Technical information
Malicious functions:
Executes code of the following detected threats:
- Tool.SilentInstaller.3.origin
Downloads the following detected threats from the Web:
- Tool.SilentInstaller.3.origin
Network activity:
Connecting to:
- a####.####.com
- bookweb####.####.com
- h####.####.com
- l####.####.com
- t####.####.com
- t####.####.com:8900
HTTP GET requests:
- a####.####.com/api/bookapp/hotSearchWords.m?cid=####&version=####&os=###...
- bookweb####.####.com/v12/contentExtract.m?udid=####&os=####&osv=####&av=...
HTTP POST requests:
- a####.####.com/apksupload
- h####.####.com/app.gif
- l####.####.com/sdk.php
- t####.####.com/up
- t####.####.com:8900/up
Modified file system:
Creates the following files:
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/cache/####/-177429983-2134109409
- <Package Folder>/cache/####/-3878871811142782204
- <Package Folder>/cache/####/1318250002399078911
- <Package Folder>/cache/####/222123251-923630284
- <Package Folder>/cache/####/902404261-1305208574
- <Package Folder>/database/pushinfo.db
- <Package Folder>/database/pushinfo.db-journal
- <Package Folder>/databases/easouBook.db
- <Package Folder>/databases/easouBook.db-journal
- <Package Folder>/databases/es.db
- <Package Folder>/databases/es.db-journal
- <Package Folder>/databases/es.db-shm (deleted)
- <Package Folder>/databases/es.db-wal
- <Package Folder>/databases/eventInfo.db
- <Package Folder>/databases/eventInfo.db-journal
- <Package Folder>/databases/local.db
- <Package Folder>/databases/local.db-journal
- <Package Folder>/databases/localEasouBook.db
- <Package Folder>/databases/localEasouBook.db-journal
- <Package Folder>/databases/pushstat_5.5.0.db
- <Package Folder>/databases/pushstat_5.5.0.db-journal
- <Package Folder>/databases/u.dbv5
- <Package Folder>/databases/u.dbv5-journal
- <Package Folder>/files/####/.jg.ic
- <Package Folder>/files/####/firll.dat
- <Package Folder>/files/####/hst.db
- <Package Folder>/files/####/hst.db-journal
- <Package Folder>/files/__local_ap_info_cache.json
- <Package Folder>/files/__local_last_session.json
- <Package Folder>/files/__local_stat_cache.json
- <Package Folder>/files/__send_data_1496218582861
- <Package Folder>/files/epay.jar
- <Package Folder>/files/libcuid.so
- <Package Folder>/files/user_log_0_016f9_1496218585596
- <Package Folder>/files/user_log_3_bbf40_1496218583778
- <Package Folder>/shared_prefs/.xml
- <Package Folder>/shared_prefs/<Package>.push_sync.xml
- <Package Folder>/shared_prefs/<Package>.self_push_sync.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/__Baidu_Stat_SDK_SendRem.xml
- <Package Folder>/shared_prefs/authStatus_<Package>;remote.xml
- <Package Folder>/shared_prefs/com.baidu.pushservice.BIND_CACHE.xml
- <Package Folder>/shared_prefs/common_prefs.xml
- <Package Folder>/shared_prefs/epay_share.xml
- <Package Folder>/shared_prefs/es_a_f_pref.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/pst.xml
- <Package Folder>/shared_prefs/pushclient.xml
- <SD-Card>/backups/####/.confd
- <SD-Card>/backups/####/.confd-journal
- <SD-Card>/backups/####/.cuid
- <SD-Card>/backups/####/.cuid2
- <SD-Card>/backups/####/.timestamp
- <SD-Card>/easou_book/####/alipay_msp.apk
Miscellaneous:
Executes next shell scripts:
- <dexopt>
- cat /sys/class/net/wlan0/address
- chmod /data/data/com.esbook.reader 777&& busybox chmod /data/data/com.esbook.reader 777
- chmod 755 /data/data/com.esbook.reader/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod <Package Folder> 777&& busybox chmod <Package Folder> 777
Uses special library to hide executable bytecode.
