Adware.Batmobi.6

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Batmobi.4

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) aexcep####.b####.qq.com:8012
TCP(HTTP/1.1) api.mo####.sdk.####.com:80
TCP(HTTP/1.1) net.ray####.com:80
TCP(HTTP/1.1) and####.b####.qq.com:80
TCP(HTTP/1.1) 1####.205.160.63:80
TCP(HTTP/1.1) a####.b####.qq.com:8011
TCP(HTTP/1.1) sts.bat####.net:80
TCP(HTTP/1.1) set####.ray####.com:80
TCP(TLS/1.0) api.face####.com:443

DNS requests:

a####.b####.qq.com
aexcep####.b####.qq.com
ag####.m.ta####.com
and####.b####.qq.com
api.mo####.sdk.####.com
g####.face####.com
net.ray####.com
rts.mo####.sdk.####.com
set####.ray####.com
sts.bat####.net
u####.bat####.net

HTTP GET requests:

api.mo####.sdk.####.com/adunion/slot/getSrcPrio?h=####&w=####&model=####...
net.ray####.com/openapi/ad/v3?app_id=####&unit_id=####&category=####&req...
set####.ray####.com/appwall/setting?app_id=####&sign=####&platform=####&...
set####.ray####.com/setting?app_id=####&sign=####&platform=####&os_versi...
sts.bat####.net/log?partner_id=####&p_name=####&aid=####&local=####&time...

HTTP POST requests:

a####.b####.qq.com:8011/rqd/async
aexcep####.b####.qq.com:8012/rqd/async
and####.b####.qq.com/rqd/async
api.mo####.sdk.####.com/orts/rpb?h=####&w=####&model=####&vendor=####&sd...

Modified file system:

Creates the following files:

/data/anr/traces.txt
<Package Folder>/databases/####/cc.db
<Package Folder>/databases/####/cc.db-journal
<Package Folder>/databases/MessageStore.db-journal
<Package Folder>/databases/MsgLogStore.db-journal
<Package Folder>/databases/accs.db-journal
<Package Folder>/databases/bat_statistics.db-journal
<Package Folder>/databases/bugly_db_legu-journal
<Package Folder>/databases/du_ad_ts.db-journal
<Package Folder>/databases/message_accs_db
<Package Folder>/databases/message_accs_db-journal
<Package Folder>/databases/mobvista.msdk.db-journal
<Package Folder>/databases/webview.db-journal
<Package Folder>/databases/webviewCookiesChromium.db-journal
<Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal
<Package Folder>/files/DaemonServer
<Package Folder>/files/agoo.pid
<Package Folder>/files/local_crash_lock
<Package Folder>/files/native_record_lock
<Package Folder>/files/security_info
<Package Folder>/mix.dex
<Package Folder>/shared_prefs/ACCS_SDK.xml
<Package Folder>/shared_prefs/ACCS_SDK_CHANNEL.xml
<Package Folder>/shared_prefs/ACCS_SDK_CHANNEL.xml.bak (deleted)
<Package Folder>/shared_prefs/Agoo_AppStore.xml
<Package Folder>/shared_prefs/Alvin2.xml
<Package Folder>/shared_prefs/ContextData.xml
<Package Folder>/shared_prefs/VideoEditor.xml
<Package Folder>/shared_prefs/_toolbox_prefs.xml
<Package Folder>/shared_prefs/com.facebook.sdk.appEventPreferences.xml
<Package Folder>/shared_prefs/com.facebook.sdk.attributionTracking.xml
<Package Folder>/shared_prefs/mobvista.xml
<Package Folder>/shared_prefs/multidex.version.xml
<Package Folder>/shared_prefs/share_date.xml
<Package Folder>/shared_prefs/sharedpreferences_batmobi_settings.xml
<Package Folder>/shared_prefs/umeng_general_config.xml
<Package Folder>/shared_prefs/user_info.xml
<Package Folder>/tx_shell/libnfix.so
<Package Folder>/tx_shell/libshella-2.10.6.0.so
<Package Folder>/tx_shell/libufix.so
<SD-Card>/.1Videoshow/newuser.bin
<SD-Card>/.DataStorage/ContextData.xml
<SD-Card>/.UTSystemConfig/####/Alvin2.xml
<SD-Card>/1Videoshow/####/journal
<SD-Card>/1Videoshow/####/journal.tmp
<SD-Card>/Android/####/.nomedia
<SD-Card>/Android/####/91bb0e2fee4f4a59ae95f427ccf9ccdd

Miscellaneous:

Executes next shell scripts:

/system/bin/sh -c getprop ro.aa.romver
/system/bin/sh -c getprop ro.board.platform
/system/bin/sh -c getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.build.rom.id
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.version.emui
/system/bin/sh -c getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.lenovo.series
/system/bin/sh -c getprop ro.lewa.version
/system/bin/sh -c getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.vivo.os.build.display.id
/system/bin/sh -c type su
<Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:5220512856240b310f00ab4b","utdid":"Wg2EYEwvPw8DAGdzx1FJZXI7","sdkVersion":"212"} -I agoodm.m.taobao.com -O 80 -T -Z
chmod 500 <Package Folder>/files/DaemonServer
chmod 700 <Package Folder>/tx_shell/libnfix.so
chmod 700 <Package Folder>/tx_shell/libshella-2.10.6.0.so
chmod 700 <Package Folder>/tx_shell/libufix.so
getprop ro.aa.romver
getprop ro.board.platform
getprop ro.build.fingerprint
getprop ro.build.nubia.rom.name
getprop ro.build.rom.id
getprop ro.build.tyd.kbstyle_version
getprop ro.build.version.emui
getprop ro.build.version.opporom
getprop ro.gn.gnromvernumber
getprop ro.lenovo.series
getprop ro.lewa.version
getprop ro.meizu.product.model
getprop ro.miui.ui.version.name
getprop ro.vivo.os.build.display.id
getprop ro.yunos.version
logcat -d -v threadtime
sh

Loads the following dynamic libraries:

Bugly
MobileFXV2
libnfix
libshella-2.10.6.0
libufix
nfix
tnet-3.1
ufix

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-GCM-NoPadding
RSA-ECB-PKCS1Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding
AES-GCM-NoPadding

Uses special library to hide executable bytecode.

Gains access to camera interface.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

Technologies

Begriffe

Schulung und Training

Mythen

Technical information

Curing recommendations

Free trial