Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.433.origin
Network activity:
Connecting to:
- oranges####.cn
- 2####.####.108:443
- v####.####.com
- ub####.####.com
- hotp####.####.com
- c####.####.com
- f####.####.com
- w####.####.com
- 6####.####.66
- y####.####.com
- 6####.####.66:9001
- l####.####.com
- m####.####.com
- m####.####.com:6088
- f####.####.cn
- a####.####.com
HTTP GET requests:
- w####.####.com/adx.php?c=####
- l####.####.com/log.gif?bt=####&m_os=####&m_osv=####&m1=####&m2=####&m3=#...
- ub####.####.com/media/v1/0f000nNTGnyL3WYihKqESs.webp
- hotp####.####.com/patch?version=####&patchver=####&platform=####&appId=#...
- y####.####.com/m/um.htm?c=####
- f####.####.com/it/u=726051427,1109824974&fm=76
- f####.####.cn/focus/conf?device_type=####&height=####&dpi=####&android_i...
- v####.####.com/ax?v=####&bt=####&m_os=####&m_osv=####&m1=####&m2=####&m3...
- 2####.####.108:443/imlogingw/tcp60login?devid=####&ver=####
- f####.####.cn/focus/st?status=####&cid=####&source=####&requestid=####
- oranges####.cn/n/s?v####
- oranges####.cn/n/p.wca.c?v####
- f####.####.com/it/u=3585320268,3818709183&fm=76
- m####.####.com/c/1493732211054
- c####.####.com/update/check?pkey=####&ts=####&data=####&secret=####
HTTP POST requests:
- 6####.####.66/advtj/RemoteAction
- m####.####.com/t/1493732226697
- m####.####.com/t/1493732222199
- a####.####.com/rest/gc?dd=####&nsgs=####&ak=####&av=####&c=####&v=####&s...
- f####.####.cn/focus/req
- y####.####.com/saveWb.json
- a####.####.com/monitorlog/dex
- a####.####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=####&sv=#...
- 6####.####.66:9001/advtj/RemoteAction
- f####.####.cn/focus/atex
- m####.####.com/p/1493732211287
- w####.####.com/adx.php?c=####&ext=####
- a####.####.com/app_logs
- w####.####.com/api/update.do
- m####.####.com:6088/s/
- m####.####.com/t/1493732221722
- m####.####.com/t/1493732220131
- m####.####.com/t/1493732218267
Modified file system:
Creates the following files:
- /data/data/####/files/0a231bd8575dcf72.txt
- /data/data/####/shared_prefs/SGMANAGER_DATA.xml
- /data/data/####/databases/cc.db-journal
- /data/data/####/shared_prefs/SDK20161728051220964dw6hvenlv7pf_instl.xml
- /data/data/####/app_imyaxy/175CAB4B2DA7FEF6503A8207784903BE.jar.tmp
- /data/data/####/shared_prefs/SGMANAGER_DATA.xml.bak
- /data/data/####/shared_prefs/SDK201611151111099i28b7xr47d7gbz_instl.xml
- /sdcard/XTrader/log/2017_05_02_13_36_46.log
- /data/data/####/databases/ua.db
- /data/data/####/shared_prefs/####.xml
- /data/data/####/shared_prefs/####_preferences.xml
- /data/data/####/shared_prefs/SDK20161728051220964dw6hvenlv7pf_banner.xml
- /data/data/####/cache/WXOPENIM/openim/####_TcmsService_2042
- /sdcard/####/WXOPENIM/tcmslog/userTrack/2_20170502_r
- /data/data/####/shared_prefs/Alvin2.xml
- /data/data/####/databases/cc.db
- /data/data/####/shared_prefs/device_id.xml.xml
- /data/data/####/shared_prefs/tcms_setting_sp.xml
- /sdcard/Android/filter/.res/F498A9412CECB022C6F895D2077527A9.tmp
- /sdcard/Android/tmp/7ABE753A17BEEE1BA17A662DA460503B
- /data/data/####/databases/ua.db-journal
- /sdcard/Android/filter/master
- /data/data/####/files/iakmip
- /data/data/####/databases/xUtils_http_cookie.db-journal
- /sdcard/Android/filter/.res/C5029758A037A0FDE0CCA7177E89AA74.tmp
- /data/data/####/files/yw.db
- /data/data/####/app_dex/7ABE753A17BEEE1BA17A662DA460503B.jar.tmp
