Android.Triada.2609

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.DownLoader.691.origin
Android.RemoteCode.907
Android.Triada.2018
Android.Triada.373.origin

Accesses the ITelephony private interface.

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) l.ace####.com:80
TCP(HTTP/1.1) img.ace####.com:80
TCP(HTTP/1.1) dw.winners####.com:80
TCP(HTTP/1.1) en####.tui####.com:80
TCP(HTTP/1.1) 1####.78.31.198:8030
TCP(HTTP/1.1) 1####.196.191.233:6700
TCP(HTTP/1.1) yun.tuit####.com.####.com:80
TCP(HTTP/1.1) q####.a####.com:80
TCP(HTTP/1.1) z####.heyc####.net:80
TCP(HTTP/1.1) pa.angs####.com:8003
TCP(HTTP/1.1) e.angs####.com:6284
TCP(HTTP/1.1) d####.top:91
TCP(HTTP/1.1) loc.map.b####.com:80
TCP(HTTP/1.1) ji####.jieme####.com:8152
TCP(HTTP/1.1) ot.bigb####.com:6099
TCP(HTTP/1.1) 1####.196.191.233:6600
TCP(HTTP/1.1) 39.1####.149.135:80
TCP(HTTP/1.1) wb.mults####.com:80
TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
TCP(TLS/1.0) and####.cli####.go####.com:443
TCP(TLS/1.0) yw.suma####.com:5600
TCP(TLS/1.0) yw.suma####.com:5500

DNS requests:

and####.cli####.go####.com
d####.top
dw.winners####.com
e.angs####.com
en####.tui####.com
img.ace####.com
ji####.dl####.com
ji####.jieme####.com
l.ace####.com
loc.map.b####.com
ot.bigb####.com
pa.angs####.com
plb####.u####.com
u####.u####.com
wb.mults####.com
yun.tuit####.com
yw.suma####.com
z####.heyc####.net

HTTP GET requests:

dw.winners####.com/img/20181123/971661/timgWCRE825V.jpg
dw.winners####.com/tem/ad.html
dw.winners####.com/tem/js/WebViewJavascriptBridge.js
dw.winners####.com/tem/js/jquery-1.8.0.min.js
en####.tui####.com/index/image?appKey=####&adslotId=####
img.ace####.com/ando-res/ads/4/20/631b3284-4282-4a0c-a490-4c2b3dc0e58d/5...
img.ace####.com/ando-res/ads/5/6/3f7084c5-2ba3-44bb-a565-c2e1cf969203/ad...
img.ace####.com/ando-res/m/9XOKuFKgaFvZ-GHoh*HK9fumDyiMoTlu-nkN118jlXTHR...
q####.a####.com/jieplginf/wchzfdat27
yun.tuit####.com.####.com/mami-media/img/xpgwb4yzhf.jpg

HTTP POST requests:

d####.top:91/d1348/b2c0
d####.top:91/o9276cf/b8f00
d####.top:91/s209/bf8
d####.top:91/s9af5eca/4e169b3
e.angs####.com:6284/android.frontserver/pcsvc
ji####.jieme####.com:8152/ryf_webserver/payment/checkupdate.html
l.ace####.com/ando/v2/ap?app_id=####&r=####
l.ace####.com/ando/v2/lv?app_id=####&r=####
l.ace####.com/ando/v2/qa?app_id=####&r=####
loc.map.b####.com/sdk.php
ot.bigb####.com:6099/aps/
pa.angs####.com:8003/pps
wb.mults####.com/a?v=####&r=####&z=####
z####.heyc####.net/getlist
z####.heyc####.net/xlogin

File system changes:

Creates the following files:

/data/data/####/-sgyC70y7gu9hx-vmFXqxQ==.new
/data/data/####/.dex
/data/data/####/.edata
/data/data/####/.imprint
/data/data/####/.jar
/data/data/####/1B3A2967E5FD862EFD957606C65C8122
/data/data/####/1sNZcPH1IItX1SzwocSgo870_pv6O5SC.new
/data/data/####/23lrXPoohkJDWV9VKuXu7g==
/data/data/####/2babizUo1pKrNnOOSEspA3Sg68o=.new
/data/data/####/2fe79d91-ab94-4e06-bcdb-0b0d038dd867.pic
/data/data/####/2tiqv8uL7O0MLrCqPZXpoj1GcIytI0wngUPUlCpYfiI=.new
/data/data/####/30592A6B8B0C769E3F7FDE6E1A033DF5
/data/data/####/41582d8e-510b-4b33-89a7-41b94151e6c8.pic.temp
/data/data/####/42a8ebe5-89fd-4a58-81e4-b82731af13e3.pic.temp
/data/data/####/4uRYRDWSi6-i-5BdWY8w3C7kU4M=.new
/data/data/####/5LFR94pj-fEu-uiv5YJDFxFvz6oPMz4FQl8jQrB8BXY=.new
/data/data/####/6OTqkhbqog1SH4_rtztSQ2x18TZUXRgN.new
/data/data/####/7GCM43by7BPciU2Irz_Qn1aJSXBHTl6M.new
/data/data/####/827152a3-ebc0-4e49-ae6e-95aef7e9f088.pic
/data/data/####/84sdt7WP9aJTiYZ-kdtQC4Olc8k=.temp
/data/data/####/AZrfF3398vgQuiLNk-oBWWxbpqv6FixL7JbJCg==_Ca7U33...7VDw==
/data/data/####/AZrfF3398vgQuiLNk-oBWWxbpqv6FixL7JbJCg==_Ca7U33...ournal
/data/data/####/AZrfF3398vgQuiLNk-oBWWxbpqv6FixL7JbJCg==_L7ykra...-zRw==
/data/data/####/AZrfF3398vgQuiLNk-oBWWxbpqv6FixL7JbJCg==_L7ykra...ournal
/data/data/####/AZrfF3398vgQuiLNk-oBWWxbpqv6FixL7JbJCg==_UMIKRz...ournal
/data/data/####/AZrfF3398vgQuiLNk-oBWWxbpqv6FixL7JbJCg==_UMIKRzNPg1_XbziS
/data/data/####/AZrfF3398vgQuiLNk-oBWWxbpqv6FixL7JbJCg==_tcIpDt...ournal
/data/data/####/AZrfF3398vgQuiLNk-oBWWxbpqv6FixL7JbJCg==_zbHT6r...Q_4As=
/data/data/####/AZrfF3398vgQuiLNk-oBWWxbpqv6FixL7JbJCg==_zbHT6r...ournal
/data/data/####/B5QzpTwaXfJg0EHYIocP0cyB-A871R9-gD_CQURlWqE=.new
/data/data/####/Cl7kL10b1rR4PxQXeg67jdsoERRcDeAF.new
/data/data/####/D99494BB10D048C393648C204AF8AA38
/data/data/####/EXXJu68nEAxkVDj5bNtt74zwjUY=.new
/data/data/####/GA1YiEaw2aba7NbU.new
/data/data/####/JiePay.xml
/data/data/####/PqYDpLHSBYU5VuBlR8V_Zgx_sqvCUwiV.new
/data/data/####/RJDCO29PVk2u2g5IHL2GCg4VxgL_N6NxqCTR4g==.new
/data/data/####/Setting.xml
/data/data/####/T7JNejsshZolAnK9UQ4Pf0yNnnc=
/data/data/####/V15-sn-T4GEwEGx1
/data/data/####/WTqi4m3_x7eAO6-8mxp_aXS9iI68T4V_19MVow==.new
/data/data/####/XinZFsmspay.db
/data/data/####/XinZFsmspay.db-journal
/data/data/####/a_tmp
/data/data/####/cJiLMF_d14NmUCmbQmjUkeLU5x8=.new
/data/data/####/classes.dex
/data/data/####/classes.dve
/data/data/####/classes.jar
/data/data/####/com.SecShell.tmp2275
/data/data/####/com.SecShell.tmp2321
/data/data/####/com.SecShell.tmp2374
/data/data/####/com.SecShell.tmp2434
/data/data/####/com.SecShell.tmp2481
/data/data/####/com.SecShell.tmp2732
/data/data/####/com.SecShell.tmp2774
/data/data/####/com.SecShell.tmp2815
