.com
- i####.com
- i####.pcon####.com.cn
- i####.x####.com.cn
- i####.xca####.com
- i.tand####.com
- im####.nic####.cn
- img.pc####.com.cn
- img.pcon####.com.cn
- ip.ch####.com
- ivy.pcon####.com.cn
- ja####.huita####.com
- js.3con####.com
- js.x####.com.cn
- m####.z####.cn
- m.cnt####.com
- m.cuda####.com
- m.v####.com
- m1.laogeda####.com
- mg####.pcon####.com.cn
- ob.nic####.cn
- p####.cdb####.cn
- p####.pc####.com.cn
- p####.x####.com.cn
- p.a####.net
- p2.ai####.com
- pc####.i####.com
- pco####.c####.com
- pos.b####.com
- r####.qq####.cn
- r####.wx.qq.com
- s####.funs####.net
- s####.x####.com.cn
- s11.c####.com
- s19.c####.com
- s22.c####.com
- s23.c####.com
- s95.c####.com
- st####.adhu####.com
- st####.fraudme####.cn
- st####.funs####.com
- v####.fun.tv
- v####.fun.tv
- v1.c####.com
- w####.fun.tv
- w####.iy####.cn
- w####.pc####.com.cn
- w####.pcon####.com.cn
- www.pc####.com.cn
- www.ye####.org
- y2####.uw####.com
- yun.d####.com.cn
- yun.russi####.cn
- yun.tuis####.com
- yun.tuit####.com
- z####.heyc####.net
- z.no####.net
- z1.c####.com
- z13.c####.com
- z5.c####.com
- z6.c####.com
- z8.c####.com
HTTP GET requests:
- acti####.russi####.cn/activity/getAllSkin?timestamp=####&couponSkinId=##...
- acti####.russi####.cn/activity/getReturnPage?slotId=####&id=####&login=#...
- acti####.russi####.cn/activity/index?id=####&slotId=####&login=####&appK...
- acti####.russi####.cn/statistics/activityPagePerf?group_type=####&platfo...
- acti####.russi####.cn/statistics/click?dpm=####&consumer_id=####&domain4...
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/stat.php?id=####
- c.c####.com/stat.php?id=####&web_id=####
- d0.x####.com.cn/pvlog/ad_count.php?t=####
- do.soi####.com/201811/wwj.jar
- dup.baidust####.com/js/os.js
- ec####.b####.com/rs.jpg?type=####&stamp=####
- en####.tui####.com/index/activity?appKey=####&adslotId=####
- fp-st####.b0.a####.com/v2/fm.js?ver=####&t=####
- gm.mm####.com/9.gif?abc=####&rnd=####
- i####.com/irt?_iwt_UA=####&jsonp=####
- i####.com/irt?_iwt_UA=####&ref=####&jsonp=####
- i####.com/irt?_iwt_UA=UA-xcar-000001&ref=/photo.xcar.com.cn/group/view_a...
- i####.pcon####.fas####.com/blank.gif
- idu####.qini####.com/2009/images/t0512_pics_arr.gif
- idu####.qini####.com/cms/group/r_map.gif
- idu####.qini####.com/group/images/s_l.cur
- idu####.qini####.com/group/js/changspeed.js
- idu####.qini####.com/group/js/picload.js
- idu####.qini####.com/group/view_ab.php?aid=####
- idu####.qini####.com/group/view_ab.php?pid=####
- im####.nic####.cn/group1/M00/01/10/rBGXxFttMk-ABVKHAABZSTtQu1Q581.png
- im####.nic####.cn/group1/M00/01/10/rBGXxFttMlyAad4SAABU8WvgQpw089.png
- im####.nic####.cn/group1/M00/01/10/rBGXxFttMmmAUlHaAABWJEQ0KcM028.png
- im####.nic####.cn/group1/M00/01/10/rBGXxFttMoSAd1OtAABW4mKzFSs098.png
- im####.nic####.cn/group1/M00/01/10/rBGXxFttMpSADKUMAAApDQYhFRk013.png
- im####.nic####.cn/group1/M00/01/FA/rBGXxFviwxmAKl5pAACwWXWukuk663.gif
- im####.nic####.cn/h5-mami/activity/hand.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/btn.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/btn_click.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/btn_disabled.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/numBg.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/prize.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/prize2.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/process.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result1.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result2.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result3.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result4.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result5.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result6.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/rule.png
- im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/rule2.png
- im####.nic####.cn/h5-mami/activity/rollDick/png/coin1.png
- im####.nic####.cn/h5-mami/activity/rollDick/png/coin2.png
- im####.nic####.cn/h5-mami/activity/rollDick/png/coin3.png
- im####.nic####.cn/h5-mami/activity/rollDick/png/couponBtns.png
- im####.nic####.cn/h5-mami/couponPrize/3.6/btn.png
- im####.nic####.cn/h5-mami/couponPrize/3.6/line.png
- im####.nic####.cn/h5-mami/couponPrize/3.6/main3.png
- im####.nic####.cn/h5-mami/couponPrize/3.6/stars.png
- im####.nic####.cn/h5-mami/couponPrize/3.6/win.png
- im####.nic####.cn/h5/activity/colorball/images/prize_bg.png
- im####.nic####.cn/mami-media/img/m43a14sehw.png
- im####.nic####.cn/mami-media/img/rh5oe845hy.jpg
- ip.ch####.com/getip.aspx
- m.cnt####.com/chaoliufaxing/07/7789.html
- m.cnt####.com/iDdo4VRE1HKF.php?o=####&i=####&s=####&ad=####
- m.v####.com/JdcPAGsskmgA.php?o=####&i=####&s=####&ad=####
- m.v####.com/taiyangnennenyuan/29/8.html
- m1.laogeda####.com/ads/admaster24.php?o=####
- m1.laogeda####.com/ads/admaster24.php?o=####&umvgxs=####
- m1.laogeda####.com/ads/admaster240.php?o=####
- m1.laogeda####.com/templets/tui/js/jquery-1.8.3.min.js
- ob.nic####.cn/huodong/Production/20181031/node_modules/fastclick/lib/fas...
- ob.nic####.cn/huodong/Production/20181031/node_modules/iscroll/build/isc...
- ob.nic####.cn/huodong/Production/20181031/pkg/Common.js
- ob.nic####.cn/huodong/Production/20181031/pkg/Vendor.js
- ob.nic####.cn/huodong/Production/20181031/projects/page/DiceGame/DiceGam...
- ob.nic####.cn/huodong/Production/20181031/projects/page/DiceGame/css/ski...
- ob.nic####.cn/huodong/Production/20181031/projects/widget/PrizeModal/Dic...
- p####.cdb####.cn/z/2gdbvnfgbdf4x.zip
- p####.cdb####.cn/z/2hadfvsdvdr4x.zip
- p####.cdb####.cn/z/2jafghbdf4x.zip
- p####.cdb####.cn/z/2mbfgsdgfkl4x.zip
- p####.cdb####.cn/z/2wofgghjyj4x.zip
- p.a####.net/eppu
- p.a####.net/l/go/?time=6&url=https://i.tandehao.com/activities/?appKey=#...
- p2.ai####.com/activity/index?key=####
- pco####.ta####.com/app.gif?&cna=####
- pos.b####.com/dclm?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
- qiniu-s####.cdn.d####.com/cms/iwt/iwt-min.js
- qiniu-s####.cdn.d####.com/tools/jq/1.5.1.min.js
- r####.qq####.cn/f/AAAfgskyg026
- r####.qq####.cn/g/fbgfby026
- s####.funs####.net/ecom-ad/ifar_all/?oc=####
- s####.funs####.net/ecom-ad/ifar_duration/?rprotocol=####&fck=####&mick=#...
- s####.funs####.net/ecom-ad/ifar_load/?rprotocol=1&fck=154164593486ad8&mi...
- s####.x####.com.cn/flow/flow.php?t=####
- v####.funs####.com/vasd/pa/index?zzt=####&sid=####&ref=####&mick=####&cv...
- w####.fun.tv/vplay/g-94965.v-11526
- www.pc####.com.####.cn/autox/x2.html
- www.pc####.com.####.cn/bbs/1364/20130829140349169542.jpg.webp
- www.pc####.com.####.cn/bbs/1364/20130829140350480452.jpg.webp
- www.pc####.com.####.cn/bbs/1364/m_20130829140349169542.jpg
- www.pc####.com.####.cn/bbs/1364/m_20130829140349692123.jpg
- www.pc####.com.####.cn/bbs/1364/m_20130829140350480452.jpg
- www.pc####.com.####.cn/bbs/1364/m_20130829140350617498.jpg
- www.pc####.com.####.cn/main/new/js/v8/core-min.js
- www.pc####.com.####.cn/main/new/js/v8/html/statIwt_www_new-min.js?v=####
- yun.d####.com.cn/h5-tuia/couponPrize/lucky.png?nnn=####
- yun.russi####.cn.####.com/h5-mami/activity/tiger/2.0/index_201710271800....
