Technical information
Malicious functions:
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.0) tcms-a####.wan####.ta####.com:443
- TCP(HTTP/1.1) haowa####.oss.aliy####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) m.d####.mob.com:80
- TCP(HTTP/1.1) w####.q####.dn.####.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) msg.umengc####.com:80
- TCP(HTTP/1.1) c.d####.mob.com:80
- TCP(HTTP/1.1) a####.m.ta####.com:80
- TCP(HTTP/1.1) tcms-op####.wan####.ta####.com:80
- TCP(HTTP/1.1) w####.ta####.com:80
- TCP(HTTP/1.1) s.haowa####.com:8900
- TCP(TLS/1.0) msg.umengc####.com:443
- TCP(TLS/1.0) s.haowa####.com:8008
- TCP(TLS/1.0) a####.a####.m.####.com:443
- TCP 1####.124.33.149:5222
- TCP umengj####.m.ta####.com:80
- TCP ope####.m.ta####.com:443
- TCP 2####.204.101.107:80
DNS requests:
- _ja####._####.zhizhi####.com
- _xmpp-c####._####.zhizhi####.com
- a####.exc.mob.com
- a####.m.ta####.com
- a####.m.ta####.com
- a####.u####.com
- ag####.m.ta####.com
- c.d####.mob.com
- haowa####.oss.aliy####.com
- haowa####.qin####.com
- hotp####.wan####.ta####.com
- m.d####.mob.com
- msg.umengc####.com
- s.haowa####.com
- tcms-a####.wan####.ta####.com
- tcms-op####.wan####.ta####.com
- umen####.m.ta####.com
- umengj####.m.ta####.com
- w####.ta####.com
HTTP GET requests:
- haowa####.oss.aliy####.com/180d5ccb10541052b866a93015ac88e8
- haowa####.oss.aliy####.com/1882eac08a881b548c4078f2107f307e
- haowa####.oss.aliy####.com/1a225be0cf236f51966f12364b9d71b0
- haowa####.oss.aliy####.com/30c081bcf70c6c59e62da23042fc64c5
- haowa####.oss.aliy####.com/321dda6dba2a7aa5db90b0ef32ed819e
- haowa####.oss.aliy####.com/3851b2bb37d1a0a80a661d630407d98d
- haowa####.oss.aliy####.com/3ada8bf08be2661595ed3074c5fc5f9f
- haowa####.oss.aliy####.com/429f3e7658375d35d119593f91813ddd
- haowa####.oss.aliy####.com/58ac0672a2fa1e6addf83a4519d2ab3d
- haowa####.oss.aliy####.com/6d17e88bc229111250cc7ed0765763da
- haowa####.oss.aliy####.com/72f408d73c6d09f3b8252bb645de6b7b
- haowa####.oss.aliy####.com/79d982014af8c2bced0fa3438d74283b
- haowa####.oss.aliy####.com/7d582ba0f65dca3c4e620f4fd4628602
- haowa####.oss.aliy####.com/a795a88c45d030ae767b30b6b80d65fd
- haowa####.oss.aliy####.com/af9c4cb5971ca6aec6260b0c37400143
- haowa####.oss.aliy####.com/cc0c6fed95fb01d75e3b112f1ba80e72
- haowa####.oss.aliy####.com/d551542e935c93146b8f2cee28f8103f
- haowa####.oss.aliy####.com/d8e137ad8090d1a78c807af7ad453470
- haowa####.oss.aliy####.com/d8f9a54cd398a3b9e76bfa1a17f0b2b9
- haowa####.oss.aliy####.com/e64a0806b8b006f815ea63a579bd96d6
- haowa####.oss.aliy####.com/ea7c0bed36e046b69bdf5c5ca73d96c8
- haowa####.oss.aliy####.com/f39a058102a5bf5bcb38171b4ef42954
- haowa####.oss.aliy####.com/f9f121d6cad6780c5905d5d830b76860
- haowa####.oss.aliy####.com/fbe786d612678409cff86d4db0c668ef
- haowa####.oss.aliy####.com/fdf4e21a469d6966a4482f86ed11068e
- haowa####.oss.aliy####.com/fe09c46831ced261a519d535f5883766
- m.d####.mob.com/v3/cconf?appkey=####&plat=####&apppkg=####&appver=####&n...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetAppreClassInfo?jid=####
- s.haowa####.com:8900/RegisterDemo1/servlet/GetAppreciation?jid=####&acti...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetForumInfo?forumid=####&jid...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetForumList?reqid=####&jid=#...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetGoodNote?currentnum=####&n...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetInvcode?jid=####
- s.haowa####.com:8900/RegisterDemo1/servlet/GetNewsList?jid=####&newsid=#...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetPostList?forumid=####&comt...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetRecomUser?page=####&subtyp...
- s.haowa####.com:8900/RegisterDemo1/servlet/GetUserInfo?jid=####&vsjid=####
- s.haowa####.com:8900/RegisterDemo1/servlet/SyncSp?jid=####
- s.haowa####.com:8900/RegisterDemo1/servlet/UpLoadUmToken?jid=####&passwd...
- tcms-a####.wan####.ta####.com:443/imlogingw/tcp60login?devid=####&ver=####
- tcms-op####.wan####.ta####.com/getapprule?appkey=####&appId=####
- w####.q####.dn.####.com/0a7df88cf579c1045761d5519ab283df
- w####.q####.dn.####.com/19c2ad8493752481d29ee32c959bb771
- w####.q####.dn.####.com/2018-03-23-16-38-36pk2m0nol-0.png
- w####.q####.dn.####.com/29c8b184aa6e5897bf07ff4b31c4d788
- w####.q####.dn.####.com/2e841a4ae718f39ed96a783dbf420f1c
- w####.q####.dn.####.com/3cd27ddeb6de3dc5fa90583bd4eaa069
- w####.q####.dn.####.com/403f2a7e22b4208c888bbeafa3cc2b1e
- w####.q####.dn.####.com/4fcb6b90bc3011cd722199d2729b3159
- w####.q####.dn.####.com/58089e31c090a413928eeab1e8efd6b0
- w####.q####.dn.####.com/598adffabf43f29b733695ebadc7f2e0
- w####.q####.dn.####.com/80cd15493cd6a3ed3056bb98967b1cbc
- w####.q####.dn.####.com/8ce623e740d867c0c8fda394e0308590
- w####.q####.dn.####.com/90ec46bbb5eefad3b5e437bb9fb3e948
- w####.q####.dn.####.com/a1c093a35a0cbf112d97f2dac69554d8
- w####.q####.dn.####.com/bae0891f2b3fff707375c5a26d85ba8e
- w####.q####.dn.####.com/c5930b2e561357e1f77c0ef7888b9fb1
- w####.q####.dn.####.com/d62f2115fae54cd7967941d2da8a5b96
- w####.q####.dn.####.com/d8e2bf1f05ddcef724f5b134b54c3c10
HTTP POST requests:
- a####.exc.mob.com/errconf
- a####.m.ta####.com/rest/gc?dd=####&nsgs=####&ak=####&av=####&c=####&v=##...
- a####.m.ta####.com/rest/gc?dd=3Lw8####&nsgs=####&ak=####&av=####&c=####&...
- a####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=####&...
- a####.u####.com/app_logs
- c.d####.mob.com/v2/cdata
- msg.umengc####.com/register
- w####.ta####.com/api/user/getUser.json
Modified file system:
Creates the following files:
- /data/data/####/-AqIoTCyYWJBC-7PZ3RUc0Hl3yo.38549957.tmp
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.lock
- /data/data/####/00d5c0bcd8f4c73c5ffc55dfc98e6034.0.tmp
- /data/data/####/00d5c0bcd8f4c73c5ffc55dfc98e6034.1.tmp
- /data/data/####/026480a531d276b9e9ebb68b7e996fc1.0.tmp
- /data/data/####/026480a531d276b9e9ebb68b7e996fc1.1.tmp
- /data/data/####/0442e003116bff6257a004df5f7ccc72.0.tmp
- /data/data/####/0442e003116bff6257a004df5f7ccc72.1.tmp
- /data/data/####/04d15df0b5348bac52eefd33e8afb89b.0.tmp
- /data/data/####/04d15df0b5348bac52eefd33e8afb89b.1.tmp
- /data/data/####/08bda745d3c48f301aca23978ad6c006.0.tmp
- /data/data/####/08bda745d3c48f301aca23978ad6c006.1.tmp
- /data/data/####/0a320abc17b0b40ae393116131d8c3dc.0.tmp
- /data/data/####/0a320abc17b0b40ae393116131d8c3dc.1.tmp
- /data/data/####/0bc738496c0e94796dc5c820b9420c6c.0.tmp
- /data/data/####/0bc738496c0e94796dc5c820b9420c6c.1.tmp
- /data/data/####/0ce798dfefd9e5ee03ccc0ec05ca454b.0.tmp
- /data/data/####/0ce798dfefd9e5ee03ccc0ec05ca454b.1.tmp
