Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.337.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) safebro####.google####.com:443
- TCP(TLS/1.0) firebas####.google####.com:443
- TCP(TLS/1.0) app-mea####.com:443
- TCP(TLS/1.0) 64.2####.164.94:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) pla####.google####.com:443
- TCP(TLS/1.0) 64.2####.161.95:443
- TCP(TLS/1.2) 64.2####.161.95:443
- TCP(TLS/1.2) pla####.google####.com:443
- TCP(TLS/1.2) 64.2####.164.94:443
- TCP 1####.220.236.173:12682
- TCP 1####.13.31.66:12682
- TCP 1####.220.139.132:12682
- TCP 13.1####.114.180:12682
- TCP 1####.28.242.143:12682
- TCP 1####.232.174.26:12682
- TCP 1####.232.174.30:12682
- UDP safebro####.google####.com:443
- TCP 42.1####.160.231:12682
- TCP 42.1####.160.235:12682
- TCP 2####.24.92.194:12682
- TCP 2####.14.81.240:12682
- TCP 1####.117.102.188:12682
- TCP 42.2####.196.35:12682
- TCP 1####.63.103.14:12682
- TCP 20.2####.168.120:12682
- TCP 1####.212.61.92:12682
- TCP 1####.30.145.132:12682
- TCP 20.1####.223.125:12682
- TCP 1####.99.132.4:12682
- TCP 1####.212.61.89:12682
- TCP 1####.9.54.243:12682
- TCP 20.2####.217.220:12682
- TCP 1####.143.33.66:12682
- TCP 1####.3.123.48:12682
- TCP 42.1####.160.239:12682
- TCP 1####.3.123.20:12682
- TCP 1####.14.47.218:12682
- UDP www.gst####.com:443
- TCP 20.2####.225.63:12682
- TCP 1####.3.123.45:12682
- TCP 66.70.1####.131:12682
- TCP 1####.143.34.228:12682
- TCP firebas####.crashly####.com:443
- TCP 20.1####.112.117:12682
- TCP 1####.99.79.204:12682
- TCP 1####.9.54.79:12682
- TCP 1####.247.239.27:12682
- TCP 1####.232.198.8:12682
- TCP 1####.240.99.172:12682
- TCP 1####.9.54.172:12682
- TCP 1####.232.197.229:12682
- TCP 42.2####.196.58:12682
- TCP 1####.30.145.131:12682
- TCP 42.1####.160.234:12682
- TCP 61.2####.202.198:12682
- TCP 20.2####.98.222:12682
- TCP 1####.9.54.87:12682
- TCP 1####.28.242.145:12585
- TCP 1####.9.62.137:12682
- TCP 1####.212.61.91:12682
- TCP 52.2####.69.180:12682
- TCP 42.1####.160.236:12682
- TCP 1####.232.174.27:12682
- TCP 1####.9.62.113:12682
- TCP 20.1####.118.55:12682
- TCP 2####.112.227.72:12682
- TCP 1####.232.174.24:12682
- TCP 1####.63.103.32:12682
- TCP 1####.170.73.17:12682
- TCP 1####.170.73.16:12682
- TCP 13.1####.179.174:12682
- TCP 61.2####.202.187:12682
- TCP 42.1####.160.233:12682
- TCP 42.1####.160.237:12682
- TCP 1####.28.242.142:12585
- TCP 1####.232.174.17:12682
- TCP 38.94.1####.133:12682
- TCP 2####.22.180.63:12682
- TCP 42.1####.160.230:12682
- TCP 59.1####.101.238:12682
- TCP 1####.136.127.48:12585
- TCP 1####.28.242.147:12682
- TCP 1####.99.79.25:12682
- TCP 1####.212.61.163:12682
- TCP 1####.103.4.78:12682
- TCP 1####.104.45.71:12682
- TCP 2####.107.30.120:12682
- TCP arm.lc####.cn:10007
- TCP 2####.22.180.64:12682
- TCP 1####.212.61.88:12682
- TCP 1####.175.177.12:12682
- TCP 1####.61.191.52:12682
- TCP 1####.129.253.58:12682
- TCP 1####.208.82.199:12682
- TCP 1####.9.54.152:12682
- TCP 46.29.1####.82:12682
- TCP 1####.170.73.29:12682
- TCP 1####.240.40.119:12682
- TCP 1####.9.62.104:12682
- TCP 1####.232.174.29:12682
- TCP 2####.107.30.121:12682
- TCP 1####.170.73.25:12682
- TCP 1####.9.54.12:12682
- TCP 1####.232.174.28:12682
- TCP 1####.212.61.9:12682
- TCP 1####.117.102.219:13682
- TCP 1####.9.62.80:12682
- TCP 1####.232.198.28:12682
- UDP 64.2####.161.95:443
- TCP 1####.240.55.153:12682
- TCP 1####.122.175.10:12682
- TCP 54.39.2####.20:12682
- TCP 1####.170.73.15:12682
- TCP 1####.9.54.11:12682
- TCP 1####.170.73.28:12682
- TCP 31.1####.235.17:12682
- TCP 1####.28.242.146:12682
- TCP 42.2####.196.56:12585
- TCP 1####.28.242.150:12682
- TCP 1####.3.123.22:12682
- TCP 1####.175.177.24:12682
- TCP 1####.3.123.52:12682
- TCP 2####.112.227.71:12682
- TCP 1####.63.103.56:12682
- TCP 1####.170.73.26:12682
- TCP 1####.232.174.16:12682
- TCP 1####.74.6.62:12682
- TCP 2####.188.208.90:12682
- TCP 1####.59.61.100:12682
- TCP 1####.103.7.17:12682
- TCP 61.2####.202.170:12682
- TCP 36.1####.73.56:12682
- TCP 1####.22.195.95:22485
- TCP 1####.232.197.225:12585
- TCP 59.1####.101.250:12682
- TCP 61.2####.202.251:12682
- TCP 1####.212.61.90:12682
- TCP 1####.99.133.132:12682
- TCP 1####.247.212.54:12682
- TCP s####.xinxic####.org:12682
- TCP 1####.232.198.6:12682
- TCP 2####.112.227.68:12682
- TCP 82.1####.29.5:12385
- TCP 1####.9.54.68:12682
- TCP 42.2####.196.73:12682
- TCP 1####.28.242.141:12682
- TCP 2####.14.81.247:12682
- TCP 1####.28.242.148:12585
- TCP 61.2####.202.240:12682
- TCP 1####.232.174.23:12682
- TCP 1####.240.54.94:12682
- TCP 1####.232.174.21:12682
- TCP 1####.13.31.197:12682
- TCP 1####.9.54.164:12682
- TCP 51.1####.222.13:12682
- TCP 1####.143.209.15:12682
- TCP 1####.143.143.201:12682
- TCP 1####.212.61.165:12682
- TCP 42.1####.160.232:12682
- TCP 1####.122.174.31:12682
- TCP 1####.143.143.37:12682
- TCP 1####.170.73.27:12682
- TCP 1####.232.174.22:12682
- TCP 1####.28.242.144:12682
- TCP 1####.232.174.18:12682
- TCP 1####.232.174.25:12682
- TCP 2####.10.194.232:12682
- TCP 1####.143.221.143:12682
- TCP 20.2####.14.26:12682
- TCP 2####.24.92.5:12585
- TCP 1####.9.62.138:12682
- TCP 1####.63.103.30:12682
- TCP 1####.103.7.25:12682
- TCP 61.2####.202.167:12682
- TCP 1####.28.55.144:12682
- TCP arm.lc####.cn:10011
- TCP 1####.136.127.174:12682
- TCP 1####.9.54.52:12585
- TCP 1####.14.47.206:12682
- TCP 1####.63.103.31:12682
- TCP 1####.232.198.27:12682
DNS requests:
- and####.a####.go####.com
- and####.cfhfl1####.com
- and####.google####.com
- app-mea####.com
- arm.lc####.cn
- firebas####.crashly####.com
- firebas####.google####.com
- gmscomp####.google####.com
- p####.google####.com
- pla####.google####.com
- s####.xinxic####.org
- safebro####.google####.com
- www.gst####.com
- ytts####.mana####.com
HTTP POST requests:
- firebas####.google####.com:443/v1/projects/you-tu-99f54/installations
File system changes:
Creates the following files:
- /data/data/####/.fsgkea
- /data/data/####/.jg.ac
- /data/data/####/.jg.ri
- /data/data/####/.jg.store.report_cf
- /data/data/####/.jg.store.report_pid
- /data/data/####/6307AFF00158-0001-0E7D-FBD6C8E85C06BeginSession.cls
- /data/data/####/6307AFF00158-0001-0E7D-FBD6C8E85C06SessionApp.cls
- /data/data/####/6307AFF00158-0001-0E7D-FBD6C8E85C06SessionDevice.cls
- /data/data/####/6307AFF00158-0001-0E7D-FBD6C8E85C06SessionOS.cls
- /data/data/####/6307AFF00158-0001-0E7D-FBD6C8E85C06SessionUser.cls_temp
- /data/data/####/6307AFF40225-0001-0F10-FBD6C8E85C06BeginSession.cls
- /data/data/####/6307AFF40225-0001-0F10-FBD6C8E85C06SessionApp.cls_temp
- /data/data/####/6307AFF40225-0001-0F10-FBD6C8E85C06SessionDevice.cls
- /data/data/####/6307AFF40225-0001-0F10-FBD6C8E85C06SessionOS.cls
- /data/data/####/FirebaseAppHeartBeat.xml
- /data/data/####/FirebaseAppHeartBeat.xml.bak
- /data/data/####/PersistedInstallation.W0RFRkFVTFRd+MTo0MDUzMzU4...i.json
- /data/data/####/PersistedInstallation106665286tmp
- /data/data/####/PersistedInstallation468472446tmp
- /data/data/####/PersistedInstallation573555445tmp
- /data/data/####/WebViewChromiumConfig.xml
- /data/data/####/WebViewChromiumConfig.xml.bak
- /data/data/####/app.json
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/classes.oat
- /data/data/####/com.crashlytics.settings.json
- /data/data/####/com.google.android.datatransport.events-journal
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml.bak
- /data/data/####/com.google.firebase.crashlytics.xml
- /data/data/####/crashlytics-userlog-6307AFF00158-0001-0E7D-FBD6...6.temp
- /data/data/####/crashlytics-userlog-6307AFF40225-0001-0F10-FBD6...6.temp
- /data/data/####/device.json
- /data/data/####/generatefid.lock
- /data/data/####/google_app_measurement_local.db
- /data/data/####/google_app_measurement_local.db-journal
- /data/data/####/initialization_marker
- /data/data/####/libjiagu.so
- /data/data/####/notice.xml
- /data/data/####/os.json
- /data/data/####/proc_auxv
- /data/data/####/report
- /data/data/####/session.json
- /data/misc/####/primary.prof
Miscellaneous:
Loads the following dynamic libraries:
- libc_lib
- libcrashlytics
- libjiagu
Uses the following algorithms to encrypt data:
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-NoPadding
- RSA-ECB-PKCS1Padding
Uses special library to hide executable bytecode.
Displays its own windows over windows of other apps.
