Technical information
Malicious functions:
Blocks access to graphical screen interface.
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) appinf####.ksmo####.net:80
- TCP(HTTP/1.1) p-beh####.ksmo####.net:80
- TCP(HTTP/1.1) analy####.ray####.com:80
- TCP(HTTP/1.1) d1e0ih9####.cloudf####.net:80
- TCP(HTTP/1.1) app.ady####.com:80
- TCP(HTTP/1.1) dl.cm.ksmo####.####.com:80
- TCP(HTTP/1.1) beh####.ksmo####.net:80
- TCP(HTTP/1.1) d3hqwz3####.cloudf####.net:80
- TCP(HTTP/1.1) cfg.cml.ksmo####.com:80
- TCP(HTTP/1.1) d2qmdcg####.cloudf####.net:80
- TCP(HTTP/1.1) sc####.ady####.com:80
- TCP(HTTP/1.1) s####.has####.net:80
- TCP(HTTP/1.1) cm####.did.ijin####.com:80
- TCP(HTTP/1.1) set####.ray####.com:80
- TCP(TLS/1.0) un####.ad####.com:443
- TCP(TLS/1.0) s####.ad####.com:443
- TCP(TLS/1.0) t.appsf####.com:443
- TCP(TLS/1.0) ups.ksmo####.net:443
- TCP(TLS/1.0) tea####.c####.com:443
- TCP(TLS/1.0) geo####.i2w.io:443
- TCP(TLS/1.0) dl.cm.ksmo####.####.com:443
- TCP(TLS/1.0) ms.c####.com:443
- TCP(TLS/1.0) c####.ksmo####.com:443
- TCP(TLS/1.0) ws.ksmo####.net:443
- TCP(TLS/1.0) bp.ad####.com:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.0) api.face####.com:443
- TCP(TLS/1.0) s####.ad####.com:80
- TCP(TLS/1.0) api.appsf####.com:443
- TCP(TLS/1.0) d1zkodo####.cloudf####.net:443
- TCP(TLS/1.0) wea####.ksmo####.net:443
DNS requests:
- analy####.ray####.com
- and####.cli####.go####.com
- api.appsf####.com
- app.ady####.com
- appinf####.ksmo####.net
- beh####.ksmo####.net
- bp.ad####.com
- c####.ksmo####.com
- cfg.cml.ksmo####.com
- cm####.did.ijin####.com
- d1e0ih9####.cloudf####.net
- d1zkodo####.cloudf####.net
- d2qmdcg####.cloudf####.net
- d3hqwz3####.cloudf####.net
- dl.cm.ksmo####.com
- g####.face####.com
- geo####.i2w.io
- ms.c####.com
- p-beh####.ksmo####.net
- s####.ad####.com
- s####.has####.net
- sc####.ady####.com
- set####.ray####.com
- t.appsf####.com
- tea####.c####.com
- trac####.i2w.io
- un####.ad####.com
- ups.ksmo####.net
- userl####.ksmo####.net
- wea####.ksmo####.net
- ws.ksmo####.net
HTTP GET requests:
- app.ady####.com/mpapi/ad?model=####&fomat=####&mcc=####&os_v=####&direct...
- cm####.did.ijin####.com/cp/?v=####&p=####&u=####&s=####
- d1e0ih9####.cloudf####.net/cdn/assets/103_1462627045680.zip
- d2qmdcg####.cloudf####.net/cdn/ad-network/2d7bf9427c234d3b8cdb7a108b0441...
- d2qmdcg####.cloudf####.net/cdn/ad-network/2e9363f08b694c6bb429cf9e0711a0...
- d2qmdcg####.cloudf####.net/cdn/ad-network/3c4dd8825d5f43c4b6582c3ea640b9...
- d2qmdcg####.cloudf####.net/cdn/ad-network/49d8fe7980634ebb8d8182d1d07482...
- d2qmdcg####.cloudf####.net/cdn/ad-network/6a330b54fb714e6ab44c7d8d456c0f...
- d2qmdcg####.cloudf####.net/cdn/ad-network/72724b281973444f9a56ea01151f88...
