Adware.Plague.329

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Plague.1.origin

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) api.p2nser####.com:80
TCP(HTTP/1.1) net.ray####.com:80
TCP(HTTP/1.1) api.appclou####.net:80
TCP(HTTP/1.1) cdn.iphon####.com:80
TCP(HTTP/1.1) set####.ray####.com:80
TCP(TLS/1.0) ads.ne####.ak####.net:443
TCP(TLS/1.0) api.face####.com:443
TCP(TLS/1.0) 1####.217.17.78:443
TCP(TLS/1.0) d####.fl####.com:443
TCP(TLS/1.0) sett####.crashly####.com:443
TCP(TLS/1.0) googl####.g.doublec####.net:443
TCP(TLS/1.0) loca####.appclou####.net:443
TCP(TLS/1.0) e.crashly####.com:443

DNS requests:

ads.mp.m####.mobi
ads.ne####.com
api.appclou####.net
api.p2nser####.com
cdn.iphon####.com
d####.fl####.com
e.crashly####.com
fbwallc####.api-all####.com
g####.face####.com
googl####.g.doublec####.net
gwallc####.api-all####.com
loca####.appclou####.net
ma.few####.com
ma1.few####.com
ma2.few####.com
mt####.go####.com
net.ray####.com
set####.ray####.com
sett####.crashly####.com

HTTP GET requests:

api.appclou####.net/rao?d=RqMfT####&s=gnriw####&p=sbq8R####&i=7l1pE####&...
api.p2nser####.com/service/tracklist.php?adnum=####&os=####&ngp=####&aid...
cdn.iphon####.com/androidflashlight/alerts/flashlight_button-1.2.5-alert...
cdn.iphon####.com/androidflashlight/configs/config-flashlight_button-1.2...
cdn.iphon####.com/remoteui/adstyle1.zip
cdn.iphon####.com/remoteui/adstyle2.zip
cdn.iphon####.com/remoteui/adstyle3.zip
cdn.iphon####.com/remoteui/adstyle5.zip
net.ray####.com/openapi/ad/v3?app_id=####&unit_id=####&category=####&req...
set####.ray####.com/setting?app_id=####&sign=####&platform=####&os_versi...

Modified file system:

Creates the following files:

<Package Folder>/.jiagu/libjiagu.so
<Package Folder>/app_luusclasses.jar
<Package Folder>/cache/####/._background@large.png
<Package Folder>/cache/####/._background@normal.png
<Package Folder>/cache/####/._background@xlarge.png
<Package Folder>/cache/####/._button.png
<Package Folder>/cache/####/._root.xml
<Package Folder>/cache/####/1033e1ced86ec666d5b077fcb4cb1a3c.tmp.zip
<Package Folder>/cache/####/3bb1d053454a8439666937f4ad03c4fd.tmp.zip
<Package Folder>/cache/####/457cf2ba93442b5314e81a9de161b777.tmp.zip
<Package Folder>/cache/####/6eef48b3662876c6e6948efe706db5f9.tmp.zip
<Package Folder>/cache/####/background@large.png
<Package Folder>/cache/####/background@normal.png
<Package Folder>/cache/####/background@xlarge.png
<Package Folder>/cache/####/button.png
<Package Folder>/cache/####/data_0
<Package Folder>/cache/####/data_1
<Package Folder>/cache/####/data_2
<Package Folder>/cache/####/data_3
<Package Folder>/cache/####/index
<Package Folder>/cache/####/root.xml
<Package Folder>/cache/ApplicationCache.db-journal
<Package Folder>/cache/ads-1182798725.jar
<Package Folder>/databases/dbmpz-journal
<Package Folder>/databases/mobvista.msdk.db-journal
<Package Folder>/databases/webview.db-journal
<Package Folder>/databases/webviewCookiesChromium.db-journal
<Package Folder>/files/####/.jg.ic
<Package Folder>/files/####/1510833289497.tmp.zip
<Package Folder>/files/####/5A0D7C8601F6-0001-0820-1AFF18B08C01...s_temp
<Package Folder>/files/####/com.crashlytics.settings.json
<Package Folder>/files/####/initialization_marker
<Package Folder>/files/####/sa_19cfad05-1f8f-49b5-ad51-4557d8dc...31.tap
<Package Folder>/files/####/sa_40214de9-c1d0-4942-9f59-7b54fe32...37.tap
<Package Folder>/files/####/session_analytics.tap
<Package Folder>/files/####/session_analytics.tap.tmp
<Package Folder>/files/.YFlurrySenderIndex.info.AnalyticsData_Z...8N_216
<Package Folder>/files/.YFlurrySenderIndex.info.AnalyticsMain
<Package Folder>/files/.yflurrydatasenderblock.c52e94ff-c43c-47...f3d6ff
<Package Folder>/files/.yflurryreport.173d4517ab39b932
<Package Folder>/files/AppEventsLogger.persistedsessioninfo
<Package Folder>/files/alerts.conf
<Package Folder>/files/temp.config-flashlight_button-1.2.5-3.0.conf
<Package Folder>/shared_prefs/<Package>.xml
<Package Folder>/shared_prefs/<Package>_preferences.xml
<Package Folder>/shared_prefs/ChargingPrefs.xml
<Package Folder>/shared_prefs/ChargingPrefs.xml.bak
<Package Folder>/shared_prefs/FLURRY_SHARED_PREFERENCES.xml
<Package Folder>/shared_prefs/TwitterAdvertisingInfoPreferences.xml
<Package Folder>/shared_prefs/com.crashlytics.prefs.xml
<Package Folder>/shared_prefs/com.crashlytics.sdk.android;answe...gs.xml
<Package Folder>/shared_prefs/com.facebook.sdk.appEventPreferences.xml
<Package Folder>/shared_prefs/com.facebook.sdk.attributionTracking.xml
<Package Folder>/shared_prefs/com.google.android.gms.measurement.prefs.xml
<Package Folder>/shared_prefs/com.ihandysoft.ad.theme.NativeAdT...er.xml
<Package Folder>/shared_prefs/io.fabric.sdk.android;fabric;b.a.a.a.m.xml
<Package Folder>/shared_prefs/jg_so_upgrade_setting.xml
<Package Folder>/shared_prefs/mobvista.xml
<Package Folder>/shared_prefs/multidex.version.xml
<Package Folder>/shared_prefs/paxr_sh.xml
<Package Folder>/shared_prefs/quickswitch_have_showed.xml
<Package Folder>/shared_prefs/surpax_lcd_tips.xml
<Package Folder>/shared_prefs/surpax_quickswitch_from_others.xml
<Package Folder>/shared_prefs/widget_restart_time.xml

Miscellaneous:

Executes next shell scripts:

chmod 755 <Package Folder>/.jiagu/libjiagu.so

Loads the following dynamic libraries:

dgy
libjiagu

Uses the following algorithms to encrypt data:

AES-ECB-PKCS7Padding
DES-ECB-PKCS5Padding

Uses the following algorithms to decrypt data:

AES
AES-CBC-PKCS5Padding
AES-ECB-PKCS7Padding

Uses special library to hide executable bytecode.

Gains access to camera interface.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Gains access to information about running applications.

Displays its own windows over windows of other applications.

Technologies

Begriffe

Schulung und Training

Mythen

Technical information

Curing recommendations

Free trial