Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.3394
- Android.DownLoader.635.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) f####.ai####.jp:80
- TCP(HTTP/1.1) c.appj####.com:80
- TCP(HTTP/1.1) and####.pu####.as####.net:80
- TCP(HTTP/1.1) img.polymor####.jp:80
- TCP(HTTP/1.1) i####.as####.net:80
- TCP(HTTP/1.1) www.s####.net:80
- TCP(TLS/1.0) 18####.measure####.com:443
- TCP(TLS/1.0) 1####.217.168.206:443
DNS requests:
- 18####.measure####.com
- and####.pu####.as####.net
- c.appj####.com
- f####.ai####.jp
- i####.as####.net
- img.polymor####.jp
- www.s####.net
HTTP GET requests:
- and####.pu####.as####.net/ast01433cj8d49av2fux/mbget.cgi?size=####&ucd=#...
- and####.pu####.as####.net/ast01433ruhwh3p528m8/click.cgi?idx=####&ucd=####
- and####.pu####.as####.net/ast01433ruhwh3p528m8/jump.cgi?url=https://1859...
- and####.pu####.as####.net/ast01433ruhwh3p528m8/mbget.cgi?size=####&ucd=#...
- and####.pu####.as####.net/getsess/g
- f####.ai####.jp/anime.butler/mbget.cgi?ucd=####&idx=####
- f####.ai####.jp/getsess/g
- i####.as####.net/uploads/00000000000000000001/44335cf88de5d4a576d3c88a14...
- i####.as####.net/uploads/00000000000000000001/58bde9eb0ab2240e3a594b75d2...
- i####.as####.net/uploads/00000000000000000001/6e46f4fa22d859636473376242...
- i####.as####.net/uploads/00000000000000000001/75897b83e83b8f3cb56939d398...
- i####.as####.net/uploads/00000000000000000001/a65a55a1a68662b18a9585e206...
- i####.as####.net/uploads/00000000000000000001/df4dbf81f9049f4427778dd3d3...
- img.polymor####.jp/creative/80f7f93fdb439a22/12f8514a3b754cc4/0e2469e066...
- img.polymor####.jp/creative/80f7f93fdb439a22/7413aa9ed4e5d0d4/05e6f2d03d...
HTTP POST requests:
- c.appj####.com/ad/splash/stats.html
- www.s####.net/Mini/niouy.action?key=####
File system changes:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/ad_show_time.xml
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/jp.maru.mrd.records.xml
- /data/data/####/libjiagu.so
- /data/data/####/me.tg.bler.apk
Miscellaneous:
Executes the following shell scripts:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Loads the following dynamic libraries:
- libjiagu
Uses the following algorithms to encrypt data:
- RSA
Uses the following algorithms to decrypt data:
- AES-ECB-PKCS5Padding
Uses special library to hide executable bytecode.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
