Technical information
Malicious functions:
Downloads the following detected threats from the Internet:
- Android.RemoteCode.360.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) hls.nexta####.com:80
- TCP(HTTP/1.1) yd.or####.ts.####.cn:80
- TCP(HTTP/1.1) 1####.56.226.115:7001
- TCP(HTTP/1.1) 1####.57.155.33:80
- TCP(HTTP/1.1) cdn.nexta####.com:80
- TCP(HTTP/1.1) 4####.94.13.7:80
- TCP(HTTP/1.1) 47.94.1####.170:8052
- TCP(HTTP/1.1) api.cdn.nexta####.com:80
- TCP(HTTP/1.1) g3.l####.com:80
- TCP(HTTP/1.1) 39.1####.48.1:80
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.0) 59.82.1####.35:443
- TCP(TLS/1.0) 64.2####.162.95:443
- TCP(TLS/1.0) 59.82.1####.219:443
- TCP(TLS/1.0) and####.b####.qq.com:443
- TCP(TLS/1.0) msg.umengc####.com:443
- TCP(TLS/1.0) connect####.gst####.com:443
- TCP(TLS/1.0) 1####.250.150.102:443
- TCP(TLS/1.0) ccs.u####.com.####.com:443
- TCP(TLS/1.0) u####.u####.com:443
- TCP(TLS/1.0) www.a.sh####.com:443
- TCP(TLS/1.0) new-####.u####.com:443
- TCP(TLS/1.0) a####.u####.com.####.com:443
- TCP(TLS/1.2) gmscomp####.google####.com:443
- TCP(TLS/1.2) 64.2####.165.101:443
- TCP(TLS/1.2) 64.2####.162.95:443
- UDP 47.94.1####.170:8050
- UDP 1####.235.69.206:3845
- UDP 1####.254.218.33:1849
- UDP 42.2####.86.109:25879
- UDP 49.5.1####.189:8254
- UDP 60.1####.247.219:38533
- UDP 1####.199.122.84:25600
- UDP 1####.125.54.221:15863
- UDP 1####.229.106.71:6868
- UDP 1####.73.116.232:11523
- UDP 4####.94.7.87:3478
- UDP 1####.134.78.242:37888
- UDP 1####.251.43.15:13353
- UDP 1####.36.71.61:6412
- UDP 1####.0.2.254:42892
- TCP ms####.m.u####.com:443
- UDP 1####.201.50.6:3479
DNS requests:
- a####.u####.com
- amdc####.m.u####.com
- and####.b####.qq.com
- and####.google####.com
- api.cdn.nexta####.com
- ccs.u####.com
- cdn.nexta####.com
- connect####.gst####.com
- g3.l####.com
- gmscomp####.google####.com
- hls.nexta####.com
- msg.umengc####.com
- prog####.ya####.com
- u####.u####.com
- umen####.m.ta####.com
- ut####.u####.com
- www.b####.com
- yd.or####.ts.####.com
HTTP GET requests:
- api.cdn.nexta####.com/api/live/v1/pindaos?s_t=####&s_m=####
- cdn.nexta####.com/app/uploads/2024-01-25/374340bb-778c-49cc-b6d1-b20a7cb...
- cdn.nexta####.com/app/uploads/2024-01-25/59674350-3195-4258-80ff-98efeab...
- cdn.nexta####.com/app/uploads/2024-01-25/6ddbea09-c1fc-4f72-a1f7-93d3982...
- cdn.nexta####.com/app/uploads/2024-01-25/bd713a8c-f24e-4564-a2da-1fb9867...
- cdn.nexta####.com/app/uploads/2024-01-25/dcae444c-e690-4ff8-80f0-bed667f...
- cdn.nexta####.com/app/uploads/2024-03-07/2965792a-2cea-4e3a-a228-1c93338...
- cdn.nexta####.com/app/uploads/2024-03-11/718989c3-d3e2-434a-a3ab-b238a73...
- cdn.nexta####.com/app/uploads/2024-04-08/c6a21b60-6e2c-4381-8c6b-f3bc6fd...
- cdn.nexta####.com/app/uploads/2024-04-11/2d97fc75-2dbd-4ad3-b13e-f664519...
- g3.l####.com/r?format=####
- hls.nexta####.com/nxt/live/d934y6mh59ts.m3u8?isCks=####&es=####&ts=####&...
- www.a.sh####.com:443/
- yd.or####.ts.####.cn/dncj/8g00_lz-3566-1713165098.ts
- yd.or####.ts.####.cn/dncj/8g00_lz-3567-1713165102.ts
- yd.or####.ts.####.cn/dncj/8g00_lz-3568-1713165106.ts
HTTP POST requests:
- a####.u####.com.####.com:443/v3/a/audid/req
- and####.b####.qq.com:443/rqd/async?aid=####
- ccs.u####.com.####.com:443/aa
- msg.umengc####.com:443/v3/tag/add
- new-####.u####.com:443/anti/postZdata
- u####.u####.com:443/umpx_push_launch
- u####.u####.com:443/umpx_push_register
- u####.u####.com:443/unify_logs
- u####.u####.com:443/zcfg
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/0e9fb6677ec30bf8f35ad03ba7939990.0.tmp
- /data/data/####/0e9fb6677ec30bf8f35ad03ba7939990.1
- /data/data/####/0e9fb6677ec30bf8f35ad03ba7939990.1.tmp
- /data/data/####/1004
- /data/data/####/1ae3410fe731d22bff27bce3f50565f7.0.tmp
- /data/data/####/1ae3410fe731d22bff27bce3f50565f7.1
- /data/data/####/1ae3410fe731d22bff27bce3f50565f7.1.tmp
- /data/data/####/1b6da929ed56de51a296b4edefefeb03.0.tmp
- /data/data/####/1b6da929ed56de51a296b4edefefeb03.1
- /data/data/####/1b6da929ed56de51a296b4edefefeb03.1.tmp
- /data/data/####/3f83e4935ac4481ba4049c754171d93a405f35583b35de8...83b9.0
- /data/data/####/701992c109623c91e92852581bbbbb2e.0.tmp
- /data/data/####/701992c109623c91e92852581bbbbb2e.1.tmp
- /data/data/####/7b6931eeb0a9060aa4f9c75399c0c019.0.tmp
- /data/data/####/7b6931eeb0a9060aa4f9c75399c0c019.1
- /data/data/####/7b6931eeb0a9060aa4f9c75399c0c019.1.tmp
- /data/data/####/ACCS_BINDdefault.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Agoo_AppStore.xml.bak
- /data/data/####/BUGLY_COMMON_VALUES.xml
- /data/data/####/CONFIG.xml
- /data/data/####/CP_cache.xml
- /data/data/####/HISTORY.xml
- /data/data/####/LIVE_CONFIG.xml
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/PLAY.xml
- /data/data/####/Splayer_config.xml
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/a==9.5.2&&1.0.115_1713165162196_dW5pZnlfbG9ncw==;.log
- /data/data/####/ac6c636f5894f913fd2d1dffb4eeaed9708ddf3840b1147....0.tmp
- /data/data/####/ac6c636f5894f913fd2d1dffb4eeaed9708ddf3840b1147...5d33.0
- /data/data/####/accs.db-journal
- /data/data/####/advertisement.xml
- /data/data/####/api.prefs.xml
- /data/data/####/api.prefs.xml.bak
- /data/data/####/b128703cd3a465203f3b09db2a628f3b.0
- /data/data/####/b128703cd3a465203f3b09db2a628f3b.1
- /data/data/####/bd035c39874eb6c38c6452c24a79b265.0.tmp
- /data/data/####/bd035c39874eb6c38c6452c24a79b265.1
- /data/data/####/bd035c39874eb6c38c6452c24a79b265.1.tmp
- /data/data/####/bugly_db_-journal
- /data/data/####/bugly_last_us_up_tm
- /data/data/####/c87cb1b81d66b8204506dde15ee7b83a.0.tmp
- /data/data/####/c87cb1b81d66b8204506dde15ee7b83a.1
- /data/data/####/cctv02.0
- /data/data/####/channel---9301c905f23823ec31e26b75a39cb07b-3724...leted)
- /data/data/####/channel---9301c905f23823ec31e26b75a39cb07b-372423.block