- /data/data/####/11ac33b27e3e10713b5ee8f584a887e7.0.tmp
- /data/data/####/11ac33b27e3e10713b5ee8f584a887e7.1.tmp
- /data/data/####/1d2b904cbeadfb72ed9546111a231c85.0
- /data/data/####/22b42df1627aa53fb42b19868df630b6.0.tmp
- /data/data/####/22b42df1627aa53fb42b19868df630b6.1.tmp
- /data/data/####/24c110e1f76093b35c3c2df1927aab79.0
- /data/data/####/2cdda0857248d527c950f6f5abfbbcb4.0.tmp
- /data/data/####/2cdda0857248d527c950f6f5abfbbcb4.1.tmp
- /data/data/####/2e556b69e0ef348ad08e3c7677d486bd.0.tmp
- /data/data/####/2e556b69e0ef348ad08e3c7677d486bd.1.tmp
- /data/data/####/30ea8120077ef83e7faf3236be048a1a.0.tmp
- /data/data/####/30ea8120077ef83e7faf3236be048a1a.1.tmp
- /data/data/####/3180cd12306cc783bb4f6bbd47a8d787.0.tmp
- /data/data/####/3180cd12306cc783bb4f6bbd47a8d787.1.tmp
- /data/data/####/374c687e08a3c0b42143a9bba077a58c.0.tmp
- /data/data/####/374c687e08a3c0b42143a9bba077a58c.1.tmp
- /data/data/####/3dcbd5f711156d7be5859332eb0a5389.0.tmp
- /data/data/####/3dcbd5f711156d7be5859332eb0a5389.1.tmp
- /data/data/####/3f366fe7f06fd27779988334464b8c0e.0.tmp
- /data/data/####/3f366fe7f06fd27779988334464b8c0e.1.tmp
- /data/data/####/45130cea4ef94238a216b8968eaeb3ef.0.tmp
- /data/data/####/45130cea4ef94238a216b8968eaeb3ef.1.tmp
- /data/data/####/462f8b94f118345e60bdeb346a94f8c9.0.tmp
- /data/data/####/462f8b94f118345e60bdeb346a94f8c9.1.tmp
- /data/data/####/48d03f22c66d0bc11e59ddc897913a73.0.tmp
- /data/data/####/48d03f22c66d0bc11e59ddc897913a73.1.tmp
- /data/data/####/4b74e3e0a2bb0fbe5a882da1052f60ed.0.tmp
- /data/data/####/4b74e3e0a2bb0fbe5a882da1052f60ed.1.tmp
- /data/data/####/4e2ad48544e9675b190661b55c4fea94.0.tmp
- /data/data/####/4e2ad48544e9675b190661b55c4fea94.1.tmp
- /data/data/####/52b72b6c8e1d31c7c4e4f19272ab6a6c.0.tmp
- /data/data/####/52b72b6c8e1d31c7c4e4f19272ab6a6c.1.tmp
- /data/data/####/5779635352e5a032cd658abaa42de371.0.tmp
- /data/data/####/5779635352e5a032cd658abaa42de371.1.tmp
- /data/data/####/57P0kXvz4y90li5VFJNi-X18IzY.458412710.tmp
- /data/data/####/583a26899f3054a1171b309f2408cabf.0.tmp
- /data/data/####/583a26899f3054a1171b309f2408cabf.1.tmp
- /data/data/####/59UWhOh4MAKl8h-La-W4y57gPVw.-257015366.tmp
- /data/data/####/5fdd86e09afbb6720d0a2d0dd0f24b33.0.tmp
- /data/data/####/5fdd86e09afbb6720d0a2d0dd0f24b33.1.tmp
- /data/data/####/60ecd2be19c5b2d292a655d50ac6d42a.0.tmp
- /data/data/####/60ecd2be19c5b2d292a655d50ac6d42a.1.tmp
- /data/data/####/647f77701195d53525a2366649bd4473.0.tmp
- /data/data/####/647f77701195d53525a2366649bd4473.1.tmp
- /data/data/####/6NYMwcQJ736WeHBRM9aI0KvUdAs.904544492.tmp
- /data/data/####/6c0e7ad689afdc91f67be00eec706e4a.0.tmp
- /data/data/####/6c0e7ad689afdc91f67be00eec706e4a.1.tmp
- /data/data/####/75faacc6d47ddb0a6f16f0a452637368.0.tmp
- /data/data/####/75faacc6d47ddb0a6f16f0a452637368.1.tmp
- /data/data/####/779fb5c0f5b1753db79aeb67feb8f88a.0.tmp
