Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.589.origin
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 52.52.2####.56:80
- TCP(HTTP/1.1) googl####.g.doublec####.net:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) newfeat####.perfect####.com:80
- TCP(HTTP/1.1) cdn.app.kac####.####.com:80
- TCP(HTTP/1.1) d####.fl####.com:80
- TCP(HTTP/1.1) pwe.3####.top:80
- TCP(HTTP/1.1) d239g0z####.cloudf####.net:80
- TCP(HTTP/1.1) f2.doodlem####.com:80
- TCP(HTTP/1.1) cdn.game####.org:80
- TCP(HTTP/1.1) 1####.76.224.67:80
- TCP(TLS/1.0) 1####.217.17.142:443
- TCP(TLS/1.0) h.online-####.net:443
- TCP(TLS/1.0) con####.ta####.com:443
- TCP(TLS/1.0) ws.tapjo####.com:443
- TCP(TLS/1.0) s3.amazo####.com:443
- TCP(TLS/1.0) ser####.sponso####.com:443
- TCP(TLS/1.0) ssl.google-####.com:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
DNS requests:
- a####.u####.com
- cdn.app.kac####.cn
- cdn.game####.org
- con####.ta####.com
- con####.ta####.com
- d####.fl####.com
- d239g0z####.cloudf####.net
- f2.doodlem####.com
- googl####.g.doublec####.net
- h.online-####.net
- newfeat####.perfect####.com
- pwe.3####.top
- s3.amazo####.com
- ser####.sponso####.com
- ssl.google-####.com
- ws.tapjo####.com
HTTP GET requests:
- cdn.app.kac####.####.com/sfile/201805/16/all/cp_V2.7.8.txt
- cdn.game####.org/strategy/base
- cdn.game####.org/strategy/loss_4.3
- cdn.game####.org/strategy/sul18
- d239g0z####.cloudf####.net/featurescreen/3DPoolnew_l.jpg
- d239g0z####.cloudf####.net/icons/icon_HighSchoolGang.png
- googl####.g.doublec####.net/mads/static/sdk/native/sdk-core-v40.js
HTTP POST requests:
- a####.u####.com/app_logs
- d####.fl####.com/aap.do
- f2.doodlem####.com/feature_server/fullScreen/get.php
- f2.doodlem####.com/feature_server/geo-ip/test.php
- newfeat####.perfect####.com/featureview/getfeatureview/
- pwe.3####.top/jzbdt/a/pjcfh
- pwe.3####.top/jzbdt/euofu/eqyb
- pwe.3####.top/jzbdt/ntjae/zpxtl/imgfb
- pwe.3####.top/jzbdt/q/ohbs/o
- pwe.3####.top/jzbdt/rx/jn
- pwe.3####.top/jzbdt/voidk/r
- pwe.3####.top/sdf/dyx
Modified file system:
Creates the following files:
- /data/anr/traces.txt
- /data/data/####/.dmgames_prefs.xml
- /data/data/####/.flurryagent.-5259b6f3
- /data/data/####/.imprint
- /data/data/####/014890c1-368a-4098-8856-44a2f3aba340
- /data/data/####/32edd79a240b5f1e461d069caab1ec3e
- /data/data/####/978c9f63-d546-482b-a6a6-1e70258d91f4
- /data/data/####/BIKERACING.xml
- /data/data/####/Matrix
- /data/data/####/SUBOXLOG_
- /data/data/####/SponsorPayAdvertiserState.xml
- /data/data/####/SponsorPayPublisherState.xml
- /data/data/####/ads671246870.jar
- /data/data/####/b9e6fba0-afad-4ea0-9256-9a9f32c64fac
- /data/data/####/checker.jar
- /data/data/####/com.bjzzt.bikeRacing.xml
- /data/data/####/d7091a12-2f73-42cc-a6e3-fecee168e0a1
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/ddexe
- /data/data/####/debuggerd
- /data/data/####/dsi.xml
- /data/data/####/e2ee1d06-7bf2-44fe-8788-ca3974035782
- /data/data/####/exchangeIdentity.json
- /data/data/####/f_000001
- /data/data/####/fileWork
- /data/data/####/gaClientId
- /data/data/####/google_analytics_v4.db-journal
- /data/data/####/ht.jar
- /data/data/####/http_googleads.g.doubleclick.net_0.localstorage-journal
- /data/data/####/index
- /data/data/####/install-recovery.sh
- /data/data/####/kl.jar
- /data/data/####/kr.xml
- /data/data/####/kr.xml (deleted)
- /data/data/####/pidof
- /data/data/####/su
- /data/data/####/subox.xml
- /data/data/####/supolicy
- /data/data/####/t_u.db-journal
- /data/data/####/tjcPrefrences.xml
- /data/data/####/toolbox
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/wsroot.sh
- /data/data/####/wv.xml
- /data/media/####/V2.7.8.txt
- /data/media/####/aHR0cDovL2QyMzlnMHo2N2pjdGVkLmNsb3VkZnJvbnQubm...cucG5n
- /data/media/####/aHR0cDovL2QyMzlnMHo2N2pjdGVkLmNsb3VkZnJvbnQubm...wuanBn
Miscellaneous:
Executes next shell scripts:
- chmod 777 Matrix ddexe debuggerd fileWork install-recovery.sh pidof su supolicy toolbox wsroot.sh
- sh
Loads the following dynamic libraries:
- _mj491
- mono
- unity
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- DES
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Displays its own windows over windows of other applications.