Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Triada.417.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) sda.r.longy####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) yun.t####.cn:80
- TCP(HTTP/1.1) s.a.longy####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) d####.uc.cn:80
- TCP(HTTP/1.1) u####.2####.com:80
- TCP(HTTP/1.1) dsp.b####.s####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) 08.img####.eas####.com:80
- TCP(HTTP/1.1) sr.r.longy####.com:80
- TCP(HTTP/1.1) u####.2####.com.####.cn:80
- TCP(HTTP/1.1) co####.91####.cn:8100
- TCP(HTTP/1.1) wifip####.i####.ali####.com:80
- TCP(HTTP/1.1) wifip####.f####.ali####.com:80
- TCP(HTTP/1.1) f####.91####.cn:9999
- TCP(TLS/1.0) av1.x####.com:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
DNS requests:
- 00.img####.eas####.com
- 03.img####.eas####.com
- 04.img####.eas####.com
- 07.img####.eas####.com
- 08.img####.eas####.com
- 09.img####.eas####.com
- a####.u####.com
- and####.b####.qq.com
- and####.cli####.go####.com
- av1.x####.com
- co####.91####.cn
- d####.uc.cn
- dsp.b####.s####.com
- f####.91####.cn
- fb.u####.com
- i.t####.com
- l####.tbs.qq.com
- s.a.longy####.com
- sda.r.longy####.com
- sr.r.longy####.com
- u####.2####.com
- u####.2####.com
- wifip####.f####.ali####.com
- wifip####.i####.ali####.com
- yun.t####.cn
HTTP GET requests:
- 08.img####.eas####.com/mobile/20180615/20180615221127_e14e6fd829c05a8a6e...
- 08.img####.eas####.com/mobile/20180615/20180615221155_ec9d8a5122f2074e4f...
- 08.img####.eas####.com/mobile/20180615/20180615221156_6e9139b09620d15314...
- 08.img####.eas####.com/mobile/20180615/20180615_3785801e39ea2d29464a923c...
- 08.img####.eas####.com/mobile/20180615/20180615_39edd398465ac5f0dcb0bb7f...
- 08.img####.eas####.com/mobile/20180615/20180615_4454b5052bc7022be16b013e...
- 08.img####.eas####.com/mobile/20180615/20180615_6d123f9d4c8ec24db18309c0...
- 08.img####.eas####.com/mobile/20180615/20180615_99f54d762085b4e0c209bff3...
- 08.img####.eas####.com/mobile/20180615/20180615_a2b23219df8f538f18bfdb23...
- 08.img####.eas####.com/mobile/20180615/20180615_bd19418b1eb1c35783aa5b36...
- 08.img####.eas####.com/mobile/20180615/20180615_d13c25b01e0b1881f93db9a5...
- 08.img####.eas####.com/mobile/20180615/20180615_fa555b52a710987feeaba068...
- co####.91####.cn:8100/interface/get_config?appid=####&version=####&vn=##...
- d####.uc.cn/wandj/down.php?id=####&pub=####
- f####.91####.cn:9999/toutiao?qid=####&category=####&page_no=####&page_si...
- sda.r.longy####.com/?id=####&ic=####&as=####&at=####&dn=####&db=####&os=...
- sr.r.longy####.com/?id=####&ic=####&as=####&at=####&dn=####&db=####&os=#...
- u####.2####.com.####.cn/fs01/union_pack/Wandoujia_283184_xy1_hl.apk
- u####.2####.com/Wandoujia_xy1_hl.apk
- wifip####.f####.ali####.com/luyou/db/mac_company.zip
- wifip####.i####.ali####.com/wifisig/ad/zhibobanner.jpg?t=####
- wifip####.i####.ali####.com/wifisig/feedad/LB0908-2.jpg?t=####
- wifip####.i####.ali####.com/wifisig/news/fuli-icon.png?t=####
- wifip####.i####.ali####.com/wifisig/news/joke_icon_pengfuwang.png
- wifip####.i####.ali####.com/wifisig/news/joke_icon_qiushibaike.png
- wifip####.i####.ali####.com/wifisig/news/meizi.jpg?t=####
- wifip####.i####.ali####.com/wifisig/news/toutiao.png
- wifip####.i####.ali####.com/wifisig/news/yaoyuedu_logo.jpg
- yun.t####.cn/mami-media/img/t1dsdrfx5g.gif
HTTP POST requests:
- a####.u####.com/app_logs
- and####.b####.qq.com/rqd/async
- dsp.b####.s####.com/ldsbid?dspsrc=####
- l####.tbs.qq.com/ajax?c=####&k=####
- s.a.longy####.com/
Modified file system:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/094598efe425db1d06a50cd8f4d3bb0e.0.tmp
- /data/data/####/094598efe425db1d06a50cd8f4d3bb0e.1.tmp
- /data/data/####/1529083193754_2058
- /data/data/####/1529083193814_2058
- /data/data/####/1529083193893_2058
- /data/data/####/1529083193995_2058
- /data/data/####/1529083194111_2058
- /data/data/####/1529083194123_2058
- /data/data/####/1529083194149_2058
- /data/data/####/1529083195597_2058
- /data/data/####/1529083195801_2058
- /data/data/####/1529083196743_2058
- /data/data/####/1529083197472_2058
- /data/data/####/1529083199358_2242
- /data/data/####/1529083199379_2242
- /data/data/####/1529083201383_2242
- /data/data/####/1529083212740_2058
- /data/data/####/1529083212846_2058
- /data/data/####/1529083212876_2058
- /data/data/####/1529083212892_2058
- /data/data/####/1529083212904_2058
- /data/data/####/1529083212914_2058
- /data/data/####/1529083212938_2058
- /data/data/####/1529083212963_2058
- /data/data/####/1529083212999_2058
- /data/data/####/1529083213062_2058
- /data/data/####/1529083213081_2058
- /data/data/####/1529083216114_2058
- /data/data/####/1529083216891_2058
- /data/data/####/1529083216924_2058
- /data/data/####/1529083217019_2058
- /data/data/####/1529083217051_2058
- /data/data/####/1529083217107_2058
- /data/data/####/1529083217137_2058
- /data/data/####/1529083226445_2058
- /data/data/####/1529083226482_2058
- /data/data/####/1529083226516_2058
- /data/data/####/1529083226556_2058
- /data/data/####/1529083226586_2058
- /data/data/####/1529083226603_2058
- /data/data/####/1529083226690_2058
- /data/data/####/1529083226727_2058
- /data/data/####/1529083226776_2058
- /data/data/####/1529083226811_2058
- /data/data/####/1529083226867_2058
- /data/data/####/1529083238063_2058
- /data/data/####/1529083238084_2058
- /data/data/####/1529083238122_2058
- /data/data/####/1529083238176_2058
- /data/data/####/1529083245614_2058
- /data/data/####/1529083245715_2058
- /data/data/####/1529083245747_2058
- /data/data/####/1529083245774_2058
- /data/data/####/1529083245795_2058
- /data/data/####/1529083245834_2058
- /data/data/####/1529083245846_2058
- /data/data/####/1529083245868_2058
- /data/data/####/1529083245876_2058
- /data/data/####/1529083245897_2058
- /data/data/####/1529083245904_2058
- /data/data/####/1529083248681_2058
- /data/data/####/1529083248699_2058
- /data/data/####/1529083248796_2058
- /data/data/####/1529083248858_2058
- /data/data/####/1529083248916_2058
- /data/data/####/1529083248966_2058
- /data/data/####/1529083259516_2242
- /data/data/####/99ff7cddc3e74dcf9db48d5fb178b5bc.0.tmp
- /data/data/####/99ff7cddc3e74dcf9db48d5fb178b5bc.1.tmp
- /data/data/####/TD_app_pefercen_profile.xml
- /data/data/####/TDpref_longtime.xml