- /data/data/####/779fb5c0f5b1753db79aeb67feb8f88a.1.tmp
- /data/data/####/848a48e0d8e9f8fb5d9c9a5b116061b6.0.tmp
- /data/data/####/848a48e0d8e9f8fb5d9c9a5b116061b6.1.tmp
- /data/data/####/88c8f1c4ddb3969f8b1fffea32325b9e.0.tmp
- /data/data/####/88c8f1c4ddb3969f8b1fffea32325b9e.1.tmp
- /data/data/####/94CFJdzOMDuHiBVowlTgzTSgjTg.-432189936.tmp
- /data/data/####/96038b66bbff61c5f5461968515556de.0.tmp
- /data/data/####/96038b66bbff61c5f5461968515556de.1.tmp
- /data/data/####/ACCS_BINDumeng;52a0242156240b5b4a0104f9.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/AJ-zpStIvnhON-rKSq2vQ0M_8c8.-147013182.tmp
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/Ao7snHqHMrvPgdy59NrBTl2Iwuo.96351177.tmp
- /data/data/####/Az7zX6MUdCetTl6A1BUKgH3lsow.1954034756.tmp
- /data/data/####/BIKeWIS33ZDSM7m-bK9RIXfHtEk.96351177.tmp
- /data/data/####/BK-ZmjVMQFVGR91gP7kRJD_urV0.777285068.tmp
- /data/data/####/BaB4ST7Q762WsCejODVerfIuw7Q.304101901.tmp
- /data/data/####/ContextData.xml
- /data/data/####/D40xFPiDk1wxZYGe9IlQ4DD3Bsc.-633720303.tmp
- /data/data/####/DaemonServer
- /data/data/####/EVZIbpodTlIygBqy6w5OEmgKBvo.1270291234.tmp
- /data/data/####/Hox1C2uTSnbRf76n-k_gxmrMcsY.-492889298.tmp
- /data/data/####/JwqyfKSU_mnYunlYpWTQoROCQc8.-492889298.tmp
- /data/data/####/KeyStore.bks
- /data/data/####/Kk9vr4uSGzTxbE3EklI3FGJ3jns.-477321477.tmp
- /data/data/####/MXa1iHmTtCIg40F9TM3vwAsy6mU.-145082846.tmp
- /data/data/####/MessageStore.db
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/NGQGCjVfqUq1ftnpPpVtIIJWPb0.38549957.tmp
- /data/data/####/NL5alAq8XEd4tmCpk0j439VeNHE.cnt
- /data/data/####/PZuxrrda6Te9Ycq850S6FxVVI7o.-180227130.tmp
- /data/data/####/PcgZ6nMjszOAxyAKFU9Lr2-Wmuk.1503204923.tmp
- /data/data/####/SjFfUJWBTavuKEoCwqCQeLjj1kU.1265501953.tmp
- /data/data/####/T6x2HdNr7ZGiHX2tqtPwEfgUpfM.-633720303.tmp
- /data/data/####/ThrowalbeLog.db
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/UTCommon.xml
- /data/data/####/UTMCConf-818791854.xml
- /data/data/####/UTMCLog-818791854.xml
- /data/data/####/XoWHMn5ChwH08LUZLdwSr13-yi4.-180227130.tmp
- /data/data/####/YUAMXN3AUTUrHcnLd1Je6ZTf6a4.-1668114747.tmp
- /data/data/####/Ys4cgNNoawRF3lNVQ9xBaOQ3V_k.1265501953.tmp
- /data/data/####/ZPZbdNWo_N3tdS5VEHC0_vj7QBM.-217780376.tmp
- /data/data/####/a39eb9000e9da98cf2e11ab2dbbe5754.0.tmp
- /data/data/####/a39eb9000e9da98cf2e11ab2dbbe5754.1.tmp
- /data/data/####/ac4c49766b1956618f3be811d393c87f.0.tmp
- /data/data/####/ac4c49766b1956618f3be811d393c87f.1.tmp
- /data/data/####/accs.db
- /data/data/####/accs.db-journal
- /data/data/####/agoo.pid
- /data/data/####/bd1cfef5793af09c562b0dcdecef1a55.0.tmp
- /data/data/####/bd1cfef5793af09c562b0dcdecef1a55.1.tmp
- /data/data/####/cb729e876f0479ed297f8b2af14f8c21.0.tmp
- /data/data/####/cb729e876f0479ed297f8b2af14f8c21.1.tmp
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/channel_pre.xml
- /data/data/####/cn_feng_skin_pref.xml