- /sdcard/.com.taobao.dp/dd7893586a493dc3
- /data/data/####/shared_prefs/SDK20161728051220964dw6hvenlv7pf_native.xml
- /data/data/####/shared_prefs/umeng_general_config.xml
- /data/data/####/shared_prefs/SDK201611151111099i28b7xr47d7gbz_spread.xml
- /data/data/####/shared_prefs/UTMCConf-1369071460.xml
- /data/data/####/files/.umeng/exchangeIdentity.json
- /data/data/####/files/.imprint
- /sdcard/.UTSystemConfig/Global/Alvin2.xml
- /data/data/####/shared_prefs/ContextData.xml
- /sdcard/Android/filter/deviceId
- /data/data/####/files/libexecmain.so
- /sdcard/Android/filter/config
- /sdcard/Download/images/journal.tmp
- /data/data/####/files/1d77ea041509fe06.lock
- /sdcard/.DataStorage/ContextData.xml
- /sdcard/Android/filter/P46237A31D756F15DA82F6617D1D8CFE4/trace/t_1493732211036_E95ECC3D2E11DCAF08A56A94D961632B
- /data/data/####/files/exid.dat
- /sdcard/Android/filter/adv
- /data/data/####/databases/download_file.db-journal
- /data/data/####/shared_prefs/UTCommon.xml
- /data/data/####/databases/webview.db-journal
- /data/data/####/files/libsecuritysdkx-3.1.27.so
- /data/data/####/shared_prefs/ywAccount.xml.bak
- /data/data/####/databases/data.db-journal
- /data/data/####/cache/WXOPENIM/openim/####_2001
- /data/data/####/shared_prefs/SDK201611151111099i28b7xr47d7gbz_native.xml
- /data/data/####/shared_prefs/config.xml
- /data/data/####/shared_prefs/SDK201611151111099i28b7xr47d7gbz_banner.xml
- /sdcard/Android/filter/master.lock
- /data/data/####/databases/data.db
- /data/data/####/shared_prefs/ywAccount.xml
- /data/data/####/shared_prefs/SDK20161728051220964dw6hvenlv7pf_spread.xml
- /data/data/####/files/umeng_it.cache
- /sdcard/Android/filter/sys_install
- /sdcard/Android/filter/.res/F23F3D9C3DA847729E7DCCEF2727481F.tmp
- /data/data/####/files/49814c4f5ac2f2f9.lock
- /data/data/####/code_cache/secondary-dexes/####-1.apk.classes721905061.zip
- /data/data/####/databases/xUtils_http_cookie.db
- /data/data/####/shared_prefs/UTMCLog-1369071460.xml
- /data/data/####/temp.dex
- /data/data/####/shared_prefs/ZKMonitorSave.xml
- /sdcard/.com.taobao.dp/6c709c11d2d46a7b
- /data/data/####/files/libexec.so
- /data/data/####/shared_prefs/multidex.version.xml
- /data/data/####/files/sp.lock
Sets the 'executable' attribute to the following files:
- /data/data/####/files/49814c4f5ac2f2f9.lock
- /data/data/####/files/1d77ea041509fe06.lock
Miscellaneous:
Executes next shell scripts:
- cat /proc/cpuinfo | grep Serial
- /system/bin/dexopt --dex 27 64 40 129580 /data/data/####/temp.dex 1493732206 -66006894 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framework.jar /sy
- cat /proc/cpuinfo
- getprop ro.product.cpu.abi
- ls -l /system/xbin/su
- ping -c 2 -w 5 f####.####.cn
- cat /sys/class/net/wlan0/address
- /system/bin/dexopt --dex 27 46 40 332804 /data/data/####/app_imyaxy/175CAB4B2DA7FEF6503A8207784903BE.jar 1252163928 -1562747267 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ex
- /system/bin/dexopt --dex 27 42 40 2080592 /data/data/####/code_cache/secondary-dexes/####-1.apk.classes2.zip 1249997687 260690701 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/f
- /system/bin/dexopt --dex 27 54 40 508744 /data/data/####/app_dex/7ABE753A17BEEE1BA17A662DA460503B.jar 1234468548 -687676036 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.ja
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.