Android.Triada.5000

Added to the Dr.Web virus database: 2021-05-08

Virus description added:

Technical information

Malicious functions:
Executes code of the following detected threats:
  • Android.Click.345.origin
  • Android.Click.378.origin
  • Android.DownLoader.1007.origin
  • Android.RemoteCode.283.origin
  • Android.RemoteCode.314.origin
  • Android.Triada.4567
  • Android.Triada.482.origin
  • Android.Triada.510.origin
  • Android.Triada.534.origin
Network activity:
Connects to:
DNS requests:
HTTP GET requests:
HTTP POST requests:
File system changes:
Creates the following files:
Miscellaneous:
Executes the following shell scripts:
  • /proc/4620/exe
  • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
  • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
  • /system/bin/dex2oat --instruction-set=x86 --dex-file=<Package Folder>/.jiagu/classes.dex --dex-file=<Package Folder>/.jiagu/classes.dex:classes2.dex --dex-file=<Package Folder>/.jiagu/classes.dex:classes3.dex --dex-file=<Package Folder>/.jiagu/classes.dex:classes4.dex --dex-file=<Package Folder>/.jiagu/classes.dex:classes5.dex --oat-file=<Package Folder>/.jiagu/classes.oat --inline-depth-limit=0 --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/.bgnwh/lrxsflwp.jar --oat-fd=198 --oat-location=/data/user/0/<Package>/.bgnwh/lrxsflwp.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_cachedata/files/81F55C555DD12C293B55BC411F167598.zip --oat-fd=203 --oat-location=/data/user/0/<Package>/files/81F55C555DD12C293B55BC411F167598.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_cachedata/files/8E9A20EC5272B8CE23E7EA5D5F8ABBFE.zip --oat-fd=195 --oat-location=/data/user/0/<Package>/files/8E9A20EC5272B8CE23E7EA5D5F8ABBFE.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_cachedata/files/D75E99C9A338D24A1F840F280B0877ED.zip --oat-fd=169 --oat-location=/data/user/0/<Package>/files/D75E99C9A338D24A1F840F280B0877ED.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_cachedata/files/DA1B1B0D58964CAF022F73C96468E9E9.zip --oat-fd=205 --oat-location=/data/user/0/<Package>/files/DA1B1B0D58964CAF022F73C96468E9E9.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_xddd/p28/sp28.jar --oat-fd=61 --oat-location=/data/user/0/<Package>/app_xddd/p28/sp28.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/cache/1s.jar --oat-fd=105 --oat-location=/data/user/0/<Package>/app_dex/1s.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/cache/1s.jar --oat-fd=198 --oat-location=/data/user/0/<Package>/app_dex/1s.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/cache/data/<Package>/files/306FA3F0A104985E3C7626619F8FB1F9.jar --oat-fd=170 --oat-location=/data/user/0/<Package>/files/306FA3F0A104985E3C7626619F8FB1F9.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/cache/data/<Package>/files/CCCC5B8911BBCB224E5317F7FB929A12.jar --oat-fd=169 --oat-location=/data/user/0/<Package>/files/CCCC5B8911BBCB224E5317F7FB929A12.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/cache/cacheUmeng/13_2.jar --oat-fd=76 --oat-location=/data/user/0/<Package>/files/cache/cacheUmeng/13_2.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/cache/cacheUmeng/16.jar --oat-fd=104 --oat-location=/data/user/0/<Package>/files/cache/cacheUmeng/16.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/cache/cacheUmeng/18.jar --oat-fd=196 --oat-location=/data/user/0/<Package>/files/cache/cacheUmeng/18.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/cache/cacheUmeng/2.jar --oat-fd=90 --oat-location=/data/user/0/<Package>/files/cache/cacheUmeng/2.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/cache/cacheUmeng/24.jar --oat-fd=192 --oat-location=/data/user/0/<Package>/files/cache/cacheUmeng/24.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/cache/cacheUmeng/61cd7b22101a540303b15398fa2aa231.jar --oat-fd=168 --oat-location=/data/user/0/<Package>/files/cache/cacheUmeng/61cd7b22101a540303b15398fa2aa231.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/cache/cacheUmeng/oatCache/downUmeng/umengDB.jar --oat-fd=71 --oat-location=/data/user/0/<Package>/files/cache/cacheUmeng/oatCache/downUmeng/umengDB.dex --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/cf54681216.apk --oat-fd=169 --oat-location=/data/user/0/<Package>/files/cf54681216_o --compiler-filter=speed
  • /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/tda/ZH502.jar --oat-fd=103 --oat-location=/data/user/0/<Package>/files/tda/ZH502.dex --compiler-filter=speed
  • /system/lib/arm/houdini /data/user/0/<Package>/files/kms_02ext /data/user/0/<Package>/files/kms_02ext --ru89 0 /data/user/0/<Package>/files/debuggerd_real
  • /system/lib/arm/houdini <Package Folder>/files/kw_133485 <Package Folder>/files/kw_133485 3 267556
  • cat /proc/version
  • cat /sys/class/net/wlan0/address
  • getprop
  • getprop ro.board.platform
  • getprop ro.build.display.id
  • getprop ro.build.version.emui
  • getprop ro.build.version.opporom
  • getprop ro.miui.ui.version.name
  • getprop ro.product.cpu.abi
  • getprop ro.smartisan.version
  • getprop ro.vivo.os.version
  • getprop ro.yunos.build.version
  • ls /
  • ls /sys/class/thermal
  • sh -c <Package Folder>/files/kw_133485 3 267556 &
  • sh -c cat /proc/4635/maps
Uses the following algorithms to encrypt data:
  • AES-CBC-PKCS5Padding
  • AES-CBC-PKCS7Padding
  • AES-ECB-PKCS5Padding
  • AES-GCM-NoPadding
  • DES
  • RSA-ECB-NoPadding
  • RSA-ECB-PKCS1Padding
  • RSA-None-PKCS1Padding
Uses the following algorithms to decrypt data:
  • AES
  • AES-CBC-NoPadding
  • AES-CBC-PKCS5Padding
  • AES-ECB-PKCS5Padding
  • DES
  • RSA-None-PKCS1Padding
Accesses the ITelephony private interface.
Uses a special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
Requests the system alert window permission.

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or some other announcement prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular device, this can be done in various ways; consult the user guide shipped with the device, or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android Light on the infected handheld and run a full system scan; follow the steps recommended for neutralizing the detected threats;
    • Switch off your device and turn it on as normal.
