Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.611.origin
- Android.Triada.417.origin
- Android.Triada.440.origin
Downloads the following detected threats from the Web:
- Android.Triada.440.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) gn.bule####.cn:6801
- TCP(HTTP/1.1) api.i####.com:80
- TCP(HTTP/1.1) d####.wos####.com:80
- TCP(HTTP/1.1) v####.5####.com:80
- TCP(HTTP/1.1) m####.jh####.cn:80
- TCP(HTTP/1.1) d.6####.com:80
- TCP(HTTP/1.1) qq.com.edges####.net:80
- TCP(HTTP/1.1) www.a.sh####.com:80
- TCP(HTTP/1.1) dn.tc####.com:80
- TCP(HTTP/1.1) rtf####.5do####.com:15215
- TCP(HTTP/1.1) r####.qq####.cn:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) cid.r####.cn:80
- TCP(HTTP/1.1) api.con####.kyli####.com:666
- TCP(HTTP/1.1) api.kxcon####.com:666
- TCP(HTTP/1.1) dl.api.kyli####.com:80
- TCP(HTTP/1.1) d####.bule####.com:8201
- TCP(HTTP/1.1) k####.kyli####.com.####.com:80
- TCP(HTTP/1.1) 1####.55.98.58:80
- TCP(HTTP/1.1) mag####.ks3-cn-####.k####.com:80
- TCP(HTTP/1.1) sdk.and####.com:80
- TCP(HTTP/1.1) n####.haiqi####.top:8080
- TCP(HTTP/1.1) ny.bule####.cn:6601
- TCP(HTTP/1.1) w####.pcon####.com.cn:80
- TCP(HTTP/1.1) 1####.75.3.32:8881
- TCP(HTTP/1.1) ja####.huita####.com:10091
- TCP(HTTP/1.1) pre.bule####.cn:6501
- TCP(HTTP/1.1) lehoand####.star-el####.com:80
- TCP(HTTP/1.1) e4####.oi####.com:20351
- TCP(HTTP/1.1) api.unipl####.com:80
- TCP(HTTP/1.1) v3.bule####.cn:7001
- TCP(HTTP/1.1) ap####.wanyu####.com:80
- TCP(HTTP/1.1) sdk.91a####.com:80
- TCP(HTTP/1.1) down####.ydst####.com.####.com:80
- TCP(HTTP/1.1) dn.gogo####.top:80
- TCP(HTTP/1.1) kl.kyli####.com:80
- TCP(HTTP/1.1) inf.bule####.cn:6101
- TCP(HTTP/1.1) w####.5####.com:80
- TCP(TLS/1.0) gv1.x####.com:443
- UDP u4.wser####.com:40001
DNS requests:
- a####.wanyu####.com
- ap####.wanyu####.com
- api.con####.kyli####.com
- api.i####.com
- api.kxcon####.com
- api.unipl####.com
- cid.r####.cn
- d####.bule####.com
- d####.wos####.com
- d.6####.com
- dl.api.kyli####.com
- dn.gogo####.top
- dn.tc####.com
- down####.ydst####.com
- e4####.oi####.com
- gn.bule####.cn
- gv1.x####.com
- i.t####.com
- inf.bule####.cn
- int.d####.s####.####.cn
- ja####.huita####.com
- k####.kyli####.com
- kl.kyli####.com
- lehoand####.star-el####.com
- m####.jh####.cn
- mag####.ks3-cn-####.k####.com
- n####.haiqi####.top
- ny.bule####.cn
- p7rv8####.bkt.clo####.com
- pre.bule####.cn
- r####.qq####.cn
- rtf####.5do####.com
- sdk.91a####.com
- sdk.and####.com
- u4.wser####.com
- v####.5####.com
- v3.bule####.cn
- w####.5####.com
- w####.5####.com
- w####.pcon####.com.cn
- w####.qq.com
- www.b####.com
HTTP GET requests:
- ap####.wanyu####.com/v3/axp_set?appid=####&usid=####&imei=####&sim=####&...
- api.unipl####.com/phone/config.php?c=####&appid=####&pkg=####&ext=####
- api.unipl####.com/sdk/signin.php?&vsdk=####&plt=####&net=####&opt=####&p...
- d.6####.com/d/news_bg_packet.png
- d.6####.com/d/news_icon_close.png
- dn.gogo####.top/dnfile/IMG/20180521145007gk8aut.jpg
- dn.gogo####.top/dnfile/IMG/201805211450100pr568.jpg
- dn.gogo####.top/dnfile/Video/20180612150512phyvmv.mp4
- dn.tc####.com/dnfile/shengjibao/Kernalyi0728_89.jar
- down####.ydst####.com.####.com/ead/180608shanguang21s468.mp4
- k####.kyli####.com.####.com/1532689053413_utils.ttf
- lehoand####.star-el####.com/view/adSwitch.php
- m####.jh####.cn/z/2gdfdgdfvs4x.zip
- m####.jh####.cn/z/2haefrfbdv4x.zip
- m####.jh####.cn/z/2jahjgjgjt4x.zip
- m####.jh####.cn/z/2mbsfdascgk4x.zip
- m####.jh####.cn/z/2ygbfdvdsvsd4x.zip
- mag####.ks3-cn-####.k####.com/baihewang.mp4
- n####.haiqi####.top:8080/adv_platform/getJarVersion/HQB_Q_0016/23/cn
- qq.com.edges####.net/
- r####.qq####.cn/f/fdhdfvds201859
- sdk.91a####.com/static/20180803173651mod.enc
- t####.c####.q####.####.com/path_gn_q16_update20.dat
- www.a.sh####.com/
HTTP POST requests:
- ap####.wanyu####.com/v3/axp_init
- ap####.wanyu####.com/v3/g_das
- api.con####.kyli####.com:666/v1/config
- api.i####.com/Api/AdTrack/index
- api.kxcon####.com:666/v1/config
- api.unipl####.com/phone/video.php
- cid.r####.cn/api3
- d####.bule####.com:8201/data/api_data.aspx
- d####.wos####.com/upload/event.jsp
- d####.wos####.com/upload/event2.jsp
- d####.wos####.com/upload/longheartbeat.jsp
- d####.wos####.com/upload/sdklongheartbeat.jsp
- dl.api.kyli####.com/v2/load/mobile
- e4####.oi####.com:20351/ds/
- gn.bule####.cn:6801/bvmain.aspx
- inf.bule####.cn:6101/bPushPhone.aspx
- ja####.huita####.com:10091/wisdom/marking
- kl.kyli####.com/klv1/sdkkl/mobile
- ny.bule####.cn:6601/slsdk/settings.aspx
- pre.bule####.cn:6501/pre/api_settings.aspx
- rtf####.5do####.com:15215/tr/
- rtf####.5do####.com:15215/ts/
- sdk.91a####.com/api/DeviceReport.ashx
- sdk.and####.com/dow.php
- sdk.and####.com/init.php?t=####
- sdk.and####.com/n.php?t=####
- sdk.and####.com/new_add.php?t=####
- v####.5####.com/0/ca477c3b25914a5f821296be846eca73.html
- v####.5####.com/api/CheckModule.ashx
- v####.5####.com/api/GetModuleConfig.ashx
- v####.5####.com/api/GetPkNameList.ashx
- v####.5####.com/api/GetSuspendAdInfo.ashx
- v####.5####.com/api/ReportAppLog.ashx
- v3.bule####.cn:7001/v3/api_request.aspx
- v3.bule####.cn:7001/v3/api_settings.aspx
- v3.bule####.cn:7001/verrlog.aspx
- w####.5####.com/0/76179c31f5d04e21bcf7fee1debf1df1.html
- w####.pcon####.com.cn/ip.jsp
Modified file system:
Creates the following files:
- /data/data/####/.b804e46c204eb389490c6aef1419de65.jar
- /data/data/####/.oe.txt
- /data/data/####/.plversion2
- /data/data/####/.pset_data
- /data/data/####/.tmp.jar
- /data/data/####/1533524758942_2075
- /data/data/####/1533524759011_2075
- /data/data/####/1533524759059_2075
- /data/data/####/1533524759771_2075
- /data/data/####/1533524772672_2192
- /data/data/####/1533524772815_2192
- /data/data/####/1533524791428_2361
- /data/data/####/1533524791638_2361
- /data/data/####/1533524791679_2361
- /data/data/####/1533524791746_2361
- /data/data/####/1533524813275_2461
- /data/data/####/1533524813600_2461
- /data/data/####/3323003.jar
- /data/data/####/3323003.ttf
- /data/data/####/469d731f81937a3bab92f9c04a3ca370.xml
- /data/data/####/5ff9fbceaae1b0f381c9a2589fb0cc4c.log
- /data/data/####/5ff9fbceaae1b0f381c9a2589fb0cc4c.log.temp
- /data/data/####/96da6f53d7b5cda1437805c57cfc44e0
- /data/data/####/FanqieAd.xml
- /data/data/####/RSS_PL_COUNTLY_STORE.xml
- /data/data/####/TD_app_pefercen_profile.xml
- /data/data/####/TDpref_longtime.xml
- /data/data/####/TDpref_longtime3.xml
- /data/data/####/TDpref_shorttime.xml
- /data/data/####/Uniplay.xml
- /data/data/####/VideoRes.apk
