Android.Packed.37815

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.DownLoader.363.origin

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) flow-us####.b0.a####.com:80
TCP(HTTP/1.1) z####.heyc####.net:80
TCP(HTTP/1.1) t####.cn:80
TCP(HTTP/1.1) d####.eventua####.com:80
TCP(HTTP/1.1) 13.75.1####.12:80

DNS requests:

d####.eventua####.com
flow3us####.mind####.com
mt####.go####.com
t####.cn
www.changli####.com
z####.heyc####.net

HTTP GET requests:

d####.eventua####.com/flow_v3_service-user/api/getActivityDetail/25
d####.eventua####.com/flow_v3_service-user/api/getActivityDetail/26
flow-us####.b0.a####.com/activity/1509008574877/1509008574877.png
flow-us####.b0.a####.com/activity/1509008891568/1509008891568.png
flow-us####.b0.a####.com/activity/1509010468512/1509010468512.png
flow-us####.b0.a####.com/activity/1509010672308/1509010672308.png
flow-us####.b0.a####.com/activity/1509420764200/1509420764200.png
flow-us####.b0.a####.com/activity/1509438230855/1509438230855.jpg
flow-us####.b0.a####.com/activity/1509442434158/1509442434158.jpg
flow-us####.b0.a####.com/activity/1509443899070/1509443899070.png
flow-us####.b0.a####.com/icon/20171027/20171027174008.png
flow-us####.b0.a####.com/icon/20171027/20171027174115.png
flow-us####.b0.a####.com/icon/20171027/20171027174151.png
flow-us####.b0.a####.com/icon/20171027/20171027174218.png
flow-us####.b0.a####.com/template/1509439192207/img/person_icon.png
flow-us####.b0.a####.com/template/1509439192207/img/time_icon.png
flow-us####.b0.a####.com/template/1509439192207/img/tip_icon.png
flow-us####.b0.a####.com/template/1509439192207/img/watch_icon.png
flow-us####.b0.a####.com/template/1509439192207/rem.js
flow-us####.b0.a####.com/template/1509439192207/reset.css
t####.cn/RWlrov3

HTTP POST requests:

d####.eventua####.com/flow_v3_service-user/api/getActivityList
z####.heyc####.net/getlist
z####.heyc####.net/xlogin

Modified file system:

Creates the following files:

/data/data/####/-1163722320-1181846058
/data/data/####/-1163722320-1580624062
/data/data/####/-1163722320-1982943584
/data/data/####/-11637223201079021024
/data/data/####/-1163722320305040684
/data/data/####/-1163722320583868386
/data/data/####/-1163722320720245634
/data/data/####/-1163722320901537022
/data/data/####/-693695955-2044285682
/data/data/####/-6936959551360407370
/data/data/####/-6936959551471229890
/data/data/####/-693695955447045101
/data/data/####/AppFirstSetting.xml
/data/data/####/accountinfo.xml
/data/data/####/cc.db
/data/data/####/cc.db-journal
/data/data/####/configs.xml
/data/data/####/data_0
/data/data/####/data_1
/data/data/####/data_2
/data/data/####/data_3
/data/data/####/dpi
/data/data/####/f_000001
/data/data/####/hid.db
/data/data/####/index
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/umeng_general_config.xml
/data/data/####/updatedata.jar
/data/data/####/webview.db-journal
/data/data/####/webviewCookiesChromium.db-journal
/data/media/####/.nid
/data/media/####/2009d75168a08c007254a1788bf71ae1.0.tmp
/data/media/####/4565909eacfe66832d74ffd8cd85d071.0.tmp
/data/media/####/465e69f2c29771f0affbe6b65cf86d73.0.tmp
/data/media/####/57a78d634404e1e6de4610ae3e3c98ee.0.tmp
/data/media/####/6e11b5d9a1ca14efa76e07164bfd82f9.0.tmp
/data/media/####/7987b85cf36d381cdf8aa43f62815f6d.0.tmp
/data/media/####/95af029c415d879c5f8f0a50a3eaff4a.0.tmp
/data/media/####/9703f5f7004d918be68e4a7100c09826.0.tmp
/data/media/####/98f922ccb74572a1715298e5f99e84b9.0.tmp
/data/media/####/b81d904b74a9ad0dda942f046ba2691a.0.tmp
/data/media/####/bf4a8ebf8a3bf7542833c37153c97871.0.tmp
/data/media/####/e1e04e967af8bdb2b3699d04e0f7d388.0.tmp
/data/media/####/idconfig.json
/data/media/####/journal
/data/media/####/journal.tmp

Miscellaneous:

Executes next shell scripts:

/system/bin/sh
cat /sys/class/android_usb/android0/idProduct
cat /sys/class/android_usb/android0/idVendor
getprop
ls -l /dev
ls -l /dev/block
ls -l /dev/block/vold
ls -l /dev/com.android.settings.daemon
ls -l /dev/cpuctl
ls -l /dev/cpuctl/apps
ls -l /dev/cpuctl/apps/bg_non_interactive
ls -l /dev/graphics
ls -l /dev/input
ls -l /dev/log
ls -l /dev/pts
ls -l /dev/snd
ls -l /dev/socket
ps

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about APN settings.

Displays its own windows over windows of other applications.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial