Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Kyview.2.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) o####.b####.cn:80
- TCP(TLS/1.0) co####.ad####.cn:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
DNS requests:
- co####.ad####.cn
- log.u####.com
- o####.b####.cn
- o####.b####.cn
- s####.u####.com
HTTP POST requests:
- o####.b####.cn/8/create
- o####.b####.cn/8/find
- o####.b####.cn/8/init
- o####.b####.cn/8/secret
File system changes:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/1594479977744.log
- /data/data/####/SDK20161602041135h7vuucsw8e2u8pb_banner.xml
- /data/data/####/bmob_sp.xml
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/lesson.db
- /data/data/####/lesson.db-journal
- /data/data/####/libjiagu.so
- /data/data/####/score.db
- /data/data/####/score.db-journal
- /data/data/####/setting.db
- /data/data/####/setting.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_socialize.xml
Miscellaneous:
Executes the following shell scripts:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Loads the following dynamic libraries:
- libjiagu
Uses the following algorithms to encrypt data:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- DES
Uses the following algorithms to decrypt data:
- AES-CBC-NoPadding
- AES-CBC-PKCS5Padding
- DES
Uses special library to hide executable bytecode.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.