- /data/data/####/TDpref_longtime0.xml
- /data/data/####/TDpref_shorttime.xml
- /data/data/####/TDpref_shorttime0.xml
- /data/data/####/bmconfig.xml
- /data/data/####/bugly_db_legu-journal
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cd30bf2eeae751b6da3df6d1f31927f3.0.tmp
- /data/data/####/cd30bf2eeae751b6da3df6d1f31927f3.1.tmp
- /data/data/####/com.baymax.wifipoint_preferences.xml
- /data/data/####/config.xml
- /data/data/####/core_info
- /data/data/####/download.db
- /data/data/####/download.db-journal
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/journal.tmp
- /data/data/####/libnfix.so
- /data/data/####/libshella-2.8.so
- /data/data/####/local_crash_lock
- /data/data/####/longyun_sdk.xml
- /data/data/####/mac_company
- /data/data/####/mix.dex
- /data/data/####/native_record_lock
- /data/data/####/security_info
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tdid.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_feedback_conversations.xml
- /data/data/####/umeng_feedback_user_info.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/media/####/.nomedia
- /data/media/####/.tcookieid
- /data/media/####/0beda299801e4f335e7c2b658744a57fcfba45bb0dcbf3....0.tmp
- /data/media/####/0fa5db6fbc4a2f99c6137c96b8ea9554d7dcc8460e1f1c....0.tmp
- /data/media/####/171087c56323f6c40172df9f00c725ac8e6f0d9dc5307e....0.tmp
- /data/media/####/27157054639364861a73573e987ec0f63a7fbc7c135946....0.tmp
- /data/media/####/37363b6805610d5887bc7a7e837fc996d779bb59583130....0.tmp
- /data/media/####/39bf005eb760f19150a934408745355a7c26662aa87a67....0.tmp
- /data/media/####/49beea6e72633d35ed2b6a7deee80473a75a91f17287cb....0.tmp
- /data/media/####/5c5b5d00c2cffcde4b93aad3b60008ff696fe5078469ad....0.tmp
- /data/media/####/68c2f3f0f735dea405ef11225cdee2b043f261fbb68288....0.tmp
- /data/media/####/7700a480459b99ac9f9a84c8d985a3a95f4f72e16340d6....0.tmp
- /data/media/####/7bfca646224742f01512c64e02cd18a175be71a0133a19....0.tmp
- /data/media/####/877af09487695a4a72d94339ccaecc2586502743d8da6b....0.tmp
- /data/media/####/9b9d2b5d973193c86b3ca23c8c47bbd72ed447912e08e1....0.tmp
- /data/media/####/a074d6ae3b8c74f3e6f6bed2a1546f3c118fa0c4d92205....0.tmp
- /data/media/####/a9b62cc7aaa6203374f163268964cb1c20ca9b5c9deb8d....0.tmp
- /data/media/####/af7e8737718f2cfd05e3b1c63ad0e72c4f1f6626a44845....0.tmp
- /data/media/####/b7599578a8e3f6896792ffdc79160f3e4e928cb37e3a36....0.tmp
- /data/media/####/ca4f53c4086f71f5a7cc24ccd66ab362a184b2827e105a....0.tmp
- /data/media/####/cc4c38ac16dda3d30ec17e1d37ad8393f1960a284ca9f8....0.tmp
- /data/media/####/ce49e5a72b01f0e57f91d796260d217959dc50e597ca05....0.tmp
- /data/media/####/d2280f8e8279d5042f5448d4e6c3e6518f2902856664e7....0.tmp
- /data/media/####/dc03ed1e7302e3abcf4f6ec79f38ffbe6f787bfc342c77....0.tmp
- /data/media/####/down.php
- /data/media/####/e1c14799860092fee388804e975b31826bca8e91abd95b....0.tmp
- /data/media/####/eadb9984de13d3b3bc9bc2fd6a47b2bad22022bc0e1a49....0.tmp
- /data/media/####/ed3a63c4fb9688e244f55c936f44842443224e46b3e49d....0.tmp
- /data/media/####/journal.tmp
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.8.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.product.cpu.abi
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
Loads the following dynamic libraries:
- Bugly
- libnfix
- libshella-2.8
- libufix
- nfix
- ufix
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS7Padding
- AES-GCM-NoPadding
- DES-CBC-PKCS5Padding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
- AES-GCM-NoPadding
- DES-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Displays its own windows over windows of other applications.