Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.336.origin
- Android.Triada.144.origin
Downloads the following detected threats from the Web:
- Android.Backdoor.336.origin
- Android.Triada.144.origin
Network activity:
Connecting to:
- a####.####.com
- d####.####.com
- e####.####.com
- m####.####.com
- t####.####.com
HTTP GET requests:
- d####.####.com/thinking/group/rtt0620_663.apk
- e####.####.com/thinking/group/test4
HTTP POST requests:
- a####.####.com/oversea_adjust_and_download_write_redis/notify/download/app
- m####.####.com/errorview/api/601
- t####.####.com/ggview/rsddateindex
Modified file system:
Creates the following files:
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/.catr.apk
- <Package Folder>/files/####/.center.tapk
- <Package Folder>/files/####/.client
- <Package Folder>/files/####/.dg
- <Package Folder>/files/####/.dico.apk
- <Package Folder>/files/####/.dlme.apk
- <Package Folder>/files/####/.dlsb.apk
- <Package Folder>/files/####/.dsmt.apk
- <Package Folder>/files/####/.e0.data
- <Package Folder>/files/####/.ir
- <Package Folder>/files/####/.p.apk
- <Package Folder>/files/####/.rshs
- <Package Folder>/files/####/.service
- <Package Folder>/files/####/.ukd
- <Package Folder>/files/####/.uks
- <Package Folder>/files/####/.uok
- <Package Folder>/files/####/5f79d63143102423ac148986c2ae37a0.data.temp
- <Package Folder>/files/####/a.xml
- <Package Folder>/files/####/b.png
- <Package Folder>/files/####/boy
- <Package Folder>/files/####/busybox
- <Package Folder>/files/####/checkFile0
- <Package Folder>/files/####/checkFile13
- <Package Folder>/files/####/checkFile3
- <Package Folder>/files/####/checkFile5
- <Package Folder>/files/####/checkFile7
- <Package Folder>/files/####/checkFile9
- <Package Folder>/files/####/ex0
- <Package Folder>/files/####/exp
- <Package Folder>/files/####/mkdevsh
- <Package Folder>/files/####/myshell
- <Package Folder>/files/####/post.sh
- <Package Folder>/files/####/postroot.sh
- <Package Folder>/files/####/r1
- <Package Folder>/files/####/r2
- <Package Folder>/files/####/r3
- <Package Folder>/files/####/r4
- <Package Folder>/files/####/rsh
- <Package Folder>/files/####/rt8
- <Package Folder>/files/####/supolicy
- <Package Folder>/files/####/ym
- <Package Folder>/files/5f79d63143102423ac148986c2ae37a0.data
- <Package Folder>/files/iphoto.dex
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <SD-Card>/.windy/49f19b1b089f018a1792a4c581f93d58.tmp
- <SD-Card>/.windy/508e8558f784e3a21d3368e4763e2693.dat
- <SD-Card>/.windy/508e8558f784e3a21d3368e4763e2693.tmp
- <SD-Card>/.windy/65288c96bb8cefd3d531a278a6ac5862.tmp
- <SD-Card>/.windy/d2c2edbfd23c0e2279a83417a7e3c0db.dat
- <SD-Card>/.windy/d2c2edbfd23c0e2279a83417a7e3c0db.tmp
Miscellaneous:
Executes next shell scripts:
- /data/data/sd.g.fs/files/.snow/exp /data/data/sd.g.fs/files/.snow /data/data/sd.g.fs/files/.work
- /system/bin/sh ./mkdevsh
- /system/bin/sh <Package Folder>/files/.snow/.zip/rsh
- <dexopt>
- <error:2>
- app_process /system/bin com.android.commands.pm.Pm disable com.android.tools.receiver
- app_process /system/bin com.android.commands.pm.Pm disable com.android.upon.hash
- app_process /system/bin com.android.commands.pm.Pm disable com.master.main.yaogirl.longe.wei
- app_process /system/bin com.android.commands.pm.Pm disable com.qiu.qing.bing.shuo.tu
- app_process /system/bin com.android.commands.pm.Pm disable com.setting.dysdtool
- app_process /system/bin com.android.commands.pm.Pm disable com.slave.wuw.yiyi.ranran.fang
- app_process /system/bin com.android.commands.pm.Pm enable com.android.tools.receiver
- app_process /system/bin com.android.commands.pm.Pm enable com.android.upon.hash
- app_process /system/bin com.android.commands.pm.Pm enable com.master.main.yaogirl.longe.wei
- app_process /system/bin com.android.commands.pm.Pm enable com.qiu.qing.bing.shuo.tu
- app_process /system/bin com.android.commands.pm.Pm enable com.setting.dysdtool
- app_process /system/bin com.android.commands.pm.Pm enable com.slave.wuw.yiyi.ranran.fang
- chcon u:object_r:system_file:s0 /system/xbin/.ci.pm
- chcon u:object_r:system_file:s0 /system/xbin/supolicy
- chmod 777 <Package Folder>/files/.snow/.catr.apk
- chmod 777 <Package Folder>/files/.snow/.client
- chmod 777 <Package Folder>/files/.snow/.dg
- chmod 777 <Package Folder>/files/.snow/.rshs
- chmod 777 <Package Folder>/files/.snow/.service
- chmod 777 <Package Folder>/files/.snow/.ukd
- chmod 777 <Package Folder>/files/.snow/.uks
- chmod 777 <Package Folder>/files/.snow/.uok
- chmod 777 <Package Folder>/files/.snow/.zip/
- chmod 777 <Package Folder>/files/.snow/.zip/boy
- chmod 777 <Package Folder>/files/.snow/.zip/mkdevsh
- chmod 777 <Package Folder>/files/.snow/.zip/post.sh
- chmod 777 <Package Folder>/files/.snow/.zip/r1
- chmod 777 <Package Folder>/files/.snow/.zip/r2
- chmod 777 <Package Folder>/files/.snow/.zip/r3
- chmod 777 <Package Folder>/files/.snow/.zip/r4
- chmod 777 <Package Folder>/files/.snow/.zip/rsh
- chmod 777 <Package Folder>/files/.snow/.zip/rt8
- chmod 777 <Package Folder>/files/.snow/a.xml
- chmod 777 <Package Folder>/files/.snow/b.png
- chmod 777 <Package Folder>/files/.snow/busybox
- chmod 777 <Package Folder>/files/.snow/ex0
- chmod 777 <Package Folder>/files/.snow/exp
- chmod 777 <Package Folder>/files/.snow/myshell
- chmod 777 <Package Folder>/files/.snow/supolicy
- chmod 777 <Package Folder>/files/.work/postroot.sh
- chown 0.0 /system/app/Dingps.apk
- chown 0.0 /system/app/Linkcai.apk
- chown 0.0 /system/app/Lowerp.apk
- chown 0.0 /system/app/WelSlave.apk
- chown 0.0 /system/bin/.author
- chown 0.0 /system/xbin/.ci.pm
- chown 0.0 /system/xbin/.cp
- chown 0.0 /system/xbin/.rainin
- chown 0.0 /system/xbin/supolicy
- chown 0:0 /data/local/tmp/.catr.apk
- chown 0:0 /data/local/tmp/busybox
- chown 0:0 /system/app/Dingps.apk
- chown 0:0 /system/app/Linkcai.apk
- chown 0:0 /system/app/Lowerp.apk
- chown 0:0 /system/app/MainMaster.apk
- chown 0:0 /system/app/WelSlave.apk
- chown 0:0 /system/app/oneshs.apk
- chown 0:0 /system/bin/.author
- chown 0:0 /system/bin/debuggerd
- chown 0:0 /system/lib/libsoon.so
- chown 0:0 /system/xbin/.ci.pm
- chown 0:0 /system/xbin/.cp
- chown 0:0 /system/xbin/.rainin
- chown 0:0 /system/xbin/supolicy
- df /system
- mount -o remount ro /system
- mount -o remount rw /system
- mount -o remount,ro /system
- mount -o remount,rw /system
- mount -ro remount ro /system
- mount -ro remount,ro /system
- mount -wo remount rw /system
- mount -wo remount,rw /system
- rm <Package Folder>/files/.snow/ex0
- sh
- sh <Package Folder>/files/.snow/exp <Package Folder>/files/.snow <Package Folder>/files/.work
