Technical information
Malicious functions:
Downloads the following detected threats from the Web:
- Android.DownLoader.173
Network activity:
Connecting to:
- cha####.####.com
- ti####.####.com
- mo####.####.com
- h####.####.com
- lfand####.####.com
- statson####.####.com
- a####.####.com
HTTP GET requests:
- mo####.####.com/ads/js/c.js
- mo####.####.com/ads/css/min/main.css
- mo####.####.com/ads/ads.appcache
- mo####.####.com/cpro/ui/mads.php?code2=####&b1493731255386=####
- mo####.####.com/ads/pa/__pasys.apk
- lfand####.####.com/apps/Recipes.apk
- mo####.####.com/ads/pa/__pasys_remote_banner.jar
- mo####.####.com/ads/js/ads.trunk.js
- mo####.####.com/ads/pa/__pasys_remote_banner.php?v=####&tp=####&os=####&...
- lfand####.####.com/apps/taobao/tejia.apk
- mo####.####.com/ads/index.htm
- lfand####.####.com/apps/zhenv2.apk.apk
HTTP POST requests:
- statson####.####.com/pushlog
- h####.####.com/app.gif
- a####.####.com/appjiagu
- cha####.####.com/rest/2.0/channel/4541871108197832677
- ti####.####.com/kirinsdk/updatequery
- cha####.####.com/rest/2.0/channel/channel
Modified file system:
Creates the following files:
- /data/data/####/files/libjiagu.so
- /sdcard/baidu/pushservice/files/apps
- /sdcard/update/zhenv2.apk
- /sdcard/baidu/pushservice/database/pushlappv2.db
- /data/data/####/files/kirin_static_data_####
- /data/data/####/shared_prefs/####.xml
- /data/data/####/cache/webviewCacheChromium/data_2
- /data/data/####/cache/webviewCacheChromium/data_3
- /data/data/####/shared_prefs/pst.xml
- /data/data/####/cache/webviewCacheChromium/data_1
- /data/data/####/cache/webviewCacheChromium/data_0
- /data/data/####/shared_prefs/dbVersion.xml
- /data/data/####/app_push_lib/plugin-deploy.key
- /data/data/####/databases/webviewCookiesChromium.db-journal
- /data/data/####/databases/app_data.db-journal
- /data/data/####/cache/webviewCacheChromium/f_000002
- /data/data/####/shared_prefs/####.kirin_strategy_control_pref.xml
- /data/data/####/shared_prefs/####.kirin_strategy_control_pref.xml.bak
- /data/data/####/app_database/ApplicationCache.db-journal
- /sdcard/baidu/pushservice/database/pushlappv2.db-journal
- /data/data/####/files/__pasys_remote_banner.jar
- /data/data/####/files/__pasys_remote_banner.tmp.jar
- /data/data/####/databases/app_data.db
- /sdcard/baidu/hybrid/lightappdb/lightapp_V4.db-journal
- /sdcard/baidu/hybrid/lightappdb/lightapp_V4.db
- /data/data/####/app_push_lib/plugin-deploy.jar
- /data/data/####/databases/webview.db-journal
- /data/data/####/shared_prefs/####.push_sync.xml
- /sdcard/baidu/pushservice/database/pushstat_4.1.db
- /data/data/####/cache/webviewCacheChromium/f_000001
- /data/data/####/cache/webviewCacheChromium/f_000003
- /sdcard/baidu/.cuid
- /data/data/####/files/__local_stat_cache.json
- /sdcard/update/Recipes.apk
- /data/data/####/jiagu.lock
- /data/data/####/app_database/localstorage/http_mobads.baidu.com_0.localstorage-journal
- /sdcard/baidu/pushservice/database/pushstat_4.1.db-journal
- /data/data/####/shared_prefs/__Baidu_Stat_SDK_SendRem.xml
- /data/data/####/files/__pasys.apk
- /data/data/####/cache/webviewCacheChromium/index
- /sdcard/update/tejia.apk
Miscellaneous:
Executes next shell scripts:
- /system/bin/dexopt --dex 27 47 40 440152 /data/data/####/files/__pasys_remote_banner.jar 1184390829 -721271709 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/f
- /system/bin/dexopt --dex 27 43 40 831656 /data/data/####/app_push_lib/plugin-deploy.jar 1157865803 -1302394417 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/f
- /system/bin/dexopt --dex 27 102 40 27468 /data/data/####/files/__pasys.apk 1232695150 1266831751 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/frame
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.
