Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Locker.1274.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(TLS/1.0) rr16---####.g####.com:443
- TCP(TLS/1.0) pla####.google####.com:443
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) 1####.250.150.94:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.2) 1####.250.150.94:443
- TCP(TLS/1.2) gmscomp####.google####.com:443
DNS requests:
- and####.a####.go####.com
- and####.google####.com
- gmscomp####.google####.com
- p####.google####.com
- pla####.google####.com
- rr16---####.g####.com
File system changes:
Creates the following files:
- /data/data/####/.dex2oatlock
- /data/data/####/.updateIV.dat
- /data/data/####/0000000lllll_0.dex
- /data/data/####/000O00ll111l_0.dex
- /data/data/####/00O000ll111l_0.dex
- /data/data/####/00O000ll111l_0.dex.flock
- /data/data/####/00O000ll111l_0.dex.flock (deleted)
- /data/data/####/0OO00l111l1l
- /data/data/####/0OO00l111l1l.lock
- /data/data/####/o0oooOO0ooOo.dat
- /data/data/####/proc_auxv
- /data/data/####/tosversion
- /data/media/####/log.x
- /data/media/####/ok.r
- /data/media/####/ok.xh
- /data/media/####/一键签到.r
- /data/media/####/全局循环.x
- /data/media/####/全局间隔.x
- /data/media/####/删除所有帖子.r
- /data/media/####/刷帖子浏览量.r
- /data/media/####/指定乞讨葫芦.r
- /data/media/####/指定板块水贴.r
- /data/media/####/指定板块点赞.r
- /data/media/####/收藏板块帖子.r
- /data/media/####/板块乞讨葫芦.r
- /data/media/####/随机一言评论.r
- /data/media/####/随机板块水贴.r
- /data/media/####/随机板块点赞.r
- /data/misc/####/primary.prof
Miscellaneous:
Loads the following dynamic libraries:
- libluajava
- libshell-super.2019
- libygsiyu
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Displays its own windows over windows of other apps.
