Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.682.origin
- Android.Triada.477.origin
- Android.Triada.481.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) fasl####.lk####.com:80
- TCP(HTTP/1.1) cdn.dc####.com:8080
- TCP(HTTP/1.1) cdn.dn####.com:8080
- TCP(HTTP/1.1) cdn.hw####.com:8080
- TCP(HTTP/1.1) fff.abcdse####.com:8666
- TCP(HTTP/1.1) cdn.lk####.com:8080
- TCP(TLS/1.0) abc.lk####.com:443
- TCP(TLS/1.0) s.m####.com:7777
- TCP(TLS/1.0) lp.cooktra####.com:443
- TCP(TLS/1.0) bcd.lk####.com:443
- TCP(TLS/1.0) log.lk####.com:443
DNS requests:
- a####.u####.com
- abc.lk####.com
- bcd.lk####.com
- cdn.dc####.com
- cdn.dn####.com
- cdn.hw####.com
- cdn.lk####.com
- fasl####.lk####.com
- fff.abcdse####.com
- log.lk####.com
- lp.cooktra####.com
- s.m####.com
HTTP GET requests:
- cdn.dc####.com:8080/group1/M01/00/04/ChmjBl0sityAQ2BgAAKgUc1pAPI.plugin
- cdn.dn####.com:8080/group1/M00/00/05/ChmjBl1KPVeALPkJAAHnBked9kA.plugin
- cdn.hw####.com:8080/blank.html
- cdn.lk####.com:8080/nicro/9b4e85d01b3b48aa2baefb44cca8fb35
- fasl####.lk####.com/ads/248hwkwffddsd/0627dfakjfjdmvlhrs.js
HTTP HEAD requests:
- cdn.hw####.com:8080/blank.html
- fasl####.lk####.com/ads/248hwkwffddsd/0627dfakjfjdmvlhrs.js
HTTP POST requests:
- a####.u####.com/app_logs
- fff.abcdse####.com:8666/bd/getIp
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/2078793401
- /data/data/####/2123917546.jar (deleted)
- /data/data/####/2f72ef8a6ac2b9a4c0582bc63351a7a4.d
- /data/data/####/3d18a889480add7242a274c1e934c385.d
- /data/data/####/9ed921b0a692f468ffd6861eb46bfbb6.jar
- /data/data/####/GuuSDK.xml
- /data/data/####/c1faa46625df2f44ccce4de7fea3e115.jar
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/db61e876.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f87f8be5
- /data/data/####/f9660920.jar
- /data/data/####/index
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/work_sp.xml
- /data/media/####/1b592941b8a5cf7eb050a446e2018a6e.xml
- /data/media/####/397f0f93190168b647cbc6d304c02993_69.39
- /data/media/####/3d213ed1b26c6edb8b03d653ac3b227d.temp
- /data/media/####/50c9b5e7cf3a731ea31c43f9a14c781b_70.50
- /data/media/####/7fc7330d604c9fe3daa0821e332f66b8.chche
- /data/media/####/adcd1f2a887c4696b23527325db80439.temp
- /data/media/####/ba0631d5aab029425305953886947e44
- /data/media/####/c9d865d29d8a5675e1a9ed9cfc07c847.temp
- /data/media/####/d322fd6cfd0adebd39d6b17421f31bd1.chche
- /data/media/####/e1d6e7e7ef3279fa753ebb9d944b2944.temp
- /data/media/####/global.xml
- /data/media/####/pfg.xml
- /data/media/####/selfrun.apk
- /data/media/####/web.apk
- /data/media/####/webadlist_1.cache
- /data/media/####/webadlist_1.xml
- /data/media/####/webadlist_1_last.cache
- /data/media/####/webinfo.xml
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /proc/cpuinfo
Uses the following algorithms to encrypt data:
- AES
- AES-CBC-PKCS7Padding
- DES-ECB-NoPadding
- DESede
- Des-ECB-NoPadding
Uses the following algorithms to decrypt data:
- AES
- AES-CBC-PKCS7Padding
- DES-ECB-NoPadding
- DESede
- Des-ECB-NoPadding
- RSA-ECB-PKCS1Padding
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Displays its own windows over windows of other apps.
