Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.613.origin
Prompts to install third-party applications.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) m####.v####.i####.com:80
- TCP(HTTP/1.1) 1####.42.157.151:8080
- TCP(HTTP/1.1) yysd####.hsou####.com:80
- TCP(HTTP/1.1) contr####.i####.com:80
- TCP(HTTP/1.1) c####.v####.i####.com:80
- TCP(HTTP/1.1) www.36####.com:80
- TCP(HTTP/1.1) i####.qiy####.com:80
- TCP(HTTP/1.1) terr####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) t7z.c####.i####.com:80
- TCP(HTTP/1.1) s####.jom####.com:80
- TCP(HTTP/1.1) 1####.43.175.120:40000
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) i####.i####.com:80
- TCP(HTTP/1.1) 1####.43.175.120:30000
- TCP(HTTP/1.1) secu####.i####.com:80
- TCP(HTTP/1.1) 1####.55.89.238:8977
- TCP(HTTP/1.1) subscri####.i####.com:80
- TCP(HTTP/1.1) b.scoreca####.com.####.net:80
- TCP(HTTP/1.1) m####.71.am:80
- TCP(HTTP/1.1) cf.gdata####.net:80
- TCP(HTTP/1.1) d####.v####.i####.com:80
- TCP(HTTP/1.1) qiy####.com.edg####.net:80
- TCP(HTTP/1.1) d####.b####.com:80
- TCP(HTTP/1.1) 1####.129.132.111:8001
- TCP(HTTP/1.1) 1####.43.175.120:8080
- TCP(HTTP/1.1) sdk.qipa####.cn:8088
- TCP(HTTP/1.1) v####.api.eeric####.com:80
- TCP(HTTP/1.1) a####.i####.com:80
- TCP(HTTP/1.1) i####.com.edg####.net:80
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) secu####.i####.com:443
- TCP(TLS/1.0) c####.i####.com:443
- TCP 1####.168.69.254:36244
- TCP 1####.168.69.254:36079
DNS requests:
- a####.i####.com
- api.s####.b####.com
- b.scoreca####.com
- c####.i####.com
- c####.v####.i####.com
- cf.gdata####.net
- contr####.i####.com
- d####.b####.com
- d####.v####.i####.com
- hm.b####.com
- i####.api.eji####.com
- i####.i####.com
- i####.qiy####.com
- m####.71.am
- m####.v####.i####.com
- m.i####.com
- m.qiy####.com
- msg.v####.q####.com
- mzy####.hz####.com
- mzyb####.hz####.com
- p####.qiy####.com
- p####.qiy####.com
- p####.qiy####.com
- p####.qiy####.com
- p####.qiy####.com
- p####.qiy####.com
- p####.qiy####.com
- p####.qiy####.com
- p####.zhanz####.b####.com
- pay.9####.com
- pub.m.i####.com
- pv.s####.com
- rd.gdata####.net
- re####.api.eji####.com
- sdk.qipa####.cn
- secu####.i####.com
- st####.i####.com
- subscri####.i####.com
- t7z.c####.i####.com
- terr####.oss-cn-####.aliy####.com
- v####.a####.eeric####.com
- v####.api.eeric####.com
- www.36####.com
- www.go####.com
- www.qiy####.com
- yi.iy####.cn
- yysd####.hsou####.com
HTTP GET requests:
- a####.i####.com/qx_api/comment/get_batch_count?res_type=####&cmt_types=#...
- a####.i####.com/qx_api/comment/query_configfile?type=####&usecache=####&...
- a####.i####.com/qx_api/framework/all_in_one?data=####&antiCsrf=####&auth...
- b.scoreca####.com.####.net/beacon.js
- c####.v####.i####.com/jp/othlist/684031000/3/?src=####&idType=####&_=###...
- c####.v####.i####.com/jp/pc/684031000/?qyid=####&_=####&callback=####
- c####.v####.i####.com/jp/pc/pr/684031000/?src=####&qyid=####&_=####&call...
- contr####.i####.com/control/content_config?business=####&is_iqiyi=####&i...
- d####.b####.com/x.js?si=####&dm=####
- d####.v####.i####.com/v.mp4?_=####&callback=####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- hm.b####.com/hm.js?5df871a####
- i####.com.edg####.net/api/cloud/code?_tv_id_=####&vfm=####&_=####&callba...
