Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Xiny.20
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) t.si####.net:80
- TCP(HTTP/1.1) wc.find####.cc.####.com:80
- TCP(HTTP/1.1) c####.im.qq.com:80
- TCP(HTTP/1.1) w.j####.cc:80
DNS requests:
- c####.im.qq.com
- cfg.ads####.com
- cfg.ads####.mobi
- cfg.ads####.net
- cfg.ads####.org
- t.si####.net
- w.j####.cc
- wc.find####.cc
HTTP GET requests:
- c####.im.qq.com/cgi-bin/cgi_svrtime
- wc.find####.cc.####.com/201804/bur.jar
HTTP POST requests:
- t.si####.net/t2
- w.j####.cc/kvm?requestId=####&g=####
Modified file system:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/Q8tFVImbNuvsmBwWwdqsPE6jsRQsSPkQ.xml
- /data/data/####/W_Key.xml
- /data/data/####/com.fatcat.MySupermaketSmallHeaded_preferences.xml
- /data/data/####/downloadswc
- /data/data/####/downloadswc-journal
- /data/data/####/libjiagu.so
- /data/data/####/st.xml
- /data/data/####/xx.xml
- /data/media/####/5.0bur.jar.t
- /data/media/####/restime.dat
Miscellaneous:
Executes next shell scripts:
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Loads the following dynamic libraries:
- libjiagu
Uses special library to hide executable bytecode.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Displays its own windows over windows of other applications.