Android.DownLoader.4683

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.RemoteCode.242.origin
Android.Xiny.1513
Android.Xiny.240.origin

Downloads the following detected threats from the Internet:

Android.Xiny.1513

Prompts to install third-party apps.

Intercepts incoming SMS and terminates the process of their transmission to handlers of other apps.

Network activity:

Connects to:

UDP(DNS) 8####.8.4.4:53
TCP(HTTP/1.1) adl.a####.net:5285
TCP(HTTP/1.1) lp.lapia####.com:6099
TCP(HTTP/1.1) pa.yunj####.cn:8002
TCP(HTTP/1.1) ap.bigb####.com:6099
TCP(HTTP/1.1) d.angs####.com:5284
TCP(HTTP/1.1) 58.2####.68.98:8765
TCP(HTTP/1.1) f.peiz####.cn:5284
TCP(TLS/1.0) dualsta####.wagbr####.ali####.####.com:443
TCP(TLS/1.0) 1####.217.20.106:443
TCP(TLS/1.0) 1####.217.17.46:443
TCP(TLS/1.0) instant####.google####.com:443
TCP(TLS/1.0) 1####.217.17.74:443
TCP(TLS/1.0) 1####.217.17.138:443
TCP(TLS/1.2) 1####.217.17.74:443
TCP(TLS/1.2) 1####.217.17.138:443
TCP(TLS/1.2) 1####.217.17.46:443
TCP d.angs####.com:9270

DNS requests:

adl.a####.net
ap.bigb####.com
d.angs####.com
dd.bigb####.com
f.peiz####.cn
instant####.google####.com
l####.bigb####.com
lp.lapia####.com
m####.go####.com
pa.yunj####.cn
plb####.u####.com
u####.u####.com

HTTP GET requests:

adl.a####.net:5285/dd/a/dl?appId=####

HTTP POST requests:

ap.bigb####.com:6099/aps/
d.angs####.com:5284/android.frontserver/collect/error
f.peiz####.cn:5284/android.frontserver/pcsvc?r=####
lp.lapia####.com:6099/aps/
pa.yunj####.cn:8002/pps

File system changes:

Creates the following files:

/data/dalvik-cache/####/storage@emulated@0@goog1e@data@z.jar@cl...leted)
/data/dalvik-cache/####/storage@emulated@0@goog1e@data@z.jar@classes.dex
/data/dalvik-cache/####/system@framework@am.jar@classes.dex
/data/dalvik-cache/####/system@framework@am.jar@classes.dex.flo...leted)
/data/data/####/.imprint
/data/data/####/Alvin2.xml
/data/data/####/ContextData.xml
/data/data/####/F85C58A2196623557E8A00D8A4680702
/data/data/####/UM_PROBE_DATA.xml
/data/data/####/XinZF.xml
/data/data/####/XinZF_conf.xml
/data/data/####/XinZF_conf.xml.bak
/data/data/####/XinZFsmspay.db
/data/data/####/XinZFsmspay.db-journal
/data/data/####/a4b645a09e1352ed9a43ff469655db6d_3_1_5.dex
/data/data/####/a4b645a09e1352ed9a43ff469655db6d_3_1_5.dex.flock (deleted)
/data/data/####/a4b645a09e1352ed9a43ff469655db6d_3_1_5.zip
/data/data/####/a4b645a09e1352ed9a43ff469655db6d_3_1_5.zip.tmp
/data/data/####/buntutu.dex
/data/data/####/buntutu.dex.flock (deleted)
/data/data/####/buntutu_data_s.xml
/data/data/####/bwwpjfz.tpduit.cezles_preferences.xml
/data/data/####/com_android_command_buntutu_v.xml
/data/data/####/dW1weF9pbnRlcm5hbF8xNTcwNTcxNDYyNDQ3;
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/i==1.2.0&&1.0.0_1570571462450_envelope.log
/data/data/####/info.xml
/data/data/####/kb_idle.ini
/data/data/####/lpeg.dex
/data/data/####/lpeg.dex.flock (deleted)
/data/data/####/lpeg.jar
/data/data/####/mm_nw_app.xml
/data/data/####/orbgi.dex
/data/data/####/orbgi.dex.flock (deleted)
/data/data/####/orbgi.jar
/data/data/####/proc_auxv
/data/data/####/uid.f
/data/data/####/um_pri.xml
/data/data/####/umdat.xml
/data/data/####/umeng_common_config.xml
/data/data/####/umeng_common_location.xml
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/yunUid.f
/data/data/####/{6109AB2B-769CFABF}_{AEF2A7F3-0EBBFE27}.P2
/data/data/####/{AEF2A7F3-0EBBFE27}.P1
/data/data/####/{AEF2A7F3-0EBBFE27}.P3
/data/media/####/.a.dat
/data/media/####/.adfwe.dat
/data/media/####/.cca.dat
/data/media/####/.umm.dat
/data/media/####/1B3A2967E5FD862EFD957606C65C8122
/data/media/####/30592A6B8B0C769E3F7FDE6E1A033DF5
/data/media/####/Alvin2.xml
/data/media/####/ContextData.xml
/data/media/####/buntutu.jaru
/data/media/####/cc.dat
/data/media/####/kb_idle.ini
/data/media/####/kv_cf.ini
/data/media/####/plugin.apk
/data/media/####/z.jar
/data/media/####/{BE2355DB-D785E335}.PC1
/data/misc/####/primary.prof

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /proc/cpuinfo
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/buntutu_r/buntutu.jar --oat-fd=34 --oat-location=/data/user/0/com.android.wifimanager/app__mmnwn/buntutu.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/storage/emulated/0/buntutu_r/buntutu.jar --oat-fd=36 --oat-location=/data/user/0/com.android.wifimanager/app__mmnwn/buntutu.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_jar/lpeg.jar --oat-fd=58 --oat-location=/data/user/0/<Package>/app_dex/lpeg.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_jar/orbgi.jar --oat-fd=52 --oat-location=/data/user/0/<Package>/app_dex/orbgi.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/md/a4b645a09e1352ed9a43ff469655db6d_3_1_5.zip --oat-fd=68 --oat-location=/data/user/0/<Package>/app_jar/a4b645a09e1352ed9a43ff469655db6d_3_1_5.dex --compiler-filter=speed
/system/bin/log -p d -t su /dev/com.android.settings/.socket3428
/system/bin/log -p d -t su /dev/com.android.settings/.socket3735
/system/bin/log -p d -t su 10065 /system/bin/app_process32 executing 0 /system/bin/sh using binary /system/bin/sh : sh
/system/bin/log -p d -t su 10066 /system/bin/app_process64 executing 0 /system/bin/sh using binary /system/bin/sh : sh
/system/bin/log -p d -t su child exited
/system/bin/log -p d -t su client exited 0
/system/bin/log -p d -t su connecting client 3415
/system/bin/log -p d -t su connecting client 3514
/system/bin/log -p d -t su connecting client 3719
/system/bin/log -p d -t su db allowed
/system/bin/log -p d -t su remote args: 1
/system/bin/log -p d -t su remote pid: 3415
/system/bin/log -p d -t su remote pid: 3514
/system/bin/log -p d -t su remote pid: 3719
/system/bin/log -p d -t su remote pts_slave:
/system/bin/log -p d -t su remote req pid: 3278
/system/bin/log -p d -t su remote req pid: 3663
/system/bin/log -p d -t su remote uid: 10065
/system/bin/log -p d -t su remote uid: 10066
/system/bin/log -p d -t su sending code
/system/bin/log -p d -t su starting daemon client 10065 10065
/system/bin/log -p d -t su starting daemon client 10066 10066
/system/bin/log -p d -t su su invoked.
/system/bin/log -p d -t su waiting for child exit
/system/bin/log -p d -t su waiting for user
/system/bin/log -p e -t su sqlite3 open /data/user_de/0/com.android.settings/databases/su.sqlite failure: 14
/system/bin/su
app_process system/bin com.google.provider.vendor.tool.Main /storage/emulated/0/goog1e/data/plugin.apk
cat /sys/block/mmcblk0/device/cid
ls -l /system/bin/su
ls /
ls /sys/class/thermal
sh
sh -c cat /sys/block/mmcblk0/device/cid
sh -c cat /sys/class/net/wlan0/address

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding

Uses elevated priveleges.

Accesses the ITelephony private interface.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Gets information about running apps.

Displays its own windows over windows of other apps.

Gets information about sent/received SMS.

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical information

Recommandations pour le traitement

Free trial