Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Panda.5.origin
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) rd####.f####.com:8080
- TCP(HTTP/1.1) www.md####.cn:80
- TCP(HTTP/1.1) gdv.a.s####.com:80
- TCP(HTTP/1.1) cdn.zs####.cn.####.com:8080
DNS requests:
- cdn.zs####.cn
- chan####.s####.com
- rd####.f####.com
- www.md####.cn
HTTP GET requests:
- cdn.zs####.cn.####.com:8080/resource/gis/45
- gdv.a.s####.com/api/2/topic/load?page_size=####&s####&hot_size=####&topi...
- gdv.a.s####.com/stat/uvstat?platform=####&uuid=####&client_id=####
- rd####.f####.com:8080/GaoXiao/upload/00368bf68e469a589ccd49d44fa52470.gif
- rd####.f####.com:8080/GaoXiao/upload/091c50bbe231cb32257705cd7af1e134.jpg
- rd####.f####.com:8080/GaoXiao/upload/10145811e22f4a7a8e1277ec38d1ca8c.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449672295535.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732526635.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732563176.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732599855.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732636532.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732680540.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732732452.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732746722.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732764232.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732841871.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732920266.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732943655.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732961531.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449732984766.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449733021436.jpg
- rd####.f####.com:8080/GaoXiao/upload/1449733043628.jpg
- rd####.f####.com:8080/GaoXiao/upload/19589e42020caaecca60061070c8a2dd.jpg
- rd####.f####.com:8080/GaoXiao/upload/30e57eeb507bdfd5d42cc3235f83b263.jpg
- rd####.f####.com:8080/GaoXiao/upload/48409abea2e46810cef1b2d3411b9a2f.gif
- rd####.f####.com:8080/GaoXiao/upload/4f65434cdeb83caeb3dcc14dad8d000f.jpg
- rd####.f####.com:8080/GaoXiao/upload/6a86072cf83797f4596eae8b62c92668.jpg
- rd####.f####.com:8080/GaoXiao/upload/6da7cde76f2028588df3f149dd424a55.jpg
- rd####.f####.com:8080/GaoXiao/upload/82a20e797d08018cad838b679eebff71.jpg
- rd####.f####.com:8080/GaoXiao/upload/843ed881c34c6152d3c89ecd88eb20cc.jpg
- rd####.f####.com:8080/GaoXiao/upload/86ca58d955b7e397fb7fba6958d90dd0.gif
- rd####.f####.com:8080/GaoXiao/upload/8ef01db43b09e619b8d5e84b2593e323.jpg
- rd####.f####.com:8080/GaoXiao/upload/92dffba8ea85207d84e62633807bebee.jpg
- rd####.f####.com:8080/GaoXiao/upload/99d9ee57e2661ee6e21b8913a92bf0e1.jpg
- rd####.f####.com:8080/GaoXiao/upload/9dac6dc1eb9eb83100ca7f0e71691dce.jpg
- rd####.f####.com:8080/GaoXiao/upload/aa34028ec258f8416d5c459f5e9709d9.gif
- rd####.f####.com:8080/GaoXiao/upload/af50e6cf7a7ecef9b4943fc61ceeff45.gif
- rd####.f####.com:8080/GaoXiao/upload/dfaa39e192d4e52c3e0952c5f7ecc361.gif
- rd####.f####.com:8080/GaoXiao/upload/ec73bceb8b13594d052838795574b8c0.gif
- rd####.f####.com:8080/GaoXiao/upload/f0d162285cf154d787bd40ee133a644f.jpg
- rd####.f####.com:8080/GaoXiao/upload/f378dcf24a8a20e36be496fa2462aac1.gif
- www.md####.cn/pservers/loadgis?token=####
HTTP POST requests:
- rd####.f####.com:8080/GaoXiao/interface/getModelList
- rd####.f####.com:8080/GaoXiao/interface/getParentList
- rd####.f####.com:8080/GaoXiao/interface/getThreeClassList
- rd####.f####.com:8080/GaoXiao/interface/getUpdateInfo
- rd####.f####.com:8080/GaoXiao/interface/getgoods
Modified file system:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/aDv.zip
- /data/data/####/gaoxiao.rd.vz.gaoxiao.zip
- /data/data/####/libjiagu939956596.so
- /data/data/####/news.db-journal
- /data/data/####/register.xml
- /data/data/####/silename.xml
- /data/data/####/uuid.xml
- /data/data/####/webview.db-journal
- /data/media/####/-1054533677.tmp
- /data/media/####/-1148295792.tmp
- /data/media/####/-128680631
- /data/media/####/-1327461559.tmp
- /data/media/####/-1422904668.tmp
- /data/media/####/-1439022582.tmp
- /data/media/####/-1529886997.tmp
- /data/media/####/-1534351372.tmp
- /data/media/####/-1604014133.tmp
- /data/media/####/-1621238415.tmp
- /data/media/####/-1697888536.tmp
- /data/media/####/-1737220887.tmp
- /data/media/####/-1748132200.tmp
- /data/media/####/-1776140052.tmp
- /data/media/####/-1789506865.tmp
- /data/media/####/-216832110.tmp
- /data/media/####/-286926158.tmp
- /data/media/####/-356849009.tmp
- /data/media/####/-41041165.tmp
- /data/media/####/-41161564.tmp
- /data/media/####/-427948344.tmp
- /data/media/####/-440703611.tmp
- /data/media/####/-881955739.tmp
- /data/media/####/-9658422.tmp
- /data/media/####/091c50bbe231cb32257705cd7af1e134.jpg
- /data/media/####/10169691.tmp
- /data/media/####/1057573610.tmp
- /data/media/####/1141678927.tmp
- /data/media/####/1411527043.tmp
- /data/media/####/1449732841871.jpg
- /data/media/####/1449732943655.jpg
- /data/media/####/1449733043628.jpg
- /data/media/####/1449834712.tmp
- /data/media/####/1551955841.tmp
- /data/media/####/1684100630.tmp
- /data/media/####/2033045793.tmp
- /data/media/####/2067202296.tmp
- /data/media/####/2077914754.tmp
- /data/media/####/337170877.tmp
- /data/media/####/702431716.tmp
- /data/media/####/900447563.tmp
- /data/media/####/960021473.tmp
- /data/media/####/aa34028ec258f8416d5c459f5e9709d9.gif
Miscellaneous:
Executes next shell scripts:
- /system/bin/cat /proc/cpuinfo
- chmod 755 <Package Folder>/.jiagu/libjiagu939956596.so
Loads the following dynamic libraries:
- libjiagu939956596
- pl_droidsonroids_gif
Uses the following algorithms to encrypt data:
- AES
Uses the following algorithms to decrypt data:
- AES-ECB-PKCS5Padding
Uses special library to hide executable bytecode.
Displays its own windows over windows of other applications.
