マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Android.DownLoader.4808

Added to the Dr.Web virus database: 2020-01-05

Virus description added:

Technical information

Malicious functions:
Executes code of the following detected threats:
  • Android.DownLoader.906.origin
  • Android.RemoteCode.256.origin
  • Android.Triada.4276
  • Android.Triada.477.origin
  • Android.Triada.482.origin
  • Android.Triada.483.origin
Downloads the following detected threats from the Internet:
  • Android.Triada.4276
Network activity:
Connects to:
  • UDP(DNS) <Google DNS>
  • TCP(HTTP/1.1) 29e9d7b####.cdn.so####.####.com:80
  • TCP(HTTP/1.1) cdn.info####.me:80
  • TCP(HTTP/1.1) p.q####.b####.com:80
  • TCP(HTTP/1.1) c.d####.mob.com:80
  • TCP(HTTP/1.1) gd.a.s####.com:80
  • TCP(HTTP/1.1) api.s####.mob.com:80
  • TCP(HTTP/1.1) 2####.159.191.191:80
  • TCP(HTTP/1.1) d####.d####.mob.com:80
  • TCP(HTTP/1.1) a####.exc.mob.com:80
  • TCP(HTTP/1.1) st####.guantou####.com:80
  • TCP(HTTP/1.1) p####.api.adoc####.com:80
  • TCP(HTTP/1.1) and####.b####.qq.com:80
  • TCP(HTTP/1.1) s####.e.qq.com:80
  • TCP(HTTP/1.1) ping####.qq.com:80
  • TCP(HTTP/1.1) a####.al####.com:80
  • TCP(HTTP/1.1) sf1-ttc####.ps####.com:80
  • TCP(HTTP/1.1) 1####.75.92.94:80
  • TCP(HTTP/1.1) 1####.75.90.218:80
  • TCP(HTTP/1.1) ott.h####.com:8071
  • TCP(HTTP/1.1) dynamic####.sn####.com.####.com:80
  • TCP(HTTP/1.1) np.bul####.cn:6087
  • TCP(HTTP/1.1) 2####.98.33.230:8888
  • TCP(HTTP/1.1) api.lubang####.com:80
  • TCP(HTTP/1.1) m.d####.mob.com:80
  • TCP(HTTP/1.1) jp####.njt####.com:10091
  • TCP(HTTP/1.1) yq####.jn####.ltd:80
  • TCP(HTTP/1.1) android####.2####.com:80
  • TCP(HTTP/1.1) api.adoc####.com:80
  • TCP(HTTP/1.1) s.ku####.com:8071
  • TCP(HTTP/1.1) sdk.w####.com:80
  • TCP(HTTP/1.1) r.ku####.com:8071
  • TCP(HTTP/1.1) 2####.13.202.100:80
  • TCP(HTTP/1.1) awk.aoxun####.com:8199
  • TCP(HTTP/1.1) sj.i36####.com:9000
  • TCP(HTTP/1.1) s####.tc.qq.com:80
  • TCP(HTTP/1.1) www.d####.xyz:80
  • TCP(HTTP/1.1) l####.b####.com:80
  • TCP(HTTP/1.1) p.cdn.s####.####.com:80
  • TCP(HTTP/1.1) w####.pcon####.com.cn:80
  • TCP(HTTP/1.1) ny.bul####.cn:666
  • TCP(HTTP/1.1) d####.buywe####.com:80
  • TCP(HTTP/1.1) i.ku####.com:8071
  • TCP(HTTP/1.1) sgou####.b####.com:80
  • TCP(HTTP/1.1) luna-im####.qq.com.####.com:80
  • TCP(HTTP/1.1) nb.i36####.com:9000
  • TCP(HTTP/1.1) co####.ssp.adoc####.com:80
  • TCP(HTTP/1.1) vvv.focusd####.cn:80
  • TCP(HTTP/1.1) 1####.27.70.235:80
  • TCP(HTTP/1.1) gou####.b####.com:80
  • TCP(HTTP/1.1) ip.ta####.com:80
  • TCP(HTTP/1.1) tt####.vni####.com:20147
  • TCP(HTTP/1.1) hm.b####.com:80
  • TCP(HTTP/1.1) pg####.d2####.com:10273
  • TCP(HTTP/1.1) api.gug####.com:8935
  • TCP(HTTP/1.1) zgx.powerle####.com:80
  • TCP(HTTP/1.1) j.i36####.com:9000
  • TCP(HTTP/1.1) 1####.w####.cname####.com:80
  • TCP(HTTP/1.1) np.bul####.cn:666
  • TCP(HTTP/1.1) e4####.0r####.com:10293
  • UDP(NTP) 2.and####.p####.####.org:123
  • TCP(TLS/1.0) z.c####.com:443
  • TCP(TLS/1.0) s####.e.qq.com:443
  • TCP(TLS/1.0) gm.mm####.com:443
  • TCP(TLS/1.0) a####.d####.com:443
  • TCP(TLS/1.0) api.m2g.adoc####.com:443
  • TCP(TLS/1.0) www.google-####.com:443
  • TCP(TLS/1.0) gd.a.s####.com:443
  • TCP(TLS/1.0) log.mm####.com:443
  • TCP(TLS/1.0) ad####.cp####.cn:443
  • TCP(TLS/1.0) et2.wagbr####.adverti####.####.com:443
  • TCP(TLS/1.0) mobads-####.b####.com:443
  • TCP(TLS/1.0) ret####.ta####.com.####.com:443
  • TCP(TLS/1.0) aifa####.b####.com:443
  • TCP(TLS/1.0) i####.u####.cn:443
  • TCP(TLS/1.0) res####.a####.com:443
  • TCP(TLS/1.0) ap####.uc.cn:443
  • TCP(TLS/1.0) 88ec487####.cdn.so####.####.com:443
  • TCP(TLS/1.0) p####.ou####.com:4433
  • TCP(TLS/1.0) dualsta####.wagbr####.ali####.####.com:443
  • TCP(TLS/1.0) is.sn####.com:443
  • TCP(TLS/1.0) analy####.map.qq.com:443
  • TCP(TLS/1.0) s####.d####.com:443
  • TCP(TLS/1.0) ims-####.sm.cn:443
  • TCP(TLS/1.0) na61-####.wagbr####.ali####.####.com:443
  • TCP(TLS/1.0) c.c####.com:443
  • TCP(TLS/1.0) mi.g####.qq.com:443
  • TCP(TLS/1.0) abc.abcdse####.com:8888
  • TCP(TLS/1.0) hm.b####.com:443
  • TCP(TLS/1.0) dynamic####.sn####.com.####.com:443
  • TCP(TLS/1.0) mipst####.s####.cn:443
  • TCP(TLS/1.0) woodpe####.uc.cn:443
  • TCP(TLS/1.0) t####.m.qq.com:443
  • TCP(TLS/1.0) api.adoc####.com:443
  • TCP(TLS/1.0) i####.d####.com:443
  • TCP(TLS/1.0) api.info####.me:443
  • TCP(TLS/1.0) st3.wagbr####.adverti####.####.com:443
  • TCP(TLS/1.0) bj####.j####.cn:443
  • TCP(TLS/1.0) gs.a.s####.com:443
  • TCP(TLS/1.0) ad1.azh####.com:9190
  • TCP(TLS/1.0) g.al####.com:443
  • TCP 1####.232.25.189:21005
  • UDP s.j####.cn:19000
  • TCP 1####.230.236.43:7002
DNS requests:
  • 2.and####.p####.####.org
  • 4s####.8c####.com
  • 88ec487####.cdn.so####.com
  • a####.al####.com
  • a####.d####.com
  • a####.exc.mob.com
  • a####.m.sm.cn
  • abc.abcdse####.com
  • ad####.cp####.cn
  • ad1.azh####.com
  • aifa####.b####.com
  • analy####.map.qq.com
  • and####.b####.qq.com
  • android####.2####.com
  • ap####.uc.cn
  • api.adoc####.com
  • api.gug####.com
  • api.info####.me
  • api.lubang####.com
  • api.m2g.adoc####.com
  • api.s####.mob.com
  • awk.aoxun####.com
  • bj####.j####.cn
  • c####.mm####.com
  • c.c####.com
  • c.d####.mob.com
  • cdn.info####.me
  • co####.ssp.adoc####.com
  • d####.buywe####.com
  • d####.d####.mob.com
  • de####.s####.com
  • e4####.0r####.com
  • easytom####.com
  • ex####.sn####.com
  • fou####.ta####.com
  • g.al####.com
  • gm.mm####.com
  • gou####.b####.com
  • hm.b####.com
  • htt####.so####.com
  • i####.d####.com
  • i####.u####.cn
  • i####.uc.cn
  • i.ku####.com
  • i.sn####.com
  • imgc####.qq.com
  • imp.op####.com
  • ims-####.sm.cn
  • ip.ta####.com
  • is.sn####.com
  • j.i36####.com
  • jp####.njt####.com
  • l####.b####.com
  • l####.m.sm.cn
  • log.mm####.com
  • m.d####.mob.com
  • m.yny####.cn
  • mi.g####.qq.com
  • mipst####.s####.cn
  • mo####.b####.com
  • mobads-####.b####.com
  • nb.i36####.com
  • np.bul####.cn
  • ny.bul####.cn
  • ott.h####.com
  • p####.api.adoc####.com
  • p####.ou####.com
  • p.cdn.s####.com
  • p.q####.b####.com
  • pg####.d2####.com
  • pi####.qq.com
  • ping####.qq.com
  • plb####.u####.com
  • pv.s####.com
  • r.ku####.com
  • res####.a####.com
  • ret####.ta####.com
  • s####.d####.com
  • s####.d####.com
  • s####.e.qq.com
  • s####.m.sm.cn
  • s.j####.cn
  • s.ku####.com
  • s2.z####.cn
  • s23.c####.com
  • sdk.w####.com
  • sf1-ttc####.ps####.com
  • sgou####.b####.com
  • sis.j####.io
  • sj.i36####.com
  • st####.guantou####.com
  • t####.m.qq.com
  • t####.r.ads.####.com
  • t####.s.ads.####.com
  • t####.t.ads.####.com
  • tm.ads.s####.com
  • tst.pass####.s####.com
  • tt####.vni####.com
  • u####.u####.com
  • vvv.focusd####.cn
  • w####.pcon####.com.cn
  • woodpe####.uc.cn
  • www.d####.xyz
  • www.google-####.com
  • www.yny####.cn
  • x1.go.s####.com
  • y####.m.sm.cn
  • yq####.jn####.ltd
  • z5.c####.com
  • zgx.powerle####.com
HTTP GET requests:
  • 1####.w####.cname####.com/
  • 1####.w####.cname####.com//uploads/190108/1_131I0641.jpg
  • 1####.w####.cname####.com//uploads/190108/1_132012405.jpg
  • 1####.w####.cname####.com//uploads/190108/1_132346454.jpg
  • 1####.w####.cname####.com//uploads/190108/1_132639255.jpg
  • 1####.w####.cname####.com//uploads/190108/1_132951B9.jpg