- i####.com.edg####.net/css/2017071712/h5-v4-comment.css
- i####.com.edg####.net/css/20171114/h5-v4-paopao-play.css
- i####.com.edg####.net/css/2018030117/h5-play-v4.css
- i####.com.edg####.net/ext/common/fontIcon/iconfont.ttf
- i####.com.edg####.net/js/common/7d183edd03bc4414b315e8964fb41826.js
- i####.com.edg####.net/js/common/ares-4-1-3-5736cc10d013836c38f6.min.js?
- i####.com.edg####.net/js/html5/js/lib/clipboard.min.js
- i####.com.edg####.net/js/html5/js/lib/lib.2.0.5.min.js?sea1.2.####
- i####.com.edg####.net/js/html5/js/lib/qoe.min.js?v=####
- i####.com.edg####.net/js/html5/js/page/playVip/4d5ffe0392!app.js
- i####.com.edg####.net/v_19rr7ek778.html?vfm=####
- i####.i####.com/irt?_iwt_t=####&_iwt_id=####&_iwt_UA=####&r=####
- i####.qiy####.com/passport/20170905/b3/64/pp_2511502391_150462495592145_...
- m####.71.am/cp2.gif?p=####&rd=####&rc=####&t=####&e=####&y=####&u=####&a...
- m####.71.am/cp2.gif?p=####&t=####&rc=####&rd=####&ai=####&e=####&y=####&...
- m####.71.am/cp2.gif?p=v&t=s&lc=http://m.iqiyi.com/v_19rr7ek778.html?vfm=...
- m####.71.am/jpb.gif?rdm=1495115&qtcurl=http://m.iqiyi.com/v_19rr7ek778.h...
- m####.71.am/tmpstats.gif?type=####&des=####&mse=####&p2p=####&p=####
- m####.71.am/v5/aqy/secsdk?sdk=####&s_v=####&sys=####&s_d=####&s_e=####&s...
- m####.v####.i####.com/jp/recommend/videos?type=####&page=####&size=####&...
- qiy####.com.edg####.net/common/20171106/ac/1b/vip_100000_v_601_0_60.png
- qiy####.com.edg####.net/common/fix/h5-aura/foot.png
- qiy####.com.edg####.net/common/fix/h5-aura/picicon-bg-20171011.png
- qiy####.com.edg####.net/common/fix/h5-aura/player-bg.png
- qiy####.com.edg####.net/common/fix/h5-aura/player-default-logo.png
- qiy####.com.edg####.net/common/fix/h5-v3/iqiyi-logo.png
- qiy####.com.edg####.net/common/fix/h5-v3/logoH5_v-2x.png
- qiy####.com.edg####.net/common/fix/h5-v3/loveChannel-new.png
- qiy####.com.edg####.net/common/fix/h5-v3/player-tip-bg.jpg
- qiy####.com.edg####.net/common/fix/h5-v3/privilege-gold-icon.png
- qiy####.com.edg####.net/common/fix/headicons/female06-130.png
- qiy####.com.edg####.net/common/fix/headicons/male-70.png
- qiy####.com.edg####.net/image/20141210/a4/03/v_108692975_m_601_m4_180_23...
- qiy####.com.edg####.net/image/20150328/29/b0/39/v_50209623_m_601_m8_180_...
- qiy####.com.edg####.net/image/20151230/37/ed/v_108739609_m_601_m7_180_23...
- qiy####.com.edg####.net/image/20160213/32/c7/v_110024292_m_601_m1_180_23...
- qiy####.com.edg####.net/image/20160426/4a/21/a_100024574_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20160511/2f/66/v_105087120_m_601_m5_180_23...
- qiy####.com.edg####.net/image/20160512/28/5b/v_50233838_m_601_m3_180_236...
- qiy####.com.edg####.net/image/20160625/52/29/v_110582187_m_601_180_236.jpg
- qiy####.com.edg####.net/image/20170702/0b/65/a_100058449_m_601_m1_195_26...
- qiy####.com.edg####.net/image/20170715/ed/a7/a_100013977_m_601_m9_195_26...
- qiy####.com.edg####.net/image/20170725/de/54/v_231636007_l_601_195_260.jpg
- qiy####.com.edg####.net/image/20170901/86/11/a_100042872_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20171005/08/55/v_113636204_m_601_195_260.jpg
- qiy####.com.edg####.net/image/20171102/32/36/a_100104204_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20171222/20/9d/a_100117057_m_601_m1_195_26...
