Technical information
Malicious functions:
Downloads the following detected threats from the Internet:
- Android.RemoteCode.8274
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 4####.94.13.7:80
- TCP(HTTP/1.1) cdn.nexta####.com:80
- TCP(HTTP/1.1) g3.l####.com:80
- TCP(HTTP/1.1) 39.1####.224.153:80
- TCP(HTTP/1.1) 1####.57.217.238:80
- TCP(HTTP/1.1) 1####.56.226.115:7001
- TCP(HTTP/1.1) 1####.57.155.33:80
- TCP(HTTP/1.1) api.cdn.nexta####.com:80
- TCP(TLS/1.0) www.a.sh####.com:443
- TCP(TLS/1.0) msg.umengc####.com:443
- TCP(TLS/1.0) u####.u####.com:443
- TCP(TLS/1.0) and####.b####.qq.com:443
- TCP(TLS/1.0) 59.82.1####.219:443
- TCP(TLS/1.0) ccs.u####.com.####.com:443
- TCP(TLS/1.0) a####.u####.com.####.com:443
- TCP(TLS/1.0) 1####.194.73.94:443
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.0) new-####.u####.com:443
- TCP(TLS/1.0) rr2---s####.g####.com:443
- TCP(TLS/1.0) connect####.gst####.com:443
- TCP(TLS/1.0) worldti####.org:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.2) 1####.177.14.99:443
- TCP(TLS/1.2) gmscomp####.google####.com:443
- TCP(TLS/1.2) 64.2####.162.94:443
- UDP 1####.68.2.119:3924
- UDP 1####.99.111.197:3924
- UDP 1####.68.2.119:13
- UDP 1####.201.50.6:3479
- UDP 4####.94.7.87:2345
- UDP 1####.99.111.197:3923
- UDP 4####.94.7.87:3478
- UDP 1####.201.50.6:2345
- UDP 64.2####.52.138:3923
- TCP ms####.m.u####.com:443
- UDP 64.2####.52.138:13
- UDP 2####.255.255.250:1900
- UDP p####.google####.com:443
- UDP 1####.166.120.250:3923
- UDP 64.2####.162.94:443
- UDP 1####.100.243.133:15255
- UDP 1####.99.43.67:13
- UDP 1####.248.3.56:13
- UDP 74.1####.131.139:443
DNS requests:
- a####.u####.com
- amdc####.m.u####.com
- and####.b####.qq.com
- api.cdn.nexta####.com
- ccs.u####.com
- cdn.nexta####.com
- connect####.gst####.com
- g3.l####.com
- gmscomp####.google####.com
- msg.umengc####.com
- p####.google####.com
- rr2---s####.g####.com
- u####.u####.com
- umen####.m.ta####.com
- ut####.u####.com
- worldti####.org
- www.b####.com
HTTP GET requests:
- api.cdn.nexta####.com/api/live/v1/pindaos?s_t=####&s_m=####
- cdn.nexta####.com/app/config/live/app_conf_global.json
- cdn.nexta####.com/app/config/live/source_parse_track_conf.json
- cdn.nexta####.com/app/config/live/splayer_d_c.txt
- cdn.nexta####.com/app/config/playback/config_support_ts.json
- cdn.nexta####.com/app/config/third/jar/hdp_0429.jar
- cdn.nexta####.com/app/config/upgrade/xingkong/apk_upgrade_config_v2.json...
- cdn.nexta####.com/app/uploads/2024-04-26/7249dc4d-0b74-41b7-bc08-61febe1...
- cdn.nexta####.com/app/uploads/2024-06-11/14bd20fb-8caa-47ec-a3db-77c48c7...
- cdn.nexta####.com/app/uploads/2024-06-17/f316e378-e082-4fe1-8895-0afa085...
- cdn.nexta####.com/app/uploads/2024-06-19/121409e7-e2b6-425d-b8ac-d926b74...
- cdn.nexta####.com/app/uploads/2024-06-25/4dfaeb89-1106-4d19-aff8-b5d93c0...
- g3.l####.com/r?format=####
- worldti####.org:443/api/ip
- www.a.sh####.com:443/
HTTP POST requests:
- a####.u####.com.####.com:443/v3/a/audid/req
- and####.b####.qq.com:443/rqd/async?aid=####
- ccs.u####.com.####.com:443/aa
- msg.umengc####.com:443/v3/tag/add
- new-####.u####.com:443/anti/postZdata
- u####.u####.com:443/umpx_push_launch
- u####.u####.com:443/umpx_push_register
- u####.u####.com:443/unify_logs
- u####.u####.com:443/zcfg
File system changes:
Creates the following files:
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex.flo...leted)
- /data/data/####/.imprint
- /data/data/####/1004
- /data/data/####/64db2a4fa8654c764c24ff8d2ab24a77.0.tmp
- /data/data/####/64db2a4fa8654c764c24ff8d2ab24a77.1
- /data/data/####/ACCS_BINDdefault.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AD_REC_PLAY_DATA.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Agoo_AppStore.xml.bak
- /data/data/####/BUGLY_COMMON_VALUES.xml
- /data/data/####/CONFIG_orther.xml
- /data/data/####/CP_cache.xml
- /data/data/####/FAVORITE.xml
- /data/data/####/LIVE_CONFIG.xml
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/PERMANENT_DATA.xml
- /data/data/####/PLAY.xml
- /data/data/####/Sb_Cn.xml
- /data/data/####/Splayer_config.xml
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/a==9.5.2&&1.0.119(dev)_1719289797586_dW5pZnlfbG9ncw==;.log
- /data/data/####/accs.db-journal
- /data/data/####/advertisement.xml
- /data/data/####/api.prefs.xml
- /data/data/####/api.prefs.xml.bak
- /data/data/####/b128703cd3a465203f3b09db2a628f3b.0.tmp
- /data/data/####/b128703cd3a465203f3b09db2a628f3b.1
- /data/data/####/b78355431fbe71f8bd51f9fb04924c8f.0.tmp
- /data/data/####/b78355431fbe71f8bd51f9fb04924c8f.1
- /data/data/####/b78355431fbe71f8bd51f9fb04924c8f.1.tmp
- /data/data/####/bd035c39874eb6c38c6452c24a79b265.0.tmp
- /data/data/####/bd035c39874eb6c38c6452c24a79b265.1
- /data/data/####/bd035c39874eb6c38c6452c24a79b265.1.tmp
- /data/data/####/bugly_db_-journal
- /data/data/####/bugly_last_us_up_tm
- /data/data/####/c87cb1b81d66b8204506dde15ee7b83a.0.tmp
- /data/data/####/c87cb1b81d66b8204506dde15ee7b83a.1
- /data/data/####/c87cb1b81d66b8204506dde15ee7b83a.1.tmp
- /data/data/####/crashrecord.xml
- /data/data/####/cuuid.xml
- /data/data/####/db4cc779f4f82a5625bfbeed79d74d2e.0.tmp
- /data/data/####/db4cc779f4f82a5625bfbeed79d74d2e.1.tmp
- /data/data/####/delayed_transmission_flag_new.xml
- /data/data/####/e0ac4835485a5f153641b6e06ecd715d.0
- /data/data/####/e0ac4835485a5f153641b6e06ecd715d.0.tmp
- /data/data/####/e0ac4835485a5f153641b6e06ecd715d.1
- /data/data/####/e0ac4835485a5f153641b6e06ecd715d.1.tmp
- /data/data/####/event_db
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f3bbab682f39a5e2e9dfe56b1baf7e49.0.tmp
- /data/data/####/f3bbab682f39a5e2e9dfe56b1baf7e49.1
- /data/data/####/f3bbab682f39a5e2e9dfe56b1baf7e49.1.tmp
- /data/data/####/hdl_0429.jar
- /data/data/####/i==1.2.0&&1.0.119(dev)_1719289799118_dW5pZnlfbG9ncw==;.log
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/kk.xml
- /data/data/####/kk.xml.bak
- /data/data/####/libvaci_tvcore.so
- /data/data/####/local_crash_lock
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/native_record_lock
- /data/data/####/p==6.6.2&&1.0.119(dev)_1719289798267_dW1weF9wdX...y;.log
- /data/data/####/p==6.6.2&&1.0.119(dev)_1719289807719_dW1weF9wdX...=;.log
- /data/data/####/player.tmp
- /data/data/####/proc_auxv
- /data/data/####/risk_user_info.xml
- /data/data/####/settings.prefs.xml
- /data/data/####/spider_prefs.xml
- /data/data/####/t==9.5.2&&1.0.119(dev)_1719289795933_dW5pZnlfbG9ncw==;.log
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_policy_grant.xml
- /data/data/####/um_push_ut.xml
- /data/data/####/um_session_id.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_policy_result_flag
- /data/data/####/umeng_push.xml
- /data/data/####/umeng_push.xml.bak
- /data/data/####/umeng_sp_oaid.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/umzid_general_config.xml
- /data/data/####/umzid_general_config.xml.bak (deleted)
- /data/data/####/vaci_epg.dex
- /data/data/####/vaci_epg.dex.flock (deleted)
- /data/data/####/vaci_epg.jar
- /data/data/####/vaci_plugin.dex
- /data/data/####/vaci_plugin.dex.flock (deleted)
- /data/data/####/vaci_plugin.tmp
- /data/data/####/vaci_plugin_config.xml
- /data/data/####/vaci_pp.dex
- /data/data/####/vaci_pp.dex.flock (deleted)
- /data/data/####/vaci_pp.tmp
- /data/data/####/z==1.2.0&&1.0.119(dev)_1719289791819_emNmZw==;.log
- /data/media/####/conf.dat
- /data/media/####/uuid.data
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_max_freq
- /system/bin/sh -c getprop
- LD_LIBRARY_PATH=/vendor/lib:/system/lib
- getprop
- getprop ro.product.brand
- getprop ro.product.model
- getprop ro.system.build.id
- ls /
- ls /sys/class/thermal
- sh
- su
Loads the following dynamic libraries:
- libBugly_Native
- libmmkv
- libplayer
- libtnet-3.1.14
- libumeng-spy
- libvaci_tvcore
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Uses elevated priveleges.
Accesses the ITelephony private interface.
Gets information about installed apps.
Displays its own windows over windows of other apps.
