Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.BankBot.703.origin
Removes app icon from the screen.
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) cereala####.top:80
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) safebro####.google####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) md####.google####.com:443
- TCP(TLS/1.0) 1####.217.17.138:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.2) 1####.217.17.138:443
- TCP(TLS/1.2) 1####.217.168.206:443
- TCP(TLS/1.2) 1####.217.19.195:443
DNS requests:
- and####.cli####.go####.com
- and####.google####.com
- android####.go####.com
- cereala####.top
- instant####.google####.com
- m####.go####.com
- md####.google####.com
- p####.google####.com
- safebro####.google####.com
HTTP POST requests:
- cereala####.top/api144/_ping.php
File system changes:
Creates the following files:
- /data/data/####/SharedData.xml
- /data/data/####/SharedData.xml.bak
- /data/data/####/mi.dex
- /data/data/####/mi.dex.flock (deleted)
- /data/data/####/mi.json
Miscellaneous:
Executes the following shell scripts:
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86_64 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86_64 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_DynamicOptDex/mi.json --oat-fd=33 --oat-location=/data/user/0/<Package>/app_DynamicOptDex/mi.dex --compiler-filter=speed
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
Gets information about sent/received SMS.
Intercepts notifications.