- qiy####.com.edg####.net/image/20180129/07/b8/a_100025409_m_601_m5_195_26...
- qiy####.com.edg####.net/image/20180129/79/f5/a_100041454_m_601_m3_195_26...
- qiy####.com.edg####.net/image/20180129/d8/51/a_100039926_m_601_m6_195_26...
- qiy####.com.edg####.net/image/20180209/4a/2b/a_100094385_m_601_m8_195_26...
- qiy####.com.edg####.net/image/20180209/fb/24/a_100107370_m_601_m3_195_26...
- qiy####.com.edg####.net/image/20180210/d6/c9/a_100123540_m_601_m5_195_26...
- qiy####.com.edg####.net/image/20180218/33/b2/v_110289934_m_601_m13_195_2...
- qiy####.com.edg####.net/image/20180218/5a/f5/v_110718068_m_601_m4_195_26...
- qiy####.com.edg####.net/image/20180219/08/a7/v_111477167_m_601_m3_195_26...
- qiy####.com.edg####.net/image/20180219/6a/df/v_112138938_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180219/de/8c/v_111470440_m_601_m3_195_26...
- qiy####.com.edg####.net/image/20180220/26/73/v_112779219_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180220/2d/ba/v_112762509_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180220/4a/6a/v_112377276_m_601_m1_480_27...
- qiy####.com.edg####.net/image/20180220/4c/f8/v_114618572_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180220/4e/21/v_112878913_m_601_m7_195_26...
- qiy####.com.edg####.net/image/20180220/5c/49/v_113554121_m_601_m3_195_26...
- qiy####.com.edg####.net/image/20180220/7f/1b/v_112874857_m_601_m3_195_26...
- qiy####.com.edg####.net/image/20180220/93/eb/v_113763212_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180220/ab/03/v_113897388_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180220/ab/cc/v_114498204_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180220/bb/b8/v_112870244_m_601_m1_195_26...
- qiy####.com.edg####.net/image/20180220/d1/92/v_113526747_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180220/e1/10/v_113766567_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180220/e9/7c/v_112876061_m_601_m4_195_26...
- qiy####.com.edg####.net/image/20180220/ec/15/v_114709119_m_601_m3_195_26...
- qiy####.com.edg####.net/image/20180220/f2/88/v_114544659_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180222/93/eb/a_100048851_m_601_m8_195_26...
- qiy####.com.edg####.net/image/20180301/16/16/a_100124019_m_601_m5_195_26...
- qiy####.com.edg####.net/image/20180301/6f/0b/v_113673625_m_601_m5_195_26...
- qiy####.com.edg####.net/image/20180303/42/01/v_114271068_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180305/70/11/v_115095851_m_601_195_260.jpg
- qiy####.com.edg####.net/image/20180305/e9/8f/v_112879818_m_601_m3_195_26...
- qiy####.com.edg####.net/image/20180307/12/9f/v_112881168_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180308/03/40/v_112858190_m_601_m1_195_26...
- qiy####.com.edg####.net/image/20180308/82/2d/v_112850590_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180308/93/05/v_115049919_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180308/f5/7a/v_114719881_m_601_m2_195_26...
- qiy####.com.edg####.net/image/20180309/61/de/a_100093613_m_601_m4_195_26...
- qiy####.com.edg####.net/image/20180311/31/3c/v_115155471_m_601_195_260.jpg
- qiy####.com.edg####.net/image/20180312/53/0a/v_113551634_m_601_m6_195_26...
- qiy####.com.edg####.net/image/20180312/91/8c/v_112883434_m_601_m4_195_26...
- qiy####.com.edg####.net/image/20180312/b6/33/v_115054861_m_601_m3_195_26...
- qiy####.com.edg####.net/image/20180313/89/e4/v_115040753_m_601_m3_195_26...
- qiy####.com.edg####.net/image/20180314/22/4b/v_112874974_m_601_m3_195_26...
- s####.jom####.com/push.js
- s####.jom####.com/s.gif?l=/m.iqiyi.com/v_19rr7ek778.html?vfm=####
- secu####.i####.com/jp/h5/count/play/684031000?_=####&callback=####
- subscri####.i####.com/dingyue/api/isSubscribed.action?agent_type=####&su...
- t####.c####.q####.####.com/20170512/1c67d24e-376c-4190-8d30-bac9875769b3...
- t####.c####.q####.####.com/20170512/6bb86d92-674f-45c6-bf39-b6e657756d0e...
- t####.c####.q####.####.com/20180211/2d77dfb3-78d9-404f-bfb1-470ba5ae8ebf...
- t####.c####.q####.####.com/20180211/6b958151-0f6c-4a96-a404-99e4a6e8ef9f...
- t####.c####.q####.####.com/20180309/e8adb210-ebdb-46af-b1e4-568689de14e3...
- t####.c####.q####.####.com/20180312/68f46fb5-743e-4856-9073-8873d1805087...
- t7z.c####.i####.com/show2?e=AF48R####&h=####&a=####&u=####&p=####&s=####...
- t7z.c####.i####.com/track2?w=####&dts=####&nr=####&c=####&f=####&g=####&...
- terr####.oss-cn-####.aliy####.com/1/load.bat
- yysd####.hsou####.com/mzyb-cps/appUpgrade.service?isAppStore=####&isSmsP...
- yysd####.hsou####.com/mzyb-cps/bannerInfo.service?cid=####&uuid=####&ime...
- yysd####.hsou####.com/mzyb-cps/hotword.service?pageNo=####&pageSize=####...
- yysd####.hsou####.com/mzyb-cps/icon/loading.gif
- yysd####.hsou####.com/mzyb-cps/qryAllChnl.service?uuid=####&imei=####&im...
- yysd####.hsou####.com/mzyb-cps/qryVideoChannelContentList.service?cid=##...
- yysd####.hsou####.com/mzyb-cps/videoDtl.service?id=####&uuid=####&imei=#...
- yysd####.hsou####.com/mzyb-cps/zdy_video_dist4.js
- yysd####.hsou####.com/yysd-cps/upList.service?uuid=####&imei=####&imsi=#...
HTTP POST requests:
- cf.gdata####.net/config/update
- cf.gdata####.net/dc/sync_adr
- sdk.qipa####.cn:8088/a.do
- v####.api.eeric####.com/api/payment/updateInit
- www.36####.com/andsdk/api/usaction.php?
- yysd####.hsou####.com/mzyb-cps/lookVideoStat.service?videoId=####&isRmd=...
- yysd####.hsou####.com/mzyb-cps/userActivation.service?uuid=####&imei=###...
- yysd####.hsou####.com/mzyb-cps/userVisit.service?uuid=####&imei=####&ims...
Modified file system:
Creates the following files:
- /data/data/####/dc.3EA938CF2CEDD9C4966B2627E9D1F734.preferences.xml
- /data/data/####/jmsdk.dat.xml
- /data/data/####/onib_clz.jar
- /data/data/####/twc.xml
- /data/data/####/wyzf_config20360606.xml
- <Package Folder>/cache/####/033cacbbddf912e5b27ce70e68d484c4.0.tmp
- <Package Folder>/cache/####/033cacbbddf912e5b27ce70e68d484c4.1.tmp
- <Package Folder>/cache/####/08d1c8c8004ee56b43a5fe29a58b9eb9.0.tmp
- <Package Folder>/cache/####/08d1c8c8004ee56b43a5fe29a58b9eb9.1.tmp
- <Package Folder>/cache/####/33500be1e0fe3e6a166a89534b45d0a8.0.tmp
- <Package Folder>/cache/####/33500be1e0fe3e6a166a89534b45d0a8.1.tmp
- <Package Folder>/cache/####/4fcfa56cd5ce29818a408e7e5f202a3c.0.tmp
- <Package Folder>/cache/####/4fcfa56cd5ce29818a408e7e5f202a3c.1.tmp
- <Package Folder>/cache/####/5db56c9574d8342d382e9636d0e43093.0.tmp
- <Package Folder>/cache/####/5db56c9574d8342d382e9636d0e43093.1.tmp
- <Package Folder>/cache/####/6a75654c815327c14b6c74b0885fba88.0.tmp
- <Package Folder>/cache/####/6a75654c815327c14b6c74b0885fba88.1.tmp
- <Package Folder>/cache/####/77b9fed48b13871d57f34261906a99a6.0.tmp
- <Package Folder>/cache/####/77b9fed48b13871d57f34261906a99a6.1.tmp
- <Package Folder>/cache/####/7921a3bcab35b90b12043ea46f61f4ea.0.tmp
