Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.86.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(DNS) 8####.8.4.4:53
- TCP(DNS) <Google DNS>
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) api.wos####.com:80
- TCP(HTTP/1.1) wos####.b0.a####.com:80
- TCP(HTTP/1.1) d####.d####.mob.com:80
- TCP(HTTP/1.1) hotfix####.aliy####.com:80
- TCP(HTTP/1.1) api.mob####.mob.com:80
- TCP(TLS/1.0) idu####.qini####.com:443
- TCP(TLS/1.0) ap####.uc.cn:443
- TCP(TLS/1.0) gd-s####.j####.cn:443
- TCP(TLS/1.0) wos####.b0.a####.com:443
- TCP(TLS/1.0) ali-s####.j####.cn:443
- TCP(TLS/1.0) p-fas####.j####.cn:443
- TCP(TLS/1.0) dualsta####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) 1####.250.27.95:443
- TCP(TLS/1.0) api.mob####.mob.com:443
- TCP(TLS/1.0) api.wos####.com:443
- TCP(TLS/1.0) al####.u####.com:443
- TCP(TLS/1.0) t####.j####.cn:443
- TCP(TLS/1.0) bj####.j####.cn:443
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.0) hotfix####.aliy####.com:443
- TCP(TLS/1.0) ce3e####.j####.cn:443
- TCP(TLS/1.2) 1####.250.102.94:443
- TCP(TLS/1.2) 1####.250.102.138:443
- UDP 1####.196.118.23:19000
- TCP zb-cent####.m.ta####.com:443
- TCP i####.j####.cn:7004
- UDP easytom####.com:19000
- UDP 1####.229.215.60:19000
- UDP 1####.121.49.100:19000
DNS requests:
- a####.fc.mob.com
- a####.man.aliy####.com
- acc####.m.ta####.com
- ali-s####.j####.cn
- amdc####.m.ta####.com
- and####.b####.qq.com
- android####.go####.com
- ap####.uc.cn
- api.mob####.mob.com
- api.s####.mob.com
- api.wos####.com
- beacon####.aliy####.com
- bj####.j####.cn
- ce3e####.j####.cn
- d####.d####.mob.com
- easytom####.com
- gd-s####.j####.cn
- hotfix####.aliy####.com
- httpdn####.aliy####.com
- i####.j####.cn
- i####.wos####.com
- mpush####.al####.com
- norma-e####.m####.com
- p-fas####.j####.cn
- plb####.u####.com
- s.j####.cn
- sis.j####.io
- st####.wos####.com
- t####.j####.cn
- u####.u####.com
- umen####.m.ta####.com
- wen.wos####.com
HTTP GET requests:
- api.wos####.com/author/V4/recommendList.html?PS=####&PN=####&_cT=####&_c...
- api.wos####.com/config/activeV4.html?_cS=####&_cT=####&_cV=####&_cP=####...
- api.wos####.com/config/menu/topics.html?_cT=####&_cV=####&_cP=####&_cA=#...
- api.wos####.com/config/popV4.html?_cT=####&_cV=####&_cP=####&_cA=####
- api.wos####.com/config/tips.html?_cT=####&_cV=####&_cP=####&_cA=####
- api.wos####.com/news/v4/activeList.html?PS=####&type=####&key=####<ime...
- api.wos####.com/news/v4/index/timeline.html?PN=####&PS=####<ime=####&_...
- api.wos####.com/recommend/indexV4.html?_cS=####&_cT=####&_cV=####&_cP=##...
- api.wos####.com/recommend/liveVideo.html?_cT=####&_cV=####&_cP=####&_cA=...
- api.wos####.com/user/userAppTags.html?_cT=####&_cV=####&_cP=####&_cA=####
- d####.d####.mob.com/privacy/policy?type=####&appkey=####&apppkg=####&ppV...
- wos####.b0.a####.com/wp-files/2021/06/00J9LsHHshZyYQYkBI0Q.jpg!/both/690...
- wos####.b0.a####.com/wp-files/2021/06/R8iu5dvTpaCHXSHPm8H4.jpg!/both/690...
- wos####.b0.a####.com/wp-files/2021/06/qEas62FwyB16DtBlIxPs.jpg!/both/690...
