Technical information
Malicious functions:
Prompts to install third-party apps.
Removes app icon from the screen.
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) prog-m####.com:80
- TCP(HTTP/1.1) a####.name:80
- TCP(TLS/1.0) rr3---s####.g####.com:443
- TCP(TLS/1.0) 2####.58.208.106:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) rr5---s####.g####.com:443
- TCP(TLS/1.0) 1####.217.168.234:443
- TCP(TLS/1.2) 1####.217.168.195:443
- TCP(TLS/1.2) 1####.217.168.234:443
- TCP(TLS/1.2) 1####.217.168.238:443
- UDP 2####.58.208.106:443
- UDP rr3---s####.g####.com:443
- UDP rr1---s####.g####.com:443
- UDP 1####.217.168.234:443
- UDP rr5---s####.g####.com:443
DNS requests:
- a####.name
- and####.google####.com
- m####.go####.com
- prog-m####.com
- rr1---s####.g####.com
- rr3---s####.g####.com
- rr5---s####.g####.com
HTTP GET requests:
- a####.name/monitor_checker_link.php?ver=####
- prog-m####.com/am.html
HTTP POST requests:
- a####.name/common/api.php?tp=####&type=####&count=####
- a####.name/files/com.amon/MCh.apk
File system changes:
Creates the following files:
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex.flo...leted)
- /data/data/####/SettingsDB
- /data/data/####/SettingsDB-journal
- /data/data/####/main.dex
- /data/data/####/main.dex.flock (deleted)
- /data/data/####/main.md
- /data/data/####/main_tools.dex
- /data/data/####/main_tools.dex.flock (deleted)
- /data/data/####/main_tools.md
- /data/media/####/log.txt
- /data/media/####/log_checker.txt
- /data/media/####/main.md
- /data/media/####/main_tools.md
- /data/media/####/mch.apk
- /data/media/####/prog_class.name
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/log -p d -t su 10065 /system/bin/app_process32 executing 0 /system/bin/sh using binary /system/bin/sh : sh
- /system/bin/log -p d -t su child exited
- /system/bin/log -p d -t su client exited 0
- /system/bin/log -p d -t su connecting client 3698
- /system/bin/log -p d -t su sending code
- /system/bin/log -p d -t su waiting for user
- sh
Uses elevated priveleges.
Gets information about phone status (number, IMEI, etc.).
Gets information about active device administrators.
Gets information about installed apps.
Gets information about accounts associated with the device.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
Parses information from SMS.
Intercepts notifications.
Requests the system alert window permission.
