Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.637.origin
- Android.DownLoader.596.origin
- Android.Triada.377.origin
Downloads the following detected threats from the Internet:
- Android.Backdoor.636.origin
- Android.Triada.1714
Prompts to install third-party apps.
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 36.7.1####.221:8085
- TCP(HTTP/1.1) gpu####.m####.com:8080
- TCP(HTTP/1.1) mo####.ultrapr####.com:80
- TCP(HTTP/1.1) pac####.ultrapr####.com:80
- TCP(HTTP/1.1) sm####.m####.com:80
- TCP(HTTP/1.1) adman####.android####.info:80
- TCP(HTTP/1.1) r####.hiwec####.com:8085
- TCP(HTTP/1.1) acc####.thefunn####.com:8100
- TCP(HTTP/1.1) acc####.thefunn####.com:80
- TCP(HTTP/1.1) as####.hiwec####.com:7756
- TCP(HTTP/1.1) w####.m####.in:80
- TCP(HTTP/1.1) g####.m####.com:80
- TCP(HTTP/1.1) d####.appsco####.com:80
- TCP(HTTP/1.1) b####.android####.info:80
- TCP(HTTP/1.1) r####.hiwec####.com:80
- TCP(TLS/1.0) 2####.58.212.174:443
- TCP(TLS/1.0) sett####.crashly####.com:443
- TCP 98.1####.23.24:6038
- TCP 98.1####.23.24:6024
DNS requests:
- 109.211.58.####.arpa
- 174.212.58.####.arpa
- 74.17.217.####.arpa
- 95.79.194.####.arpa
- 99.20.217.####.arpa
- acc####.thefunn####.com
- acco####.go####.com
- adman####.android####.info
- as####.hiwec####.com
- b####.android####.info
- d####.appsco####.com
- g####.m####.com
- gpu####.m####.com
- hijo####.thefunn####.com
- loading####.mids####.info
- mo####.ultrapr####.com
- p####.google####.com
- p####.hiwec####.com
- pac####.ultrapr####.com
- r####.android####.info
- r####.hiwec####.com
- sett####.crashly####.com
- sm####.m####.com
- ssl.gst####.com
- w####.m####.in
- www.google####.com
HTTP GET requests:
- acc####.thefunn####.com/soft/59b1ed77a2edd.zip
- acc####.thefunn####.com/soft/59f9b84c64333.zip
- acc####.thefunn####.com/soft/5a178918b9258.zip
- acc####.thefunn####.com/soft/5a1d192c526b3.zip
- acc####.thefunn####.com/soft/5a3b83fe10153.zip
- acc####.thefunn####.com/soft/5a7286ef127b0.zip
- acc####.thefunn####.com/soft/5a797e2b3140b.zip
- acc####.thefunn####.com/soft/5a92682bdfdbe.zip
- acc####.thefunn####.com/soft/5a964deb282bd.zip
- acc####.thefunn####.com/soft/5aec20da7ff17.zip
- acc####.thefunn####.com/soft/5bea665062a17.zip
- adman####.android####.info/OffersApi/lanjie?publisher_id=####&slot=####&...
- b####.android####.info/api/getSdk
- b####.android####.info/api/getSelfUpdate?is_test=####&version=####&
- b####.android####.info/api/getThirdPartPushApk
- b####.android####.info/api/timeInterval
- b####.android####.info/upload/Selfupdate/20171213084930.7z
- pac####.ultrapr####.com/Uploads/ThirdPartyPushApk/g36_base.apk
- pac####.ultrapr####.com/Uploads/sdk/171212_fixservice-debug_10000_2_2.0_...