HTTP POST requests:
- and####.b####.qq.com/rqd/async?aid=####
- api.mob####.mob.com/conf
- d####.d####.mob.com/conf5
- d####.d####.mob.com/conn
- hotfix####.aliy####.com/beacon/fetch/config/byappkey
File system changes:
Creates the following files:
- /data/data/####/.6838c58d1695833d1f37ce908e16f206
- /data/data/####/.artc_lock
- /data/data/####/.at_lock
- /data/data/####/.cl
- /data/data/####/.dic_lock
- /data/data/####/.du_lock
- /data/data/####/.duid
- /data/data/####/.dvcv_lock
- /data/data/####/.extConfig.xml
- /data/data/####/.globalLock
- /data/data/####/.im_lock
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.lesd_lock
- /data/data/####/.lock
- /data/data/####/.mrecord
- /data/data/####/.mrecord (deleted)
- /data/data/####/.mrlock
- /data/data/####/.pkg_lock
- /data/data/####/.pkgs_lock
- /data/data/####/.slw
- /data/data/####/.statistics
- /data/data/####/.vpl_lock
- /data/data/####/056d4024ab33e12db232b3b32fb93bad.0.tmp
- /data/data/####/056d4024ab33e12db232b3b32fb93bad.1
- /data/data/####/07bd9e6a7e88682cd10d504973f28f66.0.tmp
- /data/data/####/07bd9e6a7e88682cd10d504973f28f66.1
- /data/data/####/07bd9e6a7e88682cd10d504973f28f66.1.tmp
- /data/data/####/0a7faaab9f50877928db0133cfe4c12f.0.tmp
- /data/data/####/0a7faaab9f50877928db0133cfe4c12f.1.tmp
- /data/data/####/0c027e680ce57a647a1b566e4006262a.0.tmp
- /data/data/####/0c027e680ce57a647a1b566e4006262a.1.tmp
- /data/data/####/1004
- /data/data/####/14c9b2dff703c29455a6e0b494de8a4866ca0a4f3464f77....0.tmp
- /data/data/####/1c884b055969b165712f2ebda5603566a50a2fb8c71ee3a....0.tmp
- /data/data/####/23338ffee95907e919ebd27e3063ba2d13a732c8b079b89....0.tmp
- /data/data/####/329e516a-7e67-4824-ab7e-b195d61d30c1
- /data/data/####/334cd88fa40467418e19eb1cb19ee1bf.0.tmp
- /data/data/####/334cd88fa40467418e19eb1cb19ee1bf.1
- /data/data/####/334cd88fa40467418e19eb1cb19ee1bf.1.tmp
- /data/data/####/348cb830205243d20f5d656114e4f6e3.0.tmp
- /data/data/####/348cb830205243d20f5d656114e4f6e3.1.tmp
- /data/data/####/36d6c0f27543b6113df512076c87b2ab.0.tmp
- /data/data/####/36d6c0f27543b6113df512076c87b2ab.1.tmp
- /data/data/####/37231e7d-4c68-4fb8-a03d-1fbe24da7d4a
- /data/data/####/37CF018B.dex
- /data/data/####/37CF018B.dex.flock (deleted)
- /data/data/####/3eeafbc7e41c385877aa730162b7f37d8c272a8077d7741....0.tmp
- /data/data/####/4511c813371535c7756b9fe453b4be24df64de7cfd6a553....0.tmp
- /data/data/####/4a3012ec-f6f0-4517-91a4-b56ca79dfcd7
- /data/data/####/53b2e4ace5e79c19f51917c8da471475.0.tmp
- /data/data/####/53b2e4ace5e79c19f51917c8da471475.1
- /data/data/####/53b2e4ace5e79c19f51917c8da471475.1.tmp
- /data/data/####/73819c6e-31ca-4495-a2d2-fec7c355e59d
- /data/data/####/7b4a31783a95bc3802d59c3f3de3f98b802d6dd7fd36c47....0.tmp
- /data/data/####/84b765f1497f03676b761dc90b92ba27e70fdc501e4b3c5....0.tmp
- /data/data/####/85512f1a-3cd7-48ee-b9df-e6224ee2a004
- /data/data/####/8f61bb57bea87b905a51cb03a78963db01c032a9e5cc44d....0.tmp
- /data/data/####/9983c160aa044115
- /data/data/####/ACCS_BINDdefault.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK.xml.bak (deleted)
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/IpInfos.xml
- /data/data/####/MOBGUARD_100
- /data/data/####/MOBLINK_1
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/PmPush.xml
- /data/data/####/ResumeActHelper.xml
- /data/data/####/SP_AROUTER_CACHE.xml
- /data/data/####/SWEN0MPIHSOW0MOC.st
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/UTCommon.xml
- /data/data/####/a325712a39bd320a
- /data/data/####/a3affe1e87a015e0e75a9ae1dbf91b05d892a086a6793ee....0.tmp
- /data/data/####/accs.db-journal
- /data/data/####/agoo.pid
- /data/data/####/ap.Lock
- /data/data/####/b2ba770feceac4756a9587b22ea22f90.0.tmp
- /data/data/####/b2ba770feceac4756a9587b22ea22f90.1.tmp
- /data/data/####/bal.catch
- /data/data/####/ban.catch
- /data/data/####/bugly_db_-journal
- /data/data/####/bwc.catch
- /data/data/####/c869e3256434df5f86525879f2eba7bd.0.tmp
- /data/data/####/c869e3256434df5f86525879f2eba7bd.1.tmp
- /data/data/####/cdt.wa
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/classes.dex;classes5.dex
- /data/data/####/cn.jiguang.common.xml
- /data/data/####/cn.jiguang.common.xml.bak
- /data/data/####/cn.jiguang.prefs.xml
- /data/data/####/cn.jiguang.prefs.xml.bak
- /data/data/####/cn.jiguang.sdk.address.xml
- /data/data/####/cn.jiguang.sdk.report.xml
- /data/data/####/cn.jiguang.sdk.user.profile.xml
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.config.xml
- /data/data/####/cn.jpush.config.xml.bak
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/com.woshipm.news.xml
- /data/data/####/com.x.y.1.xml
- /data/data/####/com_alibaba_aliyun_crash_defend_sdk_info
- /data/data/####/cr.wa
- /data/data/####/crashrecord.xml
- /data/data/####/dW1weF9wdXNoX2xhdW5jaF8xNjI0NjcwMjE2NTgz;
- /data/data/####/delayed_transmission_flag_new.xml
- /data/data/####/dt.wa
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f46c58b951329a58b6d5453b0c8c260d.0.tmp
- /data/data/####/f46c58b951329a58b6d5453b0c8c260d.1.tmp
- /data/data/####/f6c712af-351a-4ea5-9861-0f2dc8ca24ab
- /data/data/####/f8669176-a063-4437-a220-6735899551cb
- /data/data/####/f9dadf81c735ce39a7ecfc6b5f97a6de53aa80bc8850479....0.tmp
- /data/data/####/httpdns_config_cache.xml
- /data/data/####/httpdns_config_cache.xml.bak
- /data/data/####/httpdns_config_enable.xml
- /data/data/####/i==1.2.0&&4.3.8_1624670157664_envelope.log
- /data/data/####/i==1.2.0&&4.3.8_1624670180191_envelope.log
- /data/data/####/info.xml
- /data/data/####/journal.bkp
- /data/data/####/journal.tmp
- /data/data/####/libjiagu.so
- /data/data/####/local_crash_lock
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/mob_commons_1
- /data/data/####/mz_push_preference.xml
- /data/data/####/native_record_lock (deleted)
- /data/data/####/proc_auxv
- /data/data/####/rl.catch
- /data/data/####/security_info
- /data/data/####/share_sdk_1
- /data/data/####/sharesdk.db-journal
- /data/data/####/sp_sophix.xml
- /data/data/####/sp_sophix.xml.bak
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/um_session_id.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_config.xml.bak (deleted)
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_it_sl.cache
- /data/data/####/umeng_message_state.xml
- /data/data/####/umeng_sp_oaid.xml
- /data/data/####/umeng_sp_zdata.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/unique
- /data/data/####/update.xml
- /data/data/####/ut.db-journal
- /data/data/####/ver
- /data/data/####/woshipm.db-journal
- /data/data/####/z==1.2.0&&4.3.8_1624670131819_envelope.log
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- cat /sys/class/net/wlan0/address
- getprop
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.miui.ui.version.name
- getprop ro.smartisan.version
- getprop ro.vivo.os.version
- logcat -d time -s tag:W
- ls /
- ls /sys/class/thermal
- sh -c type su
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-OAEPWithSHA256AndMGF1Padding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-GCM-NoPadding
Uses special library to hide executable bytecode.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Displays its own windows over windows of other apps.
