Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.337.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(TLS/1.0) rr6---s####.g####.com:443
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) rr9---s####.g####.com:443
- TCP(TLS/1.0) pla####.google####.com:443
- TCP(TLS/1.0) 1####.217.21.163:443
- TCP(TLS/1.2) 1####.250.74.164:443
- TCP(TLS/1.2) gmscomp####.google####.com:443
- TCP(TLS/1.2) 1####.217.21.163:443
- UDP p####.google####.com:443
DNS requests:
- and####.a####.go####.com
- and####.google####.com
- gmscomp####.google####.com
- p####.google####.com
- pla####.google####.com
- rr6---s####.g####.com
- rr9---s####.g####.com
File system changes:
Creates the following files:
- /data/anr/traces.txt
- /data/data/####/.bundledXX
- /data/data/####/.fsgkea
- /data/data/####/.jg.ri
- /data/data/####/.jg.store.report_cf
- /data/data/####/.jg.store.report_pid
- /data/data/####/.set_app_data.zip
- /data/data/####/000003.log
- /data/data/####/67ED35CE0380-0001-419A-888973CD4F44BeginSession.cls
- /data/data/####/67ED35CE0380-0001-419A-888973CD4F44SessionApp.cls
- /data/data/####/67ED35CE0380-0001-419A-888973CD4F44SessionDevice.cls
- /data/data/####/67ED35CE0380-0001-419A-888973CD4F44SessionOS.cls
- /data/data/####/AAAAAAAAAAAAAAAAAA (deleted)
- /data/data/####/AAAAAAAAAAAAAAAAAAAAAAAA (deleted)
- /data/data/####/AwOriginVisitLoggerPrefs.xml
- /data/data/####/BrowserMetrics-67ED35CF-419A.pma
- /data/data/####/BrowserMetrics-spare.pma
- /data/data/####/CURRENT
- /data/data/####/Cookies
- /data/data/####/Cookies-journal
- /data/data/####/FirebaseAppHeartBeat.xml
- /data/data/####/LOCK
- /data/data/####/LOG
- /data/data/####/LOG.old
- /data/data/####/MANIFEST-000001
- /data/data/####/PAYU_CRASHLYTICS_APP_PREF.xml
- /data/data/####/PersistedInstallation.W0RFRkFVTFRd+MToyMTQ5MjY4...2.json
- /data/data/####/Web Data
- /data/data/####/Web Data-journal
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/admob.xml
- /data/data/####/androidx.work.workdb
- /data/data/####/androidx.work.workdb-shm
- /data/data/####/androidx.work.workdb-wal
- /data/data/####/cdi.videostreaming.app.client_cast_analytics_data.xml
- /data/data/####/cdi.videostreaming.app.nui2.downloadService.Dow...db-shm
- /data/data/####/cdi.videostreaming.app.nui2.downloadService.Dow...db-wal
- /data/data/####/cdi.videostreaming.app.nui2.downloadService.Dow...ice.db
- /data/data/####/cdi.videostreaming.app_preferences.xml
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/classes.dex;classes5.dex
- /data/data/####/classes2.dex
- /data/data/####/classes3.dex
- /data/data/####/classes4.dex
- /data/data/####/classes5.dex
- /data/data/####/cloneSettings.json
- /data/data/####/com.crashlytics.settings.json
- /data/data/####/com.facebook.internal.MODEL_STORE.xml
- /data/data/####/com.facebook.internal.preferences.APP_GATEKEEPERS.xml
- /data/data/####/com.facebook.internal.preferences.APP_SETTINGS.xml
- /data/data/####/com.facebook.sdk.USER_SETTINGS.xml
- /data/data/####/com.facebook.sdk.appEventPreferences.xml
- /data/data/####/com.facebook.sdk.attributionTracking.xml
- /data/data/####/com.google.android.datatransport.events
- /data/data/####/com.google.android.datatransport.events-journal
- /data/data/####/com.google.android.gms.appid-no-backup
- /data/data/####/com.google.android.gms.appid.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.google.firebase.crashlytics.xml
- /data/data/####/com.google.firebase.remoteconfig_legacy_settings.xml
- /data/data/####/crashlytics-userlog-67ED33D9029C-0001-5424-8889...4.temp
- /data/data/####/crashlytics-userlog-67ED35CE0380-0001-419A-8889...4.temp
- /data/data/####/data.mdb
- /data/data/####/db
- /data/data/####/db-journal
- /data/data/####/frc_1;214926846727;android;14c751cc01592256_fir...e.json
- /data/data/####/frc_1;214926846727;android;14c751cc01592256_fir...gs.xml
- /data/data/####/frc_1;214926846727;android;14c751cc01592256_fir...s.json
- /data/data/####/generatefid.lock
- /data/data/####/google_app_measurement_local.db
- /data/data/####/google_app_measurement_local.db-journal
- /data/data/####/hook1048045619.dex
- /data/data/####/hook1048045619.dex.flock (deleted)
- /data/data/####/hook1076729932.dex
- /data/data/####/hook1076729932.dex.flock
- /data/data/####/hook1100786867.dex
- /data/data/####/hook1100786867.dex.flock (deleted)
- /data/data/####/hook1163075661.dex
- /data/data/####/hook1163075661.dex.flock (deleted)
- /data/data/####/hook1188515061.dex
- /data/data/####/hook1188515061.dex.flock (deleted)
- /data/data/####/hook1347572888.dex
- /data/data/####/hook1347572888.dex.flock (deleted)
- /data/data/####/hook1375836358.dex
- /data/data/####/hook1375836358.dex.flock (deleted)
- /data/data/####/hook1469938362.dex
- /data/data/####/hook1469938362.dex.flock (deleted)
- /data/data/####/hook1666367750.dex
- /data/data/####/hook1666367750.dex.flock (deleted)
- /data/data/####/hook1759051707.dex
- /data/data/####/hook1759051707.dex.flock (deleted)
- /data/data/####/hook1826028664.dex
- /data/data/####/hook1826028664.dex.flock (deleted)
- /data/data/####/hook1928781824.dex
- /data/data/####/hook1928781824.dex.flock (deleted)
- /data/data/####/hook1964148075.dex
- /data/data/####/hook1964148075.dex.flock (deleted)
- /data/data/####/hook2069220618.dex
- /data/data/####/hook2069220618.dex.flock (deleted)
- /data/data/####/hook290895877.dex
- /data/data/####/hook290895877.dex.flock (deleted)
- /data/data/####/hook291857500.dex
- /data/data/####/hook291857500.dex.flock (deleted)
- /data/data/####/hook293173722.dex
- /data/data/####/hook293173722.dex.flock (deleted)
- /data/data/####/hook305272793.dex
- /data/data/####/hook305272793.dex.flock (deleted)
- /data/data/####/hook4642696.dex
- /data/data/####/hook471884391.dex
- /data/data/####/hook471884391.dex.flock (deleted)
- /data/data/####/hook526741508.dex
- /data/data/####/hook526741508.dex.flock (deleted)
- /data/data/####/hook604835656.dex
- /data/data/####/hook604835656.dex.flock (deleted)
- /data/data/####/hook612115236.dex
- /data/data/####/hook612115236.dex.flock (deleted)
- /data/data/####/hook638678235.dex
- /data/data/####/hook638678235.dex.flock (deleted)
- /data/data/####/hook763154633.dex
- /data/data/####/hook763154633.dex.flock (deleted)
- /data/data/####/hook872969546.dex
- /data/data/####/hook872969546.dex.flock (deleted)
- /data/data/####/hook920714502.dex
- /data/data/####/hook920714502.dex.flock (deleted)
- /data/data/####/hook92157497.dex
- /data/data/####/hook92157497.dex.flock (deleted)
- /data/data/####/index
- /data/data/####/jgobfppppp
- /data/data/####/jgobfppppp (deleted)
- /data/data/####/last-exit-info
- /data/data/####/libjiagu.so
- /data/data/####/lock.mdb
- /data/data/####/paid_storage_sp.xml
- /data/data/####/pcam.jar
- /data/data/####/pcam.vdex
- /data/data/####/pcbc
- /data/data/####/pcvmspf.xml
- /data/data/####/perf_img_scale.xml
- /data/data/####/phc_vh4xlse2R4VybrpkIrOQG08LZBuFSh8B0FDhioBtTWq
- /data/data/####/posthog-android-phc_vh4xlse2R4VybrpkIrOQG08LZBu...Wq.xml
- /data/data/####/pref_store
- /data/data/####/report
- /data/data/####/tavas-android-.xml
- /data/data/####/the-real-index
- /data/data/####/variations_seed
- /data/data/####/variations_stamp
- /data/data/####/webview_data.lock
Miscellaneous:
Loads the following dynamic libraries:
- libjiagu
Uses special library to hide executable bytecode.
Attempts to detect sandbox environment.