- /data/data/####/a4be9ff4668403efdb304dc0106533f6.log
- /data/data/####/a4be9ff4668403efdb304dc0106533f6.log.temp
- /data/data/####/adhmcfg-journal
- /data/data/####/adhmcfg_ke-journal
- /data/data/####/b.gif
- /data/data/####/cfg_qq_stat.xml
- /data/data/####/com.starelement.virtualmall.huawei_preferences.xml
- /data/data/####/config.cfg
- /data/data/####/config.xml
- /data/data/####/config.xml.bak
- /data/data/####/config_pre7.xml
- /data/data/####/cur_ver_file.xml
- /data/data/####/defaultpref1.xml
- /data/data/####/e2d119a1c8895232098cd0bba4d5750c.log
- /data/data/####/e2d119a1c8895232098cd0bba4d5750c.log.temp
- /data/data/####/e64db61cc859d4aa808dc59fa18db2ff.log
- /data/data/####/e64db61cc859d4aa808dc59fa18db2ff.log.temp
- /data/data/####/entry_ext2.xml
- /data/data/####/ff533ee364e852cd5369a6766a6f448b.log
- /data/data/####/ff533ee364e852cd5369a6766a6f448b.log.temp
- /data/data/####/gameid
- /data/data/####/gameid.zip
- /data/data/####/hm361_ds.jar
- /data/data/####/hm361_s_p297.dat
- /data/data/####/hm_ad361_hotcfg.xml
- /data/data/####/hm_ad361_hotcfg.xml.bak
- /data/data/####/hm_ad361_kecfg.xml
- /data/data/####/idc6c32571-6cc0-4103-b42f-d99d03994c2b.tmp
- /data/data/####/ljtq.xml
- /data/data/####/lmvideo_db-journal
- /data/data/####/max_pref.xml
- /data/data/####/mod.dec
- /data/data/####/mod.dex
- /data/data/####/mod.enc
- /data/data/####/ntrehnib.jar
- /data/data/####/path_gn_q16_update20.temp (deleted)
- /data/data/####/pavo
- /data/data/####/pavo-32
- /data/data/####/pavo-64
- /data/data/####/phan.xml
- /data/data/####/pl_sp.xml
- /data/data/####/popp.tm
- /data/data/####/ps_de.update
- /data/data/####/qptbccm.jar
- /data/data/####/rws_sp.xml
- /data/data/####/sp_iconfig.xml
- /data/data/####/tdid.xml
- /data/data/####/tmpbl.jar
- /data/data/####/tmpbl.jar_tmp
- /data/data/####/videokernel.apk
- /data/data/####/videokernel.dex (deleted)
- /data/data/####/videonewadtest_db
- /data/data/####/videonewadtest_db-journal
- /data/data/####/videonewadtest_db-shm (deleted)
- /data/data/####/videonewadtest_db-wal
- /data/data/####/webview.db-journal
- /data/data/####/yd_config_c.xml
- /data/media/####/-1483691683
- /data/media/####/.device_sn
- /data/media/####/.nomedia
- /data/media/####/.sys
- /data/media/####/.tcookieid
- /data/media/####/.uidoslog
- /data/media/####/1173217260
- /data/media/####/20180612150512phyvmv.mp4
- /data/media/####/6ca6c57a334f369ae2ef6e108c38aee5
- /data/media/####/8ae66b85ab2beaf679d0c7199b1f3522.tmp
- /data/media/####/Videoshell.log
- /data/media/####/config
- /data/media/####/hst2.syse494ddfc-66fc-460f-9d40-04175b33bf8a.tmp
- /data/media/####/id.tmp
- /data/media/####/id1c47102af-983d-4d45-a3eb-eeab05c9b8bd.tmp
- /data/media/####/id1cd2b8e1c-f194-4e42-bec3-5ae6039a255c.tmp
- /data/media/####/id1e7f5c8c5-5ab1-44c0-a16f-bb9018c86246.tmp
- /data/media/####/id2490f25af-ebef-4452-b9c4-6aad341d6eb1.tmp
- /data/media/####/id2b36c036e-efca-4f1f-bdd1-2515a11b2d35.tmp
- /data/media/####/id2b615e4a4-3f05-4249-8ed5-a8f53b35e4d7.tmp
- /data/media/####/kernel.dat
- /data/media/####/kernel.dat.tmp
- /data/media/####/scity.txt
Miscellaneous:
Executes next shell scripts:
- cat /proc/version
- cat /sys/class/net/wlan0/address
- getprop
- getprop ro.board.platform
- getprop ro.product.cpu.abi
Loads the following dynamic libraries:
- cocos2dcpp
- pavo
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- DES
- DES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- DES
- DES-CBC-PKCS5Padding
- desede-CBC-PKCS5Padding
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Gains access to information about running applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