/data/data/####/com.SecShell.tmp2868
/data/data/####/com.SecShell.tmp2920
/data/data/####/com.SecShell.tmp2970
/data/data/####/com.SecShell.tmp3035
/data/data/####/com.SecShell.tmp3086
/data/data/####/com.SecShell.tmp3128
/data/data/####/com.SecShell.tmp3172
/data/data/####/com.SecShell.tmp3219
/data/data/####/com.SecShell.tmp3272
/data/data/####/com.SecShell.tmp3329
/data/data/####/com.SecShell.tmp3369
/data/data/####/com.SecShell.tmp3418
/data/data/####/com.SecShell.tmp3471
/data/data/####/com.SecShell.tmp3507
/data/data/####/com.SecShell.tmp3557
/data/data/####/com.SecShell.tmp3618
/data/data/####/com.SecShell.tmp3669
/data/data/####/com.SecShell.tmp3709
/data/data/####/com.SecShell.tmp3769
/data/data/####/com.SecShell.tmp3817
/data/data/####/com.SecShell.tmp3863
/data/data/####/com.SecShell.tmp3943
/data/data/####/com.SecShell.tmp3982
/data/data/####/com.SecShell.tmp4032
/data/data/####/com.SecShell.tmp4085
/data/data/####/com.SecShell.tmp4127
/data/data/####/com.SecShell.tmp4174
/data/data/####/com.SecShell.tmp4224
/data/data/####/com.SecShell.tmp4259
/data/data/####/com.SecShell.tmp4308
/data/data/####/com.SecShell.tmp4369
/data/data/####/com.SecShell.tmp4405
/data/data/####/com.SecShell.tmp4443
/data/data/####/com.SecShell.tmp4502
/data/data/####/com.SecShell.tmp4544
/data/data/####/com.SecShell.tmp4582
/data/data/####/com.SecShell.tmp4627
/data/data/####/com.SecShell.tmp4860
/data/data/####/com.dgewxcs.grgxcv29t.com.one.sdk.c.amsg.db-journal
/data/data/####/core.jar
/data/data/####/csdksession.xml
/data/data/####/dEx3i3AsI0GZp_xZ.zip
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQzMjg3MDIxNzY3;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQzMjg3MDU1MDAz;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQzMjg3MDY2NTA1;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQzMjg3MDYwMzI4;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQzMjg3MDc3NTIw;
/data/data/####/data_0
/data/data/####/data_1
/data/data/####/data_2
/data/data/####/data_3
/data/data/####/dpi
/data/data/####/ewQI8DXTpKVzSZEN63rpkw==.new
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/fE_iO8gXRBcxKz8xEdf9R_CKXPo=.new
/data/data/####/f_000001
/data/data/####/f_000002
/data/data/####/f_000003
/data/data/####/gdt_config.xml
/data/data/####/gkdfug_f.zip
/data/data/####/gzk84vuVuGFOMnTvEry5-lod4PM2LTtGNhTacQ==_Ca7U33...7VDw==
/data/data/####/gzk84vuVuGFOMnTvEry5-lod4PM2LTtGNhTacQ==_Ca7U33...ournal
/data/data/####/gzk84vuVuGFOMnTvEry5-lod4PM2LTtGNhTacQ==_L7ykra...-zRw==
/data/data/####/gzk84vuVuGFOMnTvEry5-lod4PM2LTtGNhTacQ==_L7ykra...ournal
/data/data/####/gzk84vuVuGFOMnTvEry5-lod4PM2LTtGNhTacQ==_UMIKRz...ournal
/data/data/####/gzk84vuVuGFOMnTvEry5-lod4PM2LTtGNhTacQ==_UMIKRzNPg1_XbziS
/data/data/####/gzk84vuVuGFOMnTvEry5-lod4PM2LTtGNhTacQ==_tcIpDt...ournal
/data/data/####/gzk84vuVuGFOMnTvEry5-lod4PM2LTtGNhTacQ==_zbHT6r...Q_4As=
/data/data/####/gzk84vuVuGFOMnTvEry5-lod4PM2LTtGNhTacQ==_zbHT6r...ournal
/data/data/####/h3GMnpw6JbYx8hqiHCvlfOW9mpY=.temp
/data/data/####/h4mFLkPPquUf5qJ8NuvH_Fwk9sJka48V.new
/data/data/####/hid.db
/data/data/####/hqjJGJTyxbFAOIApbSxcGsCiPnU=.new
/data/data/####/i==1.2.0&&9.0.0_1543287022339_envelope.log
/data/data/####/i==1.2.0&&9.0.0_1543287055073_envelope.log
/data/data/####/index
/data/data/####/info.xml
/data/data/####/j6RxG0aNJyOBOB3w1vWH4A==.new
/data/data/####/jiepay_config.xml
/data/data/####/jiepayplugin.apk
/data/data/####/jiepayplugin.apkdata
/data/data/####/jiepaysmspay.db
/data/data/####/jiepaysmspay.db-journal
/data/data/####/kb_idle.ini
/data/data/####/kes.xml
/data/data/####/lj9dT5A0Qjn6dw_uLLwdRiXHKJETq4JV.new
/data/data/####/nn_app.xml
/data/data/####/oCg3vszXrMeNRgUu
/data/data/####/onePay.xml
/data/data/####/playerData
/data/data/####/qYQqD88UaRxvgu4vKM3DeszfRqVUTQtb9FG8bf-aYbo=.new
/data/data/####/rdata_comauihvqiuaz.new
/data/data/####/rdata_comiznvwerohz.new
/data/data/####/runner_info.prop.new
/data/data/####/sdk_DB
/data/data/####/sdk_DB-journal
/data/data/####/tdFdNjxPORk9oGW2JguNBencr1ZyU2mw.new
/data/data/####/trckvq_f.zip
/data/data/####/twsdk.db-journal
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/uid.f
/data/data/####/um_pri.xml
/data/data/####/umdat.xml
/data/data/####/umeng_common_config.xml
/data/data/####/umeng_common_location.xml
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/unsdQ7Wg_6Tjt6hMBCknxbsQNp_jTRMs.new
/data/data/####/userData.xml
/data/data/####/userDatas.xml
/data/data/####/webview.db
/data/data/####/webview.db-journal
/data/data/####/webviewCookiesChromium.db
/data/data/####/webviewCookiesChromium.db-journal
/data/data/####/yFiJsKFX3u_OGeMEMB83TA==
/data/data/####/zscBTGQhxpM2U2ajiv6itrawIGKIqmqQz2RuMA==.new
/data/media/####/.a.dat
/data/media/####/.adfwe.dat
/data/media/####/.cca.dat
/data/media/####/.nid
/data/media/####/.umm.dat
/data/media/####/.uunique
/data/media/####/.uunique.new
/data/media/####/1d9e98d9-2735-4ee9-b859-80785793b178.res
/data/media/####/2c03cc74-3547-4b9d-a29c-27977856ec60.res
/data/media/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
/data/media/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
/data/media/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
/data/media/####/MP8MtaBuguN9jnuSwtN1kQ==
/data/media/####/NDID.DAT
/data/media/####/UIW.DAT
/data/media/####/eb9b15dd-2706-448c-9ff1-0d43a560f9e7.res
/data/media/####/r_pkDgN4OhnkSa0D
/data/media/####/sys.lock
/data/media/####/sysid.dat