- yun.russi####.cn.####.com/h5-mami/activity/tiger/2.0/index_201807251509....
- yun.russi####.cn.####.com/h5-mami/activity/turnCircle/5.0/actBase_201809...
- yun.russi####.cn.####.com/h5-mami/common/actBase_201811011651.css
- yun.russi####.cn.####.com/h5-mami/common/actBase_201811051552.js
- yun.russi####.cn.####.com/h5-mami/common/common_201802011416.css
- yun.russi####.cn.####.com/h5-mami/common/common_201810281556.js
- yun.russi####.cn.####.com/h5-mami/h5-discern-simulator-1.0.19.min.js?t=#...
- yun.russi####.cn.####.com/h5-mami/pluginBase/common_201810291344.js
- yun.russi####.cn.####.com/mami-media/img/4d081nhhb6.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/4of1w62f9n.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/6rsyldzxdy.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/877jjc5m2k.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/amkmjkhcwb.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/kj4m5u3iyk.jpg
- yun.russi####.cn.####.com/mami-media/img/nvuzwfypyp.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/ocdvxw3v24.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/s3fn8166ux.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/svonn96trh.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/v180hfudtb.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/ys0ofqiy13.png?x-oss-process=####
- yun.russi####.cn.####.com/mami-media/img/yxg7ahqxyl.png?x-oss-process=####
- yun.tuis####.com/h5-mami/activity/components/incentive/gift.png?x-oss-pr...
- yun.tuis####.com/h5-mami/activity/packup.png
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/btn-disabled2.png?x-oss-...
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/btn3.png?x-oss-process=#...
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/coin-big2.png?x-oss-proc...
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/coin-middle2.png?x-oss-p...
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/coin-small2.png?x-oss-pr...
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/coins-decoration.png
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/item-bg-green2.png?x-oss...
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/item-bg-orange3.png?x-os...
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/item-bg-red2.png?x-oss-p...
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/light-active2.png?x-oss-...
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/light2.png?x-oss-process...
- yun.tuis####.com/h5-mami/activity/tiger/2.0/img/mainBgShadow2.png?x-oss-...
- yun.tuis####.com/h5-mami/couponPrize/1.8.1/bg_gf.png
- yun.tuis####.com/h5-mami/couponPrize/1.8.1/button_gf.png
- yun.tuis####.com/h5-mami/couponPrize/1.8.1/index_201806261905.css
- yun.tuis####.com/h5-mami/couponPrize/1.8.1/index_201806261905.js
- yun.tuis####.com/h5-mami/couponPrize/1.8.1/win-tip_gf.png
- yun.tuis####.com/h5-mami/couponPrize/alipay/index_201807161748.css
- yun.tuis####.com/h5-mami/couponPrize/alipay/index_201807161748.js
- yun.tuis####.com/h5-mami/couponPrize/close.png
- yun.tuis####.com/h5-mami/thanksPrize/index_201801031425.css
- yun.tuis####.com/h5-mami/thanksPrize/index_201803121444.js
- yun.tuis####.com/newactivity/assets/encourageIcon.0c6fe406.css
- yun.tuis####.com/newactivity/assets/encourageIcon.2aa6e3e8.js
- yun.tuis####.com/newactivity/assets/encourageLayer.2fd1eb12.css
- yun.tuis####.com/newactivity/assets/encourageLayer.d3e12d72.js
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
- zf####.v.qin####.com/market/ext/udc/c00100084.html?zzt=####
- zf####.v.qin####.com/unet/static/udc.js?zzt=####
HTTP POST requests:
- 7k####.46####.com:15215/tr/
- 7k####.46####.com:15215/ts/
- 7k####.46####.com:20351/ds/
- a.appj####.com/jiagu/check/upgrade
- acti####.russi####.cn/activity/getLimitTimes
- acti####.russi####.cn/activity/getPrizeDetail
- acti####.russi####.cn/pluginTools/responsiveIndex
- acti####.russi####.cn/pluginTools/timingIndex
- acti####.russi####.cn/statistics/activityPagePerf?type=####&skinName=###...
