Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Panda.2.origin
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) how####.net:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(TLS/1.0) stat####.face####.com:443
- TCP(TLS/1.0) con####.face####.net:443
- TCP(TLS/1.0) dc.traffic####.net:443
- TCP(TLS/1.0) syndica####.twi####.com:443
- TCP(TLS/1.0) st####.xx.f####.net:443
- TCP(TLS/1.0) www.face####.com:443
- TCP(TLS/1.0) how####.net:443
- TCP(TLS/1.0) az41####.vo.ms####.net:443
- TCP(TLS/1.0) cs1-l####.8####.e####.net:443
DNS requests:
- a.appj####.com
- az41####.vo.ms####.net
- con####.face####.net
- dc.serv####.visuals####.com
- how####.net
- plat####.twi####.com
- st####.xx.f####.net
- stat####.face####.com
- syndica####.twi####.com
- www.face####.com
HTTP GET requests:
- how####.net/
HTTP POST requests:
- a.appj####.com/ad-service/ad/mark
Modified file system:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/libjiagu.so
- /data/data/####/plugin.apk
- /data/media/####/.nomedia
Miscellaneous:
Executes next shell scripts:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Loads the following dynamic libraries:
- libjiagu
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Gains access to telephone information (number, imei, etc.).
Displays its own windows over windows of other applications.