- d2qmdcg####.cloudf####.net/cdn/ad-network/78d926787c4c43d1895985f93c9013...
- d2qmdcg####.cloudf####.net/cdn/ad-network/8ef08e2d2dbf46b7a8b97e169c136e...
- d2qmdcg####.cloudf####.net/cdn/ad-network/98763026208e4aa9bb565d6f2bd6c8...
- d2qmdcg####.cloudf####.net/cdn/ad-network/b330dd0c95ee4992b06a87a3775cec...
- d2qmdcg####.cloudf####.net/cdn/ad-network/b52a95b7a6d04d619126563af3c66c...
- d2qmdcg####.cloudf####.net/cdn/ad-network/f2a246a739b14f7f8c5caf16f0b631...
- d2qmdcg####.cloudf####.net/cdn/ad-network/f3a786d1e65544fb93ba1f0f5a5606...
- d2qmdcg####.cloudf####.net/cdn/ad-source-config/169b7928a122421f851bbb6b...
- d2qmdcg####.cloudf####.net/cdn/placement_hierarchy/169b7928a122421f851bb...
- d3hqwz3####.cloudf####.net/cdn/adlist/169b7928a122421f851bbb6b166d5230/3...
- dl.cm.ksmo####.####.com/static/res/06/70/2_M.png
- dl.cm.ksmo####.####.com/static/res/38/e2/whitelist_20180601.json
- dl.cm.ksmo####.####.com/static/res/6d/7e/theme_config.json
- dl.cm.ksmo####.####.com/static/res/72/ba/icon100x100.png
- dl.cm.ksmo####.####.com/static/res/78/1a/1609011wl.db
- dl.cm.ksmo####.####.com/static/res/a4/cf/chargemaster2.png
- dl.cm.ksmo####.####.com/static/res/b2/b8/tools_mobvista.png
- sc####.ady####.com/v1/scheme/app?model=####&mcc=####&os_v=####&direction...
- set####.ray####.com/appwall/setting?app_id=####&sign=####&channel=####&p...
- set####.ray####.com/setting?app_id=####&sign=####&channel=####&platform=...
HTTP POST requests:
- analy####.ray####.com/
- appinf####.ksmo####.net/gmi
- beh####.ksmo####.net/adsn
- beh####.ksmo####.net/cfcl
- beh####.ksmo####.net/ecfl
- beh####.ksmo####.net/erfl
- beh####.ksmo####.net/fcl
- cfg.cml.ksmo####.com/post
- p-beh####.ksmo####.net/cu
- s####.has####.net/api/cfg/v1?serviceid=####
Modified file system:
Creates the following files:
- /data/anr/traces.txt
- /data/data/####/.ad_list
- /data/data/####/.ad_source
- /data/data/####/.audience_geo_tags
- /data/data/####/.geographic_info
- /data/data/####/.ph_cfg
- /data/data/####/.script
- /data/data/####/.serving_cfg
- /data/data/####/1533066644127.log
- /data/data/####/;theme_config_url.xml
- /data/data/####/BatteryConfigManager.xml
- /data/data/####/CmSideProvider.xml
- /data/data/####/MultiDex.lock
- /data/data/####/RealtimeReporter_50.tmp
- /data/data/####/_assets.zip
- /data/data/####/ad_control_cfg_res.dwn
- /data/data/####/ad_icon.png
- /data/data/####/ad_sdk.db-journal
- /data/data/####/adywind.db-journal
- /data/data/####/appcpu_hf_en.db.bak
- /data/data/####/appcpu_hf_en.db.lzma.bak
- /data/data/####/apple_daily_cover.jpg
- /data/data/####/appmem_hf_en.db.bak
- /data/data/####/appmem_hf_en.db.lzma.bak
- /data/data/####/appsflyer-data.xml
- /data/data/####/appstorage.db
- /data/data/####/appstorage.db-journal
- /data/data/####/arrive_at.png
- /data/data/####/arrive_nm.png
- /data/data/####/article_border.9.png
- /data/data/####/ats2_wl_en.dat.bak
- /data/data/####/ats2_wl_en.dat.lzma.bak
- /data/data/####/audio_tutorial_btn.png
- /data/data/####/bg_label.png
- /data/data/####/bg_mask.9.png
- /data/data/####/bspatch
- /data/data/####/btn_audio_off.png
- /data/data/####/btn_audio_on.png
- /data/data/####/btn_close_at.png
- /data/data/####/btn_close_nm.png
- /data/data/####/btn_done_at.png
- /data/data/####/btn_done_nm.png
- /data/data/####/btn_download_at.jpg
- /data/data/####/btn_download_nm.jpg
- /data/data/####/btn_landscape_image_app_install_ios_at.png
- /data/data/####/btn_landscape_image_app_install_ios_nm.png
- /data/data/####/btn_landscape_image_gamecard_install_android_at.png
- /data/data/####/btn_landscape_image_gamecard_install_android_nm.png
- /data/data/####/btn_landscape_video_app_install_ios_at.png
- /data/data/####/btn_landscape_video_app_install_ios_nm.png
- /data/data/####/btn_landscape_video_install_android_at.png
- /data/data/####/btn_landscape_video_install_android_nm.png
- /data/data/####/btn_play_at.png
- /data/data/####/btn_play_nm.png
- /data/data/####/btn_portrait_image_app_install_ios_at.png
- /data/data/####/btn_portrait_image_app_install_ios_nm.png
- /data/data/####/btn_protrait_image_gamecard_android_at.png
- /data/data/####/btn_protrait_image_gamecard_android_nm.png
- /data/data/####/btn_single_close_at.png
- /data/data/####/btn_single_close_nm.png
- /data/data/####/btn_skip_at.png
- /data/data/####/btn_skip_nm.png
- /data/data/####/btn_video_done_at.png
- /data/data/####/btn_video_done_nm.png
- /data/data/####/btn_webview_back_at.png
- /data/data/####/btn_webview_back_disable.png
- /data/data/####/btn_webview_back_nm.png
- /data/data/####/btn_webview_close_at.png
- /data/data/####/btn_webview_close_nm.png
- /data/data/####/btn_webview_next_at.png
- /data/data/####/btn_webview_next_disable.png
- /data/data/####/btn_webview_next_nm.png
- /data/data/####/cc_statistics.db-journal
- /data/data/####/ce-network.db-journal
- /data/data/####/ce-repo.db-journal
- /data/data/####/cfcl_cache
- /data/data/####/charge_master_banner_url_tools
- /data/data/####/charge_master_banner_url_tools.tmp (deleted)
- /data/data/####/cleancloud_pref.xml
- /data/data/####/cleanmaster_process_list.db-journal
- /data/data/####/clearpath_other_5.9.6.db.bak
- /data/data/####/clearpath_other_5.9.6.db.lzma.bak
- /data/data/####/clearprocess_en_5.10.1.filter.bak
- /data/data/####/cloud_eng.xml
- /data/data/####/cloud_string_res_2.dwn
- /data/data/####/cloud_string_res_2.dwn.default
- /data/data/####/cloudconfig.xml
- /data/data/####/cloudmsgadv.json
- /data/data/####/cm_activate_cmc_1533066639207.ich
- /data/data/####/cm_activity_act_1533066599550.ich
- /data/data/####/cm_app_boot_time2_1533066626190.ich
- /data/data/####/cm_appdiary_overall_1533066628258.ich
- /data/data/####/cm_appdiary_overall_1533066637482.ich
- /data/data/####/cm_cert_1533066602250.ich
- /data/data/####/cm_cleancloud_querystatus_1533066628771.ich
- /data/data/####/cm_cleancloud_querystatus_1533066628785.ich
- /data/data/####/cm_cleancloud_querystatus_1533066629688.ich
- /data/data/####/cm_edgweather_condition_1533066599555.ich
- /data/data/####/cm_fb_login_1533066623982.ich
- /data/data/####/cm_game_installed_games_1533066635974.ich
- /data/data/####/cm_game_scan_1533066626691.ich
- /data/data/####/cm_homepage_card_show_1533066625992.ich
- /data/data/####/cm_homepage_card_show_1533066625998.ich
- /data/data/####/cm_homepage_card_show_1533066626023.ich
- /data/data/####/cm_homepage_card_show_1533066626043.ich
- /data/data/####/cm_homepage_card_show_1533066626084.ich
- /data/data/####/cm_homepage_card_show_1533066626092.ich
- /data/data/####/cm_homepage_card_show_1533066626147.ich
- /data/data/####/cm_homepage_card_show_1533066626168.ich
- /data/data/####/cm_homepage_card_show_1533066626172.ich
- /data/data/####/cm_homepage_card_show_1533066639024.ich
- /data/data/####/cm_homepage_card_show_1533066639075.ich
- /data/data/####/cm_homepage_card_show_1533066639079.ich
- /data/data/####/cm_homepage_card_show_1533066639084.ich
- /data/data/####/cm_homepage_card_show_1533066639091.ich
- /data/data/####/cm_homepage_card_show_1533066639097.ich
- /data/data/####/cm_homepage_card_show_1533066639108.ich
- /data/data/####/cm_homepage_card_show_1533066639112.ich
- /data/data/####/cm_homepage_card_show_1533066639125.ich
- /data/data/####/cm_homepage_card_show_1533066639133.ich
- /data/data/####/cm_homepage_card_show_1533066639140.ich
- /data/data/####/cm_homepage_card_show_1533066639147.ich
- /data/data/####/cm_iswipe_errors_1533066605419.ich
- /data/data/####/cm_iswipe_errors_1533066606142.ich
- /data/data/####/cm_junk_reddot_1533066626193.ich
- /data/data/####/cm_junkstd_first_hit_1533066627008.ich
- /data/data/####/cm_main_time_1533066623811.ich
- /data/data/####/cm_me_click2_1533066628016.ich
- /data/data/####/cm_me_click2_1533066637190.ich
- /data/data/####/cm_me_click_1533066638974.ich
- /data/data/####/cm_me_login_1533066628254.ich
- /data/data/####/cm_me_login_1533066637479.ich
- /data/data/####/cm_network_1533066623796.ich
- /data/data/####/cm_network_1533066624567.ich
- /data/data/####/cm_news_active_1533066626179.ich
- /data/data/####/cm_push_message_db.db
- /data/data/####/cm_push_message_db.db-journal
- /data/data/####/cm_start_ad_mainpage_1533066599575.ich
- /data/data/####/cm_task_onetapsuccess_1533066629198.ich
- /data/data/####/cm_tools_functionclick_1533066625754.ich
- /data/data/####/cm_tools_functionclick_1533066625771.ich
- /data/data/####/cm_tools_functionclick_1533066625801.ich
- /data/data/####/cm_tools_functionclick_1533066625814.ich
- /data/data/####/cm_tools_functionclick_1533066625822.ich
- /data/data/####/cm_tools_functionclick_1533066625830.ich
- /data/data/####/cm_tools_functionclick_1533066625845.ich
- /data/data/####/cm_tools_functionclick_1533066625876.ich
- /data/data/####/cm_tools_functionclick_1533066625904.ich
- /data/data/####/cm_tools_functionclick_1533066625905.ich
- /data/data/####/cm_tools_functionclick_1533066625907.ich
- /data/data/####/cm_tools_functionclick_1533066625908.ich
- /data/data/####/cm_tools_functionclick_1533066625923.ich
- /data/data/####/cm_tools_functionclick_1533066625933.ich
- /data/data/####/cm_tools_functionclick_1533066625946.ich
- /data/data/####/cm_wizard_cfg_res_en
- /data/data/####/cm_xiaofuction_1533066599582.ich
- /data/data/####/cm_xiaofuction_1533066599584.ich
- /data/data/####/cm_xiaofuction_1533066599593.ich
- /data/data/####/cm_xiaofuction_1533066623689.ich
- /data/data/####/cm_xiaofuction_1533066623698.ich
- /data/data/####/cmadsdk_104.xml
- /data/data/####/com.adywind.xml
- /data/data/####/com.cleanmaster.mguard_x86.update.UpdateManager.xml
- /data/data/####/com.cleanmaster.mguard_x86;uuid_sp.xml
- /data/data/####/com.cleanmaster.mguard_x86PushConfig_Pref.xml
- /data/data/####/com.cleanmaster.mguard_x86_preferences.xml
- /data/data/####/com.cleanmaster.mguard_x86_preferences.xml (deleted)
- /data/data/####/com.cleanmaster.mguard_x86_preferences.xml.bak
- /data/data/####/com.cleanmaster.mguard_x86_servicehighfreqpreferences.xml
- /data/data/####/com.cleanmaster.mguard_x86_ui_preferences.xml
- /data/data/####/com.cleanmaster.mguard_x86_ui_preferences.xml.bak
- /data/data/####/com.facebook.internal.preferences.APP_SETTINGS.xml
- /data/data/####/com.google.android.gms.appid-no-backup
- /data/data/####/com.google.android.gms.appid.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml (deleted)
- /data/data/####/diskcache.db-journal
- /data/data/####/dmc_default.xml
- /data/data/####/dmc_receiver.xml
- /data/data/####/dmc_report-journal
- /data/data/####/downloads.db-journal
- /data/data/####/downloadzipsdes.dwn
- /data/data/####/e60411#419be9.png
- /data/data/####/e60737#419be9.png
- /data/data/####/e60836#419be9.png
- /data/data/####/e60912#419be9.png
- /data/data/####/e61110#419be9.png
- /data/data/####/eq_off.png
- /data/data/####/eq_on.png
- /data/data/####/eq_shadow_bottom.png
- /data/data/####/eq_shadow_top.png
- /data/data/####/false_cache.db
- /data/data/####/false_cache.db-journal
- /data/data/####/false_residual.db
- /data/data/####/false_residual.db-journal
- /data/data/####/fcl_cache
- /data/data/####/gamecache.db-journal
- /data/data/####/google_app_measurement_local.db
- /data/data/####/google_app_measurement_local.db-journal
- /data/data/####/i2wapi.db-journal
- /data/data/####/image_gamecard_mask.9.png
- /data/data/####/image_landscape_app_mask.png
- /data/data/####/image_landscape_gamecard_mask.9.png
- /data/data/####/image_portrait_app_mask.png
- /data/data/####/img_bg.9.png
- /data/data/####/ips_versions.dwn
- /data/data/####/ips_versions_cn.dwn
- /data/data/####/junkwhite.db.bak
- /data/data/####/junkwhite.db.lzma.bak
- /data/data/####/kctrl.dat
- /data/data/####/kfmt.dat
- /data/data/####/libkssuenv
- /data/data/####/m_app_start_x_v2
- /data/data/####/market.db-journal
- /data/data/####/market_config.xml
- /data/data/####/market_config.xml.bak
- /data/data/####/market_config.xml.bak (deleted)
- /data/data/####/mask_bottom_.9.png
- /data/data/####/mask_top_.9.png
- /data/data/####/melib.dat.bak
- /data/data/####/melib.dat.lzma.bak
- /data/data/####/memory_cache.db
- /data/data/####/memory_cache.db-journal
- /data/data/####/memory_usage_percent#419be9.png
- /data/data/####/misc.xml
- /data/data/####/mnt_api_param_self_click_record.xml
- /data/data/####/mobvista.msdk.db-journal
- /data/data/####/mobvista.xml
- /data/data/####/mp_agent_log
- /data/data/####/multidex.version.xml
- /data/data/####/multiunused.db-journal
- /data/data/####/oen_scene_unplug
- /data/data/####/page_index_gray.png
- /data/data/####/page_index_white.png
- /data/data/####/pkgcache2_cache.db
- /data/data/####/pkgcache2_cache.db-journal
- /data/data/####/pkgcache_hf_en_5.12.3.db.bak
- /data/data/####/pkgcache_hf_en_5.12.3.db.lzma.bak
- /data/data/####/pkgquery_hf_en_5.11.6.db.bak
- /data/data/####/pkgquery_hf_en_5.11.6.db.lzma.bak
- /data/data/####/preinstall4_hf_en.db.bak
- /data/data/####/preinstall4_hf_en.db.lzma.bak
- /data/data/####/process_tips2.db.bak
- /data/data/####/process_tips2.db.lzma.bak
- /data/data/####/ps.db-journal
- /data/data/####/receiver_history_list.dat
- /data/data/####/replay_at.png
- /data/data/####/replay_nm.png
- /data/data/####/residual_dir2_cache.db
- /data/data/####/residual_dir2_cache.db-journal
- /data/data/####/residual_pkg2_cache.db
- /data/data/####/residual_pkg2_cache.db-journal
- /data/data/####/rootkeeper.jar
- /data/data/####/rp_misc.xml
- /data/data/####/sdk_data.db
- /data/data/####/sdk_data.db-journal
- /data/data/####/sdk_preferences.dat
- /data/data/####/sdk_preferences.xml
- /data/data/####/se_cloud_eng.db-journal
- /data/data/####/se_cloud_hf.db.bak
- /data/data/####/se_cloud_hf.db.lzma.bak
- /data/data/####/searchEngine.json
- /data/data/####/searchengine.dat
- /data/data/####/searchengine.xml
- /data/data/####/shadow_bottom.9.png
- /data/data/####/shadow_left.9.png
- /data/data/####/shadow_right.9.png
- /data/data/####/shadow_top.9.png
- /data/data/####/share_date.xml
- /data/data/####/sharedpreferences_mnt_settings.xml
- /data/data/####/sharedpreferences_mnt_strategy_info.xml
- /data/data/####/sharedpreferences_mnt_strategy_recordtime.xml
- /data/data/####/splash_btn_audio_off.png
- /data/data/####/splash_btn_audio_on.png
- /data/data/####/splash_btn_download_at.jpg
- /data/data/####/splash_btn_download_nm.jpg
- /data/data/####/splash_eq_off.png
- /data/data/####/splash_eq_on.png
- /data/data/####/splash_eq_shadow_bottom.png
- /data/data/####/splash_eq_shadow_top.png
- /data/data/####/stream_audio_off.png
- /data/data/####/stream_audio_on.png
- /data/data/####/stream_eq_off.png
- /data/data/####/stream_eq_on.png
- /data/data/####/stream_eq_shadow_bottom.png
- /data/data/####/stream_eq_shadow_top.png
- /data/data/####/strings2_other.db.bak
- /data/data/####/strings2_other.db.lzma.bak
- /data/data/####/sw_tools_promote_image_url
- /data/data/####/sw_tools_promote_image_url.tmp (deleted)
- /data/data/####/swipe_theme_config.json
- /data/data/####/tempblur.jpg
- /data/data/####/timewall_cache.db-journal
- /data/data/####/tmp-com.cleanmaster.mguard_x86-1.apk.classes-18...14.zip
- /data/data/####/tmp-com.cleanmaster.mguard_x86-1.apk.classes1613734423.zip
- /data/data/####/tmpfalse_e_false_cache_1533066603031
- /data/data/####/tmpfalse_e_false_residual_1533066603405
- /data/data/####/topbar.png
- /data/data/####/topbar15.png
- /data/data/####/topbar167.png
- /data/data/####/topbar178.png
- /data/data/####/versions_get.dwn
- /data/data/####/webviewCache.db
- /data/data/####/webviewCache.db-journal
- /data/data/####/whiteNotification.json
- /data/data/####/whiteNotification.tmp (deleted)
- /data/data/####/wifi_tag.png
- /data/data/####/wizd.db-journal
- /data/media/####/.nomedia
- /data/media/####/1009075405720307149
- /data/media/####/17995657901819064192
- /data/media/####/dmc.txt
Miscellaneous:
Executes next shell scripts:
- ls -l /system/bin/su
- sh
- su
Loads the following dynamic libraries:
- libkcmlzma
- libkcmutil
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Uses elevated priveleges.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about APN settings.
Gains access to information about installed applications.
Gains access to information about running applications.
Gains access to information about accounts (Google, Facebook, etc.) registered on the device.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.