- b####.www.ye####.org/i?requestId=####&g=####
- c.appj####.com/ad/splash/stats.html
- ja####.huita####.com:10091/wisdom/marking
- m####.z####.cn/s
- ob.nic####.cn/niceapi/getactivity
- ob.nic####.cn/niceapi/getactivitybuoy
- ob.nic####.cn/niceapi/getadvertorder
- ob.nic####.cn/niceapi/orderdatainfo
- www.ye####.org/i?requestId=####&g=####
- z####.heyc####.net/getlist
- z####.heyc####.net/xlogin
- z.no####.net/m/a/f
- z.no####.net/m/a/t
Modified file system:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/4e793485339d62b7f39474831e879f9a
- /data/data/####/518b137efcadca43d34c532689bb9f56.log
- /data/data/####/518b137efcadca43d34c532689bb9f56.log.temp
- /data/data/####/5ff9fbceaae1b0f381c9a2589fb0cc4c.log
- /data/data/####/5ff9fbceaae1b0f381c9a2589fb0cc4c.log.temp
- /data/data/####/718808d93795e42acb919bab227e6424.xml
- /data/data/####/JSON.xml
- /data/data/####/TUlaxH6RSU.jar
- /data/data/####/W_Key.xml
- /data/data/####/WebViewSettings.xml
- /data/data/####/a4be9ff4668403efdb304dc0106533f6.log
- /data/data/####/a4be9ff4668403efdb304dc0106533f6.log.temp
- /data/data/####/ad_show_time.xml
- /data/data/####/b3yAHuBO.jar
- /data/data/####/com.showtpc.jkhdjbq_preferences.xml
- /data/data/####/commmauwucik.xml
- /data/data/####/countClickIP.xml
- /data/data/####/d3dneRi.jar
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/downloadswc
- /data/data/####/downloadswc-journal
- /data/data/####/dpi
- /data/data/####/e2d119a1c8895232098cd0bba4d5750c.log
- /data/data/####/e2d119a1c8895232098cd0bba4d5750c.log.temp
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/f_00001f
- /data/data/####/f_000020
- /data/data/####/f_000021
- /data/data/####/f_000022
- /data/data/####/f_000023
- /data/data/####/f_000024
- /data/data/####/f_000025
- /data/data/####/f_000026
- /data/data/####/f_000027
- /data/data/####/f_000028
- /data/data/####/f_000029
- /data/data/####/f_00002a
- /data/data/####/f_00002b
- /data/data/####/f_00002c
- /data/data/####/f_00002d
- /data/data/####/f_00002e
- /data/data/####/f_00002f
- /data/data/####/f_000030
- /data/data/####/ff533ee364e852cd5369a6766a6f448b.log
- /data/data/####/ff533ee364e852cd5369a6766a6f448b.log.temp
- /data/data/####/gameid
- /data/data/####/gameid.zip
- /data/data/####/hid.db
- /data/data/####/index
- /data/data/####/jRiuyo8GYa.jar
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/kuofmgnc.jar
- /data/data/####/libjiagu.so
- /data/data/####/libmbgv.so
- /data/data/####/libmbgv.so-32
- /data/data/####/libmbgv.so-64
- /data/data/####/plsghuaw.xml
- /data/data/####/st.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/yd_config_c.xml
- /data/data/####/z.xml
- /data/media/####/.nid
- /data/media/####/.uucrrux
- /data/media/####/0668F4008AFBD99853A8C2B6CF76D3FD.temp
- /data/media/####/0668F4008AFBD99853A8C2B6CF76D3FD.zip
- /data/media/####/5.0wwj.jar
- /data/media/####/restime.dat
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh
- cat /proc/version
- cat /sys/class/android_usb/android0/idProduct
- cat /sys/class/android_usb/android0/idVendor
- cat /sys/class/net/wlan0/address
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop
- getprop ro.board.platform
- getprop ro.product.cpu.abi
- ls -l /dev
- ls -l /dev/block
- ls -l /dev/block/vold
- ls -l /dev/bus
- ls -l /dev/bus/usb
- ls -l /dev/bus/usb/001
- ls -l /dev/com.android.settings.daemon
- ls -l /dev/cpuctl
- ls -l /dev/cpuctl/apps
- ls -l /dev/cpuctl/apps/bg_non_interactive
- ls -l /dev/graphics
- ls -l /dev/input
- ls -l /dev/log
- ls -l /dev/pts
- ls -l /dev/snd
- ls -l /dev/socket
- ps
Loads the following dynamic libraries:
- libjiagu
- libmbgv
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- DES
- RSA
- RSA-ECB-NoPadding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- DES
Uses special library to hide executable bytecode.
Gains access to network information.
Gains access to telephone information (number, IMEI, etc.).
Gains access to information about installed applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.