- sm####.m####.com/Api/Partners/initOpen?tag=####&version=####
- w####.m####.in/api/initOpen?tag=####&version=####&game_id=####
HTTP POST requests:
- acc####.thefunn####.com:8100/Update/dystat
- acc####.thefunn####.com:8100/Update/packageLogByType
- acc####.thefunn####.com:8100/Update/packageManageUpdate
- acc####.thefunn####.com:8100/Update/packageUpdateResult
- as####.hiwec####.com:7756/goclient/gettask
- b####.android####.info/api/dystat
- b####.android####.info/api/tempLogInfo
- d####.appsco####.com/androidplus/?c=####&a=####
- g####.m####.com/Grab/ip
- g####.m####.com/Register/heart
- gpu####.m####.com:8080/go/api
- mo####.ultrapr####.com/index.php?c=####&m=####
- r####.hiwec####.com/golang/get
- r####.hiwec####.com:8085/fiddler/get
File system changes:
Creates the following files:
- /data/data/####/11454160
- /data/data/####/18345434
- /data/data/####/1b8913b707d2dbeb405ab51baa9e0c13
- /data/data/####/59b1ed77a2edd.zip
- /data/data/####/59f9b84c64333.zip
- /data/data/####/5a178918b9258.zip
- /data/data/####/5a1d192c526b3.zip
- /data/data/####/5a3b83fe10153.zip
- /data/data/####/5a7286ef127b0.zip
- /data/data/####/5a797e2b3140b.zip
- /data/data/####/5a92682bdfdbe.zip
- /data/data/####/5a964deb282bd.zip
- /data/data/####/5aec20da7ff17.zip
- /data/data/####/5bea665062a17.zip
- /data/data/####/Service.xml
- /data/data/####/TwitterAdvertisingInfoPreferences.xml
- /data/data/####/[[afollestad_heme-engine_dark_theme]].xml
- /data/data/####/[[afollestad_heme-engine_dark_theme_notoolbar]].xml
- /data/data/####/[[afollestad_heme-engine_light_theme]].xml
- /data/data/####/[[afollestad_heme-engine_light_theme_notoolbar]].xml
- /data/data/####/b7099c6058ad0283bc3e323f6f35a482
- /data/data/####/bg_sp.xml
- /data/data/####/classes.dex
- /data/data/####/com.crashlytics.prefs.xml
- /data/data/####/com.crashlytics.sdk.android;answers;settings.xml
- /data/data/####/com.lmt.register_preferences.xml
- /data/data/####/com.solo.adsdk.preference.pkg.xml
- /data/data/####/com.solo.adsdk.preference.user.xml
- /data/data/####/com.solo.adsdk.preference.user.xml.bak
- /data/data/####/config.xml
- /data/data/####/error
- /data/data/####/get_ip_file.xml
- /data/data/####/getprop_c
- /data/data/####/interval_config.xml
- /data/data/####/libfilesystem_monitor.so
- /data/data/####/libkrsdk.so
- /data/data/####/libnativeUtil.so
- /data/data/####/libso1.so
- /data/data/####/libun7z.so
- /data/data/####/log.xml
- /data/data/####/module_cache.xml
- /data/data/####/musicdb.db-journal
- /data/data/####/naman14.timber.dev_preferences.xml
- /data/data/####/naman14.timber.dev_preferences.xml.bak
- /data/data/####/naman14.timber.dev_preferences.xml.bak (deleted)
- /data/data/####/public_sp.xml
- /data/data/####/receive_time_file.xml
- /data/data/####/runtime
- /data/data/####/sa_193cc559-1954-4551-8fb1-afd4296494f7_1548299787202.tap
- /data/data/####/sbys.xml
- /data/data/####/sbysc.xml
- /data/data/####/sbysc.xml.bak
- /data/data/####/session_analytics.tap
- /data/data/####/session_analytics.tap.tmp
- /data/data/####/setprop_c
- /data/data/####/share_params.xml
- /data/data/####/source.zip
- /data/data/####/toor.xml
- /data/data/####/webview.db-journal
- /data/data/####/zlt
- /data/data/####/zlt.7z
- /data/data/####/zlt.7z_tmp
- /data/data/####/zltcheck
- /data/data/####/zltdaemon
- /data/local/####/zlt_conf
- /data/media/####/.androidID
- /data/media/####/.nomedia
- /data/media/####/.recordinterval
- /data/media/####/bart.apk
- /data/media/####/bart.apk_tmp
- /data/media/####/com.lmt.register.apk
- /data/media/####/com.lmt.register.apk_tmp
- /data/media/####/juuid.bk
- /data/media/####/pureSdk
- /system/pureSdk
Miscellaneous:
Executes the following shell scripts:
- bart 9a952b2dd32a3ca2072d3794c3129709
- cat /sys/class/net/wlan0/address
- getprop
- getprop ro.product.cpu.abi
- getprop ro.product.cpu.abi2
- grep zlt
- ping -c 3 -w 10 accounts.google.com
- ping -c 3 -w 10 android.clients.google.com
- ping -c 3 -w 10 play.googleapis.com
- ping -c 3 -w 10 ssl.gstatic.com
- ping -c 3 -w 10 www.googleapis.com
- ping -c 4 174.139.72.164
- ps
- sh
- sh /system/bin/getprop
- su
Loads the following dynamic libraries:
- RSSupportIO
- blasV8
- libkrsdk
- libnativeUtil
- librsjni
- libso1
- libun7z
- so1
Uses the following algorithms to encrypt data:
- AES-ECB-PKCS5Padding
- DES
Uses the following algorithms to decrypt data:
- AES-ECB-PKCS5Padding
- DES
Uses elevated priveleges.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.