Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.m.ta####.com:80
- TCP(TLS/1.0) 2####.58.212.174:443
- TCP(TLS/1.0) api.q####.com:443
- TCP(TLS/1.0) d####.fl####.com:443
DNS requests:
- a####.m.ta####.com
- api.q####.com
- d####.fl####.com
HTTP POST requests:
- a####.m.ta####.com/rest/gc?dd=####&nsgs=####&ak=####&av=####&c=####&v=##...
- a####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=####&...
File system changes:
Creates the following files:
- /data/data/####/.YFlurrySenderIndex.info.AnalyticsData_ZHYXY6HD...M2_225
- /data/data/####/.YFlurrySenderIndex.info.AnalyticsMain
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/.yflurrydatasenderblock.679e9842-6b4b-4d11-bb26...96d3bc
- /data/data/####/.yflurryreport.-1936632302e544a
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/FLURRY_SHARED_PREFERENCES.xml
- /data/data/####/UTCommon.xml
- /data/data/####/UTMCConf-1350376735.xml
- /data/data/####/UTMCLog-1350376735.xml
- /data/data/####/app_logo.jpg
- /data/data/####/block_upload.db-journal
- /data/data/####/btime.db-journal
- /data/data/####/btimeIM.db-journal
- /data/data/####/btimeIM.setting.xml
- /data/data/####/libjiagu.so
- /data/data/####/multidex.version.xml
- /data/data/####/setting.xml
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
Miscellaneous:
Executes the following shell scripts:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Loads the following dynamic libraries:
- btime
- libjiagu
- videosplitter
- weibosdkcore
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
