Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Xiny.20
Downloads the following detected threats from the Internet:
- Android.Xiny.20
Deactivates a device administrator.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) do.soi####.com:80
- TCP(HTTP/1.1) r.eli####.cn:80
- TCP(HTTP/1.1) 1####.163.249.17:80
- TCP(HTTP/1.1) yes.yuchan####.com.cn:80
- TCP(TLS/1.0) 1####.217.17.78:443
DNS requests:
- a####.u####.com
- do.soi####.com
- mt####.go####.com
- r.eli####.cn
- yes.yuchan####.com.cn
HTTP GET requests:
- do.soi####.com/2011/gou.jar
HTTP POST requests:
- r.eli####.cn/k1?requestId=####&g=####&ua=####
- yes.yuchan####.com.cn/k2?protocol=####&version=####&cid=####
File system changes:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/W_Key.xml
- /data/data/####/a.xml
- /data/data/####/android_rate_pref_file.xml
- /data/data/####/com.ziyou.diansaguweipqotpaiet_preferences.xml
- /data/data/####/com.ziyou.diansaguweipqotpaiet_preferences.xml.bak
- /data/data/####/downloadswc
- /data/data/####/downloadswc-journal
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/libjiagu.so
- /data/data/####/lock_pref.xml
- /data/data/####/st.xml
- /data/data/####/umeng_feedback_conversations.xml
- /data/data/####/umeng_feedback_user_info.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/media/####/4.8_gou.jar.tmp
- /data/media/####/restime.dat
Miscellaneous:
Executes the following shell scripts:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Loads the following dynamic libraries:
- libjiagu
- qpsr
Uses special library to hide executable bytecode.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about active device administrators.
Displays its own windows over windows of other apps.
