Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.224.origin
- Android.Triada.477.origin
Downloads the following detected threats from the Internet:
- Android.RemoteCode.224.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) s.yf####.com:8088
- TCP(HTTP/1.1) c####.juduo####.com:9705
- TCP(HTTP/1.1) s.yf####.com:8089
- TCP(HTTP/1.1) a####.free-ey####.com:80
- TCP(HTTP/1.1) sd####.free-ey####.com:80
- TCP(HTTP/1.1) 1####.131.189.116:90
- TCP(HTTP/1.1) 2.z####.top:8001
- TCP(HTTP/1.1) sdkt####.free-ey####.com:80
- TCP(HTTP/1.1) 47.2####.48.205:80
- TCP(HTTP/1.1) api####.tiantia####.com:80
- TCP(HTTP/1.1) dl.u####.cn:80
- TCP(HTTP/1.1) i####.juduo####.com:9400
- TCP(HTTP/1.1) 1####.15.15.135:80
- TCP(HTTP/1.1) ad.yf####.com:8088
- TCP(HTTP/1.1) 1####.231.136.27:8090
- TCP(HTTP/1.1) 3.z####.top:80
- TCP(HTTP/1.1) cdn.abcdse####.com:8080
- TCP(TLS/1.0) s1.best####.com:9443
- TCP(TLS/1.0) im####.uc.cn:443
- TCP(TLS/1.0) utp.u####.com:443
- TCP(TLS/1.0) g.al####.com:443
- TCP(TLS/1.0) 47.1####.58.77:16006
- TCP(TLS/1.0) n####.uc.cn:443
- TCP(TLS/1.0) s.t####.cn:7777
- TCP(TLS/1.0) p####.ou####.com:4433
- TCP(TLS/1.0) c.l####.com:8888
- TCP(TLS/1.0) m.u####.cn:443
DNS requests:
- 2.z####.top
- 3.z####.top
- a####.free-ey####.com
- ad.yf####.com
- api####.tiantia####.com
- c####.juduo####.com
- c.l####.com
- cdn.abcdse####.com
- dl.u####.cn
- g.al####.com
- i####.juduo####.com
- im####.uc.cn
- m.u####.cn
- n####.uc.cn
- p####.ou####.com
- s.t####.cn
- s.yf####.com
- s1.best####.com
- sd####.free-ey####.com
- sdkt####.free-ey####.com
- utp.u####.com
HTTP GET requests:
- 3.z####.top/thirdsdk/2019-10-14/1571044512844-2830310141417.jar
- a####.free-ey####.com/index/xadnxi?idc=####
- c####.juduo####.com:9705/res/getPram?version=####&PramName=####&devId=##...
- cdn.abcdse####.com:8080/group1/M00/00/13/ChtYq12oGJKAPcL0AAFa4lKNPec3420...
- dl.u####.cn/201908/hj6Np1565950482.jar?ver=####&md5=####
- dl.u####.cn/201909/igZE71567500803.jar?ver=####&md5=####
- dl.u####.cn/201910/vK0zs1571319873.jar?ver=####&md5=####
- sd####.free-ey####.com/sdk/apkdl_cn/hot_update_0923.zip
HTTP POST requests:
- 2.z####.top:8001/v1/cinfor
- 2.z####.top:8001/v1/rsinfor
- ad.yf####.com:8088/ad/tk
- ad.yf####.com:8088/ad/uc
- api####.tiantia####.com/ads
- i####.juduo####.com:9400/daq/collect
- s.yf####.com:8089/ad/status
- sdkt####.free-ey####.com/index/actiondataencrypt
- sdkt####.free-ey####.com/index/checkupdateencrypt
File system changes:
Creates the following files:
- /data/media/####/-826955265.apk
- /data/media/####/.fankadcoas
- /data/media/####/3F333805D61790A84A790D0F91041989.jar
- /data/media/####/6ef22d3a9dc6b6a530e29aa654d68cae.xml
- /data/media/####/ad.vv.sdk.db60
- /data/media/####/ad.vv.sdk.db60-journal
- /data/media/####/com.android.jdpmobile.jdpmobile
- /data/media/####/dbversion60
- /data/media/####/ef12f5026515354bb3b08063249b2e7e190801190801.png
- /data/media/####/id60.txt
- /data/media/####/tt10181.x
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /proc/cpuinfo
- cat /sys/class/net/eth0/address
- cat /sys/class/net/wlan0/address
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- DES
- DESede
- Des-ECB-NoPadding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- DES
- DESede
- Des-ECB-NoPadding
- RSA-ECB-PKCS1Padding
