Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.127.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) amdc####.m.ta####.com:80
- TCP(TLS/1.0) 2####.107.1.97:443
- TCP(TLS/1.0) api.s####.com:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) hy####.foll####.com:443
- TCP openj####.m.ta####.com:80
DNS requests:
- a####.man.aliy####.com
- ag####.m.ta####.com
- amdc####.m.ta####.com
- and####.b####.qq.com
- api.s####.com
- hy####.foll####.com
- log.u####.com
- oc.u####.com
- plb####.u####.com
- u####.u####.com
- umengj####.m.ta####.com
HTTP POST requests:
- amdc####.m.ta####.com/amdc/mobileDispatch?appkey=####&deviceId=####&plat...
- and####.b####.qq.com/rqd/async?aid=####
- oc.u####.com/v2/check_config_update
- oc.u####.com/v2/get_update_time
File system changes:
Creates the following files:
- /data/anr/traces.txt
- /data/com.followme.followme/####/share.db-journal
- /data/data/####/.imprint
- /data/data/####/1004
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/DaemonServer
- /data/data/####/MessageStore.db
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/MultiDex.lock
- /data/data/####/SP_AROUTER_CACHE.xml
- /data/data/####/accs.db-journal
- /data/data/####/agoo.pid
- /data/data/####/bugly_db_-journal
- /data/data/####/com.sensorsdata.analytics.android.sdk.SensorsDataAPI.xml
- /data/data/####/crashrecord.xml
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTUwMzc1OTI2MDI0;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTUwMzc1OTQwNjM3;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTUwMzc1OTc5MzEw;
- /data/data/####/data.mdb
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/flag_cache.xml
- /data/data/####/httpdns_config_cache.xml
- /data/data/####/httpdns_config_cache.xml.bak
- /data/data/####/i==1.2.0&&4.1.11_1550375942072_envelope.log
- /data/data/####/info.xml
- /data/data/####/libjiagu1872919743.so
- /data/data/####/local_crash_lock
- /data/data/####/lock.mdb
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/multidex.version.xml
- /data/data/####/onlineconfig_agent_online_setting_com.followme....me.xml
- /data/data/####/security_info
- /data/data/####/sensorsdata.xml
- /data/data/####/share.db-journal
- /data/data/####/sobot_chat_20190217_log.txt
- /data/data/####/sobot_config.xml
- /data/data/####/spUtils.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_message_state.xml
- /data/data/####/umeng_socialize.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromium.db-journal (deleted)
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.nomedia
- /data/media/####/.umm.dat
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/c6b29b4c19e443b187ae576cdad30c65
- /data/media/####/f060bb0e42494e53bbbebaac64f4ea3e
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/sh -c getprop
- /system/bin/sh -c type su
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:556d1a0667e58ead9d001881","utdid":"XGjb5nnyQgsDAGdzx1Hz0P8b","sdkVersion":"221"} -I agoodm.m.taobao.com -O 80 -T -Z
- chmod 500 <Package Folder>/files/DaemonServer
- getprop
- grep 3702
- ls /sys/class/thermal
- ps
- sh
Loads the following dynamic libraries:
- Bugly
- libjiagu1872919743
- objectbox
- tnet-3.1
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
- AES-GCM-NoPadding
Uses special library to hide executable bytecode.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Adds tasks to the system scheduler.
