Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Gexin.1
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) www.caim####.com:80
- TCP(TLS/1.0) e.crashly####.com:443
- TCP(TLS/1.0) rep####.crashly####.com:443
- TCP(TLS/1.0) sett####.crashly####.com:443
DNS requests:
- a####.u####.com
- e.crashly####.com
- rep####.crashly####.com
- sett####.crashly####.com
- www.caim####.com
HTTP POST requests:
- a####.u####.com/app_logs
- www.caim####.com/api_250/user/getUserInfo
- www.caim####.com/api_250/user/uploadDeviceToken
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/.jiagu.ls
- /data/data/####/5EA0475B0088-0001-0863-06D2762D51B7BeginSession.cls_temp
- /data/data/####/5EA0475B0088-0001-0863-06D2762D51B7SessionApp.cls_temp
- /data/data/####/5EA0475B0088-0001-0863-06D2762D51B7SessionDevice.cls_temp
- /data/data/####/5EA0475B0088-0001-0863-06D2762D51B7SessionOS.cls_temp
- /data/data/####/5EA0475B01CE-0001-087E-0D25F0D49410.cls_temp
- /data/data/####/5EA0475B01CE-0001-087E-0D25F0D49410BeginSession.cls_temp
- /data/data/####/5EA0475B01CE-0001-087E-0D25F0D49410SessionApp.cls_temp
- /data/data/####/5EA0475B01CE-0001-087E-0D25F0D49410SessionCrash.cls_temp
- /data/data/####/5EA0475B01CE-0001-087E-0D25F0D49410SessionDevice.cls_temp
- /data/data/####/5EA0475B01CE-0001-087E-0D25F0D49410SessionOS.cls_temp
- /data/data/####/5EA0475B01CE-0001-087E-0D25F0D49410SessionUser.cls_temp
- /data/data/####/5EA0475E0070-0002-087E-0D25F0D49410BeginSession.cls_temp
- /data/data/####/5EA0475E0070-0002-087E-0D25F0D49410SessionApp.cls_temp
- /data/data/####/5EA0475E0070-0002-087E-0D25F0D49410SessionDevice.cls_temp
- /data/data/####/5EA0475E0070-0002-087E-0D25F0D49410SessionOS.cls_temp
- /data/data/####/5EA0475E0070-0002-087E-0D25F0D49410SessionUser.cls_temp
- /data/data/####/5EA0475E02C4-0002-0863-06D2762D51B7BeginSession.cls_temp
- /data/data/####/5EA0475E02C4-0002-0863-06D2762D51B7SessionApp.cls_temp
- /data/data/####/5EA0475E02C4-0002-0863-06D2762D51B7SessionDevice.cls_temp
- /data/data/####/5EA0475E02C4-0002-0863-06D2762D51B7SessionOS.cls_temp
- /data/data/####/5EA0475E02C4-0002-0863-06D2762D51B7SessionUser.cls_temp
- /data/data/####/5EA04769008C-0001-08FC-06D2762D51B7BeginSession.cls_temp
- /data/data/####/5EA04769008C-0001-08FC-06D2762D51B7SessionApp.cls_temp
- /data/data/####/5EA04769008C-0001-08FC-06D2762D51B7SessionDevice.cls_temp
- /data/data/####/5EA04769008C-0001-08FC-06D2762D51B7SessionOS.cls_temp
- /data/data/####/TwitterAdvertisingInfoPreferences.xml
- /data/data/####/androidBrand.json
- /data/data/####/app_prefer.xml
- /data/data/####/com.crashlytics.prefs.xml
- /data/data/####/com.crashlytics.prefs.xml.bak
- /data/data/####/com.crashlytics.sdk.android;answers;com.crashly...rs.xml
- /data/data/####/com.crashlytics.settings.json
- /data/data/####/com.ilikelabsapp.MeiFu_preferences.xml
- /data/data/####/crash_marker
- /data/data/####/funclist.json
- /data/data/####/initialization_marker
- /data/data/####/io.fabric.sdk.android;fabric;io.fabric.sdk.andr...ng.xml
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_cached_com.ilikelabsapp.MeiFu39
- /data/data/####/multidex.version.xml
- /data/data/####/pricelist.json
- /data/data/####/product_type_list
- /data/data/####/protectskin.json
- /data/data/####/questions.json
- /data/data/####/sa_14e0a73e-a11b-40ef-81a9-96269c5246d3_1587562334279.tap
- /data/data/####/session_analytics.tap
- /data/data/####/session_analytics.tap.tmp
- /data/data/####/skin_data.json
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/media/####/1.app.log
Miscellaneous:
Loads the following dynamic libraries:
- bitmaps
- libjiagu
- memchunk
Uses the following algorithms to encrypt data:
- AES-ECB-PKCS7Padding
Uses special library to hide executable bytecode.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.