Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.155.origin
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) c####.baidust####.com:80
- TCP(HTTP/1.1) a####.qq.com:80
- TCP(HTTP/1.1) 07img####.eas####.com.####.com:80
- TCP(HTTP/1.1) s####.j####.cn:80
- TCP(HTTP/1.1) tou####.eas####.com:80
- TCP(HTTP/1.1) m.tt.vip-dns####.com:80
- TCP(HTTP/1.1) www.a.sh####.com:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(HTTP/1.1) 05img####.eas####.com.####.com:80
- TCP(HTTP/1.1) i.g####.cn.####.com:80
- TCP(HTTP/1.1) m####.q####.qq.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) qzones####.g####.cn.####.com:80
- TCP(HTTP/1.1) ping####.qq.com:80
- TCP(HTTP/1.1) v####.gua####.com:80
- TCP(HTTP/1.1) a####.dfshu####.com:80
- TCP(HTTP/1.1) pos.b####.com:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) box.jom####.com:80
- TCP(HTTP/1.1) tj.gua####.com:80
- TCP(HTTP/1.1) isds####.qq.com:80
- TCP(HTTP/1.1) www.m####.com:80
- TCP(HTTP/1.1) s####.dftou####.com:80
- TCP(HTTP/1.1) 08img####.eas####.com.####.com:80
- TCP(HTTP/1.1) g####.dftou####.com:80
- TCP(HTTP/1.1) m####.eas####.com:80
- TCP(HTTP/1.1) t####.gua####.com:80
- TCP(HTTP/1.1) mobads-####.b####.com:80
- TCP(HTTP/1.1) em.b####.com:80
- TCP(HTTP/1.1) zt-adfi####.oss-cn-####.aliy####.com:80
- TCP(TLS/1.0) sslbdst####.jom####.com:443
- TCP(TLS/1.0) b.bdst####.com:443
- TCP(TLS/1.0) box.jom####.com:443
- TCP(TLS/1.0) opencdn####.jom####.com:443
- TCP(TLS/1.0) a####.b####.com:443
- TCP(TLS/1.0) tou####.eas####.com:443
- TCP(TLS/1.0) m####.eas####.com:443
- TCP(TLS/1.0) softw####.dftou####.com:443
- TCP(TLS/1.0) ssls####.jom####.com:443
- TCP(TLS/1.0) ch####.jom####.com:443
- TCP(TLS/1.0) www.a.sh####.com:443
- TCP(TLS/1.0) c####.baidust####.com:443
- TCP(TLS/1.0) 08img####.eas####.com.####.com:443
- TCP(TLS/1.0) wapac####.dftou####.com:443
- TCP(TLS/1.0) c####.b####.com:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) cambria####.cdn.bc####.####.com:443
- TCP(TLS/1.0) posi####.dftou####.com:443
- TCP(TLS/1.0) sslb####.jom####.com:443
- TCP 1####.121.49.69:7001
- UDP s.j####.cn:19000
DNS requests:
- 00img####.eas####.com
- 01img####.eas####.com
- 02img####.eas####.com
- 03img####.eas####.com
- 04img####.eas####.com
- 05img####.eas####.com
- 06img####.eas####.com
- 07img####.eas####.com
- 08img####.eas####.com
- 09img####.eas####.com
- a####.b####.com
- a####.dfshu####.com
- a####.qq.com
- a####.qq.com
- b.bdst####.com
- bro####.gua####.com
- c####.b####.com
- c####.baidust####.com
- c####.jd.com
- c.c####.com
- cambria####.cdn.bc####.com
- cm.pos.b####.com
- ec####.b####.com
- em.b####.com
- f10.b####.com
- f12.b####.com
- g####.bdst####.com
- g####.dftou####.com
- g0.b####.com
- hm.b####.com
- i.g####.cn
- isds####.qq.com
- m####.eas####.com
- m####.q####.qq.com
- m.b####.com
- m.t####.cn
- mo####.b####.com
- mobads-####.b####.com
- pi####.qq.com
- ping####.qq.com
- ping####.qq.com
- pos.b####.com
- posi####.dftou####.com
- qzones####.g####.cn
- refresh####.gua####.com
- s####.dftou####.com
- s####.j####.cn
- s.bdst####.com
- s.j####.cn
- sis.j####.io
- softw####.dftou####.com
- sp1.b####.com
- ss0.b####.com
- ss0.bdst####.com
- ss1.b####.com
- ss2.b####.com
- ss3.b####.com
- t####.gua####.com
- t10.b####.com
- t12.b####.com
- t8.b####.com
- t9.b####.com
- tj.gua####.com
- tou####.eas####.com
- v####.gua####.com
- wapac####.dftou####.com
- www.b####.com
- www.m####.com
- z4.c####.com
- zt-adfi####.oss-cn-####.aliy####.com
HTTP GET requests:
- 05img####.eas####.com.####.com/mobile/20190323/2019032311_32fdd95c1de041...
- 05img####.eas####.com.####.com/mobile/20190327/20190327050608_0173c9cf99...
- 05img####.eas####.com.####.com/mobile/20190328/20190328031401_81af59fc07...
- 05img####.eas####.com.####.com/mobile/20190328/20190328105427_1cbd8d1044...
- 05img####.eas####.com.####.com/mobile/20190328/20190328161800_6d172df2ce...
- 05img####.eas####.com.####.com/video/vgaoxiao/20190325/20190325104032054...
- 05img####.eas####.com.####.com/video/vtiyu/20190120/20190120085618174729...
- 05img####.eas####.com.####.com/video/vvideo/20190326/2019032611285261409...
- 07img####.eas####.com.####.com/mobile/20190327/20190327173920_812795b874...
- 07img####.eas####.com.####.com/mobile/20190327/20190327220400_72eab33ea6...
- 07img####.eas####.com.####.com/mobile/20190328/2019032806_421a4bbbe50e42...
- 07img####.eas####.com.####.com/mobile/20190328/2019032806_a8241f4b6cc14f...
- 07img####.eas####.com.####.com/mobile/20190328/2019032806_c998bbbf31024d...
- 07img####.eas####.com.####.com/mobile/20190328/2019032813_4e4aff396f3249...
- 07img####.eas####.com.####.com/mobile/20190328/2019032813_4f74291597904e...
- 07img####.eas####.com.####.com/mobile/20190328/2019032813_afc033cea5ca44...
- 07img####.eas####.com.####.com/mobile/20190328/20190328172410_49e7ce40ae...
- 07img####.eas####.com.####.com/video/vshishang/20180823/2018082311382623...
- 08img####.eas####.com.####.com/mobile/20190326/2019032618_7a9115a4d2d44d...
- 08img####.eas####.com.####.com/mobile/20190326/2019032618_b1eeb82cc3c349...
- 08img####.eas####.com.####.com/mobile/20190326/2019032618_df12b3c25b5440...
- 08img####.eas####.com.####.com/mobile/20190326/20190326201053_e573fdf0d4...
- 08img####.eas####.com.####.com/mobile/20190327/20190327081453_3b77ba8c58...
- 08img####.eas####.com.####.com/mobile/20190327/20190327141736_1e4e5dc25d...
- 08img####.eas####.com.####.com/mobile/20190327/20190327212043_333e238ea6...
- 08img####.eas####.com.####.com/mobile/20190328/20190328004538_2dfe8b8404...
- 08img####.eas####.com.####.com/mobile/20190328/20190328163638_90d75e5b5a...
- 08img####.eas####.com.####.com/mobile/20190328/20190328170945_1e425e1e89...
- 08img####.eas####.com.####.com/mobile/20190328/20190328191955_ebbe63c882...
- 08img####.eas####.com.####.com/mobile/20190328/2019032821_455a19f879cc4e...
- 08img####.eas####.com.####.com/mobile/20190328/2019032821_74c92d8b41ac41...
- 08img####.eas####.com.####.com/mobile/20190328/2019032821_b16c9173395740...
- 08img####.eas####.com.####.com/video/vzixun/20190322/2019032212562117347...
- a####.qq.com/
- a####.qq.com/cgi-bin/mapp_apptrace?appid_via_act_net_time_sender=####&ro...
- box.jom####.com/it/u=2536571279,3987127200&fm=76
- box.jom####.com/it/u=2603571804,3625479287&fm=76
- box.jom####.com/it/u=2946573636,194237503&fm=76
- box.jom####.com/it/u=2997380628,3556853562&fm=76
- box.jom####.com/it/u=3165849387,757332650&fm=76
- box.jom####.com/it/u=3395576709,238312558&fm=76
- box.jom####.com/it/u=3554973399,1392858892&fm=76
- box.jom####.com/it/u=3617389106,1971181853&fm=76
- box.jom####.com/it/u=451148492,2179873765&fm=76
- c####.baidust####.com/cpro/ui/pr.js
- c####.baidust####.com/js/react-dom.min.js
- c####.baidust####.com/js/react.min.js
- c.c####.com/wapstat.php?siteid=####&r=####&rnd=####
- em.b####.com/pixel?dspid=####
- em.b####.com/pixel?media_sign=####&media_site=####
- g####.dftou####.com/apivbhhqw?byc=####&qcx=####&xc=####&fno=####&jmc=###...
- g####.dftou####.com/auto_ds?xc=####&fno=####&jmc=####&uhn=####&ulc=####&...
- g####.dftou####.com/lkwusv/a?c=####
- g####.dftou####.com/lkwusv/b?c=####
- g####.dftou####.com/lkwusv/l?c=####
- g####.dftou####.com/lkwusv/q?c=####
- g####.dftou####.com/m.html?mediaid=####&cookie_version=####×tamp=##...
- g####.dftou####.com/qpbwkdat?byc=####&qcx=####&xc=####&fno=####&jmc=####...
- g####.dftou####.com/qxtimdun?byc=####&qcx=####&xc=####&fno=####&jmc=####...
- g####.dftou####.com/rhaittqsz?byc=####&qcx=####&xc=####&fno=####&jmc=###...
- g####.dftou####.com/vwapepcs?byc=####&qcx=####&xc=####&fno=####&jmc=####...
- i.g####.cn.####.com/open/app_icon/04/86/82/42/1104868242_100_m.png
- i.g####.cn.####.com/open/app_icon/05/91/83/85/1105918385_100_m.png
- i.g####.cn.####.com/open/app_icon/05/91/83/85/1105918385_android_preview...
- i.g####.cn.####.com/open/app_icon/06/43/52/74/1106435274_100_m.png
- isds####.qq.com/cgi-bin/r.cgi?flag1=####&flag2=####&flag3=####&flag4=###...
- m####.eas####.com/toutiaoh5/channeljs/h5toutiao/h5toutiaocookie.js
- m####.eas####.com/toutiaoh5/channeljs/h5toutiao/null/ttlist/null.js
- m####.eas####.com/toutiaoh5/img/img_preview_h5.png
- m####.q####.qq.com/cgi-bin/mapp/mapp_info?type=####&appid=####&packageNa...
- m####.q####.qq.com/cgi-bin/mapp/mapp_search_result?keyword=####&platform...
- m.tt.vip-dns####.com/setuid.html?u=####
- mobads-####.b####.com/rs.jpg?type=####&key=####&timeCost=####&rdm=####
- mobads-####.b####.com/rs.jpg?type=####&rdm=####
- ping####.qq.com/pingd?dm=####&pvi=####&si=####&url=####&arg=cha####&ty=#...
- ping####.qq.com/pingd?tz=####&vs=####&dm=####&url=####&rdm=####&rurl=###...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&psi=####&ccd=####&cja...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&psi=####&cfv=####&exp...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&psi=####&pis=####&cja...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&psi=####&psr=####&par...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&psi=####&tcn=####&ari...
- qzones####.g####.cn.####.com/open/mobile/myapp_touch/css/all.css?max_age...
- qzones####.g####.cn.####.com/open/mobile/myapp_touch/global.js?max_age=#...
- qzones####.g####.cn.####.com/open/mobile/myapp_touch/img/basic.png
- qzones####.g####.cn.####.com/open/mobile/myapp_touch/img/sprites.png
- s####.dftou####.com/avnkbsesu.js
- s####.dftou####.com/bwolctftx.js
- s####.dftou####.com/dyqnevhvg.js
- s####.dftou####.com/faspgipzx.js
- s####.dftou####.com/uoswsqsx.js
- s####.dftou####.com/uphevmyov.js
- s####.tc.qq.com/h5/stats.js
- t####.gua####.com/app/columns02?city=####&appqid=####&apptypeid=####&ver...
- t####.gua####.com/getkey/key
- tj.gua####.com/appstatistics/install?code=Mz####&key=####
- tj.gua####.com/appstatistics/online?code=Mz####&key=####
- tou####.eas####.com/
- www.a.sh####.com/search/error.html
- www.m####.com/Tools/GetWeather.aspx?try=####&mobile=####&city=####&info=...
- www.m####.com/api/RefreshSdk.aspx?channel=####
- www.m####.com/tools/getcity.aspx
- z.c####.com/stat.htm?id=1260243514&r=&iw=1&showp=0x0&lg=undefined&cnzz_e...