  • 1####.w####.cname####.com//uploads/190108/1_13333L93.jpg
  • 1####.w####.cname####.com//uploads/190108/1_13355H32.jpg
  • 1####.w####.cname####.com//uploads/190108/1_1340223A.jpg
  • 1####.w####.cname####.com//uploads/allimg/180805/20235CN4-0_lit.jpg
  • 1####.w####.cname####.com//uploads/allimg/180805/2024016324-0_lit.jpg
  • 1####.w####.cname####.com/?security_verify_data=####
  • 1####.w####.cname####.com/ORG7188_templets/001//js/ScrollText.js
  • 1####.w####.cname####.com/ORG7188_templets/001/js/1.js
  • 1####.w####.cname####.com/ORG7188_templets/001/js/188_min.js
  • 1####.w####.cname####.com/ORG7188_templets/001/js/checklogin_v6.js
  • 1####.w####.cname####.com/ORG7188_templets/001/js/comm_v6.js
  • 1####.w####.cname####.com/ORG7188_templets/001/js/jquery.slides.min.js
  • 1####.w####.cname####.com/ORG7188_templets/001/js/search.js
  • 1####.w####.cname####.com/ORG7188_templets/001/style/home_index.css
  • 1####.w####.cname####.com/ORG7188_templets/001/style/home_style.css
  • 1####.w####.cname####.com/images/548a222e0f3ce3f9d88d763ac18fe7ef.png
  • 1####.w####.cname####.com/images/8130a24a52f43e219a9ec3a2b18b6ff2.png
  • 1####.w####.cname####.com/images/base.css
  • 1####.w####.cname####.com/images/bbe563345972de33905ac4137ca79775.png
  • 1####.w####.cname####.com/images/footer.css
  • 1####.w####.cname####.com/images/header.css
  • 1####.w####.cname####.com/images/index.css
  • 1####.w####.cname####.com/images/jquery.min.js
  • 1####.w####.cname####.com/images/layer.css
  • 1####.w####.cname####.com/images/layer.m.js
  • 1####.w####.cname####.com/images/lib-flexible.js
  • 1####.w####.cname####.com/images/lxb.js
  • 1####.w####.cname####.com/images/main.css
  • 1####.w####.cname####.com/images/menu_ico01.png
  • 1####.w####.cname####.com/images/menu_ico02.png
  • 1####.w####.cname####.com/images/menu_ico03.png
  • 1####.w####.cname####.com/images/menu_ico09.png
  • 1####.w####.cname####.com/images/menu_ico11.png
  • 1####.w####.cname####.com/images/menu_ico12.png
  • 1####.w####.cname####.com/images/menu_no_ico.png
  • 1####.w####.cname####.com/images/need/layer.css
  • 1####.w####.cname####.com/images/phone-float.png
  • 1####.w####.cname####.com/images/st_bottom_ico1.png
  • 1####.w####.cname####.com/images/st_bottom_ico2.png
  • 1####.w####.cname####.com/images/st_bottom_ico3.png
  • 1####.w####.cname####.com/images/st_bottom_ico4.png
  • 1####.w####.cname####.com/images/swiper.min.css
  • 1####.w####.cname####.com/images/swiper.min.js
  • 1####.w####.cname####.com/images/template.js
  • 1####.w####.cname####.com/images/user-center-home-icon.png
  • 1####.w####.cname####.com/include/ajax188.js
  • 1####.w####.cname####.com/uploads/161014/1_12245N93.jpg
  • 1####.w####.cname####.com/uploads/161014/1_1244525L.jpg
  • 1####.w####.cname####.com/uploads/161014/1_125321Z8.jpg
  • 1####.w####.cname####.com/uploads/161014/1_13010SF.jpg
  • 1####.w####.cname####.com/uploads/161014/1_130254911.jpg
  • 1####.w####.cname####.com/uploads/161014/1_130T94V.jpg
  • 1####.w####.cname####.com/uploads/161014/1_13123SB.jpg
  • 1####.w####.cname####.com/uploads/161014/1_132Ib21.jpg
  • 1####.w####.cname####.com/uploads/allimg/161014/1_13303HU4.jpg
  • 1####.w####.cname####.com/uploads/litimg/171014/16411G5033.jpg
  • 29e9d7b####.cdn.so####.####.com/<Package>/v0.1.0
  • a####.al####.com/static/oss/aliyun-hz-sm-o2o01/launching_platform/425045...
  • android####.2####.com/fs08/2019/12/24/11/110_c0ab15200b5ad409a708f25f722...
  • api.adoc####.com/titan/monitor/device_info
  • cdn.info####.me/files/68d806886a89a0a3f6e392e19a049e7f
  • co####.ssp.adoc####.com/api/v2/SDKCommonConfig?channelCode=####&version=...