- /data/data/####/com.haowan.huabar_2077
- /data/data/####/com.haowan.huabar_2489
- /data/data/####/com.haowan.huabar_TcmsService_2129
- /data/data/####/com.haowan.huabar_preferences.xml
- /data/data/####/com.haowan.huabar_preferences.xml (deleted)
- /data/data/####/crash-1510835433916.cr
- /data/data/####/d0bb9a82bde1b53cbf07f70796774aa2.0.tmp
- /data/data/####/d0bb9a82bde1b53cbf07f70796774aa2.1.tmp
- /data/data/####/d0g8MlpuOPf7gjaB7uC9xxZZx18.-209356049.tmp
- /data/data/####/d611f8697fdb715db73c8ad1bc820480.0.tmp
- /data/data/####/d611f8697fdb715db73c8ad1bc820480.1.tmp
- /data/data/####/dcbc3c3134f1db78635edb9472b83047
- /data/data/####/dcbc3c3134f1db78635edb9472b83047-journal
- /data/data/####/e4deff0be395f25a70b61e5e838c9cf7.0.tmp
- /data/data/####/e4deff0be395f25a70b61e5e838c9cf7.1.tmp
- /data/data/####/e74ef1f7c5bbfd79cd5be2d4acf770ca.0.tmp
- /data/data/####/e74ef1f7c5bbfd79cd5be2d4acf770ca.1.tmp
- /data/data/####/e974228f7a71a2b8a939f4e1f9302e27.0.tmp
- /data/data/####/e974228f7a71a2b8a939f4e1f9302e27.1.tmp
- /data/data/####/efa55a5c69db58552c01946e895afbf5.0.tmp
- /data/data/####/efa55a5c69db58552c01946e895afbf5.1.tmp
- /data/data/####/efdd3c631f778abe22d14bea1920a196.0.tmp
- /data/data/####/efdd3c631f778abe22d14bea1920a196.1.tmp
- /data/data/####/eudemon
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/ezfgbmM-mUZHs9LTauGY0NLM_p4.458412710.tmp
- /data/data/####/f3b261b2b7a1851116d360099a419f5b.0.tmp
- /data/data/####/f3b261b2b7a1851116d360099a419f5b.1.tmp
- /data/data/####/f5cdeb691dd17eefee3f5ba95c1f1b0d.0.tmp
- /data/data/####/f5cdeb691dd17eefee3f5ba95c1f1b0d.1.tmp
- /data/data/####/f804b1d49680272e4107a4166df4c973.0.tmp
- /data/data/####/f804b1d49680272e4107a4166df4c973.1.tmp
- /data/data/####/fbFXK2N6wl6X80gCHGTWGpIV4pE.1715816160.tmp
- /data/data/####/fd1ab4e083fa1c5c8822854dc52d4a55.0.tmp
- /data/data/####/fd1ab4e083fa1c5c8822854dc52d4a55.1.tmp
- /data/data/####/fdc0f4dc4fdc0371d2ed5940e59c8ec6.0.tmp
- /data/data/####/fdc0f4dc4fdc0371d2ed5940e59c8ec6.1.tmp
- /data/data/####/gLidwwSp5F0-iAZZVn-1KuwYufg.-1585085383.tmp
- /data/data/####/gQt-Op28eHGxE3j4mVl7OGd42js.-1585085383.tmp
- /data/data/####/gaM5DjpbEOuF2rAMfDvgY-x2XBs.886345201.tmp
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/ilJv-F9vWrIaxHZm7kZDyGfa-5I.-1251266678.tmp
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/kdAw3B8HDmWPSCBKTWAm8Glz5uM.-1668114747.tmp
- /data/data/####/libjiagu.so
- /data/data/####/logdb.db
- /data/data/####/logdb.db-journal
- /data/data/####/m86qt_byeZsVeVDc_S0xuL75Urc.-217780376.tmp
- /data/data/####/mENugsV8nWkHW-XPwDs3zPYGNh8.1496771218.tmp
- /data/data/####/meRjMCGs6hHOZTtMVOoHEWff2Lw.-325964827.tmp
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/mob_commons_1.xml
- /data/data/####/mob_sdk_exception_1.xml
- /data/data/####/mob_sdk_exception_1.xml (deleted)
- /data/data/####/multidex.version.xml