- <Package Folder>/cache/####/7921a3bcab35b90b12043ea46f61f4ea.1.tmp
- <Package Folder>/cache/####/7bf4e97b39dea4617d39e852c17d8d10.0.tmp
- <Package Folder>/cache/####/7bf4e97b39dea4617d39e852c17d8d10.1.tmp
- <Package Folder>/cache/####/be30f6269556cf722ad2dd6e19e01c8d.0.tmp
- <Package Folder>/cache/####/be30f6269556cf722ad2dd6e19e01c8d.1.tmp
- <Package Folder>/cache/####/d281057221cfbdaff2933c995ae6df3e.0.tmp
- <Package Folder>/cache/####/d281057221cfbdaff2933c995ae6df3e.1.tmp
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/fe3c27efab5f38bd2068f9ced4bfe587.0.tmp
- <Package Folder>/cache/####/fe3c27efab5f38bd2068f9ced4bfe587.1.tmp
- <Package Folder>/cache/####/feb873092c46d76c08ca2138d3bb9e16.0.tmp
- <Package Folder>/cache/####/feb873092c46d76c08ca2138d3bb9e16.1.tmp
- <Package Folder>/cache/####/index
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/cache/####/myTempJsFile.js
- <Package Folder>/databases/MF_CFG-journal
- <Package Folder>/databases/MF_SQdb-journal
- <Package Folder>/databases/MF_STATS-journal
- <Package Folder>/databases/recommend_app-journal
- <Package Folder>/databases/sy_video_data_cache-journal
- <Package Folder>/databases/upgrade_app-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/shared_prefs/id.xml
- <Package Folder>/shared_prefs/initdata.xml
- <Package Folder>/shared_prefs/recommend.xml
- <Package Folder>/shared_prefs/setPlayRecord.xml
- <Package Folder>/shared_prefs/sy_pay.xml
- <Package Folder>/shared_prefs/time.xml
- <Package Folder>/shared_prefs/userName.xml
- <Package Folder>/shared_prefs/uuid.xml
- <SD-Card>/.4d02db8e14/####/4cc2f6f1a742469991b3658bf5a4fcaf
- <SD-Card>/.4d02db8e14/####/62be3648aeda47b480b1ca1a69256663
- <SD-Card>/.4d02db8e14/####/6baa986e1a2f46bfb72592c891937dbb
- <SD-Card>/.4d02db8e14/####/71d367b1843d4a339242c8a70de9e3a6
- <SD-Card>/.4d02db8e14/####/8004b3225dbc4aed81d84b444a728a5d
- <SD-Card>/.4d02db8e14/####/8fe31b92a0e44d3dbb2620ed77815c49
- <SD-Card>/.4d02db8e14/####/a9f0971079d544bfa2bd4145989be53b
- <SD-Card>/.4d02db8e14/####/b5257c47561f4518b039a60e95f768eb
- <SD-Card>/.4d02db8e14/####/b54bcc6c1ac44a6eabd671992dc8c4e3
- <SD-Card>/.4d02db8e14/####/c19f04103a384e86a70731e554de3372
- <SD-Card>/.4d02db8e14/####/com.ewfcbg.gsfggh.YyYm007_r3.tmp
- <SD-Card>/.4d02db8e14/####/com.kybc.scsd009_r1004.tmp
- <SD-Card>/.4d02db8e14/####/db4de41106984e14a85e6076c97c112e
- <SD-Card>/.4d02db8e14/####/e53ae753c7ea4afaa6494fb0dc64a4ce
- <SD-Card>/.4d02db8e14/####/f418aca5fee44993829e142c7158f572
- <SD-Card>/.4d02db8e14/####/fb99c34a7a8f4752be8ef9d2daacc0c0
- <SD-Card>/.4d02db8e14/####/fc23e7dfddbb46cc9ae45380755f45cc
- <SD-Card>/.4d02db8e14/.init
- <SD-Card>/.SystemService/####/uid
- <SD-Card>/.twservice/qshp_3001_2274.zip
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh
- ls -l /system/bin/su
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- DES-ECB-NoPadding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- DES-ECB-NoPadding
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Displays its own windows over windows of other applications.