Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.685.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.0) r3---sn####.g####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) 64.2####.161.95:443
- TCP(TLS/1.0) 1####.194.222.95:443
- TCP(TLS/1.2) 1####.194.222.95:443
- TCP(TLS/1.2) 74.1####.131.100:443
- TCP(TLS/1.2) 64.2####.161.95:443
- TCP(TLS/1.2) 1####.194.220.94:443
- UDP 1####.194.222.95:443
DNS requests:
- android####.go####.com
- r3---sn####.g####.com
- r3---sn####.g####.com.####.8
- www.go####.com
- x.e####.net
HTTP GET requests:
- www.go####.com:443/
File system changes:
Creates the following files:
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex.flo...leted)
- /data/data/####/classes.dex
- /data/data/####/classes.dve
- /data/data/####/cmf0.c3b5bm90zq.patch_preferences.xml
- /data/data/####/proc_auxv
- /data/media/####/config04-12-2021.log
Miscellaneous:
Executes the following shell scripts:
- /system/bin/log -p d -t su /dev/com.android.settings/.socket3505
- /system/bin/log -p d -t su /dev/com.android.settings/.socket3517
- /system/bin/log -p d -t su 10065 /system/bin/app_process32 executing 0 /system/bin/sh using binary /system/bin/sh : sh
- /system/bin/log -p d -t su child exited
- /system/bin/log -p d -t su client exited 0
- /system/bin/log -p d -t su connecting client 3481
- /system/bin/log -p d -t su connecting client 3717
- /system/bin/log -p d -t su connecting client 3802
- /system/bin/log -p d -t su db allowed
- /system/bin/log -p d -t su remote args: 1
- /system/bin/log -p d -t su remote pid: 3481
- /system/bin/log -p d -t su remote pid: 3491
- /system/bin/log -p d -t su remote pid: 3717
- /system/bin/log -p d -t su remote pid: 3802
- /system/bin/log -p d -t su remote pts_slave:
- /system/bin/log -p d -t su remote req pid: 3429
- /system/bin/log -p d -t su remote req pid: 3619
- /system/bin/log -p d -t su remote uid: 10065
- /system/bin/log -p d -t su sending code
- /system/bin/log -p d -t su starting daemon client 10065 10065
- /system/bin/log -p d -t su su invoked.
- /system/bin/log -p d -t su waiting for child exit
- /system/bin/log -p d -t su waiting for user
- /system/bin/log -p e -t su select failed with 2: No such file or directory
- /system/bin/log -p e -t su sqlite3 open /data/user_de/0/com.android.settings/databases/su.sqlite failure: 14
- /system/bin/log -p w -t su request rejected (10065->0 /system/bin/sh)
- sh
- su
Uses elevated priveleges.
Uses administrator priveleges.
Uses special library to hide executable bytecode.
Accesses camera interface.
Gets information about location.
Gets information about phone status (number, IMEI, etc.).
Gets information about active device administrators.
Gets information about installed apps.
Displays its own windows over windows of other apps.
Requests the system alert window permission.