Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Xiny.84.origin
Downloads the following detected threats from the Web:
- Android.Xiny.84.origin
Network activity:
Connecting to:
- a####.####.com
- c####.####.com
- d####.####.com
- m####.####.com
- n####.####.com
- up####.####.cn
HTTP GET requests:
- m####.####.com/v2/cconf?appkey=####&plat=####&apppkg=####&appver=####&ne...
- n####.####.com/appimg/guide_1.jpg
HTTP POST requests:
- a####.####.com/snsconf
- c####.####.com/v2/cdata
- d####.####.com/dsign
- up####.####.cn/v1/push/sdk/postlist
Modified file system:
Creates the following files:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/cache/####/0d4f8e17b9b31f19874fee6a57269026.0.tmp
- <Package Folder>/cache/####/0d4f8e17b9b31f19874fee6a57269026.1.tmp
- <Package Folder>/cache/####/8b71b777a451dd4a4de9446fe77e02e0.0.tmp
- <Package Folder>/cache/####/8b71b777a451dd4a4de9446fe77e02e0.1.tmp
- <Package Folder>/cache/####/9dcd4678ec0922b84896fa9dd404f8be.0.tmp
- <Package Folder>/cache/####/9dcd4678ec0922b84896fa9dd404f8be.1.tmp
- <Package Folder>/cache/####/e556dc41f0a4d8b01bc8d77479e12834.0
- <Package Folder>/cache/####/e556dc41f0a4d8b01bc8d77479e12834.1
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/ThrowalbeLog.db-journal
- <Package Folder>/databases/jpush_local_notification.db
- <Package Folder>/databases/jpush_local_notification.db-journal
- <Package Folder>/databases/jpush_local_notification.db-journal (deleted)
- <Package Folder>/databases/jpush_local_notification.db-wal
- <Package Folder>/databases/jpush_statistics.db
- <Package Folder>/databases/jpush_statistics.db-journal
- <Package Folder>/databases/jpush_statistics.db-journal (deleted)
- <Package Folder>/databases/jpush_statistics.db-shm (deleted)
- <Package Folder>/databases/jpush_statistics.db-wal
- <Package Folder>/databases/jpush_statistics.db-wal (deleted)
- <Package Folder>/databases/sharesdk.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/xUtils_http_cookie.db
- <Package Folder>/databases/xUtils_http_cookie.db-journal
- <Package Folder>/databases/xUtils_http_cookie.db-journal (deleted)
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/.mrlock
- <Package Folder>/files/.lock
- <Package Folder>/files/.mrecord
- <Package Folder>/files/.mrecord (deleted)
- <Package Folder>/files/.statistics
- <Package Folder>/files/appPackageNames
- <Package Folder>/files/jpush_stat_cache.json
- <Package Folder>/files/jpush_stat_cache_history.json
- <Package Folder>/shared_prefs/JPushSA_Config.xml
- <Package Folder>/shared_prefs/JPushSA_Config.xml.bak
- <Package Folder>/shared_prefs/cn.jpush.android.user.profile.xml
- <Package Folder>/shared_prefs/cn.jpush.android.user.profile.xml.bak
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.rid.xml
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.xml
- <Package Folder>/shared_prefs/cn.jpush.preferences.v2.xml.bak
- <Package Folder>/shared_prefs/firstRun.xml
- <Package Folder>/shared_prefs/jpush_device_info.xml
- <Package Folder>/shared_prefs/mob_commons_1.xml
- <Package Folder>/shared_prefs/mob_commons_1.xml.bak
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml
- <Package Folder>/shared_prefs/share_sdk_1.xml.bak
- <SD-Card>/Mob/####/.al
- <SD-Card>/Mob/####/.dh-journal
- <SD-Card>/Mob/####/.dhlock
- <SD-Card>/Mob/####/.dic_lock
- <SD-Card>/Mob/####/.duid
- <SD-Card>/Mob/####/.globalLock
- <SD-Card>/Mob/####/.nulal
- <SD-Card>/Mob/####/.nulplt
- <SD-Card>/Mob/####/.pkg_lock
- <SD-Card>/Mob/####/.plst
- <SD-Card>/Mob/####/.rcTag
- <SD-Card>/Mob/####/.rc_lock
- <SD-Card>/data/.push_deviceid
Miscellaneous:
Executes next shell scripts:
- app_process /system/bin com.android.commands.pm.Pm list packages
- chmod 755 /data/data/com.zwwl.sjwz/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- grep -E -v root|shell|system
- pm list packages
- sh
- top -d 0 -n 1
Uses special library to hide executable bytecode.