- /data/data/####/channel---9301c905f23823ec31e26b75a39cb07b-372424.block
- /data/data/####/channel---9a144c247a43b5bac3ecf3b43610240c-3724...leted)
- /data/data/####/channel---9a144c247a43b5bac3ecf3b43610240c-372422.block
- /data/data/####/conf.dat
- /data/data/####/crashrecord.xml
- /data/data/####/cuuid.xml
- /data/data/####/d92ff2deb3afb780d0ec0358fdf829a7c04132b364f59dc....0.tmp
- /data/data/####/d92ff2deb3afb780d0ec0358fdf829a7c04132b364f59dc...8842.0
- /data/data/####/d96bf35c388f040a416534b296ed2176.0.tmp
- /data/data/####/d96bf35c388f040a416534b296ed2176.1
- /data/data/####/d96bf35c388f040a416534b296ed2176.1.tmp
- /data/data/####/db4cc779f4f82a5625bfbeed79d74d2e.0.tmp
- /data/data/####/db4cc779f4f82a5625bfbeed79d74d2e.1.tmp
- /data/data/####/dce875ab9112348070e82dcbdab8d9cd4cdc52da73d10c0...266b.0
- /data/data/####/delayed_transmission_flag_new.xml
- /data/data/####/event_db
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/i==1.2.0&&1.0.115_1713165165182_dW5pZnlfbG9ncw==;.log
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/libplayer.so
- /data/data/####/local_crash_lock
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/native_record_lock
- /data/data/####/native_record_lock (deleted)
- /data/data/####/p==6.6.2&&1.0.115_1713165163681_dW1weF9wdXNoX3J...y;.log
- /data/data/####/p==6.6.2&&1.0.115_1713165171480_dW1weF9wdXNoX2x...=;.log
- /data/data/####/proc_auxv
- /data/data/####/risk_user_info.xml
- /data/data/####/settings.prefs.xml
- /data/data/####/spider_prefs.xml
- /data/data/####/t==9.5.2&&1.0.115_1713165160263_dW5pZnlfbG9ncw==;.log
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_policy_grant.xml
- /data/data/####/um_push_ut.xml
- /data/data/####/um_session_id.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_policy_result_flag
- /data/data/####/umeng_push.xml
- /data/data/####/umeng_push.xml.bak
- /data/data/####/umeng_sp_oaid.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/umzid_general_config.xml
- /data/data/####/umzid_general_config.xml.bak
- /data/data/####/vaci_epg.dex
- /data/data/####/vaci_epg.dex.flock (deleted)
- /data/data/####/vaci_epg.jar
- /data/data/####/vaci_epg.tmp
- /data/data/####/vaci_plugin.dex
- /data/data/####/vaci_plugin.dex.flock (deleted)
- /data/data/####/vaci_plugin.jar
- /data/data/####/vaci_plugin.tmp
- /data/data/####/vaci_pp.dex
- /data/data/####/vaci_pp.dex.flock (deleted)
- /data/data/####/vaci_pp.jar
- /data/data/####/z==1.2.0&&1.0.115_1713165149856_emNmZw==;.log
- /data/data/####/zijian-douniucaijing.0
- /data/media/####/uuid.data
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/sh -c getprop
- chmod 777 /data/user/0/<Package>/files/pull/1.0.127.apk
- getprop
- getprop ro.product.brand
- getprop ro.product.model
- getprop ro.system.build.id
- ls /
- ls /sys/class/thermal
Loads the following dynamic libraries:
- libBugly_Native
- libmmkv
- libplayer
- libtnet-3.1.14
- libumeng-spy
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
Displays its own windows over windows of other apps.
