Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Triada.222.origin
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) 1####.79.62.117:8080
- TCP(HTTP/1.1) l####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) d####.c####.l####.####.com:80
- TCP(TLS/1.0) 1####.55.32.160:9050
DNS requests:
- and####.b####.qq.com
- cdn.joy-r####.com
- h####.c####.com
- l####.oss-cn-####.aliy####.com
HTTP GET requests:
- d####.c####.l####.####.com/033e15e8-156d-4cbc-8ece-46129635ef5dbdco_20025
- l####.oss-cn-####.aliy####.com/ssssssssssss.ttf
- z.c####.com/stat.htm?id=####&cnzz_eid=####
HTTP POST requests:
- and####.b####.qq.com/rqd/async?aid=####
Modified file system:
Creates the following files:
- /data/data/####/1004
- /data/data/####/3018798.dex
- /data/data/####/3018798.dex (deleted)
- /data/data/####/3018798.jar
- /data/data/####/3323003.jar
- /data/data/####/3323003.ttf
- /data/data/####/ads2017
- /data/data/####/bdco
- /data/data/####/bdco.cf
- /data/data/####/bugly_db_-journal
- /data/data/####/crashrecord.xml
- /data/data/####/ljtq.xml
- /data/data/####/local_crash_lock
- /data/data/####/multidex.version.xml
- /data/data/####/security_info
- /data/data/####/ssssssssssss.temp (deleted)
- /data/data/####/webview.db-journal
- /data/media/####/YvscMPs.xml
- /data/media/####/webinfo.xml
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh -c getprop
- /system/bin/sh -c type su
- getprop
Loads the following dynamic libraries:
- Bugly
Uses the following algorithms to encrypt data:
- AES-GCM-NoPadding
- DES-ECB-NoPadding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES
- AES-GCM-NoPadding
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Adds tasks to the system scheduler.