Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Triada.418.origin
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) q####.c####.l####.####.com:80
- TCP(HTTP/1.1) wn.pos.b####.com:80
- TCP(HTTP/1.1) c####.c####.com:8431
- TCP(HTTP/1.1) b####.bj####.com.####.com:80
- TCP(HTTP/1.1) gm.mm####.com:80
- TCP(HTTP/1.1) app.adi####.com:80
- TCP(HTTP/1.1) adm.t####.com.####.com:80
- TCP(HTTP/1.1) 4####.93.84.189:81
- TCP(HTTP/1.1) b####.c####.com.####.com:80
- TCP(HTTP/1.1) z####.z####.com:10091
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) dup.baidust####.com:80
- TCP(HTTP/1.1) p.icap####.com:6088
- TCP(HTTP/1.1) p####.tc.qq.com:80
- TCP(HTTP/1.1) cdn.1####.wang:80
- TCP(HTTP/1.1) e.zhuy####.club:80
- TCP(HTTP/1.1) s####.e.qq.com:80
- TCP(HTTP/1.1) 2####.187.226.25:80
- TCP(HTTP/1.1) up####.v.qin####.com:80
- TCP(HTTP/1.1) www.czheng####.cn:8073
- TCP(HTTP/1.1) www.pc####.com.####.com:80
- TCP(HTTP/1.1) pos.b####.com:80
- TCP(HTTP/1.1) adalli####.zmen####.com:80
- TCP(HTTP/1.1) mi.g####.qq.com:80
- TCP(HTTP/1.1) 1####.26.76.154:80
- TCP(HTTP/1.1) cdn.abs.yunduan####.com:80
- TCP(HTTP/1.1) u####.laogeda####.com:80
- TCP(HTTP/1.1) m.zt####.net:80
- TCP(HTTP/1.1) si####.jom####.com:80
- TCP(HTTP/1.1) c####.dns.yunduan####.com:80
- TCP(HTTP/1.1) i####.51.la:80
- TCP(HTTP/1.1) 1####.205.160.63:80
- TCP(HTTP/1.1) vas.fun.tv.####.com:80
- TCP(HTTP/1.1) w####.fun.tv:80
- TCP(HTTP/1.1) a####.do####.mobi:80
- TCP(HTTP/1.1) w####.c####.com:80
- TCP(HTTP/1.1) s####.funs####.net:80
- TCP(HTTP/1.1) p.hfm####.com:6088
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) ip.ch####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) www.ta####.com:80
- TCP(HTTP/1.1) v####.funs####.com:80
- TCP(HTTP/1.1) ap####.adi####.com:80
- TCP(HTTP/1.1) c####.c####.com:8356
- TCP(HTTP/1.1) 1####.40.20.155:80
- TCP(HTTP/1.1) w####.ta####.com:80
- TCP(TLS/1.0) st####.adhu####.com.####.com:443
- TCP(TLS/1.0) dup.baidust####.com:443
- TCP(TLS/1.0) fp.ton####.net:443
- TCP(TLS/1.0) js.u####.51.la:443
- TCP(TLS/1.0) fp.fraudme####.cn:443
- TCP(TLS/1.0) dis####.in####.com:443
- TCP(TLS/1.0) fp-st####.b0.a####.com:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) msg.umengc####.com:443
- TCP(TLS/1.0) pos.b####.com:443
- TCP(TLS/1.0) www.ta####.com:443
- TCP(TLS/1.0) w####.ta####.com:443
- TCP 1####.205.160.76:443
- TCP umengj####.m.ta####.com:80
DNS requests:
- a####.do####.mobi
- a####.u####.com
- adalli####.zmen####.com
- adm.t####.com
- ag####.m.ta####.com
- ap####.adi####.com
- app.adi####.com
- b####.bj####.com
- b####.c####.com
- c####.c####.com
- c####.dns.yunduan####.com
- c####.mm####.com
- c.c####.com
- cdn.1####.wang
- cdn.abs.yunduan####.com
- cdn.xs####.com
- dis####.in####.com
- dup.baidust####.com
- e.zhuy####.club
- f12.b####.com
- fp.fraudme####.cn
- fp.ton####.net
- h####.c####.com
- hm.b####.com
- i####.51.la
- i####.adhu####.com
- i####.com
- imgc####.qq.com
- ip.ch####.com
- js.u####.51.la
- js.x####.com.cn
- l####.tq####.com
- m.ta####.com
- m.zt####.net