- /data/data/####/oDYy7ufHRA6-wg7T737OJe_s9Lw.-257015366.tmp
- /data/data/####/paintgame.db
- /data/data/####/paintgame.db-journal
- /data/data/####/qigIQlzDnTELNrGLHm99KsfvyyM.-1912868622.tmp
- /data/data/####/qihoo_jiagu_crash_report.xml
- /data/data/####/sp.lock
- /data/data/####/tcms_setting_sp.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/v78UbdA7LSE_VRrfFy6vguthp6A.1503204923.tmp
- /data/data/####/webview.db
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/data/####/whoamP0DT-Hd7Gt20UC-rBnI_VA.-147013182.tmp
- /data/data/####/xBJbgwJ5fKg9vwNQcNEfCQ-eC4k.904544492.tmp
- /data/data/####/yAPCZAuhhc2Gcs1TcM4e2bfauHQ.-1912868622.tmp
- /data/data/####/ywAccount.xml
- /data/data/####/ywPrefsTools.xml
- /data/data/####/z06cU2HD_OnfiLaNtcbRFCBLDCI.-466044239.tmp
- /data/data/####/zm9HS39wijCYF8ALAWXiF1GAGSE.2141756253.tmp
- /data/data/####/zxu3znWtavy65ni2wu4rMJwzKOo.959179670.tmp
- /data/media/####/.al
- /data/media/####/.bar
- /data/media/####/.dh
- /data/media/####/.dh-journal
- /data/media/####/.dhlock
- /data/media/####/.dic_lock
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.nomedia
- /data/media/####/.nulal
- /data/media/####/.nulplt
- /data/media/####/.pkg_lock
- /data/media/####/.plst
- /data/media/####/.rcTag
- /data/media/####/.rc_lock
- /data/media/####/.serveruuid
- /data/media/####/14a2b8f74bda4de0b9ceca079cba64c6
- /data/media/####/1510835412485.db
- /data/media/####/1510835416123.db
- /data/media/####/1510835422996.db
- /data/media/####/1510835440918.db
- /data/media/####/20171116123033.txt
- /data/media/####/2_20171116_r
- /data/media/####/6c709c11d2d46a7b
- /data/media/####/8741646330124bb8b9150b1e69bbedfa
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/alsn20170807.db
- /data/media/####/alsn20170807.db-journal
- /data/media/####/dd7893586a493dc3
- /data/media/####/deviceToken
- /data/media/####/inapp_20171116.log
Miscellaneous:
Executes next shell scripts:
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:52a0242156240b5b4a0104f9","utdid":"Wg2E0vRyvjEDAGdzx1G/HMtA","sdkVersion":"220"} -I agoodm.m.taobao.com -O 80 -T -Z
- app_process /system/bin com.android.commands.pm.Pm list packages
- cat /proc/cpuinfo | grep Serial
- chmod 500 <Package Folder>/files/DaemonServer
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop
- getprop ro.product.cpu.abi
- grep -E -v root|shell|system
- ls -l /system/xbin/su
- pm list packages
- sh
- top -d 0 -n 1
Loads the following dynamic libraries:
- fb_jpegturbo
- imagepipeline
- inet.2.0
- libjiagu
- neh
- securitysdk-3.1
- tnet-3.1
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- RSA-ECB-PKCS1Padding
- RSA-NONE-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- AES-ECB-PKCS5Padding
Uses special library to hide executable bytecode.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about running applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.