  • co####.ssp.adoc####.com/api/v2/mgmConfig?channelCode=####&version=####
  • co####.ssp.adoc####.com/api/v2/mgmWebviewRatioConfig?channelCode=####&ve...
  • d####.buywe####.com/Dock/getDYToken
  • dynamic####.sn####.com.####.com/s/wemedia/s/upload/2018/1be2d41009977238...
  • gd.a.s####.com/201503/ca6d44e698cba0bd139936d7472f0d80.php?o=####&100000...
  • gou####.b####.com/site/350/51cfebfb4e8a08f990367d30dce5c1c2/b.js?siteId=...
  • hm.b####.com/h.js?51cfebf####
  • hm.b####.com/hm.gif?cc=1&ck=1&cl=16-bit&ds=600x800&vl=928&et=0&ja=0&ln=e...
  • ip.ta####.com/service/getIpInfo.php?ip=####
  • j.i36####.com:9000/jsonServer/LanMei01
  • j.i36####.com:9000/jsonServer/tc003
  • l####.b####.com/newFloat/_l.js?siteid=####&bdclickid=####&bdcbid=####&re...
  • l####.b####.com/newFloat/log.gif?fType=####&name=####&t=####&uuid=####
  • luna-im####.qq.com.####.com/qzone/biz/gdt/mod/android/AndroidAllInOne/pr...
  • m.d####.mob.com/v3/cconf?appkey=####&plat=####&apppkg=####&appver=####&n...
  • p####.api.adoc####.com/ip
  • p.cdn.s####.####.com/app/entrance/icon_7MU7r3qJQu96omFb9ZOz.png
  • p.cdn.s####.####.com/o_convert,f_webp,c_fill,w_165,h_120,q_70/images/202...
  • p.cdn.s####.####.com/o_convert,f_webp,c_fill,w_508,h_246,q_70/570d99e4/3...
  • p.cdn.s####.####.com/o_convert,f_webp,c_fill,w_508,h_246,q_70/570d99e4/c...
  • p.cdn.s####.####.com/o_convert,f_webp,c_fill,w_508,h_246,q_70/570d99e4/d...
  • p.cdn.s####.####.com/o_convert,f_webp,c_fill,w_508,h_246,q_70/570d99e4/f...
  • p.q####.b####.com/cps4/site/auth?cb=####&op=####&dev=####&ser=####&s_inf...
  • p.q####.b####.com/cps4/site/poll?cb=####&l=####&sign=####&v=####&s=####&...
  • p.q####.b####.com/cps4/site/st?cb=####&op=####&s_info=####&url=####&sign...
  • ping####.qq.com/pingd?dm=####&pvi=####&si=####&url=####&arg=####&ty=####...
  • s####.tc.qq.com/h5/stats.js?v2####
  • sf1-ttc####.ps####.com/img/mosaic-legacy/2ebc600003a5d26c80754~c1_600x80...
  • sgou####.b####.com/embed/1577778099/asset/embed/css/mobile/main.css
  • sgou####.b####.com/embed/1577778099/asset/embed/css/mobile/mimg/module-b...
  • sgou####.b####.com/embed/1577778099/asset/embed/mobile_nb.js
  • sgou####.b####.com/embed/1577778099/asset/embed/mobilelite/main.js
  • sgou####.b####.com/eye/log/js/stat.gif?cncttype=####&uuid=####&brgeyemid...
  • sgou####.b####.com/eye/log/js/stat.gif?uuid=####&brgeyemid=####&t=####&i...
  • st####.guantou####.com/stat13.html
  • vvv.focusd####.cn/ad/v1/log.action?action=v_initial&package=<Package>&ch...
  • yq####.jn####.ltd/sy/hjwuzj
  • yq####.jn####.ltd/zz/445gjrjrtwyf.zip
  • zgx.powerle####.com/dnfile/cmm/PWrap191331N.jar
HTTP POST requests:
  • a####.exc.mob.com/errconf
  • and####.b####.qq.com/rqd/async?aid=####
  • api.gug####.com:8935/
  • api.lubang####.com/domain.php
  • api.lubang####.com/srp.php
  • api.s####.mob.com/conf5
  • api.s####.mob.com/conn
  • api.s####.mob.com/log4
  • api.s####.mob.com/snsconf
  • awk.aoxun####.com:8199/awk
  • c.d####.mob.com/v3/cdata
  • d####.d####.mob.com/dinfo
  • d####.d####.mob.com/dsign
  • e4####.0r####.com:10293/widlth/
  • e4####.0r####.com:10293/xkeila/
  • gd.a.s####.com/ad/get
  • gd.a.s####.com/cityjson
  • gd.a.s####.com/config/ads/getAds
  • gd.a.s####.com/config/getConfigByVer
  • gd.a.s####.com/config/hotwords/get
  • gd.a.s####.com/config/showActivitiesInfo
  • gd.a.s####.com/engine/ad
  • gd.a.s####.com/engine/recommend
  • gd.a.s####.com/log/report
  • gd.a.s####.com/point/getRewardRules
  • gd.a.s####.com/point/getWithdrawRulesNew
  • gd.a.s####.com/receive/reyun
  • gd.a.s####.com/tab/getTabs
  • gd.a.s####.com/update/a/app/zixunRecall
  • gd.a.s####.com/user/task/rewardNotice
  • i.ku####.com:8071/4/1510864978/1
  • i.ku####.com:8071/4/1510864978/2
  • i.ku####.com:8071/4/163832107/2
  • j.i36####.com:9000/api/jadReport.do
  • jp####.njt####.com:10091/wisdom/marking
  • nb.i36####.com:9000/api/getAdInfoByDevice.do
  • nb.i36####.com:9000/api/getAdInfoById.do