- m1.laogeda####.com
- mi.g####.qq.com
- msg.umengc####.com
- oc.u####.com
- p####.x####.com.cn
- p.hfm####.com
- p.icap####.com
- pos.b####.com
- q.funs####.com
- qzones####.g####.cn
- s####.e.qq.com
- s####.funs####.net
- s11.c####.com
- s13.c####.com
- s19.c####.com
- s22.c####.com
- s4.c####.com
- s95.c####.com
- st####.adhu####.com
- st####.fraudme####.cn
- st####.funs####.com
- u####.laogeda####.com
- umengj####.m.ta####.com
- v####.fun.tv
- v####.fun.tv
- v.no####.net
- w####.c####.com
- w####.fun.tv
- w####.ta####.com
- wn.pos.b####.com
- www.czheng####.cn
- www.pc####.com.cn
- www.ta####.com
- z####.z####.com
- z1.c####.com
- z11.c####.com
- z13.c####.com
- z4.c####.com
- z7.c####.com
- z8.c####.com
HTTP GET requests:
- a####.do####.mobi/hotfix/fmsd_hotfix.jar
- adalli####.zmen####.com/zmtmobads/v1/impl.do?param=####
- adm.t####.com.####.com/unet/static/udc.js
- ap####.adi####.com/tj?key=####&rd=####&req=YWR####&token=####
- app.adi####.com/api.m?adid=####&adtype=####&width=####&height=####&pkgna...
- b####.bj####.com.####.com/d/BGHQF00161819
- b####.bj####.com.####.com/z/2paBGHQF00164x.zip
- b####.bj####.com.####.com/z/qgBGHQF00164x.zip
- b####.c####.com.####.com/d/yufather/entry/1411647
- c####.dns.yunduan####.com/pp.html
- c####.dns.yunduan####.com/pp2.html
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/stat.php?id=####
- c.c####.com/stat.php?id=####&web_id=####
- c.c####.com/z_stat.php?id=####
- cdn.1####.wang/sc_151_2
- cdn.abs.yunduan####.com/chou2.html
- cdn.abs.yunduan####.com/r3.html
- dup.baidust####.com/js/os.js
- e.zhuy####.club/1279/5497076
- gm.mm####.com/9.gif?abc=####&rnd=####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- hm.b####.com/hm.js?1b2a81d####
- i####.51.la/go1?id=####&rt=####&rl=####&lang=####&ct=####&pf=####&ins=##...
- ip.ch####.com/getip.aspx
- m.zt####.net/appcenter/videoControl?act=####&cpid=####&urlid=####
- m.zt####.net/appcenter/videoControl?cpid=####&urlid=####
- mi.g####.qq.com/gdt_mview.fcg?actual_width=####&count=####&r=####&templa...
- mi.g####.qq.com/gdt_mview.fcg?posw=####&posh=####&count=####&r=####&data...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/banner.appcache
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/banner.html
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/ad_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/banner_close_b...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/bannerbg07.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/tsa_ad_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/images/tsa_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/js-release/20170821/b...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android01/js/lib/require.js
- p####.tc.qq.com/qzone/biz/gdt/mod/android/AndroidAllInOne/proguard/his/r...
- pos.b####.com/bfp/snippetcacher.php?dpv=####&di=####
- pos.b####.com/lcvm?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
- pos.b####.com/zcgm?conwid=####&conhei=####&rtbid=####&rdid=####&dc=####&...
- pos.b####.com/zcgm?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
- q####.c####.l####.####.com/group/js/changspeed.js
- q####.c####.l####.####.com/group/js/picLoad.js
- q####.c####.l####.####.com/group/view_ab.php?aid=####
- s####.funs####.net/ecom-ad/ifar_all/?oc=####
- s####.funs####.net/ecom-ad/ifar_load/?rprotocol=1&fck=1525671813ce56f&mi...
- si####.jom####.com/it/u=325217858,2035764721&fm=76
- ti####.c####.l####.####.com/tools/jq/1.5.1.min.js
- u####.laogeda####.com/ads/ady182401.php?o=####
- u####.laogeda####.com/d/ad323.html
- u####.laogeda####.com/d/ad323.php?o=####
- up####.v.qin####.com/main/new/js/v8/core-min.js
- up####.v.qin####.com/main/new/js/v8/html/statIwt_www_new-min.js?v=####
- up####.v.qin####.com/open/fis/js/v11/??plugin/####
- v####.funs####.com/vasd/pa/index?sid=####&ref=####&mick=####&cvid=####
- vas.fun.tv.####.com/market/ext/udc/c68908960.html?m####
- vas.fun.tv.####.com/market/vasd/reportVv.js?v=####
- w####.c####.com/abc/xyz/point/index_single.php
- w####.fun.tv/api/javascript?js=####
- w####.fun.tv/vplay/g-118210.v-637846
- w####.ta####.com/?sprefer=####
- wn.pos.b####.com/adx.php?c=####
- www.czheng####.cn:8073/
- www.pc####.com.####.com/autox/x2.html
- www.ta####.com/
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
HTTP POST requests:
- a####.u####.com/app_logs
- c####.c####.com:8356/rtn/
- c####.c####.com:8356/rts/
- c####.c####.com:8431/drq/
- m.zt####.net/v/a/c
- m.zt####.net/v/a/t
- oc.u####.com/v2/check_config_update
- oc.u####.com/v2/get_update_time
- p.hfm####.com:6088/s/
- p.icap####.com:6088/s/
- s####.e.qq.com/activate
- s####.e.qq.com/err
- s####.e.qq.com/launch
- s####.e.qq.com/msg
- z####.z####.com:10091/opaService/link
Modified file system:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/2f83e6503daa71e64a49643c9f80efcb.log.temp
- /data/data/####/44255dc1275afefd38b859eea0ba9e5c.log
- /data/data/####/44255dc1275afefd38b859eea0ba9e5c.log.temp
- /data/data/####/61059340ea42ebc586294e576e448b8e
- /data/data/####/ACCS_BIND.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/BuglySdkInfos.xml
- /data/data/####/ContextData.xml
- /data/data/####/DaemonServer
- /data/data/####/F2A6715737C9504B2F82BDDEA960CD1B.xml
- /data/data/####/GDTSDK.db
- /data/data/####/GDTSDK.db-journal
- /data/data/####/IP.xml
- /data/data/####/JSON.xml
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/SDANFANGSDK.xml
- /data/data/####/SDKVersion.xml
- /data/data/####/String.xml
- /data/data/####/WebViewSettings.xml
- /data/data/####/__xadsdk__remote__final__builtin__.jar
- /data/data/####/accs.db-journal
- /data/data/####/agoo.pid
- /data/data/####/baidu_gdt_dex.jar
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/com.lhyy.wl.carparkour.v2.playerprefs.xml
- /data/data/####/countClickIP.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/devCloudSetting.cfg
- /data/data/####/devCloudSetting.sig
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/fmsd_sdk.jar
- /data/data/####/fmsd_sdk_standard.jar
- /data/data/####/gameid
- /data/data/####/gameid.zip
- /data/data/####/gdt_plugin.next
- /data/data/####/gdt_plugin.next.sig
- /data/data/####/gdt_plugin.tmp
- /data/data/####/gdt_plugin.tmp.sig
- /data/data/####/gdt_suid
- /data/data/####/icon.png
- /data/data/####/icon2.png
- /data/data/####/icon3.png
- /data/data/####/index
- /data/data/####/kbsoqk
- /data/data/####/libjiagu.so
- /data/data/####/libumeng.so
- /data/data/####/libumeng.so_32
- /data/data/####/libumeng.so_64
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/minigame1.png
- /data/data/####/minigame2.png
- /data/data/####/minigame3.png
- /data/data/####/minigame4.png
- /data/data/####/omaabc.png
- /data/data/####/omabuildingblocks.png
- /data/data/####/omaclock.png
- /data/data/####/omacolorking.png
- /data/data/####/omacolorshape.png
- /data/data/####/omafindnumber.png
- /data/data/####/omaflowerway.png
- /data/data/####/omagraffiti.png
- /data/data/####/omaguessing.png
- /data/data/####/omalinenumber.png
- /data/data/####/omamusic.png
- /data/data/####/omaorigami.png
- /data/data/####/omapainter.png
- /data/data/####/omapuzzle.png
- /data/data/####/omashape.png
- /data/data/####/omashapecolor.png
- /data/data/####/omasong.png
- /data/data/####/omasort.png
- /data/data/####/omasound.png
- /data/data/####/omaspaceship.png
- /data/data/####/omawatchnumber.png
- /data/data/####/omawritenumber.png
- /data/data/####/onlineconfig_agent_online_setting_com.lhyy.wl.c...ur.xml
- /data/data/####/opa_link.jar
- /data/data/####/sdkCloudSetting.cfg
- /data/data/####/sdkCloudSetting.sig
- /data/data/####/showRelax.xml
- /data/data/####/standardSDKVersion.xml
- /data/data/####/standards.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_config_c.xml
- /data/data/####/um_data_info_s.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/update_lc
- /data/data/####/version_name.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/media/####/.nomedia
- /data/media/####/.uuidres
- /data/media/####/127GN267.json
- /data/media/####/2faecf93a0ca24ee5b185fe119cbd9c6
- /data/media/####/3477c77ac99248f5bf84a6dd1d44ed2b
- /data/media/####/5e90841fc0b15477592c2dfaab39c5ee
- /data/media/####/Alvin2.xml
- /data/media/####/Compat.browser
- /data/media/####/ContextData.xml
- /data/media/####/DefaultWsdlHelpGenerator.aspx
- /data/media/####/SymbolMap-ARMv7
- /data/media/####/accs_election
- /data/media/####/browscap.ini
- /data/media/####/cc1142f26be54ee9b13c025785967ef4
- /data/media/####/cfe8aac9421d42f0928b7a49bfee0d83
- /data/media/####/config
- /data/media/####/config.xml
- /data/media/####/d072d2d20d0441e88cac90a6f684d0c6
- /data/media/####/deviceToken
- /data/media/####/global-metadata.dat
- /data/media/####/inapp_20180507.log
- /data/media/####/machine.config
- /data/media/####/mscorlib.dll-resources.dat
- /data/media/####/settings.map
- /data/media/####/web.config
Miscellaneous:
Executes next shell scripts:
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:59bf7e578f4a9d08f70000b9","utdid":"Wu/nSya4HooDAGdzx1FtFp+U","sdkVersion":"212"} -I agoodm.m.taobao.com -O 80 -T -Z
- cat /proc/version
- cat /sys/class/net/wlan0/address
- chmod 500 <Package Folder>/files/DaemonServer
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- chmod 771 data/data/<Package>/shared_prefs
- getprop
- getprop ro.board.platform
- getprop ro.product.cpu.abi
- sh
Loads the following dynamic libraries:
- AudioPluginOculusSpatializer
- libAudioPluginOculusSpatializer
- libil2cpp
- libjiagu
- libumeng
- main
- tnet-3.1
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
- DES
- RSA-None-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
- DES
- RSA-ECB-PKCS1Padding
- RSA-None-PKCS1Padding
Uses special library to hide executable bytecode.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Gains access to information about running applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.