Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.3394
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) www.go####.com:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) en.wikip####.org:80
- TCP(HTTP/1.1) www.cdn.am####.com:80
- TCP(SSL/3.0) userm####.k####.net:443
- TCP(TLS/1.0) u####.o####.net:443
- TCP(TLS/1.0) t####.rubicon####.com:443
- TCP(TLS/1.0) i####.de####.net:443
- TCP(TLS/1.0) up####.wikim####.org:443
- TCP(TLS/1.0) d####.a####.com:443
- TCP(TLS/1.0) t####.blu####.com.####.net:443
- TCP(TLS/1.0) s####.1rx.io:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) odr.moo####.com:443
- TCP(TLS/1.0) log-####.a####.tv:443
- TCP(TLS/1.0) ads.twi####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) bh.contex####.com:443
- TCP(TLS/1.0) unag####.am####.com:443
- TCP(TLS/1.0) x.bidsw####.net:443
- TCP(TLS/1.0) s####.ipredic####.com:443
- TCP(TLS/1.0) s.amazon-####.com:443
- TCP(TLS/1.0) trc.tab####.com:443
- TCP(TLS/1.0) aa.a####.com:443
- TCP(TLS/1.0) www.face####.com:443
- TCP(TLS/1.0) ssum####.casalem####.com.####.net:443
- TCP(TLS/1.0) cm.g.doublec####.net:443
- TCP(TLS/1.0) m.media-a####.com:443
- TCP(TLS/1.0) im####.pubm####.com.####.net:443
- TCP(TLS/1.0) userm####.k####.net:443
- TCP(TLS/1.0) gat####.p####.us-ea####.####.com:443
- TCP(TLS/1.0) ads.y####.com:443
- TCP(TLS/1.0) aax-us-####.amazon-####.com:443
- TCP(TLS/1.0) en.wikip####.org:443
- TCP(TLS/1.0) p####.adverti####.com:443
- TCP(TLS/1.0) www.go####.nl:443
- TCP(TLS/1.0) s####.search####.spotxch####.####.net:443
- TCP(TLS/1.0) g.geo####.com:443
- TCP(TLS/1.0) www.cdn.am####.com:443
DNS requests:
- a.appj####.com
- aa.a####.com
- aax-us-####.amazon-####.com
- ads.y####.com
- analy####.twi####.com
- bh.contex####.com
- cm.g.doublec####.net
- d.a####.com
- dpm.de####.net
- en.m.wikip####.org
- en.wikip####.org
- fl####.am####.com
- googl####.g.doublec####.net
- ib.a####.com
- im####.pubm####.com
- image####.ssl-ima####.com
- l####.wikim####.org
- m####.m.wikim####.org
- m####.wikim####.org
- m.media-a####.com
- odr.moo####.com
- p####.adverti####.com
- s####.1rx.io
- s####.ad####.adverti####.com
- s####.blu####.com
- s####.ipredic####.com
- s####.se####.spotxch####.com
- s.amazon-####.com
- ssum####.casalem####.com
- t####.blu####.com
- t####.rubicon####.com
- trc.tab####.com
- u####.o####.net
- unag####.am####.com
- up####.wikim####.org
- userm####.k####.net
- www.am####.com
- www.face####.com
- www.go####.com
- www.go####.nl
- x.bidsw####.net
HTTP GET requests:
- en.wikip####.org/wiki/Sigma
- www.cdn.am####.com/
- www.go####.com/complete/search?hl=####&client=####&q=####
HTTP POST requests:
- a.appj####.com/ad-service/ad/mark
Modified file system:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/com.happy.maau.apk
- /data/data/####/com.happy.maau.xml
- /data/data/####/equations.sqlite
- /data/data/####/equations.sqlite-journal
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/libjiagu.so
- /data/data/####/webview.db-journal
Miscellaneous:
Executes next shell scripts:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Loads the following dynamic libraries:
- libjiagu
Uses the following algorithms to decrypt data:
- AES-ECB-PKCS5Padding
- DES
Uses special library to hide executable bytecode.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Displays its own windows over windows of other applications.