  • nb.i36####.com:9000/api/vsp/getVspCore.do
  • np.bul####.cn:6087/Sdk/patchPlayReport
  • np.bul####.cn:6087/Sdk/reportTask
  • np.bul####.cn:6087/Sdk/task
  • np.bul####.cn:666/slsdk/api_report.aspx
  • ny.bul####.cn:666/slsdk/getdata.aspx
  • ott.h####.com:8071/10
  • pg####.d2####.com:10273/dvjnzt/
  • pg####.d2####.com:10273/rnggno/
  • pg####.d2####.com:10273/tzvntp/
  • r.ku####.com:8071/4/163832107/2
  • s####.e.qq.com/activate
  • s####.e.qq.com/getad
  • s.ku####.com:8071/4/3562354862/1
  • sdk.w####.com/rest/pt
  • sj.i36####.com:9000/api/getAdInfoById.do
  • tt####.vni####.com:20147/dijc1v/
  • w####.pcon####.com.cn/ip.jsp
  • www.d####.xyz/Orders/getlive?channel=####&Slevi=####
  • www.d####.xyz/Orders/getliveshua?channel=####&Slevi=####&codeimei=####
  • www.d####.xyz/Orders/pigchannel?channel=####&nochannel=####
  • www.d####.xyz/Orders/setpnum?pnum=####&channel=####
File system changes:
Creates the following files:
  • /data/data/####/.__id_
  • /data/data/####/.__mob_ad_data.xml
  • /data/data/####/.imprint
  • /data/data/####/.jg.ic
  • /data/data/####/.lock
  • /data/data/####/.mrecord
  • /data/data/####/.mrlock
  • /data/data/####/.quicknews_turn
  • /data/data/####/.statistics
  • /data/data/####/.turing.dat
  • /data/data/####/.zeg.xml
  • /data/data/####/0000210291
  • /data/data/####/004329a0-43a4-4c43-9a6d-2f25976fb37c
  • /data/data/####/01852d97-0949-4879-ae18-aeb73304dfa5
  • /data/data/####/1002
  • /data/data/####/1004
  • /data/data/####/1368100323.jar (deleted)
  • /data/data/####/1d2b904cbeadfb72ed9546111a231c85.0
  • /data/data/####/2020_01_05.xml
  • /data/data/####/2020_01_05read.xml
  • /data/data/####/2020_01_05shuareads.xml
  • /data/data/####/2740.yaqcookie
  • /data/data/####/44367F39739CCD6BBF960E91E7DB78B2.xml
  • /data/data/####/4B8DB6B83129A65A2EF4DCFC1393C3B0.xml
  • /data/data/####/5666b6ff9ea3d750069da409c54809534b9847064f1e8ae....0.tmp
  • /data/data/####/6901029832
  • /data/data/####/6ff4b7bd-d8de-4935-b73a-e9e945413f53
  • /data/data/####/8285687079f726e81979764e271ed349
  • /data/data/####/8EAD111D030291821E19A80E344C340A.xml
  • /data/data/####/9177236772096401732
  • /data/data/####/9392467833000.0
  • /data/data/####/9618302918.xml
  • /data/data/####/9be5f572f32d76037f67dbee1944c211f834a509b031157....0.tmp
  • /data/data/####/BuglySdkInfos.xml
  • /data/data/####/GDTSDK.db
  • /data/data/####/GDTSDK.db-journal
  • /data/data/####/HttpDNSConstantsJson.xml
  • /data/data/####/IM.xml
  • /data/data/####/IpInfos.xml
  • /data/data/####/MultiDex.lock
  • /data/data/####/Push_Page_Config.xml
  • /data/data/####/SWENOFNI0UHOS0MOC.anrtmp
  • /data/data/####/SWENOFNI0UHOS0MOC.bati
  • /data/data/####/SWENOFNI0UHOS0MOC.end
  • /data/data/####/SWENOFNI0UHOS0MOC.hdr
  • /data/data/####/SWENOFNI0UHOS0MOC.meminfo
  • /data/data/####/SWENOFNI0UHOS0MOC.pid
  • /data/data/####/SWENOFNI0UHOS0MOC.ps
  • /data/data/####/SWENOFNI0UHOS0MOC.ss
  • /data/data/####/SWENOFNI0UHOS0MOC.st
  • /data/data/####/SWENOFNI0UHOS0MOC.start
  • /data/data/####/SWENOFNI0UHOS0MOC.status
  • /data/data/####/SWENOFNI0UHOS0MOC.time
  • /data/data/####/SWENOFNI0UHOS0MOC.uptime
  • /data/data/####/ThrowalbeLog.db
  • /data/data/####/ThrowalbeLog.db-journal
  • /data/data/####/UM_PROBE_DATA.xml
  • /data/data/####/WebViewBasePrefs.xml
  • /data/data/####/__x_adsdk_agent_header__.xml
  • /data/data/####/_p.xml
  • /data/data/####/_sh.xml
  • /data/data/####/a75fe7b8-b2c5-4fa7-8273-2e63511e0a11
  • /data/data/####/a7cffb8fb1e3715b7957968db98926178152b16f57c52c9...7497.0
  • /data/data/####/a7dba1774f6be2eee633235b748049fa5438e37d9177c0e....0.tmp
  • /data/data/####/apkseparate.DoubleBackUpDB.db
  • /data/data/####/apkseparate.DoubleBackUpDB.db-journal
  • /data/data/####/app.manager-journal
  • /data/data/####/app_crash_copy.xml
  • /data/data/####/article-db
  • /data/data/####/article-db-journal
  • /data/data/####/bal.catch
  • /data/data/####/bb8ed296-5992-4b51-8b01-f41ba204e271
  • /data/data/####/be0c7fd90a94d0e8203c2d47001ac7c257f097f6fb87355....0.tmp
  • /data/data/####/bhnadben.jar
  • /data/data/####/bugly_db_
  • /data/data/####/bugly_db_-journal
  • /data/data/####/bvu
  • /data/data/####/bwc.catch
  • /data/data/####/c0586a10777146560765a69231d89beb.xml
  • /data/data/####/cc029bf37257758c50ab9770d6c1fd6cbbc77ed88fedddf....0.tmp
  • /data/data/####/cca.xml
  • /data/data/####/cdt.wa (deleted)
  • /data/data/####/clyjkk.png
  • /data/data/####/cn.jiguang.common.xml
  • /data/data/####/cn.jiguang.sdk.address.xml
  • /data/data/####/cn.jiguang.sdk.share.profile.xml
  • /data/data/####/cn.jiguang.sdk.user.profile.xml
  • /data/data/####/cn.jpush.android.user.profile.xml
  • /data/data/####/cn.jpush.config.xml
  • /data/data/####/cn.jpush.config.xml.bak
  • /data/data/####/cn.jpush.config.xml.bak (deleted)
  • /data/data/####/cn.jpush.preferences.v2.rid.xml
  • /data/data/####/cn.jpush.preferences.v2.xml
  • /data/data/####/com.admaster.sdk.other.xml
  • /data/data/####/com.admaster.sdk.sdkconfig.xml
  • /data/data/####/com.baidu.mobads.loader.xml
  • /data/data/####/com.qq.e.sdkconfig.xml
  • /data/data/####/com.sohu.infonews.BETA_VALUES.xml
  • /data/data/####/com.sohu.infonews.db
  • /data/data/####/com.sohu.infonews.db-journal
  • /data/data/####/com.sohu.infonews.xml
  • /data/data/####/com.util.sputil.xml
  • /data/data/####/com_sohu_infonews.txt
  • /data/data/####/common-db
  • /data/data/####/common-db-journal
  • /data/data/####/config.service.xml
  • /data/data/####/cr.wa (deleted)
  • /data/data/####/crashrecord.xml
  • /data/data/####/dW1weF9pbnRlcm5hbF8xNTc4MTc3MjcxMDcx;
  • /data/data/####/dW1weF9pbnRlcm5hbF8xNTc4MTc3MjgzNzc1;
  • /data/data/####/da3c8740-d4b9-4595-a82f-cdb19804ccc8
  • /data/data/####/data.zip
  • /data/data/####/data_0
  • /data/data/####/data_1
  • /data/data/####/data_2
  • /data/data/####/data_3
  • /data/data/####/db3e5a07-e912-4dfa-9897-4ac0728ab2f9
  • /data/data/####/devCloudSetting.cfg
  • /data/data/####/devCloudSetting.sig
  • /data/data/####/dn_config.db
  • /data/data/####/dn_config.db-journal
  • /data/data/####/download.info
  • /data/data/####/download.tmp
  • /data/data/####/downloader.db
  • /data/data/####/downloader.db-journal
  • /data/data/####/dt.wa (deleted)
  • /data/data/####/ed5bfe4bdbec3416c956d017ae73c00a
  • /data/data/####/eef21ce350bf77bf2627ce2e10343caa21154ffbdc054bc....0.tmp
  • /data/data/####/exchangeIdentity.json
  • /data/data/####/exid.dat
  • /data/data/####/f153b6ff0d295d1caa6f051bbd831347d5b7d689f478353....0.tmp
  • /data/data/####/f4f45ce462e1561d488b8e700bb7e669.xml
  • /data/data/####/f_000001
  • /data/data/####/f_000002
  • /data/data/####/f_000003
  • /data/data/####/f_000004
  • /data/data/####/f_000005
  • /data/data/####/f_000006
  • /data/data/####/f_000007
  • /data/data/####/f_000008
  • /data/data/####/f_000009
  • /data/data/####/f_00000a
  • /data/data/####/f_00000b
  • /data/data/####/f_00000c
  • /data/data/####/f_00000d
  • /data/data/####/f_00000e
  • /data/data/####/f_00000f
  • /data/data/####/f_000010
  • /data/data/####/f_000011
  • /data/data/####/f_000012
  • /data/data/####/f_000013
  • /data/data/####/f_000014
  • /data/data/####/f_000015
  • /data/data/####/f_000016
  • /data/data/####/f_000017
  • /data/data/####/f_000018
  • /data/data/####/f_000019
  • /data/data/####/f_00001a
  • /data/data/####/f_00001b
  • /data/data/####/f_00001c
  • /data/data/####/f_00001d
  • /data/data/####/f_00001e
  • /data/data/####/f_00001f
  • /data/data/####/f_000020
  • /data/data/####/f_000021
  • /data/data/####/f_000022
  • /data/data/####/f_000023
  • /data/data/####/f_000024
  • /data/data/####/f_000025
  • /data/data/####/f_000026
  • /data/data/####/f_000027
  • /data/data/####/f_000028
  • /data/data/####/f_000029
  • /data/data/####/f_00002a
  • /data/data/####/f_00002b
  • /data/data/####/f_00002c
  • /data/data/####/f_00002d
  • /data/data/####/f_00002e
  • /data/data/####/f_00002f
  • /data/data/####/f_000030
  • /data/data/####/f_000031
  • /data/data/####/f_000032
  • /data/data/####/fc.xml
  • /data/data/####/gameid
  • /data/data/####/gameid.zip
  • /data/data/####/gdt_config.cfg
  • /data/data/####/gdt_plugin.dex
  • /data/data/####/gdt_plugin.tmp
  • /data/data/####/gdt_plugin.tmp.sig
  • /data/data/####/gdt_stat.db
  • /data/data/####/gdt_stat.db-journal
  • /data/data/####/gdt_suid
  • /data/data/####/hianalytics_global_v2_com.sohu.infonews.xml
  • /data/data/####/hmdb
  • /data/data/####/hmdb-journal
  • /data/data/####/hxdata.xml
  • /data/data/####/i==1.2.0&&3.10.3_1578177271074_envelope.log
  • /data/data/####/i==1.2.0&&3.10.3_1578177283781_envelope.log
  • /data/data/####/im.database.ad-journal
  • /data/data/####/index
  • /data/data/####/info.xml
  • /data/data/####/jni_log_1578177270515.txt
  • /data/data/####/journal
  • /data/data/####/journal.tmp
  • /data/data/####/jpush_local_notification.db
  • /data/data/####/jpush_local_notification.db-journal
  • /data/data/####/jpush_local_notification.db-wal
  • /data/data/####/k.store
  • /data/data/####/kobox.0.sp.xml
  • /data/data/####/libMMANDKSignature.e6bed4a9.so
  • /data/data/####/libjiagu1859141543.so
  • /data/data/####/libsvdigk.so
  • /data/data/####/libsvdigk.so-32
  • /data/data/####/libsvdigk.so-64
  • /data/data/####/libturingau.e6bed4a9.so
  • /data/data/####/libyaqbasic.e6bed4a9.so
  • /data/data/####/libyaqpro.e6bed4a9.so
  • /data/data/####/local_crash_lock
  • /data/data/####/logdb.db
  • /data/data/####/logdb.db-journal
  • /data/data/####/m1.jar
  • /data/data/####/m2.jar
  • /data/data/####/m3.jar
  • /data/data/####/m_config.json
  • /data/data/####/mob_commons_1
  • /data/data/####/mob_sdk_exception_1
  • /data/data/####/mpdc1
  • /data/data/####/multidex.version.xml
  • /data/data/####/mzSdkProfilePrefs.xml
  • /data/data/####/mzmonitor
  • /data/data/####/mzmonitor-journal
  • /data/data/####/native_record_lock
  • /data/data/####/prdopt.xml
  • /data/data/####/pref.xml
  • /data/data/####/pref.xml.bak
  • /data/data/####/pref.xml.bak (deleted)
  • /data/data/####/preload_news_ad.db
  • /data/data/####/preload_news_ad.db-journal
  • /data/data/####/push_stat_cache.json
  • /data/data/####/pv.wa
  • /data/data/####/read.xml
  • /data/data/####/rl.catch
  • /data/data/####/sc_preload_resource.xml
  • /data/data/####/sc_tracking.db
  • /data/data/####/sc_tracking.db-journal
  • /data/data/####/scadsdk_collection.xml
  • /data/data/####/sdkCloudSetting.cfg
  • /data/data/####/sdkCloudSetting.sig
  • /data/data/####/security_info
  • /data/data/####/share_sdk_1
  • /data/data/####/sharesdk.db
  • /data/data/####/sharesdk.db-journal
  • /data/data/####/sys_log_1578177270515.txt
  • /data/data/####/t20200105.dat
  • /data/data/####/t==8.0.2&&3.10.3_1578177271598_envelope.log
  • /data/data/####/tmp7.xml
  • /data/data/####/tools8977.xml
  • /data/data/####/tools8977New2.xml
  • /data/data/####/tt_materialMeta.xml
  • /data/data/####/tt_sdk_settings.xml
  • /data/data/####/tt_splash.xml
  • /data/data/####/ttff.xml
  • /data/data/####/ttopenadsdk.xml
  • /data/data/####/ttopensdk.db
  • /data/data/####/ttopensdk.db-journal
  • /data/data/####/turingfd_conf_105498_auMini.xml
  • /data/data/####/turingfd_protect_105498_39_auMini.xml
  • /data/data/####/ua.db
  • /data/data/####/ua.db-journal
  • /data/data/####/um_pri.xml
  • /data/data/####/umdat.xml
  • /data/data/####/umeng_common_config.xml
  • /data/data/####/umeng_common_location.xml
  • /data/data/####/umeng_general_config.xml
  • /data/data/####/umeng_general_config.xml.bak (deleted)
  • /data/data/####/umeng_it.cache
  • /data/data/####/unique
  • /data/data/####/update_lc
  • /data/data/####/ver
  • /data/data/####/webview.db-journal
  • /data/data/####/webviewCookiesChromium.db-journal
  • /data/data/####/webviewCookiesChromium.db-journal (deleted)
  • /data/data/####/yaq.e6bed4a9.sec
  • /data/data/####/yaq2.e6bed4a9.sec
  • /data/data/####/yaq3_0.e6bed4a9.sec
  • /data/data/####/yaqsdkcookie
  • /data/data/####/yd_config_c.xml
  • /data/media/####/.YiAds.log
  • /data/media/####/.YiAds_Net.log
  • /data/media/####/.a.dat
  • /data/media/####/.adfwe.dat
  • /data/media/####/.cca.dat
  • /data/media/####/.cdeviceID
  • /data/media/####/.dh
  • /data/media/####/.dh-journal
  • /data/media/####/.dhlock
  • /data/media/####/.di
  • /data/media/####/.di (deleted)
  • /data/media/####/.dic_lock
  • /data/media/####/.duid
  • /data/media/####/.globalLock
  • /data/media/####/.mps
  • /data/media/####/.nomedia
  • /data/media/####/.nulplt
  • /data/media/####/.pkg_lock
  • /data/media/####/.push_deviceid
  • /data/media/####/.rcTag
  • /data/media/####/.rc_lock
  • /data/media/####/.turing.dat
  • /data/media/####/.umm.dat
  • /data/media/####/.usdis
  • /data/media/####/.zjl
  • /data/media/####/1578177301959.db
  • /data/media/####/1AF278535C486DC18070D7F86A7F22DB.temp
  • /data/media/####/2020_01_05
  • /data/media/####/33353eefadbc883cddd55ea132ba2e47.xml
  • /data/media/####/DBE6A9C2BD7AE80EDFEF46878DB0B843.jar
  • /data/media/####/DBE6A9C2BD7AE80EDFEF46878DB0B843.temp
  • /data/media/####/E7ACE756EA704D1F1FB4769319831648
  • /data/media/####/INSTALLATION
  • /data/media/####/_pn
  • /data/media/####/_shn
  • /data/media/####/alsn20170807.db
  • /data/media/####/alsn20170807.db-journal
  • /data/media/####/com.sohu.infonews.log
  • /data/media/####/com.sohu.infonews3.10.3apkseparate.DoubleBackU...ournal
  • /data/media/####/com.sohu.infonews3.10.3apkseparate.DoubleBackUpDB.db
  • /data/media/####/com_sohu_infonews.txt
  • /data/media/####/date40003000700
  • /data/media/####/dn_config.db
  • /data/media/####/dn_config.db-journal
  • /data/media/####/engc.jar
  • /data/media/####/isread
  • /data/media/####/pidfile.txt
  • /data/media/####/plug.status
  • /data/media/####/session.dat
  • /data/media/####/sysid.dat
  • /data/media/####/tmpbl.jar
  • /data/media/####/tt_splash_image_cache
  • /data/media/####/webengine.jar
Miscellaneous:
Executes the following shell scripts:
  • /system/bin/cat /proc/cpuinfo
  • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
  • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
  • /system/bin/df
  • /system/bin/getprop
  • /system/bin/sh -c getprop
  • cat /proc/cpuinfo
  • cat /proc/version
  • cat /sys/class/net/wlan0/address
  • getprop
  • getprop ro.board.platform
  • getprop ro.build.version.emui
  • getprop ro.build.version.opporom
  • getprop ro.letv.release.version
  • getprop ro.miui.ui.version.name
  • getprop ro.product.cpu.abi
  • getprop ro.smartisan.version
  • getprop ro.vivo.os.build.display.id
  • getprop ro.vivo.os.version
  • ls -l /system/bin/su
  • ls /
  • ls /sys/class/thermal
  • ps
  • sh
  • sh -c type su
Loads the following dynamic libraries:
  • Bugly
  • GNaviMapex
  • X86Bridge
  • crashsdk
  • libMMANDKSignature.e6bed4a9
  • libjiagu1859141543
  • libsvdigk
  • libturingau.e6bed4a9
  • libyaqbasic.e6bed4a9
  • libyaqpro.e6bed4a9
  • neh
  • sc_security
Uses the following algorithms to encrypt data:
  • AES-CBC-PKCS5Padding
  • AES-CBC-PKCS7Padding
  • AES-ECB-PKCS5Padding
  • AES-ECB-PKCS7Padding
  • AES-GCM-NoPadding
  • DES
  • DES-CBC-PKCS5Padding
  • Des-ECB-NoPadding
  • RSA-ECB-PKCS1Padding
  • RSA-None-PKCS1Padding
Uses the following algorithms to decrypt data:
  • AES-CBC-PKCS5Padding
  • AES-CBC-PKCS7Padding
  • AES-ECB-NoPadding
  • AES-ECB-PKCS5Padding
  • AES-ECB-PKCS7Padding
  • AES-GCM-NoPadding
  • DES
  • DES-CBC-PKCS5Padding
  • Des-ECB-NoPadding
  • RSA-ECB-PKCS1Padding
  • RSA-None-PKCS1Padding
Accesses the ITelephony private interface.
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Gets information about running apps.
Gets information about accounts associated with the device (Google, Facebook, etc.).
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android