Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Was.1.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) commo####.gamesve####.com:80
- TCP(HTTP/1.1) cdn.gamesve####.com:80
- TCP(HTTP/1.1) api.colorpl####.art:80
- TCP(TLS/1.0) firebas####.google####.com:443
- TCP(TLS/1.0) c.amazon-####.com:443
- TCP(TLS/1.0) rt.appl####.com:443
- TCP(TLS/1.0) firebas####.crashly####.com:443
- TCP(TLS/1.0) kvinit-####.api.koc####.com:443
- TCP(TLS/1.0) 64.2####.164.94:443
- TCP(TLS/1.0) con####.koc####.com:443
- TCP(TLS/1.0) g####.face####.com:443
- TCP(TLS/1.0) ms.appl####.com:443
- TCP(TLS/1.0) app-mea####.com:443
- TCP(TLS/1.0) 64.2####.161.102:443
- TCP(TLS/1.0) d.appl####.com:443
- TCP(TLS/1.0) rr9---s####.g####.com:443
- TCP(TLS/1.0) d####.fl####.com:443
- TCP(TLS/1.2) 64.2####.164.94:443
- TCP(TLS/1.2) firebas####.google####.com:443
- UDP firebas####.google####.com:443
DNS requests:
- and####.a####.go####.com
- and####.google####.com
- api.colorpl####.art
- app-mea####.com
- c.amazon-####.com
- cdn.gamesve####.com
- commo####.gamesve####.com
- con####.koc####.com
- d####.fl####.com
- d.appl####.com
- firebas####.crashly####.com
- firebas####.google####.com
- g####.face####.com
- kvinit-####.api.koc####.com
- md####.google####.com
- ms.appl####.com
- rr9---s####.g####.com
- rt.appl####.com
HTTP GET requests:
- api.colorpl####.art/v1/clpnt/img/recommend/finish/expanding?data=####&sk...
- api.colorpl####.art/v1/clpnt/img_item/u1/top_card?data=####&skv=####&sig...
- c.amazon-####.com:443/aps_mobile_client_config.json
- cdn.gamesve####.com/apps/art.color.planet.paint.by.number.game.puzzle.fr...
- firebas####.crashly####.com:443/spi/v2/platforms/android/gmp/1:625079828...
HTTP POST requests:
- commo####.gamesve####.com/api/v1/user/u2/register
- commo####.gamesve####.com/v1/poseidon/api/behavior/u2/get_next
- commo####.gamesve####.com/v1/poseidon/api/service/apple
- con####.koc####.com:443/track/json
- con####.koc####.com:443/track/kvquery
- d####.fl####.com:443/aap.do
- d.appl####.com:443/2.0/device?p=####
- firebas####.google####.com:443/v1/projects/saori-ff14c/installations
- kvinit-####.api.koc####.com:443/track/kvinit
- ms.appl####.com:443/5.0/i?p=####
- rt.appl####.com:443/4.0/pix?p=####
File system changes:
Creates the following files:
- /data/data/####/.YFlurrySenderIndex.info.AnalyticsData_P4CDY9G8...7N_281
- /data/data/####/.YFlurrySenderIndex.info.AnalyticsMain
- /data/data/####/.dex2oatlock
- /data/data/####/.nomedia
- /data/data/####/.updateIV.dat
- /data/data/####/.updateIV.dat_0
- /data/data/####/.updateIV.dat_1
- /data/data/####/.updateIV.dat_2
- /data/data/####/.updateIV.dat_3
- /data/data/####/.updateIV.dat_4
- /data/data/####/.yflurrydatasenderblock.2d124e2f-b963-4c70-90a5...9ebc80
- /data/data/####/0000000lllll_0.dex
- /data/data/####/0000000lllll_1.dex
- /data/data/####/0000000lllll_2.dex
- /data/data/####/0000000lllll_3.dex
- /data/data/####/0000000lllll_4.dex
- /data/data/####/000O00ll111l_0.dex
- /data/data/####/000O00ll111l_1.dex
- /data/data/####/000O00ll111l_2.dex
- /data/data/####/000O00ll111l_3.dex
- /data/data/####/000O00ll111l_4.dex
- /data/data/####/00O000ll111l_0.dex
- /data/data/####/00O000ll111l_0.dex (deleted)
- /data/data/####/00O000ll111l_0.dex.flock
- /data/data/####/00O000ll111l_0.dex.flock (deleted)
- /data/data/####/00O000ll111l_1.dex
- /data/data/####/00O000ll111l_1.dex (deleted)
- /data/data/####/00O000ll111l_1.dex.flock
- /data/data/####/00O000ll111l_1.dex.flock (deleted)
- /data/data/####/00O000ll111l_2.dex
- /data/data/####/00O000ll111l_2.dex (deleted)
- /data/data/####/00O000ll111l_2.dex.flock
- /data/data/####/00O000ll111l_2.dex.flock (deleted)
- /data/data/####/00O000ll111l_3.dex
- /data/data/####/00O000ll111l_3.dex (deleted)
- /data/data/####/00O000ll111l_3.dex.flock
