Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.BankBot.988.origin
Removes app icon from the screen.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ip####.com:80
- TCP(TLS/1.0) rr2---s####.g####.com:443
- TCP(TLS/1.0) www.dro####.com:443
- TCP(TLS/1.0) t####.in:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) 1####.194.73.94:443
- TCP(TLS/1.2) 64.2####.161.95:443
- TCP(TLS/1.2) 2####.85.233.95:443
- TCP(TLS/1.2) 1####.194.73.94:443
- TCP(TLS/1.2) 1####.177.14.104:443
- UDP p####.google####.com:443
- UDP rr14---####.g####.com:443
- UDP 74.1####.131.113:443
DNS requests:
- ip####.com
- p####.google####.com
- rr14---####.g####.com
- rr2---s####.g####.com
- t####.in
- www.dro####.com
HTTP GET requests:
- ip####.com/json/?fields=####
- www.dro####.com:443/s/s69d1ofnalhvx97/random_val.txt?dl=####
HTTP POST requests:
- t####.in:443/domain/api/api.php
File system changes:
Creates the following files:
- /data/data/####/Qg.dex
- /data/data/####/Qg.dex.flock (deleted)
- /data/data/####/Qg.json
- /data/data/####/androidx.work.workdb-journal (deleted)
- /data/data/####/sp_data.xml
- /data/data/####/sp_data.xml.bak
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- getprop ro.miui.ui.version.name
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Gets information about sent/received SMS.
Intercepts notifications.
Requests the system alert window permission.
Appears corrupted in a way typical for malicious files.
