Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Triada.443.origin
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) sl.zhang####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) gp.sh####.com:80
- TCP(TLS/1.0) api.face####.com:443
- TCP(TLS/1.0) 1####.217.17.78:443
- TCP(TLS/1.0) api.appsf####.com:443
- TCP(TLS/1.0) 1####.217.20.110:443
- TCP(TLS/1.0) t.appsf####.com:443
DNS requests:
- a####.u####.com
- api.appsf####.com
- g####.face####.com
- gp.sh####.com
- gp.sj####.com
- sl.zhang####.com
- t.appsf####.com
HTTP GET requests:
- gp.sh####.com/cr/sv/getGoFile?name=####
- gp.sh####.com/cr/sv/getRltNew?eid=####&estatus=####&appkey=####&pid=####...
- sl.zhang####.com/apk/des_v171204_32.zip
- sl.zhang####.com/apk/goplaysdk_v171201_sp2.dat
- sl.zhang####.com/rtf/408b845b63828fe074b39ecd1cba374c.slze
- sl.zhang####.com/rtf/42108637bf1aa8173608aa9259693c1b.slze
- sl.zhang####.com/rtf/43048420199e0767a10a7a1a25e65e32.slze
- sl.zhang####.com/rtf/611939f8c2ec5798458a1b43c5d12c08.slze
- sl.zhang####.com/rtf/6172e4a32338b1deed308f899acf3ce1.slze
- sl.zhang####.com/rtf/640adb88b11aaa31cef58f201f381b03.slze
- sl.zhang####.com/rtf/8063d9d8538ce6248951fd430b6c7632.slze
- sl.zhang####.com/rtf/95039bf01df7c9832986cba2bad47076.slze
HTTP POST requests:
- a####.u####.com/app_logs
- gp.sh####.com/cr/sv/getEPList
Modified file system:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/.md
- /data/data/####/13F13A8FE3851930102D46172D173B07
- /data/data/####/1414D41B9FB5150C694D363EC07A1CFD
- /data/data/####/1537816054819_beta32.so
- /data/data/####/2189860E89878C788A7BF7AE556AA743
- /data/data/####/30827CF33BF0EE5525A20A262016B7FF
- /data/data/####/408.jar
- /data/data/####/421.jar
- /data/data/####/430.jar
- /data/data/####/5game2DB8520H46
- /data/data/####/611.jar
- /data/data/####/617.jar
- /data/data/####/640.jar
- /data/data/####/6F63EC76EDDE969BF60DE07DC739CD88
- /data/data/####/806.jar
- /data/data/####/831519E55ADA2491F95EEB9889D5A5C4
- /data/data/####/8F5FC4DD213CDB1484635BA2D2EF967A
- /data/data/####/950.jar
- /data/data/####/AppEventsLogger.persistedevents
- /data/data/####/F19C5491F5934B77513A71744AF767B1
- /data/data/####/appsflyer-data.xml
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/com.facebook.sdk.appEventPreferences.xml
- /data/data/####/com.facebook.sdk.attributionTracking.xml
- /data/data/####/com.gameker.sudoku.game12golden2
- /data/data/####/com.gameker.sudoku.game_preferences.xml
- /data/data/####/com.gameker.sudoku.game_preferences.xml.bak
- /data/data/####/com.google.android.gms.appid-no-backup
- /data/data/####/com.google.android.gms.appid.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.net.uutils.prefs.xml
- /data/data/####/device_gpid.xml.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/google_app_measurement_local.db
- /data/data/####/google_app_measurement_local.db-journal
- /data/data/####/gpdu
- /data/data/####/hftJcw46N.jar
- /data/data/####/ntmp22992351
- /data/data/####/samsung112.jar
- /data/data/####/test
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- /data/media/####/GPMID.bin
Miscellaneous:
Executes next shell scripts:
- <Package Folder>/files/.play/test <Package Folder>/files/.play/ b075121dcc0c431bbf10418808c27e75
- <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h b075121dcc0c431bbf10418808c27e75 <Package Folder>/.syslib-
- chmod 0771 <Package Folder>/.syslib-
- chmod 770 <Package Folder>/files/.play/test
- getenforce
- rm -f <Package Folder>/files/hftJcw46N.dex
- rm -f <Package Folder>/files/hftJcw46N.jar
- rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- rm <Package Folder>/files/hftJcw46N.dex
- rm <Package Folder>/files/hftJcw46N.jar
- rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh <Package Folder>/files/.play/test <Package Folder>/files/.play/ b075121dcc0c431bbf10418808c27e75
- sh <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h b075121dcc0c431bbf10418808c27e75 <Package Folder>/.syslib-
Loads the following dynamic libraries:
- 1537816054819_beta32
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
- DES
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.