Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) sh.wagbr####.aliyun####.com:80
- TCP(HTTP/1.1) c####.g####.com:80
- TCP(HTTP/1.1) gs.g####.com:80
- TCP(TLS/1.0) 2####.107.1.97:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) 1####.217.20.110:443
DNS requests:
- a####.man.aliy####.com
- c####.g####.com
- gs.g####.com
- plb####.u####.com
- u####.u####.com
HTTP POST requests:
- c####.g####.com/api.php?format=####&t=####
- gs.g####.com/encryption/key/fetch
- gs.g####.com/geshu/sdkStatistics/bindInfo
- gs.g####.com/geshu/sdkStatistics/uploadBI
- sh.wagbr####.aliyun####.com/man/api?ak=####&s=####
Modified file system:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/ACCS_SDK.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/MessageStore.db
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/MultiDex.lock
- /data/data/####/_nohttp_cookies_db.db
- /data/data/####/_nohttp_cookies_db.db-journal
- /data/data/####/accs.db
- /data/data/####/accs.db-journal
- /data/data/####/config.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/getui_sp.xml
- /data/data/####/gtc.db-journal
- /data/data/####/i==1.2.0&&3.8.14.251_1538430180570_envelope.log
- /data/data/####/ias.db-journal
- /data/data/####/ias_sp.xml
- /data/data/####/ias_sp.xml.bak
- /data/data/####/info.xml
- /data/data/####/init_c1.pid
- /data/data/####/libjiagu-1087609770.so
- /data/data/####/multidex.version.xml
- /data/data/####/orayremote.conf
- /data/data/####/pushsdk.db-journal
- /data/data/####/qihoo_jiagu_crash_report.xml
- /data/data/####/um_pri.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_message_state.xml
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/client_week1.log
- /data/media/####/com.oray.sunlogin.service_.db
Miscellaneous:
Executes next shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- chmod 755 <Package Folder>/.jiagu/libjiagu-1087609770.so
- logcat -v time -s SunloginClient:I -s LocalSocketSunlogin:I
- ls /sys/class/thermal
Loads the following dynamic libraries:
- OraySunloginService
- getuiext2
- libjiagu-1087609770
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Uses special library to hide executable bytecode.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
