Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Triada.248.origin
- Android.Triada.464.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) a.bjsd####.com:80
- TCP(HTTP/1.1) nb.i36####.com:9000
- TCP(HTTP/1.1) sj.i36####.com:9000
- TCP(HTTP/1.1) gd.a.s####.com:80
- TCP(HTTP/1.1) a.xinxian####.com:80
- TCP(HTTP/1.1) f.ma####.mi####.####.com:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(HTTP/1.1) w####.pcon####.com.cn:80
- TCP(HTTP/1.1) st####.guantou####.com:80
- TCP(HTTP/1.1) np.bul####.cn:6087
- TCP(HTTP/1.1) 2####.98.33.230:8888
- TCP(HTTP/1.1) zgx.powerle####.com:80
- TCP(HTTP/1.1) z####.heyc####.net:80
- TCP(HTTP/1.1) j.i36####.com:9000
- TCP(HTTP/1.1) cs.and####.com:80
- TCP(HTTP/1.1) ny.bul####.cn:666
- TCP(HTTP/1.1) 1####.26.106.206:8088
- TCP(TLS/1.0) sdkco####.ad.xi####.com:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.0) dualsta####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) z####.ad.xi####.com:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) s####.d####.com:443
- TCP(TLS/1.0) s####.tc.qq.com:443
- TCP(TLS/1.0) adl.d####.com:443
- TCP(TLS/1.0) sw3####.d####.com:443
- TCP(TLS/1.0) w2.d####.com:443
- TCP(TLS/1.0) a####.d####.com:443
- TCP(TLS/1.0) i####.d####.com:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) aliyuno####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) hm.b####.com:443
DNS requests:
- a####.d####.com
- a.bjsd####.com
- a.xinxian####.com
- adl.d####.com
- aliyuno####.oss-cn-####.aliy####.com
- and####.cli####.go####.com
- c####.mm####.com
- c.c####.com
- cs.and####.com
- f####.ma####.xi####.com
- f4.ma####.mi####.com
- f5.ma####.xi####.com
- hm.b####.com
- i####.d####.com
- j.i36####.com
- l.ace####.com
- mt####.go####.com
- nb.i36####.com
- np.bul####.cn
- ny.bul####.cn
- pi####.qq.com
- ping####.qq.com
- plb####.u####.com
- pv.s####.com
- s####.d####.com
- s23.c####.com
- sdkco####.ad.xi####.com
- sj.i36####.com
- st####.guantou####.com
- sw3####.d####.com
- u####.u####.com
- w####.d####.com
- w####.pcon####.com.cn
- w2.d####.com
- www.google-####.com
- z####.ad.xi####.com
- z####.heyc####.net
- z5.c####.com
- z9.c####.com
- zgx.powerle####.com
HTTP GET requests:
- f.ma####.mi####.####.com/download/AdCenter/06245f583f7ae480e1123dd279c90...
- f.ma####.mi####.####.com/download/AppStore/0b4693484a3504340210732df0d53...
- j.i36####.com:9000/jsonServer/Haiqibing001
- j.i36####.com:9000/jsonServer/LanMei01
- s####.tc.qq.com/h5/stats.js?v2####
- st####.guantou####.com/stat13.html
- z.c####.com/stat.htm?id=####&cnzz_eid=####
- zgx.powerle####.com/dnfile/cmm/SWrapCMM0601.jar
- zgx.powerle####.com/dnfile/sml/SWrapSml_dft.jar
HTTP POST requests:
- a.bjsd####.com/index.php?r=####
- a.xinxian####.com/encrypt/json/taokl
- cs.and####.com/ydt528/sv2
- gd.a.s####.com/cityjson
- j.i36####.com:9000/api/jadReport.do
- nb.i36####.com:9000/api/getAdInfoByDevice.do
- nb.i36####.com:9000/api/getAdInfoById.do
- nb.i36####.com:9000/api/vsp/getVspCore.do
- np.bul####.cn:6087/Sdk/reportTask
- np.bul####.cn:6087/Sdk/task
- np.bul####.cn:6087/sdk/patchPlayReport
- ny.bul####.cn:666/api_yi.aspx
- ny.bul####.cn:666/slsdk/api_report.aspx
- ny.bul####.cn:666/slsdk/api_summary.aspx
- ny.bul####.cn:666/slsdk/cmm_settings.aspx
- ny.bul####.cn:666/slsdk/exrep.aspx
- ny.bul####.cn:666/slsdk/getdata.aspx
- sj.i36####.com:9000/api/getAdInfoById.do
- w####.pcon####.com.cn/ip.jsp
- z####.heyc####.net/getlist
- z####.heyc####.net/xlogin
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/1B-8GuE3nigYAgQPZZwSxQ==.new
- /data/data/####/BYd7VjwM6k6scmS8CGfmi6GgXyc=.new