- /data/data/####/00O000ll111l_3.dex.flock (deleted)
- /data/data/####/00O000ll111l_4.dex
- /data/data/####/00O000ll111l_4.dex (deleted)
- /data/data/####/00O000ll111l_4.dex.flock
- /data/data/####/00O000ll111l_4.dex.flock (deleted)
- /data/data/####/0OO00l111l1l
- /data/data/####/0OO00l111l1l.lock
- /data/data/####/64960FEE01A400010DCA26A0760DACCCuser.meta
- /data/data/####/ConfigCache.xml
- /data/data/####/FirebaseAppHeartBeat.xml
- /data/data/####/Kochava_SharedPreference.xml
- /data/data/####/PersistedInstallation.W0RFRkFVTFRd+MTo2MjUwNzk4...l.json
- /data/data/####/PersistedInstallation2025677420tmp
- /data/data/####/T-ConfigCache.xml
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/androidx.work.workdb-journal (deleted)
- /data/data/####/aps_mobile_client_config.json
- /data/data/####/art.color.planet.paint.by.number.game.puzzle.fr...es.xml
- /data/data/####/art.color.planet.paint.by.number.game.puzzle.fr...fo.xml
- /data/data/####/art.color.planet.paint.by.number.game.puzzle.fr...ig.xml
- /data/data/####/art.color.planet.paint.by.number.game.puzzle.fr...ml.bak
- /data/data/####/audience_network.dex
- /data/data/####/audience_network.dex.flock (deleted)
- /data/data/####/behavior.db-journal
- /data/data/####/billing-journal
- /data/data/####/billing-journal (deleted)
- /data/data/####/com.amazon.device.ads.dtb.preferences.xml
- /data/data/####/com.applovin.sdk.1.xml
- /data/data/####/com.applovin.sdk.impl.postbackQueue.domain.xml
- /data/data/####/com.applovin.sdk.impl.postbackQueue.domain.xml.bak
- /data/data/####/com.applovin.sdk.preferences.zk3-7snveKaZ19-gQR...dx.xml
- /data/data/####/com.applovin.sdk.shared.xml
- /data/data/####/com.applovin.sdk.shared.xml.bak
- /data/data/####/com.crashlytics.settings.json
- /data/data/####/com.facebook.sdk.USER_SETTINGS.xml
- /data/data/####/com.facebook.sdk.appEventPreferences.xml
- /data/data/####/com.google.android.datatransport.events-journal
- /data/data/####/com.google.android.gms.appid-no-backup
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.google.firebase.crashlytics.xml
- /data/data/####/com.mopub.privacy.xml
- /data/data/####/crashlytics-userlog-64960FEE01A400010DCA26A0760DACCC.temp
- /data/data/####/fileslaunchinfoupdateflag
- /data/data/####/generatefid.lock
- /data/data/####/google_app_measurement_local.db
- /data/data/####/google_app_measurement_local.db-journal
- /data/data/####/initialization_marker
- /data/data/####/installationNum
- /data/data/####/kodb
- /data/data/####/kodb-journal
- /data/data/####/kosp.xml
- /data/data/####/kosp.xml.bak
- /data/data/####/libshellx-super.2019.so
- /data/data/####/metrics_guid
- /data/data/####/o0oooOO0ooOo.dat
- /data/data/####/paint-journal (deleted)
- /data/data/####/poseidon_u3.db-journal
- /data/data/####/report
- /data/data/####/secret.xml
- /data/data/####/svg_head_list_data
- /data/data/####/temp1285770718json
- /data/data/####/tosversion
- /data/data/####/user
- /data/media/####/085870b736a59fcf2666877f7568cb0c.0.tmp
- /data/media/####/085870b736a59fcf2666877f7568cb0c.1.tmp
- /data/media/####/253a6a3684029cfd612328cc7b6e5575.0.tmp
- /data/media/####/253a6a3684029cfd612328cc7b6e5575.1
- /data/media/####/253a6a3684029cfd612328cc7b6e5575.1.tmp
- /data/media/####/d61525f6efea8ec6d786fb32ba64ed98.0.tmp
- /data/media/####/d61525f6efea8ec6d786fb32ba64ed98.1.tmp
- /data/media/####/journal
- /data/media/####/journal.tmp
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- getprop ro.product.cpu.abi
- ls /data/local
Loads the following dynamic libraries:
- libshellx-super.2019
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS7Padding
Uses the following algorithms to decrypt data:
- AES-CBC-NoPadding
Accesses the ITelephony private interface.
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.