Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.433.origin
- Android.BackDoor.312
- Android.Backdoor.547.origin
Downloads the following detected threats from the Web:
- Android.Triada.150.origin
- Android.Triada.78.origin
- Android.Triada.213.origin
- Android.Triada.167.origin
Prompts to install third-party applications.
Network activity:
Connecting to:
- oranges####.cn
- j####.####.cn
- v####.####.com
- j####.####.com
- r####.####.com
- d####.####.net:6677
- c####.####.com
- p####.####.cn
- d####.####.net
- m####.####.com
- m####.####.com:6088
- f####.####.cn
- j####.####.com:20000
HTTP GET requests:
- r####.####.com/ads/img/8237c9d203e845d5bd4d0750c9713744.png
- r####.####.com/ads/img/86c49ff12f0e46afb88513523a1d85be.png
- r####.####.com/ads/img/2377d8cdcc2a43d59dc0df392170da6b.png
- r####.####.com/ads/img/35a063a8123a49219d0c1d5327bb7530.png
- r####.####.com/ads/pri/8678fc1b293c4a5e8b6404f86de7e5d6.apk
- r####.####.com/ads/img/756f5a922efa45f38d9edb2b9dda80a0.png
- r####.####.com/ads/img/8c2b5a0146b74f0b8046fae274dbefb1.png
- v####.####.com/yc199.txt
- r####.####.com/ads/img/51996ac952164885a0d27048d116d432.png
- r####.####.com/ads/pri/5bacc58a017549dbadf52ce1a7f24a27.apk
- r####.####.com/ads/pri/1459226725432.slz
- r####.####.com/ads/pri/8ad839a8350641909b68b48a5d1cf720.apk
- p####.####.cn/gdt/0/transformer_14195250499972767764_80.jpg/0?ck=####
- m####.####.com/c/1485418497846
- r####.####.com/ads/img/fdc728bc379c48e898e849ee936fbd5c.png
- f####.####.cn/focus/conf?device_type=####&height=####&dpi=####&android_id=####&width=####&cid=####&networkType=####&version=####&conn=####&imei=####&o...
- oranges####.cn/n/p.wca.c?v####
- r####.####.com/ads/img/02f5688107c1436b800424b762c74634.png
- r####.####.com/ads/img/1e6f5939c5a54664923d435438aad226.png
- r####.####.com/ads/img/7a7d0ce5ced44fbe9852e7636db82900.png
- oranges####.cn/m/AC6ECA4EB1E9FFA399C2C3A69844DBA9A2
- r####.####.com/ads/img/782595e7826a45b782d1c6f0a785832e.png
- oranges####.cn/m/AC568CDF52764B53AEF1498003A3C53C70
- oranges####.cn/n/p.dyd.c
- oranges####.cn/m/AC046D1A6FB640A4B62BB6CF9E6F6F7B6C
- f####.####.cn/focus/st?count=####&status=####&cid=####&source=####&viewid0=####
- oranges####.cn/n/s?v####
- r####.####.com/ads/img/10f1a3e9c44947b0897f50b7cdb1024d.png
- r####.####.com/ads/pri/f4a47a64e5ce44d4aefa9b275734deef.apk
HTTP POST requests:
- m####.####.com/m/
- d####.####.net/
- v####.####.com/gdt_stats.fcg
- c####.####.com/show.aspx?Key=####
- f####.####.cn/focus/req
- m####.####.com/p/1485418498089
- j####.####.cn/e5/l09
- m####.####.com/t/1485418504795
- d####.####.net:6677/
- f####.####.cn/focus/atex
- j####.####.com/
- j####.####.com:20000/
- m####.####.com:6088/s/
- j####.####.cn/e5/gg10
- m####.####.com/t/1485418502434
Modified file system:
Creates the following files:
- /data/data/####/databases/MF_CFG-journal
- /data/anr/traces.txt
- /data/data/####/files/myfvu.jar
- /data/data/####/shared_prefs/umeng_general_config.xml
- /data/data/####/files/libexec.so
- /data/data/####/shared_prefs/initdata.xml
- /data/data/####/files/libexecmain.so
Miscellaneous:
Executes next shell scripts:
- chmod -R 777 /data/data/####/files/
- dumpsys meminfo
- /data/data/com.diplu.popb.plg/files/test /data/data/com.diplu.popb.plg/files/ 77cb2f178f4a415bbca45b44e5174ec9
- /data/data/####/files/test /data/data/####/files/ 77cb2f178f4a415bbca45b44e5174ec9
- cat /data/anr/traces.txt
- chmod -R 777 /data/data/com.diplu.popb.plg/files/
- getprop ro.product.cpu.abi
- sh
- ping -c 2 -w 5 f####.####.cn
- chmod -R 777 /data/data/com.diplu.popb.plg/files/test
- chmod -R 777 /data/data/####/files/test
- procrank
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.
