Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Hmad.2
- Android.Backdoor.333.origin
- Android.Hmad.7.origin
- Android.Triada.74.origin
Removes its shortcut from the home screen.
Network activity:
Connecting to:
- a####.####.com:17209
- r####.####.com
- epup####.####.com:7013
- u####.####.com
- p####.####.com
- ecup####.####.com:8013
- toptool####.com
- inter####.####.com
- p####.####.com:8080
- s####.####.com
- e####.####.com:8011
- ecup####.####.com
- gam####.com
- wsback-####.####.io
- a####.####.com
- d2h8j6q####.####.net
- ecre####.####.com:8012
- g####.####.com
- c####.####.net
- c####.####.com
- e####.####.com
- k####.####.com
- ecre####.####.com
HTTP GET requests:
- gam####.com/f6/com.fb/control.json
- u####.####.com/setting/mbr?p=####&hp=####&l=####&c=####&prod=####&svn=####
- k####.####.com/download/opacore/xcore2_1.0.3.md
- d2h8j6q####.####.net/oversea/lockad/img/1481787089203.jpg
- g####.####.com/atmp/ad.png
- a####.####.com/v3/api/nativeads?publisherid=####&slotid=####&lang=####×tamp=####&platform=####&osv=####&dpi=####&tzone=####&aid=####&nt=####&mode...
- d2h8j6q####.####.net/oversea/pushad/logo/73f37fb6-4223-4d4e-8e21-966b691a3290.png
- toptool####.com/cgi-bin-py/mobovee_cb.cgi?sv=####&pr=####&hp=####&hv=####&g=####&l=####&c=####
- d2h8j6q####.####.net/oversea/lockad/img/1481247530884.png
- a####.####.com/v3/event/impression?clickid=####&i=####&adsid=####
- u####.####.com/setting/grobal_strategy?p=####&hp=####&l=####&c=####&prod=####&svn=####
- c####.####.com/upload/apk/FastBattery2.png
- a####.####.com/upload/apk/PhoneCleaner1.png
- d2h8j6q####.####.net/oversea/lockad/img/1481880152922.jpg
- a####.####.com/platform/config?facebook=####&publisherid=####&slotid=####&root=####
- c####.####.net/games/promo_images_landscape/001/008/673/dimension_1200x627.jpg?2016062####
- d2h8j6q####.####.net/oversea/lockad/logo/1481247530897.png
- d2h8j6q####.####.net/oversea/lockad/logo/1481880152867.png
- a####.####.com:17209/v1/sdk_config?campaign=####
- d2h8j6q####.####.net/oversea/pushad/logo/18a8ec2b-621d-446d-af54-f745ee19be8a.jpg
- d2h8j6q####.####.net/oversea/lockad/logo/1481096613742.png
HTTP POST requests:
- a####.####.com/v3/event/collection_apps
- e####.####.com/pcheckvalid.do
- p####.####.com:8080/OpaService/OpaMagicCode
- wsback-####.####.io/v1/check_update
- r####.####.com/rqd/sync
- wsback-####.####.io/v1/ad_to_serve
- inter####.####.com/newservice/newopenOrSale.action
- wsback-####.####.io/v1/launch
- wsback-####.####.io/v1/profile
- a####.####.com/app_logs
- ecup####.####.com:8013/ukup.do
- e####.####.com/pgetad.do
- inter####.####.com/newservice/newgetApks.action
- inter####.####.com/newservice/newbackDatas.action
- p####.####.com:8080/OpaService/OpaStrategy
- p####.####.com/OpaService/OpaLogUpload
- epup####.####.com:7013/pkup.do
- s####.####.com/cgi-bin-py/ad_sdk.cgi?ty=####&enc=####&bt=####
- ecre####.####.com/upostdata.do
- ecup####.####.com/ppostdata.do
- ecre####.####.com:8012/upostdata.do
- e####.####.com:8011/ugetad.do
- inter####.####.com/newservice/newjsApk.action
- wsback-####.####.io/v1/get_config
- ecup####.####.com/getccontrol.do
Droppers:
Downloaded by the following detected threats from the Web:
- Android.DownLoader.847
- Android.Packed.6414
Modified file system:
Creates the following files:
- /data/data/####/files/Data/pp2/sr
- /data/data/####/files/Data/pp2/chattr
- /sdcard/.androidsystem/.files/gads.db
- /data/data/####/databases/fp.db-journal
- /data/data/####/shared_prefs/Oveead.xml
- /data/data/####/shared_prefs/com.pingstart.adsdk.preference.xml.bak
- /data/data/####/files/Data/pp2/install
- /sdcard/small/data/image/PhoneCleaner1.png
- /data/data/####/shared_prefs/data_statistical.xml.bak
- /data/data/####/shared_prefs/umeng_general_config.xml
- /data/data/####/shared_prefs/data_statistical.xml
- /data/data/####/files/.umeng/exchangeIdentity.json
- /data/data/####/app_xxx/chattr
- /data/data/####/databases/smalldb2-journal
- /data/data/####/app_xxx/install-co
- /data/data/####/app_xxx/libxapp.so
- /data/data/####/shared_prefs/presage.xml
- /sdcard/small/data/image/FastBattery2.png
- /data/data/####/databases/webview.db-journal
- /data/data/####/files/armeabi/libmonitor.so
- /data/data/####/shared_prefs/CUID.xml
- /sdcard/Android/data/un/358851_icon.png
- /data/data/####/files/aps.rc.db
- /data/data/####/shared_prefs/fpksp.xml.bak
- /sdcard/Android/data/un/358854_imgs.png
- /data/data/####/files/Data/pp2/configopb
- /data/data/####/files/Data/pp2/install-recovery.sh
- /sdcard/sys909/sys92299
- /data/data/####/databases/fxlock.db
- /data/data/####/shared_prefs/flowapp_shared.xml.xml
- /data/data/####/files/libzllc.so
- /data/data/####/shared_prefs/bugly_data.xml.bak
- /data/data/####/files/xactLib
- /data/data/####/files/aps.db
- /data/data/####/databases/fx_kit_unlock
- /data/data/####/app_jc/tfp.jar
- /data/data/####/files/mbtict.jar
- /sdcard/Android/data/un/358851_imgs.png
- /data/data/####/files/mda.ico
- /data/data/####/app_jni/libskin
- /data/data/####/app_sgdex/dos.jar
- /data/data/####/shared_prefs/SDKIDFA.xml
- /sdcard/Android/data/un/358854_icon.png
- /data/data/####/files/umeng_it.cache
- /data/data/####/files/armeabi/temp_monitor.so
- /data/data/####/shared_prefs/fxssp.xml
- /sdcard/Android/data/shard/.UUID
- /data/data/####/cache/volley/-544838161994504838
- /data/data/####/shared_prefs/aps.xml
- /data/data/####/shared_prefs/AdsBusiness-data.xml
- /data/data/####/app_jc/tfx.jar
- /data/data/####/shared_prefs/apsad.xml
- /data/data/####/files/ylsb.db
- /data/data/####/shared_prefs/bugly_data.xml
- /data/data/####/app_xxx/sr
- /data/data/####/shared_prefs/fxkit.xml.bak
- /data/data/####/tx_shell/libshella-2.2.9.so
- /data/data/####/app_xxx/install-recovery.sh
- /data/data/####/app_jc/dfx.jar
- /sdcard/sys909/sys94299
- /data/data/####/shared_prefs/FBAdPrefs.xml
- /data/data/####/databases/fxlock.db-journal
- /data/data/####/files/wddex.jar
- /data/data/####/shared_prefs/fxkit.xml
- /data/data/####/shared_prefs/####_preferences.xml
- /data/data/####/shared_prefs/fpssp.xml
- /data/data/####/app_xxx/install
- /sdcard/Android/data/fp/38522.png
- /data/data/####/cache/volley/-9630878221516147435
- /data/data/####/shared_prefs/xapcinfo.xml
- /data/data/####/app_xxx/configopb
- /data/data/####/cache/volley/-382804356894059738
- /sdcard/Android/data/fp/287538.png
- /data/data/####/shared_prefs/com.pingstart.adsdk.preference.xml
- /data/data/####/databases/fpdown.db-journal
- /data/data/####/mix.dex
- /data/data/####/files/gyetii.md
- /data/data/####/files/.imprint
- /data/data/####/files/mbtict.dat
- /sdcard/Android/data/un/358859_icon.png
- /data/data/####/shared_prefs/fpksp.xml
- /sdcard/baidu/AndroidStore/http_cache/journal.tmp
- /data/data/####/app_jc/dfp.jar
- /data/data/####/fb/cb.zip
- /sdcard/baidu/.cuid
- /data/data/####/databases/fx_kit_unlock-journal
- /data/data/####/shared_prefs/####_preferences.xml.bak
- /sdcard/Android/data/un/358859_imgs.png
- /data/data/####/app_xxx/install-recovery-co.sh
- /data/data/####/databases/bugly_db_lejiagu-journal
Sets the 'executable' attribute to the following files:
- /data/data/####/tx_shell/libshella-2.2.9.so
- /data/data/####/fb/cb.zip
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh -c getprop ro.aa.romver
- logcat -d -v threadtime
- chmod 700 /data/data/####/tx_shell/libshella-2.2.9.so
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- su
- cufsdosck ac554db364f
- conbb od2gf04pd9
- /system/bin/sh
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- cufsmgr eb47495f7bb
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.build.rom.id
Uses elevated priveleges.
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.