- zt-adfi####.oss-cn-####.aliy####.com/1512/rt/gx.bin
HTTP POST requests:
- a####.dfshu####.com/infoscollection/install
- a####.dfshu####.com/infoscollection/startover
- mobads-####.b####.com/brwhis.log
- s####.j####.cn/v2/report
- t####.gua####.com/jpush/status
- v####.gua####.com/app_video/getvideos
- v####.gua####.com/toutiao_appnew02/newspool
File system changes:
Creates the following files:
- /data/data/####/.engine.apk
- /data/data/####/.key.apk
- /data/data/####/016ef5a185f092050e19299d943848d9d44860983926d49....0.tmp
- /data/data/####/02a50ff38c73a40f43eaa70ac445497ac6bb54b36f61bdc....0.tmp
- /data/data/####/055f63aa4d143146a71d028b01ec92981f5778a7c49394e....0.tmp
- /data/data/####/062bc1c2e5c6b594898462f9746fbe0e443a8ee1ad4b16a....0.tmp
- /data/data/####/067d1e32da88e460fcb922fa0942cbb21f72ffce1fb68f7....0.tmp
- /data/data/####/0bb6e3ea731a397b2519eed5faaae938360f41e346eaac3....0.tmp
- /data/data/####/12e7055d9a1e668c261f46ce3f37cf9d9e89cdfe945d334....0.tmp
- /data/data/####/1b787630963b0dc13c08f6e50e525efa0847f6b0ff0f846....0.tmp
- /data/data/####/1f272c8109134e51844b859ef9fc11d81acf5639f650c19....0.tmp
- /data/data/####/23c5995a948fd5955903b229b2e46eac12f242f08afae4d....0.tmp
- /data/data/####/275a527b696a4e81b89c0f52de8a88d3c8ce369e1ee4497....0.tmp
- /data/data/####/29561d8e002c3a90db9f999a86120c7baa77cda5ae42445....0.tmp
- /data/data/####/2bf993fdb68a498abf4a219e5b2992b2cbd564dd80e8b62....0.tmp
- /data/data/####/2df7af6ce32ba9cbcbf11a4976acf451d6fe9156a9f53e4....0.tmp
- /data/data/####/303fa4c93bf9bc8aaab049c071c4db5eb91eb631664e891....0.tmp
- /data/data/####/3548343fa919fc4c0a9fc4937a2721474c3941a5a579fb7....0.tmp
- /data/data/####/35790003bdaec02d6bd898031ff822a088f3870a32ce5b0....0.tmp
- /data/data/####/35790003bdaec02d6bd898031ff822a088f3870a32ce5b0...921f.0
- /data/data/####/3d88943b8986c045ac9d191e90b859a3b4039fba0bfd08c....0.tmp
- /data/data/####/3e8eb138f92a024a0fccac1c40d5a919acf730b2098f269....0.tmp
- /data/data/####/3fe2e26339ee911ca1382c5edac848e7281cf3360df14ed....0.tmp
- /data/data/####/4341313df7b10bb1c7376febc415c7e69abb61449eb0910....0.tmp
- /data/data/####/4dd631149ec24cca1fbe04ed11fed7c5d3adbe791055c05....0.tmp
- /data/data/####/5058f0bef1270f84ccffb898d9df130988e24fcda1dcc50....0.tmp
- /data/data/####/51996dd5aa052a94d58eb6aabcd60c139e23614744bd6b2....0.tmp
- /data/data/####/5f676f6a513320e60c8bda569190ca88eecea345fc58eaf....0.tmp
- /data/data/####/60dca8ff695828b77ce389c87ff2d38231ff43a95f53b5d....0.tmp
- /data/data/####/6619c3d5c720f4d4baacdee76eb1695865a1f570577c8e5....0.tmp
- /data/data/####/71066e618bddb7a6d1bd4e82e181a61b3576c396a1b411e....0.tmp
- /data/data/####/80e1f3fdb8e2b2a3d5a9e5451f2fd19986da44f77ac65bd....0.tmp
- /data/data/####/818200f1718b51feb5d6d2bfbaf26a4ef2450d00a6ba7de....0.tmp
- /data/data/####/85dd7bb7a924a84f9a2b2080a608fbeffcbe3e417678bf5....0.tmp
- /data/data/####/8fc5afea1f9aeba8a4a03ff26bbe458247081633e9528f2....0.tmp
- /data/data/####/8fcf94c0adb8c9210dddfd191b259042187ca5ab823c335....0.tmp
- /data/data/####/93c9034ab5e6df3714fd6de096a612350a2781fad3bcb7b....0.tmp
- /data/data/####/9e4f53a120797a5841e33960f6b1b8f95be19cbb8f6724e....0.tmp
- /data/data/####/9f333588472095e3222f86444b1b26a780e14ca5033260c....0.tmp
- /data/data/####/SettingPreference.xml
- /data/data/####/__x_adsdk_agent_header__.xml
- /data/data/####/__xadsdk__remote__final__builtin__.jar
- /data/data/####/a33404476a6379f0be1d72a08b0b41b7ea1b7cf5e6c799a....0.tmp
- /data/data/####/a3f87ab5ef93e25e360662e0a29a71200fcebe0d4416621....0.tmp
- /data/data/####/a4993ae82e28e18cebed2a5768f98d2724f390d632e91f9....0.tmp
- /data/data/####/a70439db6d86120eac0371c3be92bcd2e878b182afbe877....0.tmp
- /data/data/####/a75f725fe33eefe14b6f03935d3a2ad7c04f2257323e969....0.tmp
- /data/data/####/aafe3167dd95bcfe3283f5995f55b704191c333ed0706e2....0.tmp
- /data/data/####/b561c109301f6b2b2f23cfb8187464098b7f1e3cf254102....0.tmp
- /data/data/####/b76691bd2eeeccb785e5b2a8486664261838e150e6f84ac....0.tmp
- /data/data/####/b932462a0d0cbd4e811043040d59633c83e2d8595d2d0e1....0.tmp
- /data/data/####/bee452b75651a35c10c7fc4b5c800a47bdc44541f0bbb9e....0.tmp
- /data/data/####/c4d68f27785513326833030bec3e6318fd17eca9dd6f05a....0.tmp
- /data/data/####/c635d202a8647325b4ee10f4fa851a5cf57ce7437bec04f....0.tmp
- /data/data/####/c8ce55ccbf0c2edf28a24025cb66e7af098fa30ab1fac3d....0.tmp
- /data/data/####/cb4596ac356be0ff916edb29bcaa9f87b12ef054122919d....0.tmp
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cd4ac2d0ff26f30e146b22eb8687ea9fd4d35c39a5b5481....0.tmp
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/com.baidu.mobads.loader.xml
- /data/data/####/config.xml
- /data/data/####/core_info
- /data/data/####/d032bf0cc9ce94d1a8cec7f36c8b4786a5da9fab7d3ca77....0.tmp
- /data/data/####/d29e499401360568497e63abd0ad8f80785946eabea2e72....0.tmp
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/database.db
- /data/data/####/database.db-journal
- /data/data/####/e4e21f162954b8c1d528851221f051c434fe256cf0d4588....0.tmp
- /data/data/####/e745872430eb4dc3745111f156b7406680a4efb8906d765....0.tmp
- /data/data/####/east_news_db
- /data/data/####/east_news_db-journal
- /data/data/####/ecf93c38b7cb70c477e00db8982a790d16a79886f996fcb....0.tmp
- /data/data/####/ef92e45a82f8189a2cce606ce274b59bcd29b831d7c2faf....0.tmp
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/fa7ac1ca63ee3b70a3ebcc86f62796f6d8760c4c6773256....0.tmp
- /data/data/####/fb1edd481b989966d89490c21af1945e68b00dc995d536b....0.tmp
- /data/data/####/gx
- /data/data/####/icon_east.png
- /data/data/####/imei.xml
- /data/data/####/index
- /data/data/####/itheima58.xml
- /data/data/####/journal.tmp
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_local_notification.db
- /data/data/####/jpush_local_notification.db-journal
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_statistics.db
- /data/data/####/jpush_statistics.db-journal
- /data/data/####/launcher.db-journal
- /data/data/####/libcrypt.so
- /data/data/####/libloader.so
- /data/data/####/mobclick_agent_cached_com.guangsu.browser21
- /data/data/####/tbs_download_config.xml
- /data/data/####/temp.jar
- /data/data/####/umeng_general_config.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal (deleted)
- /data/media/####/.push_deviceid
- /data/media/####/sys_nicholas.txt
Miscellaneous:
Executes the following shell scripts:
- chmod 777 <Package Folder>/files/gxTmp
- chmod 777 <Package Folder>/files/gxTmp/gx
- getprop ro.product.cpu.abi
Loads the following dynamic libraries:
- jpush210
- libloader
- msc
Uses the following algorithms to decrypt data:
- AES-ECB-PKCS5Padding
- DES
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
Manages Wi-Fi connectivity.