Miscellaneous:

Executes the following shell scripts:

./im_arthc
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
/system/bin/sh
<Package Folder>/code-4238569/oCg3vszXrMeNRgUu -p <Package> -c com.iznvw.erohz.sugus.KiwiReceiver -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
<Package Folder>/code-5476231/oCg3vszXrMeNRgUu -p <Package> -c com.auihv.qiuaz.pencil.ChrysanthemumReceiver -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
cat /sys/class/android_usb/android0/idProduct
cat /sys/class/android_usb/android0/idVendor
chmod 777 <Package Folder>/files/im_arthc
chmod 777 <Package Folder>/im7563814389_o
chmod 777 <Package Folder>/im7563814389_o_o
chmod 777 <Package Folder>/im7563814389_o_o_o
chmod 777 <Package Folder>/im7563814389_o_o_o_o
chmod 777 <Package Folder>/im7563814389_o_o_o_o_o
chmod 777 <Package Folder>/im7563814389_o_o_o_o_o_o
chmod 777 <Package Folder>/im7563814389_o_o_o_o_o_o_o
chmod 777 <Package Folder>/im7563814389_o_o_o_o_o_o_o_o
chmod 777 <Package Folder>/im7563814389_o_o_o_o_o_o_o_o_o
dd if=<Package Folder>/files/im_arthc of=<Package Folder>/im7563814389_o
dd if=<Package Folder>/files/im_arthc of=<Package Folder>/im7563814389_o_o
dd if=<Package Folder>/files/im_arthc of=<Package Folder>/im7563814389_o_o_o
dd if=<Package Folder>/files/im_arthc of=<Package Folder>/im7563814389_o_o_o_o
dd if=<Package Folder>/files/im_arthc of=<Package Folder>/im7563814389_o_o_o_o_o
dd if=<Package Folder>/files/im_arthc of=<Package Folder>/im7563814389_o_o_o_o_o_o
dd if=<Package Folder>/files/im_arthc of=<Package Folder>/im7563814389_o_o_o_o_o_o_o
dd if=<Package Folder>/files/im_arthc of=<Package Folder>/im7563814389_o_o_o_o_o_o_o_o
dd if=<Package Folder>/files/im_arthc of=<Package Folder>/im7563814389_o_o_o_o_o_o_o_o_o
getprop
ls -l /dev
ls -l /dev/block
ls -l /dev/block/vold
ls -l /dev/bus
ls -l /dev/bus/usb
ls -l /dev/bus/usb/001
ls -l /dev/com.android.settings.daemon
ls -l /dev/cpuctl
ls -l /dev/cpuctl/apps
ls -l /dev/cpuctl/apps/bg_non_interactive
ls -l /dev/graphics
ls -l /dev/input
ls -l /dev/log
ls -l /dev/pts
ls -l /dev/snd
ls -l /dev/socket
ls /sys/class/thermal
ps
sh
sh <Package Folder>/code-4238569/oCg3vszXrMeNRgUu -p <Package> -c com.iznvw.erohz.sugus.KiwiReceiver -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
sh <Package Folder>/code-5476231/oCg3vszXrMeNRgUu -p <Package> -c com.auihv.qiuaz.pencil.ChrysanthemumReceiver -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung

Loads the following dynamic libraries:

SecShell

Uses the following algorithms to encrypt data:

AES
AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
DES-CBC-PKCS5Padding

Uses the following algorithms to decrypt data:

AES
AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
DES
DES-CBC-PKCS5Padding

Uses special library to hide executable bytecode.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Gets information about running apps.

Adds tasks to the system scheduler.

Displays its own windows over windows of other apps.

Parses information from SMS.

Gets information about sent/received SMS.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial