Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.255.origin
- Android.DownLoader.343.origin
- Android.DownLoader.725
Downloads the following detected threats from the Web:
- Android.DownLoader.255.origin
- Android.DownLoader.343.origin
- Android.DownLoader.725
Network activity:
Connecting to:
- b####.com
- j####.####.cn
HTTP GET requests:
- b####.com/
HTTP POST requests:
- j####.####.cn/ts/list_icons
Modified file system:
Creates the following files:
- <Package Folder>/cache/####/-16100876281558011522
- <Package Folder>/cache/####/646368540-1866955315
- <Package Folder>/databases/COMFATESKYJAPPKABATARIAPROP-journal
- <Package Folder>/databases/downmodel.db-journal
- <Package Folder>/databases/dxt_yx_sdk-journal
- <Package Folder>/databases/gmodel.db-journal
- <Package Folder>/databases/hsarpseh.hf-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/libjiagu.so
- <Package Folder>/files/yxsdk.jar
- <Package Folder>/shared_prefs/INITSP.xml
- <Package Folder>/shared_prefs/SHARED_PREFS_BATTERY_INFO.xml
- <Package Folder>/shared_prefs/SHARED_PREFS_GENERAL.xml
- <Package Folder>/shared_prefs/SHARED_PREFS_HARDWARE_STATE.xml
- <Package Folder>/shared_prefs/SHARED_PREFS_PROFILE.xml
- <Package Folder>/shared_prefs/comfateskyjappkabatariapro.xml
- <Package Folder>/shared_prefs/comfateskyjappkabatariapro.xml.bak
- <Package Folder>/shared_prefs/hengshu.xml
- <Package Folder>/shared_prefs/keySP.xml
- <Package Folder>/shared_prefs/zping.xml
- <Package Folder>/zbaidu.t
- <SD-Card>/Android/####/closeMatter
- <SD-Card>/Android/####/lmark
- <SD-Card>/Android/####/loadimg
- <SD-Card>/Android/####/notiicon
- <SD-Card>/Android/####/rmark
- <SD-Card>/Android/####/tb_jiance
- <SD-Card>/Android/####/tb_zy
- <SD-Card>/Android/####/transparent
- <SD-Card>/Android/####/zbaidu
- <SD-Card>/Android/####/zpkit
- <SD-Card>/Android/####/zpkit.jar
- <SD-Card>/qnqilskdauzhtzzqvcranlvnchmvs.jar
- <SD-Card>/system.ini
Miscellaneous:
Executes next shell scripts:
- /data/data/com.fatesky.jappka.batariapro/zbaidu -p com.fatesky.jappka.batariapro -r am start --user 0 -n com.fatesky.jappka.batariapro/x.bkq.scc.eno -a zbaidu -h http://127.0.0.1:7123/report/allData -i 2097
- <dexopt>
- chmod 777 /data/data/com.fatesky.jappka.batariapro/zbaidu
- chmod 777 <Package Folder>/zbaidu
- sh <Package Folder>/zbaidu -p <Package> -r am start --user 0 -n <Package>/x.bkq.scc.eno -a zbaidu -h http://127.0.0.1:7123/report/allData -i 2097
Uses special library to hide executable bytecode.
