Android.Packed.37098

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.DownLoader.589.origin

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) ada####.m.ta####.com:80
TCP(HTTP/1.1) ser####.pic####.a####.com:80
TCP(HTTP/1.1) oc.u####.com:80
TCP(HTTP/1.1) zhg.ali####.com:80
TCP(HTTP/1.1) t####.c####.q####.####.com:80
TCP(HTTP/1.1) v####.c####.q####.####.net:80
TCP(HTTP/1.1) pi####.qq.com:80
TCP(HTTP/1.1) ad####.m.ta####.com:80
TCP(HTTP/1.1) ser####.vid####.a####.com:80
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) sdk.o####.p####.####.com:80
TCP(HTTP/1.1) ser####.l####.a####.com:80
TCP(TLS/1.0) o####.l####.top:443
TCP(TLS/1.0) ser####.vid####.a####.com:443
TCP(TLS/1.0) f####.l####.top:443
TCP(TLS/1.0) ssl.google-####.com:443
TCP(TLS/1.0) api.t####.co:443
TCP(TLS/1.0) sh.wagbr####.ta####.com:443
TCP(TLS/1.0) sett####.crashly####.com:443
TCP c####.g####.ig####.com:5225
TCP sdk.o####.t####.####.com:5224

DNS requests:

7j####.c####.z0.####.com
a####.u####.com
ad####.m.ta####.com
ada####.m.ta####.com
api.t####.co
bcfeed####.ta####.com
c####.g####.ig####.com
cdn.v####.pic####.####.tv
f####.l####.top
o####.l####.top
oc.u####.com
pi####.qq.com
sdk.o####.i####.####.com
sdk.o####.p####.####.com
sdk.o####.t####.####.com
ser####.ad.a####.com
ser####.l####.a####.com
ser####.pic####.a####.com
ser####.vid####.a####.com
sett####.crashly####.com
ssl.google-####.com
y####.al####.com

HTTP GET requests:

ad####.m.ta####.com/rest/gc2?ak=####&av=####&c=####&d=####&sv=####&t=###...
ser####.l####.a####.com/live/config?adult=####
ser####.l####.a####.com/v3/ad/bundle?position=####&app=####&iso=####&osV...
ser####.l####.a####.com/v3/ad/config?os=####&model=####&apiver=####&osve...
ser####.l####.a####.com/v3/ad/splash?app=####&iso=####&osVer=####&mcc=##...
ser####.pic####.a####.com/v1/recommend/home/float?adult=####
ser####.vid####.a####.com/v1/analytics?id=####&type=####
t####.c####.q####.####.com/tdata_gbU702
t####.c####.q####.####.com/tdata_jYz574
v####.c####.q####.####.net/5ae0378d0422087736e9526b.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae4517d042208185b8d6117.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae4517d042208185b8d6117.mp4?sign=####&t=####
v####.c####.q####.####.net/5ae480e404220818414970f4.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae48d1631f61341298cc725.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae48d6204220818829e4fb0.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae494c4042208189c2218dd.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae4ae2b31f61341298d18a3.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae4e92a04220818414a1d23.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae50583042208189c22aa59.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae590db042208188f1a707a.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae5a24531f6134178c462f2.jpg?imageMo####&sign...
v####.c####.q####.####.net/5ae5ad6d31f613415db3da52.jpg?imageMo####&sign...

HTTP POST requests:

a####.u####.com/app_logs
ada####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=###...
oc.u####.com/v2/check_config_update
oc.u####.com/v2/get_update_time
pi####.qq.com/mstat/report/?index=####
sdk.o####.p####.####.com/api.php?format=####&t=####
zhg.ali####.com/saveWb.json

Modified file system:

Creates the following files:

/data/anr/traces.txt
/data/data/####/-1682015392-305713952
/data/data/####/.imprint
/data/data/####/.jg.ic
/data/data/####/.mta-wxop.xml
/data/data/####/.old_file_converted
/data/data/####/0a231bd8575dcf72.txt
/data/data/####/1003.dat
/data/data/####/1003prv.dat
/data/data/####/1011Dem.dat
/data/data/####/1525068257142
/data/data/####/1525068257524
/data/data/####/1636243960-1673208566
/data/data/####/1d77ea041509fe06.lock
/data/data/####/21c22f492aba3de8.lock
/data/data/####/2f4e24fe0913c4fc5fbb20395d63be3b1b86413e4ae2985....0.tmp
/data/data/####/33eb6bef0d86e3f6cd62b87c74f1d0b4cec656d2547c545....0.tmp
/data/data/####/350254700896677837
/data/data/####/3ce7ecfb0f1cc774498706796fc184d7ce660dcad3df697....0.tmp
/data/data/####/4dfbe1e87192ec42037aae25911d80cce51bec009ecff24....0.tmp
/data/data/####/5.jar
/data/data/####/5AE6B1B50162-0001-081B-A60A1B42AE17BeginSession.cls_temp
/data/data/####/5AE6B1B50162-0001-081B-A60A1B42AE17SessionApp.cls_temp
/data/data/####/5AE6B1B50162-0001-081B-A60A1B42AE17SessionDevice.cls_temp
/data/data/####/5AE6B1B50162-0001-081B-A60A1B42AE17SessionOS.cls_temp
/data/data/####/5AE6B1C20097-0001-0A52-A60A1B42AE17BeginSession.cls_temp
/data/data/####/5AE6B1C20097-0001-0A52-A60A1B42AE17SessionApp.cls_temp
/data/data/####/5AE6B1C20097-0001-0A52-A60A1B42AE17SessionDevice.cls_temp
/data/data/####/5AE6B1C20097-0001-0A52-A60A1B42AE17SessionOS.cls_temp
/data/data/####/6
/data/data/####/6.xml
/data/data/####/66ad99dec65074567b9c4035473394b363312e23a6075ce....0.tmp
/data/data/####/67caff5e503d4956f38ab5b4564771f594d283e87b581c3....0.tmp
/data/data/####/6f7f4d291f5a965e04e0c715db5a9f16c87c1b64e72dab8....0.tmp
/data/data/####/930a31b34bd52c08.lock
/data/data/####/AdvSDK.xml
/data/data/####/Alvin2.xml
/data/data/####/ContextData.xml
/data/data/####/SGMANAGER_DATA2.tmp
/data/data/####/TwitterAdvertisingInfoPreferences.xml
/data/data/####/UTCommon.xml
/data/data/####/UTCommon.xml.bak (deleted)
/data/data/####/a68c1c0451b625e8581e8ce241c9b479f6db6a5bcd2ad4f....0.tmp
/data/data/####/a810883b5c89b837ac92dc004e4afe0a34b89e528f5f132....0.tmp
/data/data/####/adk_pref.xml
/data/data/####/ap.Lock
/data/data/####/b202b90e8284186b8710f6231a5cfe70eb8e2a9230e8095....0.tmp
/data/data/####/bce6422bb845221c999a80550231ced7d187081af6cdd52....0.tmp
/data/data/####/c30e87bd6c1e4072ef88311c34f62697696ea15858211cc....0.tmp
/data/data/####/cc.db
/data/data/####/cc.db-journal
/data/data/####/com.crashlytics.prefs.xml
/data/data/####/com.crashlytics.sdk.android;answers;settings.xml
/data/data/####/com.crashlytics.settings.json
/data/data/####/com.ewstsrzt.erytyytz_preferences.xml
/data/data/####/config.conf
/data/data/####/def7d137c644e6f7dca112c7fab42a49b18fec13c1b0542....0.tmp
/data/data/####/e5329e2bc1f2860897a1fb30523b6e071bd5d9d950a5a1c....0.tmp
/data/data/####/evernote_jobs.db
/data/data/####/evernote_jobs.db-journal
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/filedownloader.db-journal
/data/data/####/gaClientId
/data/data/####/gdaemon_20151105
/data/data/####/google_analytics_v2.db-journal
/data/data/####/increment.db-journal
/data/data/####/init.pid
/data/data/####/initialization_marker
/data/data/####/io.fabric.sdk.android;fabric;io.fabric.sdk.andr...ng.xml
/data/data/####/journal.tmp
/data/data/####/kr.xml
/data/data/####/kr.xml (deleted)
/data/data/####/libjiagu.so
/data/data/####/libsgmainso-5.1.81.so.tmp
/data/data/####/live_video_res.db-journal
/data/data/####/lock.lock
/data/data/####/multidex.version.xml
/data/data/####/onlineconfig_agent_online_setting_com.ewstsrzt....tz.xml
/data/data/####/pri_wxop_tencent_analysis.db-journal
/data/data/####/push.pid
/data/data/####/pushext.db-journal
/data/data/####/pushg.db-journal
/data/data/####/pushsdk.db-journal
/data/data/####/rc.dat
/data/data/####/run.pid
/data/data/####/sa_311bcdb6-f4d2-48ae-a540-3a93a74003a4_1525068214342.tap
/data/data/####/session_analytics.tap
/data/data/####/session_analytics.tap.tmp
/data/data/####/sp.lock
/data/data/####/splash_ads_path
/data/data/####/t_u.db-journal
/data/data/####/tdata_gbU702.jar
/data/data/####/tdata_gbU702.tmp
/data/data/####/tdata_jYz574.jar
/data/data/####/tdata_jYz574.tmp
/data/data/####/tmobi.xml
/data/data/####/tmpV1
/data/data/####/tray.db-journal
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/ut.db
/data/data/####/ut.db-journal
/data/data/####/vbz.xml
/data/data/####/wxop_tencent_analysis.db-journal
/data/media/####/.mid.txt
/data/media/####/5ae4517d042208185b8d6117.mp4.temp
/data/media/####/5ae4517d042208185b8d6117.mp4.temp.temp
/data/media/####/6c709c11d2d46a7b
/data/media/####/Alvin2.xml
/data/media/####/ContextData.xml
/data/media/####/adklwp.db
/data/media/####/adklwp.db-journal
/data/media/####/app.db
/data/media/####/com.ewstsrzt.erytyytz.db
/data/media/####/com.getui.sdk.deviceId.db
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/dd7893586a493dc3
/data/media/####/hid.dat
/data/media/####/tdata_gbU702
/data/media/####/tdata_jYz574

Miscellaneous:

Executes next shell scripts:

./tmpV1
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
<Package Folder>/files/gdaemon_20151105 0 <Package>/com.igexin.sdk.PushService 25261 300 0
chmod 400 <Package Folder>/files/tmobi/config.conf
chmod 500 <Package Folder>/files/tmobi/tmpV1
chmod 700 <Package Folder>/files/gdaemon_20151105
chmod 755 <Package Folder>/.jiagu/libjiagu.so
pkill -18 <Package Folder>/files/tmobi/tmpV1
sh
sh <Package Folder>/files/gdaemon_20151105 0 <Package>/com.igexin.sdk.PushService 25261 300 0

Loads the following dynamic libraries:

adklwp
box2d
ezaction
ezbase
ezinterpolator
ezlwp
ezparticle
ezpathiterator
ezphysics
ezrt
eztransition
libjiagu
sgmainso-5.1
ut_c_api
wiengine
wiskia
wisound

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding

Uses special library to hide executable bytecode.

Gains access to geolocation.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about APN settings.

Gains access to information about installed applications.

Gains access to information about running applications.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial