Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.192.origin
Network activity:
Connecting to:
- d####.####.com
- s####.####.pub:6374
- s####.####.pub
HTTP GET requests:
- s####.####.pub/?zxrpg=####
- d####.####.com/assets/j_close.png
- s####.####.pub:6374/?zxrpg=####
Modified file system:
Creates the following files:
- /data/data/####/shared_prefs/ki.xml
- /data/data/####/.lib/libexec.so
- /data/data/####/databases/Downloado
- /data/data/####/shared_prefs/configo.xml.bak
- /data/data/####/shared_prefs/vgp_id.xml
- /data/data/####/.lib/libexecmain.so
- /data/data/####/shared_prefs/vgp_id.xml.bak
- /data/data/####/databases/Downloado-journal
- /data/data/####/shared_prefs/apppr.xml
- /sdcard/Download/cxc/time.dat
- /sdcard/Android/data/####/files/logo.png
- /sdcard/.android/files3/com.kksoft.Capi.dex
- /data/data/####/shared_prefs/configo.xml
- /sdcard/Android/####/z.jar
- /sdcard/.android/files1/com.jjsoft.Papi.dex
- /data/data/####/database/201306.db
- /sdcard/Android/data/####/files/id
- /sdcard/Android/data/.nomedia
- /sdcard/Android/data/code/CX.DAT
- /data/data/####/databases/cxcdownloads
- /sdcard/Android/data/####/files/filter
- /data/data/####/databases/Logo
- /data/data/####/databases/Logo-journal
- /data/data/####/shared_prefs/class com.nngwecaf.a.a.xml
- /data/data/####/databases/cxcdownloads-journal
Miscellaneous:
Executes next shell scripts:
- /system/bin/dexopt --dex 27 42 40 4108 /data/app/####-1.apk 1193774325 -301411587 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framework.jar /s
- getprop ro.product.cpu.abi
- /system/bin/dexopt --dex 27 45 40 322248 /storage/emulated/0/Android/####/z.jar 1189569920 1867374655 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framew
- /system/bin/dexopt --dex 27 44 40 173156 /storage/emulated/0/.android/files3/com.kksoft.Capi.dex 1191531160 40225959 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framew
- /system/bin/dexopt --dex 27 42 40 154600 /storage/emulated/0/.android/files1/com.jjsoft.Papi.dex 1191530138 -729726761 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/fram
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.