- /data/data/####/FQdTkHzv8shzzBRSI-V-roIPIeE=.new
- /data/data/####/Gu5UvmQMCljF2TxQkZ6nMq_uoTI=.new
- /data/data/####/HQUWh564OeXWOke6-m8gAw==.new
- /data/data/####/KCgicbwSSD59nlX_.new
- /data/data/####/MatchesPuzzle.db
- /data/data/####/MatchesPuzzle.db-journal
- /data/data/####/QC0Vgw17htZhO8bMj9lcOg==.new
- /data/data/####/QNfMJBu3EBslu8d0erNFNQ==.new
- /data/data/####/SVtXAw-BpFxJpXrPO2XzDtdp_0gPfM_d.new
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/_m_rec.xml
- /data/data/####/analytics.apk.tmp
- /data/data/####/analytics_api.xml
- /data/data/####/analytics_updater.xml
- /data/data/####/asduweasvq.data-journal
- /data/data/####/b49aG74RQdGLSTI9md6gZB_rxoY=.new
- /data/data/####/cmcc.xml
- /data/data/####/com.legend.matchstick.mi_preferences.xml
- /data/data/####/config.xml
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTU5NDI5MTU0NDU4;
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/dpi
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/fJOtu458p_0f03D-.zip
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/hid.db
- /data/data/####/i==1.2.0&&1.0_1559429154485_envelope.log
- /data/data/####/iR2dcXLWtlqVyxCQnTyXLf0mKlE=.new
- /data/data/####/index
- /data/data/####/info.xml
- /data/data/####/kobox.0.sp.xml
- /data/data/####/kobox.0.sp.xml.bak
- /data/data/####/mimo_asset.apk
- /data/data/####/mimo_download.apk.tmp
- /data/data/####/oH-pbD2GrKXgxEkewnC2f5_vQzs=.new
- /data/data/####/plugin_updater.xml
- /data/data/####/prdopt.xml
- /data/data/####/rdata_comlegendmatch.new
- /data/data/####/runner_info.prop.new
- /data/data/####/swaesdwwuwx.xml
- /data/data/####/t==8.0.2+G&&1.0_1559429155666_envelope.log
- /data/data/####/tKI4kpDWrBJgrN0QcNGPjA==
- /data/data/####/tdargs.xml
- /data/data/####/tdargs3.xml
- /data/data/####/tkbfaa_f.zip
- /data/data/####/tmp7.xml
- /data/data/####/tools8977.xml
- /data/data/####/tools8977New.xml
- /data/data/####/u877.jar
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/xPVOTEBSV_EpaTh8IEjggQ==
- /data/data/####/y4zwtuuJHrCPK22k
- /data/data/####/zIRzEyqrLy3KWVGLHtZ9YVpY5zDf-gsYTs16sQ==_TSwI05...ournal
- /data/data/####/zeus_crash_info.xml
- /data/data/####/zeus_pms.xml
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.cdeviceID
- /data/media/####/.nid
- /data/media/####/.umm.dat
- /data/media/####/.uunique.new
- /data/media/####/HalfMin
- /data/media/####/engc.jar
- /data/media/####/tag2.dat1fdb402d-1e02-436a-8acb-ee963458b07f.tmp
- /data/media/####/tag2.dat717fb9b8-eaab-40ab-b6f1-775b4d3893f7.tmp
- /data/media/####/tag2.dat722b0fc6-2257-47ef-a840-5553e7c8b093.tmp
- /data/media/####/tmpbl.jar
- /data/media/####/u877.jar.tmp
- /data/media/####/webengine.jar
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/sh
- cat /sys/class/android_usb/android0/idProduct
- cat /sys/class/android_usb/android0/idVendor
- cat /sys/class/net/wlan0/address
- getprop
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.version
- getprop ro.yunos.version
- ls -l /dev
- ls -l /dev/block
- ls -l /dev/block/vold
- ls -l /dev/bus
- ls -l /dev/bus/usb
- ls -l /dev/bus/usb/001
- ls -l /dev/com.android.settings.daemon
- ls -l /dev/cpuctl
- ls -l /dev/cpuctl/apps
- ls -l /dev/cpuctl/apps/bg_non_interactive
- ls -l /dev/graphics
- ls -l /dev/input
- ls -l /dev/log
- ls -l /dev/pts
- ls -l /dev/snd
- ls -l /dev/socket
- ls /
- ls /sys/class/thermal
- ps
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-CFB-NOPADDING
- RSA-None-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CFB-NOPADDING
- DES
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Displays its own windows over windows of other apps.