Android.DownLoader.5480

Technical information

Malicious functions:

Downloads the following detected threats from the Internet:

Android.Siggen.Susp.6902

Network activity:

Connects to:

UDP(DNS) 1####.0.0.1:53
UDP(DNS) 9####.9.9.9:53
UDP(DNS) 8####.8.4.4:53
UDP(DNS) <Google DNS>
TCP(HTTP/1.1) zt####.bdsuek####.com:80
TCP(HTTP/1.1) a####.ki####.com:80
TCP(HTTP/1.1) m####.le1####.com:80
TCP(HTTP/1.1) h####.cagdjdd####.click:80
TCP(HTTP/1.1) m####.owu####.com:80
TCP(HTTP/1.1) v####.loe####.com:80
UDP(NTP) t####.go####.com:123
UDP(NTP) t####.a####.com:123
UDP(NTP) t####.win####.com:123
TCP(TLS/1.0) rr2---s####.g####.com:443
TCP(TLS/1.0) v####.loe####.com:443
TCP(TLS/1.0) and####.a####.go####.com:443
TCP(TLS/1.0) gmscomp####.google####.com:443
TCP(TLS/1.0) app-mea####.com:443
TCP(TLS/1.0) rr9---s####.g####.com:443
TCP(TLS/1.0) def####.duals####.cn.####.com:443
TCP(TLS/1.0) googl####.g.doublec####.net:443
TCP(TLS/1.0) new-####.u####.com:443
TCP(TLS/1.0) er####.u####.com.####.com:443
TCP(TLS/1.0) u####.u####.com:443
TCP(TLS/1.2) 1####.194.73.139:443
TCP(TLS/1.2) 74.1####.131.94:443
TCP(TLS/1.2) gmscomp####.google####.com:443
TCP(TLS/1.2) 1####.250.150.138:443
TCP firebas####.crashly####.com:443
UDP gmscomp####.google####.com:443
TCP ms####.m.u####.com:443

DNS requests:

a####.ki####.com
a####.u####.com
amdc####.m.ta####.com
and####.a####.go####.com
and####.google####.com
app-mea####.com
dsp.ads.u####.com
er####.u####.com
firebas####.crashly####.com
gmscomp####.google####.com
googl####.g.doublec####.net
h####.cagdjdd####.click
htv.gkd####.xyz
m####.le1####.com
m####.owu####.com
of####.u####.com
p####.google####.com
rr2---s####.g####.com
rr9---s####.g####.com
t####.a####.com
t####.go####.com
t####.win####.com
u####.u####.com
umen####.m.ta####.com
umengj####.m.ta####.com
v####.loe####.com
zt####.bdsuek####.com

HTTP GET requests:

h####.cagdjdd####.click/marketdatas/apk/unitviptvmobile_3.15.0_2d7ac38a_...
m####.owu####.com/MarketServer/update?action=####&packagenamesAndVersion...
v####.loe####.com/ADServer/static/res/adsys/54e965bf-1b2e-4a63-9895-1495...
v####.loe####.com/ADServer/static/res/adsys/78d19a4e-c42f-4e96-bcb8-4b79...
v####.loe####.com/ADServer/static/res/adsys/be515808-408b-470e-a6ce-7cf9...
v####.loe####.com/ADServer/static/res/adsys/ef103d2c-8e79-4e65-a32b-44b3...

HTTP POST requests:

a####.ki####.com/api/v2/dcs/getAddr
def####.duals####.cn.####.com:443/offmsg/req
def####.duals####.cn.####.com:443/q
er####.u####.com.####.com:443/apm_cc
m####.le1####.com/api/adserver/v2/get_content
new-####.u####.com:443/api/postZdata
u####.u####.com:443/umpx_push_launch
u####.u####.com:443/umpx_push_register
u####.u####.com:443/unify_logs
u####.u####.com:443/zcfg
v####.loe####.com:443/tdc/v2/report
zt####.bdsuek####.com/api/portalCore/getThridPart
zt####.bdsuek####.com/api/portalCore/v3/snToken

File system changes:

Creates the following files:

/data/data/####/.fsgkea
/data/data/####/.imprint
/data/data/####/.jg.ac
/data/data/####/.jg.ri
/data/data/####/.jg.store.report_cf
/data/data/####/.jg.store.report_pid
/data/data/####/1598e6a4868123d552392099f33f2e09b55ee3ee204eb0a....0.tmp
/data/data/####/1598e6a4868123d552392099f33f2e09b55ee3ee204eb0a...64b4.0
/data/data/####/6617089E03D8-0001-0E34-0E0986BBEF2ABeginSession.cls
/data/data/####/6617089E03D8-0001-0E34-0E0986BBEF2ABeginSession.cls_temp
/data/data/####/6617089E03D8-0001-0E34-0E0986BBEF2ASessionApp.cls
/data/data/####/6617089E03D8-0001-0E34-0E0986BBEF2ASessionUser.cls
/data/data/####/661708A20180-0001-0EB2-0E0986BBEF2ABeginSession.cls_temp
/data/data/####/661708A20180-0001-0EB2-0E0986BBEF2ASessionApp.cls
/data/data/####/661708A20180-0001-0EB2-0E0986BBEF2ASessionApp.cls_temp
/data/data/####/661708A20180-0001-0EB2-0E0986BBEF2ASessionDevice.cls
/data/data/####/661708A20180-0001-0EB2-0E0986BBEF2ASessionDevice.cls_temp
/data/data/####/661708A20180-0001-0EB2-0E0986BBEF2ASessionOS.cls_temp
/data/data/####/959a85a808c32295_0
/data/data/####/ACCS_BINDdefault.xml
/data/data/####/ACCS_SDK.xml
/data/data/####/ACCS_SDK_CHANNEL.xml
/data/data/####/AGOO_BIND.xml
/data/data/####/Agoo_AppStore.xml
/data/data/####/Alvin2.xml
/data/data/####/AndroidAria.db
/data/data/####/AndroidAria.db-journal
/data/data/####/AndroidAria.db-journal (deleted)
/data/data/####/AndroidAria.db-shm (deleted)
/data/data/####/AndroidAria.db-wal (deleted)
/data/data/####/AriaApp.cfg
/data/data/####/AriaDGroup.cfg
/data/data/####/AriaDownload.cfg
/data/data/####/AriaUpload.cfg
/data/data/####/BBDatabase.db-journal
/data/data/####/ContextData.xml
/data/data/####/Cookies-journal
/data/data/####/DomainCache.xml
/data/data/####/MessageStore.db-journal
/data/data/####/MsgLogStore.db-journal
/data/data/####/UMPushConfig.xml
/data/data/####/UM_PROBE_DATA.xml
/data/data/####/VTPIVTINU0ELIBOM0MOC.ss
/data/data/####/WebViewChromiumPrefs.xml
/data/data/####/Y29uZmlnXzVlYjI2YzVlNTcwZGYzNGEyMjAwMDFhNA.sp
/data/data/####/Y29uZmlnXzVlYjI2YzVlNTcwZGYzNGEyMjAwMDFhNA.sp.bak
/data/data/####/a887b9e54aafb176274ab4445b2d4ce54a480a699570db7....0.tmp
/data/data/####/a887b9e54aafb176274ab4445b2d4ce54a480a699570db7...3376.0
/data/data/####/accs.db-journal
/data/data/####/addb-journal
/data/data/####/admob.xml
/data/data/####/advert.xml
/data/data/####/advert.xml.bak
/data/data/####/app.json
/data/data/####/aria_config.xml
/data/data/####/bbconfig.xml
/data/data/####/cad3f576b8fddf6df1de578d43165ddf2be1ca61103cd1d....0.tmp
/data/data/####/cad3f576b8fddf6df1de578d43165ddf2be1ca61103cd1d...f788.0
/data/data/####/channel_umeng_common_config.xml
/data/data/####/channel_umeng_common_config.xml.bak
/data/data/####/classes.dex
/data/data/####/classes.dex;classes2.dex
/data/data/####/classes.dex;classes3.dex
/data/data/####/classes.dex;classes4.dex
/data/data/####/classes.dex;classes5.dex
/data/data/####/classes.oat
/data/data/####/com.crashlytics.settings.json
/data/data/####/com.google.InstanceId.properties
/data/data/####/com.google.android.datatransport.events-journal
/data/data/####/com.google.android.gms.appid-no-backup
/data/data/####/com.google.android.gms.appid.xml
/data/data/####/com.google.android.gms.measurement.prefs.xml
/data/data/####/com.google.android.gms.measurement.prefs.xml.bak
/data/data/####/com.google.firebase.crashlytics.xml
/data/data/####/com.mobile.unitviptv_preferences.xml
/data/data/####/config.xml
/data/data/####/config.xml.bak
