Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.907
- Android.Xiny.1513
- Android.Xiny.240.origin
Downloads the following detected threats from the Internet:
- Android.Xiny.1513
Prompts to install third-party apps.
Intercepts incoming SMS and terminates the process of their transmission to handlers of other apps.
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) pa.yunj####.cn:8002
- TCP(HTTP/1.1) adl.a####.net:5285
- TCP(HTTP/1.1) a####.peiz####.cn:5285
- TCP(HTTP/1.1) 58.2####.68.98:8765
- TCP(HTTP/1.1) ap.bigb####.com:6099
- TCP(HTTP/1.1) d.angs####.com:5284
- TCP(HTTP/1.1) f.peiz####.cn:5284
- TCP(HTTP/1.1) lp.lapia####.com:6099
- TCP(TLS/1.0) dualsta####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) 1####.217.168.202:443
- TCP(TLS/1.2) 1####.217.168.202:443
- TCP(TLS/1.2) 1####.217.20.110:443
- TCP(TLS/1.2) 1####.217.20.106:443
- TCP d.angs####.com:9270
- TCP 2####.22.114.106:9920
DNS requests:
- a####.peiz####.cn
- adl.a####.net
- ap.bigb####.com
- d.angs####.com
- f.peiz####.cn
- instant####.google####.com
- l####.bigb####.com
- lp.lapia####.com
- nstc####.qiazhiw####.cn
- pa.yunj####.cn
- plb####.u####.com
- u####.u####.com
HTTP GET requests:
- a####.peiz####.cn:5285/dd/a/dl?appId=####
- adl.a####.net:5285/dd/a/dl?appId=####
HTTP POST requests:
- ap.bigb####.com:6099/aps/
- d.angs####.com:5284/android.frontserver/collect/error
- f.peiz####.cn:5284/android.frontserver/pcsvc?r=####
- lp.lapia####.com:6099/aps/
- pa.yunj####.cn:8002/pps
File system changes:
Creates the following files:
- /data/dalvik-cache/####/storage@emulated@0@goog1e@data@z.jar@cl...leted)
- /data/dalvik-cache/####/storage@emulated@0@goog1e@data@z.jar@classes.dex
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex.flo...leted)
- /data/data/####/.imprint
- /data/data/####/0C3E1782C1F853AFwh.dex
- /data/data/####/0C3E1782C1F853AFwh.dex.flock (deleted)
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/F85C58A2196623557E8A00D8A4680702
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/XinZF.xml
- /data/data/####/XinZF_conf.xml
- /data/data/####/XinZF_conf.xml.bak
- /data/data/####/XinZFsmspay.db
- /data/data/####/XinZFsmspay.db-journal
- /data/data/####/a4b645a09e1352ed9a43ff469655db6d_3_1_5.dex
- /data/data/####/a4b645a09e1352ed9a43ff469655db6d_3_1_5.dex.flock (deleted)
- /data/data/####/a4b645a09e1352ed9a43ff469655db6d_3_1_5.zip.tmp
- /data/data/####/buntutu.dex
- /data/data/####/buntutu.dex.flock (deleted)
- /data/data/####/buntutu_data_s.xml
- /data/data/####/com_android_command_buntutu_v.xml
- /data/data/####/config50496.xml
- /data/data/####/config50496.xml.bak
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTcwMzY5MTY5NTQx;
- /data/data/####/dldxym.vfbjaqu.zejnn_preferences.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/i==1.2.0&&1.0.0_1570369169525_envelope.log
- /data/data/####/info.xml
- /data/data/####/kb_idle.ini
- /data/data/####/lpbbi.dex
- /data/data/####/lpbbi.dex.flock (deleted)
- /data/data/####/lpbbi.jar
- /data/data/####/mm_nw_app.xml
- /data/data/####/new_md.dex
- /data/data/####/new_md.dex.flock (deleted)
- /data/data/####/new_md.jar
- /data/data/####/orbgi.dex
- /data/data/####/orbgi.dex.flock (deleted)
- /data/data/####/orbgi.jar
- /data/data/####/proc_auxv
- /data/data/####/uid.f
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/yunUid.f
- /data/data/####/{6109AB2B-769CFABF}_{AEF2A7F3-0EBBFE27}.P2
- /data/data/####/{AEF2A7F3-0EBBFE27}.P1
- /data/data/####/{AEF2A7F3-0EBBFE27}.P3
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.umm.dat
- /data/media/####/0C3E1782C1F853AF.jar
- /data/media/####/0C3E1782C1F853AFwh.jar
- /data/media/####/1B3A2967E5FD862EFD957606C65C8122
- /data/media/####/30592A6B8B0C769E3F7FDE6E1A033DF5
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/buntutu.jaru
- /data/media/####/cc.dat
- /data/media/####/kb_idle.ini
- /data/media/####/kv_cf.ini
- /data/media/####/log
- /data/media/####/msg
- /data/media/####/order
- /data/media/####/pConifg.ini
- /data/media/####/plugin.apk
- /data/media/####/status
- /data/media/####/z.jar
- /data/media/####/{BE2355DB-D785E335}.PC1
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /proc/cpuinfo
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/buntutu_r/buntutu.jar --oat-fd=34 --oat-location=/data/user/0/com.android.wifimanager/app__mmnwn/buntutu.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/buntutu_r/buntutu.jar --oat-fd=36 --oat-location=/data/user/0/com.android.wifimanager/app__mmnwn/buntutu.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/buntutu_r/momb/0C3E1782C1F853AFwh.jar --oat-fd=41 --oat-location=/data/user/0/com.android.wifimanager/app_momb044/0C3E1782C1F853AFwh.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_jar/lpbbi.jar --oat-fd=58 --oat-location=/data/user/0/<Package>/app_dex/lpbbi.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_jar/orbgi.jar --oat-fd=45 --oat-location=/data/user/0/<Package>/app_dex/orbgi.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/md/a4b645a09e1352ed9a43ff469655db6d_3_1_5.zip --oat-fd=74 --oat-location=/data/user/0/<Package>/app_jar/a4b645a09e1352ed9a43ff469655db6d_3_1_5.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/new_md.jar --oat-fd=65 --oat-location=/data/user/0/<Package>/files/new_md.dex --compiler-filter=speed
- /system/bin/getenforce
- /system/bin/log -p d -t su /dev/com.android.settings/.socket3510
- /system/bin/log -p d -t su /dev/com.android.settings/.socket3814
- /system/bin/log -p d -t su 10065 /system/bin/app_process32 executing 0 /system/bin/sh using binary /system/bin/sh : sh
- /system/bin/log -p d -t su 10066 /system/bin/app_process64 executing 0 /system/bin/sh using binary /system/bin/sh : sh
- /system/bin/log -p d -t su child exited
- /system/bin/log -p d -t su client exited 0
- /system/bin/log -p d -t su connecting client 3497
- /system/bin/log -p d -t su connecting client 3600
- /system/bin/log -p d -t su connecting client 3801
- /system/bin/log -p d -t su db allowed
- /system/bin/log -p d -t su remote args: 1
- /system/bin/log -p d -t su remote pid: 3497
- /system/bin/log -p d -t su remote pid: 3600
- /system/bin/log -p d -t su remote pid: 3801
- /system/bin/log -p d -t su remote pts_slave:
- /system/bin/log -p d -t su remote req pid: 3337
- /system/bin/log -p d -t su remote req pid: 3742
- /system/bin/log -p d -t su remote uid: 10065
- /system/bin/log -p d -t su remote uid: 10066
- /system/bin/log -p d -t su sending code
- /system/bin/log -p d -t su starting daemon client 10065 10065
- /system/bin/log -p d -t su starting daemon client 10066 10066
- /system/bin/log -p d -t su su invoked.
- /system/bin/log -p d -t su waiting for child exit
- /system/bin/log -p d -t su waiting for user
- /system/bin/log -p e -t su sqlite3 open /data/user_de/0/com.android.settings/databases/su.sqlite failure: 14
- /system/bin/su
- app_process system/bin com.google.provider.vendor.tool.Main /storage/emulated/0/goog1e/data/plugin.apk
- cat /sys/block/mmcblk0/device/cid
- ls -l /system/bin/su
- ls /
- ls /sys/class/thermal
- sh
- sh -c cat /sys/block/mmcblk0/device/cid
- sh -c cat /sys/class/net/wlan0/address
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- DES
Uses the following algorithms to decrypt data:
- AES
- DES
Uses elevated priveleges.
Accesses the ITelephony private interface.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Gets information about running apps.
Displays its own windows over windows of other apps.
Gets information about sent/received SMS.