Android.Triada.4091

Android.Triada.4091

Added to the Dr.Web virus database: 2019-08-17

Virus description added: 2019-08-17

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.Backdoor.682.origin
Android.Triada.477.origin
Android.Triada.481.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) fasl####.lk####.com:80
TCP(HTTP/1.1) cdn.dc####.com:8080
TCP(HTTP/1.1) cdn.dn####.com:8080
TCP(HTTP/1.1) cdn.hw####.com:8080
TCP(HTTP/1.1) fff.abcdse####.com:8666
TCP(HTTP/1.1) cdn.lk####.com:8080
TCP(TLS/1.0) abc.lk####.com:443
TCP(TLS/1.0) s.m####.com:7777
TCP(TLS/1.0) lp.cooktra####.com:443
TCP(TLS/1.0) bcd.lk####.com:443
TCP(TLS/1.0) log.lk####.com:443

DNS requests:

a####.u####.com
abc.lk####.com
bcd.lk####.com
cdn.dc####.com
cdn.dn####.com
cdn.hw####.com
cdn.lk####.com
fasl####.lk####.com
fff.abcdse####.com
log.lk####.com
lp.cooktra####.com
s.m####.com

HTTP GET requests:

cdn.dc####.com:8080/group1/M01/00/04/ChmjBl0sityAQ2BgAAKgUc1pAPI.plugin
cdn.dn####.com:8080/group1/M00/00/05/ChmjBl1KPVeALPkJAAHnBked9kA.plugin
cdn.hw####.com:8080/blank.html
cdn.lk####.com:8080/nicro/9b4e85d01b3b48aa2baefb44cca8fb35
fasl####.lk####.com/ads/248hwkwffddsd/0627dfakjfjdmvlhrs.js

HTTP HEAD requests:

cdn.hw####.com:8080/blank.html
fasl####.lk####.com/ads/248hwkwffddsd/0627dfakjfjdmvlhrs.js

HTTP POST requests:

a####.u####.com/app_logs
fff.abcdse####.com:8666/bd/getIp

File system changes:

Creates the following files:

/data/data/####/.imprint
/data/data/####/2078793401
/data/data/####/2123917546.jar (deleted)
/data/data/####/2f72ef8a6ac2b9a4c0582bc63351a7a4.d
/data/data/####/3d18a889480add7242a274c1e934c385.d
/data/data/####/9ed921b0a692f468ffd6861eb46bfbb6.jar
/data/data/####/GuuSDK.xml
/data/data/####/c1faa46625df2f44ccce4de7fea3e115.jar
/data/data/####/cc.db
/data/data/####/cc.db-journal
/data/data/####/data_0
/data/data/####/data_1
/data/data/####/data_2
/data/data/####/data_3
/data/data/####/db61e876.xml
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/f87f8be5
/data/data/####/f9660920.jar
/data/data/####/index
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/webview.db-journal
/data/data/####/webviewCookiesChromium.db-journal
/data/data/####/work_sp.xml
/data/media/####/1b592941b8a5cf7eb050a446e2018a6e.xml
/data/media/####/397f0f93190168b647cbc6d304c02993_69.39
/data/media/####/3d213ed1b26c6edb8b03d653ac3b227d.temp
/data/media/####/50c9b5e7cf3a731ea31c43f9a14c781b_70.50
/data/media/####/7fc7330d604c9fe3daa0821e332f66b8.chche
/data/media/####/adcd1f2a887c4696b23527325db80439.temp
/data/media/####/ba0631d5aab029425305953886947e44
/data/media/####/c9d865d29d8a5675e1a9ed9cfc07c847.temp
/data/media/####/d322fd6cfd0adebd39d6b17421f31bd1.chche
/data/media/####/e1d6e7e7ef3279fa753ebb9d944b2944.temp
/data/media/####/global.xml
/data/media/####/pfg.xml
/data/media/####/selfrun.apk
/data/media/####/web.apk
/data/media/####/webadlist_1.cache
/data/media/####/webadlist_1.xml
/data/media/####/webadlist_1_last.cache
/data/media/####/webinfo.xml

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /proc/cpuinfo

Uses the following algorithms to encrypt data:

AES
AES-CBC-PKCS7Padding
DES-ECB-NoPadding
DESede
Des-ECB-NoPadding

Uses the following algorithms to decrypt data:

AES
AES-CBC-PKCS7Padding
DES-ECB-NoPadding
DESede
Des-ECB-NoPadding
RSA-ECB-PKCS1Padding

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Displays its own windows over windows of other apps.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial