Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.433.origin
Network activity:
Connecting to:
- oranges####.cn
- 6####.####.66
- m####.####.com:6088
- 2####.####.108:443
- f####.####.com
- w####.####.com
- y####.####.com
- 6####.####.66:9001
- m####.####.com
- hotp####.####.com
- f####.####.cn
- a####.####.com
HTTP GET requests:
- w####.####.com/adx.php?c=####
- f####.####.com/it/u=3415944910,4184563645&fm=76
- hotp####.####.com/patch?version=####&patchver=####&platform=####&appId=#...
- y####.####.com/m/um.htm?c=####
- f####.####.cn/focus/conf?device_type=####&height=####&dpi=####&android_i...
- f####.####.com/it/u=3551235436,3523853201&fm=76
- 2####.####.108:443/imlogingw/tcp60login?devid=####&ver=####
- oranges####.cn/n/s?v####
- oranges####.cn/n/p.wca.c?v####
- m####.####.com/c/1495017075262
HTTP POST requests:
- 6####.####.66/advtj/RemoteAction
- a####.####.com/rest/gc?dd=####&nsgs=####&ak=####&av=####&c=####&v=####&s...
- m####.####.com/t/1495017077453
- m####.####.com/t/1495017082189
- m####.####.com/t/1495017081608
- a####.####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=####&sv=#...
- m####.####.com/t/1495017078975
- 6####.####.66:9001/advtj/RemoteAction
- f####.####.cn/focus/atex
- y####.####.com/saveWb.json
- a####.####.com/app_logs
- w####.####.com/api/update.do
- m####.####.com/t/1495017086556
- m####.####.com/p/1495017075502
- m####.####.com:6088/s/
Modified file system:
Creates the following files:
- <Package Folder>/shared_prefs/ywAccount.xml.bak
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/shared_prefs/SDK20161728051220964dw6hvenlv7pf_banner.xml
- <Package Folder>/files/exid.dat
- <Package Folder>/shared_prefs/SDK201611151111099i28b7xr47d7gbz_banner.xml
- <Package Folder>/files/.imprint
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/code_cache/secondary-dexes/<Package>-1.apk.classes964475711.zip
- <Package Folder>/shared_prefs/UTMCConf-1369071460.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/tcms_setting_sp.xml
- <Package Folder>/files/amwbsa
- <Package Folder>/files/libexec.so
- <Package Folder>/shared_prefs/UTCommon.xml
- <Package Folder>/app_dex/7ABE753A17BEEE1BA17A662DA460503B.jar.tmp
- <Package Folder>/files/sp.lock
- <Package Folder>/files/1d77ea041509fe06.lock
- <Package Folder>/shared_prefs/SDK201611151111099i28b7xr47d7gbz_instl.xml
- <Package Folder>/cache/WXOPENIM/openim/<Package>_2111
- <Package Folder>/shared_prefs/<Package>.xml
- <Package Folder>/cache/WXOPENIM/openim/<Package>_TcmsService_2151
- <Package Folder>/files/.umeng/exchangeIdentity.json
- <Package Folder>/shared_prefs/device_id.xml.xml
- <Package Folder>/shared_prefs/SDK201611151111099i28b7xr47d7gbz_spread.xml
- <Package Folder>/app_weliyo/87826196127A57D7C11D4317FAD00F96.jar.tmp
- <Package Folder>/files/0a231bd8575dcf72.txt
- <Package Folder>/databases/ua.db
- <Package Folder>/files/libexecmain.so
- <Package Folder>/files/yw.db
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/files/libsecuritysdkx-3.1.27.so
- <Package Folder>/shared_prefs/SDK20161728051220964dw6hvenlv7pf_native.xml
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/SGMANAGER_DATA.xml
- <Package Folder>/shared_prefs/SDK20161728051220964dw6hvenlv7pf_spread.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/SDK20161728051220964dw6hvenlv7pf_instl.xml
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/shared_prefs/UTMCLog-1369071460.xml
- <Package Folder>/shared_prefs/ywAccount.xml
- <Package Folder>/files/49814c4f5ac2f2f9.lock
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/SDK201611151111099i28b7xr47d7gbz_native.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/databases/download_file.db-journal
Miscellaneous:
Executes next shell scripts:
- getprop ro.product.cpu.abi
- cat /proc/cpuinfo | grep Serial
- ls -l /system/xbin/su
- <dexopt>
- ping -c 2 -w 5 f####.####.cn
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.
