Android.Triada.4727

Android.Triada.4727

Added to the Dr.Web virus database: 2020-07-09

Virus description added: 2020-07-09

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.Triada.248.origin
Android.Triada.464.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) rq####.sp####.mig.####.net:80
TCP(TLS/1.0) m####.top:443
TCP(TLS/1.0) p####.go####.com:443
TCP(TLS/1.0) dualsta####.wagbr####.ali####.####.com:443
TCP a####.b####.qq.com:8011

DNS requests:

a####.b####.qq.com
and####.b####.qq.com
l.ace####.com
m####.top
p####.go####.com
plb####.u####.com
u####.u####.com

HTTP POST requests:

rq####.sp####.mig.####.net/rqd/async?aid=####

File system changes:

Creates the following files:

/data/data/####/-EbWIt6jhUOzO9B0oO688vrKLsk=.new
/data/data/####/.imprint
/data/data/####/.updateIV.dat
/data/data/####/00O000ll111l_0.dex
/data/data/####/0OO00l111l1l
/data/data/####/0OO00l111l1l.lock
/data/data/####/1004
/data/data/####/AdgaIs26r4L1B_vM4lpgEILwiTc=.new
/data/data/####/EsGpgxswuj9QDbyp5Ef6FQ==.new
/data/data/####/FMRw7ws_-QNGAOemyracwGtY_N-6311i.new
/data/data/####/FVmKZpQz097SA-DLqwcNBi5H2Kw=.new
/data/data/####/GSiNAWxk753DFmSbEBuHPQ==
/data/data/####/JsLhtMSfd_n2uh3VV2iFWFgQgpA=.new
/data/data/####/KdePgr5kGFAzUopEk7qCaQ==.new
/data/data/####/Kqt6EgZew2qBlmsdyuJrcT7VwUE=.new
/data/data/####/KrZzpQ9kVXl27lh8hedQ27lc6fU=.new
/data/data/####/QLlG-Ektrz3fKDDqYB48Vg==.new
/data/data/####/a==7.5.3&&1.1_1594303839819_envelope.log
/data/data/####/bugly_db_yaq-journal
/data/data/####/crashrecord.xml
/data/data/####/dW1weF9pbnRlcm5hbF8xNTk0MzAzODM3MjI4;
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/gjd8sDaCCXURr6ZYI9kYRQ==
/data/data/####/hianalytics_global_v2_com.igame.xxdkq4.huawei.xml
/data/data/####/hmLEOv04K28U_wMt.new
/data/data/####/hrvbaq_f.zip
/data/data/####/i==1.2.0&&1.1_1594303837247_envelope.log
/data/data/####/info.xml
/data/data/####/krcCHDj1umECcDBk.zip
/data/data/####/libshellx-super.2019.so
/data/data/####/local_crash_lock
/data/data/####/native_record_lock
/data/data/####/o0oooOO0ooOo.dat
/data/data/####/rdata_comxsQ6huawei.new
/data/data/####/runner_info.prop.new
/data/data/####/security_info
/data/data/####/tNxRnPApkUYssuSa
/data/data/####/tosversion
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/um_pri.xml
/data/data/####/umdat.xml
/data/data/####/umeng_common_config.xml
/data/data/####/umeng_common_location.xml
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/vF-rDXW9RF-2UTiytCOpFw==.new
/data/data/####/wxNceZ-w_VnnhFCAsIJOIJhKjJr1FZ8yDeBkmrqXwg8=_oY...ournal
/data/media/####/.a.dat
/data/media/####/.adfwe.dat
/data/media/####/.cca.dat
/data/media/####/.umm.dat
/data/media/####/.uunique.new

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
/system/bin/sh -c getprop
getprop
getprop ro.build.version.emui
getprop ro.build.version.opporom
getprop ro.miui.ui.version.name
getprop ro.product.cpu.abi
getprop ro.vivo.os.version
getprop ro.yunos.version
ls /
ls /sys/class/thermal

Loads the following dynamic libraries:

Bugly-yaq
libshellx-super.2019
main

Uses the following algorithms to encrypt data:

AES-CBC-PKCS7Padding
AES-GCM-NoPadding
RSA-ECB-PKCS1Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS7Padding
AES-GCM-NoPadding

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Displays its own windows over windows of other apps.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial