Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Triada.477.origin
Threat detection based on machine learning.
Contains typical banking trojan/virus code.
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) 1####.75.121.210:443
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) 1####.29.29.29:80
- TCP(HTTP/1.1) 2####.119.207.251:443
- TCP(HTTP/1.1) www.qq####.top:80
- TCP(HTTP/1.1) 2####.119.214.124:443
- TCP(HTTP/1.1) www.d####.xyz:80
- TCP(HTTP/1.1) 47.1####.99.84:443
- TCP(HTTP/1.1) 1####.33.11.88:443
- TCP(HTTP/1.1) 1####.40.217.60:9190
- TCP(HTTP/1.1) 47.2####.48.227:443
- TCP(HTTP/1.1) 8.2####.35.113:443
- TCP(TLS/1.0) 2####.119.214.124:443
- TCP(TLS/1.0) 2####.58.208.106:443
- TCP(TLS/1.0) 1####.33.11.88:443
- TCP(TLS/1.0) 47.1####.99.84:443
- TCP(TLS/1.0) 47.2####.48.227:443
- TCP(TLS/1.0) 1####.40.217.60:9190
- TCP(TLS/1.0) 1####.75.121.210:443
- TCP(TLS/1.0) 8.2####.35.113:443
- TCP(TLS/1.0) ad1.azh####.com:9190
- TCP(TLS/1.0) 2####.119.207.251:443
- TCP(TLS/1.2) 1####.250.179.195:443
- UDP 1####.217.19.202:443
- TCP 1####.190.120.79:11675
- TCP 1####.190.120.79:11645
DNS requests:
- ad1.azh####.com
- api.xima####.com
- api.ximala####.com
- azh####.com
- is.sn####.com
- l####.tbs.qq.com
- log.u####.com
- m####.go####.com
- plb####.u####.com
- tj.youza####.com
- u####.u####.com
- www.d####.xyz
- www.qq####.top
HTTP GET requests:
- 1####.33.11.88:443/ximalayaos-skill/getToken?&deviceId=####&deviceType=#...
- 47.1####.99.84:443/fmxos/api/app/getChannelList?paramSt####&clientOsType...
- www.qq####.top//CID009/md5.txt
HTTP POST requests:
- 1####.40.217.60:9190/attrAddressConfig
- 1####.40.217.60:9190/attrPlugConfig
- 1####.75.121.210:443/v3/log
- 2####.119.207.251:443/umpx_internal
- 2####.119.214.124:443/umpx_share
- 47.2####.48.227:443/api/ad/union/sdk/settings/
- 47.2####.48.227:443/api/ad/union/sdk/upload/app_info/
- 8.2####.35.113:443/unify_logs
- l####.tbs.qq.com/ajax?c=####&k=####
- www.d####.xyz/Orders/getlive?channel=####&Slevi=####
- www.d####.xyz/Orders/getliveshua?channel=####&Slevi=####
- www.d####.xyz/Orders/pigchannel?channel=####&nochannel=####
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/2021_08_04read.xml
- /data/data/####/23eeac33cae2b0c9859d13f46b744328.0.tmp
- /data/data/####/23eeac33cae2b0c9859d13f46b744328.1
- /data/data/####/23eeac33cae2b0c9859d13f46b744328.1.tmp
- /data/data/####/3062850.dex
- /data/data/####/3062850.dex.flock (deleted)
- /data/data/####/3062850.jar
- /data/data/####/3063022.dex
- /data/data/####/3063022.dex.flock (deleted)
- /data/data/####/3063022.jar
- /data/data/####/56a5c1888d51a76961ded6281b2c0848.xml
- /data/data/####/56a5c1888d51a76961ded6281b2c0848.xml.bak
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/FMXOS_INSTALLATION_ID
- /data/data/####/KEY
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/app_config.xml
- /data/data/####/birddownloader.db-journal
- /data/data/####/birdopensdk.db-journal
- /data/data/####/cc.db-journal
- /data/data/####/com.youzan.mobile.AnalyticsPrefs.xml
- /data/data/####/com.youzan.mobile.AnalyticsPrefs.xml.bak
- /data/data/####/core_info
- /data/data/####/dW1weF9pbnRlcm5hbF8xNjI4MDcxNjc1NjI0;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNjI4MDcxNjcyODkx;
- /data/data/####/dW1weF9zaGFyZV8xNjI4MDcxNzA0NjA4;
- /data/data/####/dW1weF9zaGFyZV8xNjI4MDcxNzA0ODAz;
- /data/data/####/dlvideo.db-journal
- /data/data/####/downloader.db-journal
- /data/data/####/dso_deps
- /data/data/####/dso_lock
- /data/data/####/dso_manifest
- /data/data/####/dso_state
- /data/data/####/events
- /data/data/####/events-journal
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/fmxos_voice_sdk.xml
- /data/data/####/i==1.2.0&&6.1.4_1628071672903_envelope.log
- /data/data/####/idaddy_sdk.xml
- /data/data/####/info.xml
- /data/data/####/journal.tmp
- /data/data/####/proc_auxv
- /data/data/####/read.xml
- /data/data/####/share.db-journal
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_config.xml.bak
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tt_sdk_settings.xml
- /data/data/####/ttopenadsdk.xml
- /data/data/####/ttopenadsdk.xml.bak
- /data/data/####/ttopensdk.db-journal
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_config.xml.bak
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/2021_08_04
- /data/media/####/isread
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /proc/cpuinfo
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- getprop ro.build.version.emui
- getprop ro.letv.release.version
- getprop ro.product.cpu.abi
- getprop ro.vivo.os.build.display.id
- ls /
- ls /sys/class/thermal
- which su
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- DES-CBC-PKCS5Padding
- Des-ECB-NoPadding
- RSA-ECB-NoPadding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- DES-CBC-PKCS5Padding
- Des-ECB-NoPadding
- RSA
Accesses the ITelephony private interface.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Displays its own windows over windows of other apps.
Requests the system alert window permission.