/data/data/####/crashlytics-userlog-661708A20180-0001-0EB2-0E09...A.temp
/data/data/####/device.json
/data/data/####/dfe6b2497a7513ba_0
/data/data/####/efs_launch.xml
/data/data/####/efsid
/data/data/####/efsid3762
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/f038e94cb33282ab_0
/data/data/####/fa0ae84947a2d91014daf184524ec3fc633daf314c660b6....0.tmp
/data/data/####/fa0ae84947a2d91014daf184524ec3fc633daf314c660b6...924e.0
/data/data/####/google_app_measurement_local.db
/data/data/####/google_app_measurement_local.db-journal
/data/data/####/https_googleads.g.doubleclick.net_0.localstorage-journal
/data/data/####/i==1.2.0&&3.11.5_1712785575895_dW5pZnlfbG9ncw==;.log
/data/data/####/index
/data/data/####/initialization_marker
/data/data/####/itconfig.sp
/data/data/####/itconfig.sp.bak
/data/data/####/journal
/data/data/####/journal.tmp
/data/data/####/libjiagu.so
/data/data/####/message_accs_db
/data/data/####/message_accs_db-journal
/data/data/####/metrics_guid
/data/data/####/os.json
/data/data/####/p==6.4.5&&3.11.5_1712785577364_dW1weF9wdXNoX3Jl...y;.log
/data/data/####/p==6.4.5&&3.11.5_1712785588266_dW1weF9wdXNoX2xh...=;.log
/data/data/####/paconfig.sp
/data/data/####/paconfig.sp.bak
/data/data/####/proc_auxv
/data/data/####/report
/data/data/####/sendlock
/data/data/####/session.json
/data/data/####/share_data.xml
/data/data/####/share_data.xml.bak
/data/data/####/sp_replace_flag.sp
/data/data/####/sp_replace_flag.sp.bak
/data/data/####/t==9.4.4&&3.11.5_1712785576114_dW5pZnlfbG9ncw==;.log
/data/data/####/temp-index
/data/data/####/temp.xml
/data/data/####/the-real-index
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/um_banner.xml
/data/data/####/um_policy_grant.xml
/data/data/####/um_pri.xml
/data/data/####/um_session_id.xml
/data/data/####/um_umcrash.xml
/data/data/####/umeng_common_config.xml
/data/data/####/umeng_common_config.xml.bak
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/umeng_message_state.xml
/data/data/####/umeng_policy_result_flag
/data/data/####/umeng_push_notify.xml
/data/data/####/umeng_zcfg_flag
/data/data/####/umeng_zero_cache.db
/data/data/####/umeng_zero_cache.db-journal
/data/data/####/umzid_general_config.xml
/data/data/####/unique
/data/data/####/user_data.xml
/data/data/####/user_data.xml.bak
/data/data/####/ver
/data/data/####/z==1.2.0&&3.11.5_1712785574750_emNmZw==;.log
/data/media/####/.Uconfig
/data/media/####/.sys
/data/media/####/UMobile.apk
/data/media/####/UMobile.apk.0.part
/data/media/####/UMobile.apk.1.part
/data/media/####/UMobile.apk.2.part
/data/misc/####/primary.prof

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
cat /sys/block/mmcblk0/device/cid
cat /sys/block/mmcblk0/device/name
cat /sys/block/mmcblk0/device/type
cat proc/cpuinfo
find . -name state
getprop ro.build.version.emui
ls -l /system/bin/su
ls /
ls /sys/class/thermal
ps
sh -c cd /sys && find . -name state
sh -c type su

Loads the following dynamic libraries:

libcrashlytics
libcrashsdk
libjiagu
libranger-jni
libtnet-3.1.14
libumeng-spy

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
DES-ECB-PKCS5Padding
DESede-ECB-PKCS5Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS7Padding
DES-ECB-NoPadding

Uses special library to hide executable bytecode.

Gets information about network.

Gets information about installed apps.

Displays its own windows over windows of other apps.

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical information

Recommandations pour le traitement

Free trial