Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Xiny.84.origin
Downloads the following detected threats from the Web:
- Android.Xiny.84.origin
Network activity:
Connecting to:
- 1####.####.14
- 1####.####.14:8888
- a####.####.com
- aexcep####.####.com:8012
- amap####.####.com
- and####.####.com
- api####.####.com
- c####.####.com
- dl####.####.com
- imgc####.####.com
- m####.####.com
- p####.####.cn
- s####.####.com
HTTP GET requests:
- 1####.####.14/api/v1/user/refresh?mainId=####&ver=####
- 1####.####.14:8888/api/v1/app_config?data=####&ver=####
- a####.####.com/dev/api/adlist/adlist.php?device_id=####&imsi=####&device...
- amap####.####.com/sdkcoor/android/x86/libJni_wgs2gcj.so
- c####.####.com/diy/e5668bc5a048773f5c9257fddc40350a-yiqiniubanner.jpg
- dl####.####.com/dev/upload/ad_url/201605/1_b7adff39678ecb9571299492e2101...
- imgc####.####.com/qzone/biz/gdt/mod/android/AndroidAllInOne/proguard/his...
- m####.####.com/gdt_mview.fcg?posw=####&posh=####&count=####&r=####&datat...
- p####.####.cn/gdt/0/transformer_3993147534561993302_80.jpg/0?ck=####
HTTP POST requests:
- a####.####.com/app_logs
- aexcep####.####.com:8012/rqd/async
- and####.####.com/rqd/async
- api####.####.com/v3/log/init
- s####.####.com/msg
Modified file system:
Creates the following files:
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.jar
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.jar.sig
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.tmp
- <Package Folder>/app_e_qq_com_plugin/gdt_plugin.tmp.sig
- <Package Folder>/app_e_qq_com_plugin/update_lc
- <Package Folder>/app_e_qq_com_setting/devCloudSetting.cfg
- <Package Folder>/app_e_qq_com_setting/devCloudSetting.sig
- <Package Folder>/app_e_qq_com_setting/gdt_suid
- <Package Folder>/app_e_qq_com_setting/sdkCloudSetting.cfg
- <Package Folder>/app_e_qq_com_setting/sdkCloudSetting.sig
- <Package Folder>/cache/####/d05786b4988e48033aa275bb2a31f89c
- <Package Folder>/databases/GDTSDK.db
- <Package Folder>/databases/GDTSDK.db-journal
- <Package Folder>/databases/bugly_db_legu-journal
- <Package Folder>/databases/db
- <Package Folder>/databases/db-journal
- <Package Folder>/databases/dynamicamapfile.db
- <Package Folder>/databases/dynamicamapfile.db-journal
- <Package Folder>/databases/jpush_local_notification.db
- <Package Folder>/databases/jpush_local_notification.db-journal
- <Package Folder>/databases/jpush_statistics.db
- <Package Folder>/databases/jpush_statistics.db-journal
- <Package Folder>/databases/okhttputils_cache.db
- <Package Folder>/databases/okhttputils_cache.db-journal
- <Package Folder>/databases/rep.db-journal
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/libwgs2gcj.so
- <Package Folder>/files/####/tempfile
- <Package Folder>/files/.imprint
- <Package Folder>/files/.tz.ttf
- <Package Folder>/files/PrefsFile
- <Package Folder>/files/app_black_list
- <Package Folder>/files/jpush_stat_cache.json
- <Package Folder>/files/jpush_stat_cache_history.json
- <Package Folder>/files/libtangzhuane.so
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/local_crash_lock (deleted)
- <Package Folder>/files/native_record_lock (deleted)
- <Package Folder>/files/prop.dat
- <Package Folder>/files/security_info
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/mix.dex
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/JPushSA_Config.xml
- <Package Folder>/shared_prefs/JPushSA_Config.xml.bak (deleted)
- <Package Folder>/shared_prefs/cn.jpush.serverconfig.xml
- <Package Folder>/shared_prefs/cn.jpush.serverconfig.xml.bak
- <Package Folder>/shared_prefs/jpush_device_info.xml
- <Package Folder>/shared_prefs/multidex.version.xml
- <Package Folder>/shared_prefs/preferences.xml
- <Package Folder>/shared_prefs/statistics_config.xml
- <Package Folder>/shared_prefs/tzhuan_pref.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/tx_shell/libshella-2.10.4.1.so
- <Package Folder>/tx_shell/libufix.so
- <SD-Card>/.system/####/.74356655435.bat
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/1akds076wtiyhbezrl32iiygj0.tmp
- <SD-Card>/Android/####/1bx2tu9irehrkybbxxsqvb7so0.tmp
- <SD-Card>/Android/####/1ebuhwus85nawgshmxf4s1kmx0.tmp
- <SD-Card>/Android/####/1iwlk0onmdfv55vr0cfx9596z0.tmp
- <SD-Card>/Android/####/1x5m1x4phjv8jn3wh2gqaah3s0.tmp
- <SD-Card>/Android/####/1z44vweouxai67fixu45ch6uj0.tmp
- <SD-Card>/Android/####/22p4wdw52h26p61ylv3gz09kz0.tmp
- <SD-Card>/Android/####/27er9iiedio3qtx9tn7wzosm90.tmp
- <SD-Card>/Android/####/2czuowzw6h5jfrwkz54wuuc510.tmp
- <SD-Card>/Android/####/2oz0kzhqvy4eejkgviodhwrx0.tmp
- <SD-Card>/Android/####/2x8s3hy9eigkn4hd9s47ts6110.tmp
- <SD-Card>/Android/####/3ooafmcd8rxsrz03h58kmmgep0.tmp
- <SD-Card>/Android/####/402x2v3zg2xff28sprqb48e5v0.tmp
- <SD-Card>/Android/####/44ih902yl1c4zk7gfppzlltuo0.tmp
- <SD-Card>/Android/####/4bq9blee9dee6xd2pbuqp5m0v0.tmp
- <SD-Card>/Android/####/4ek5iepv97x5mm5izi9f3pfpi0.tmp
- <SD-Card>/Android/####/4fcg9n2aftiru3lyvqw2bnu4z0.tmp
- <SD-Card>/Android/####/4ne7ias74lbjit9831ah7xnmj0.tmp
- <SD-Card>/Android/####/4quek09icjwfrqylsjooctlus0.tmp
- <SD-Card>/Android/####/4tjutrlef7mo9h569ghbatd9v0.tmp
- <SD-Card>/Android/####/4vvm6bvg6gmjgml0c2zxhsgm00.tmp
- <SD-Card>/Android/####/54tzng6pw6o3xrwpail538zm00.tmp
- <SD-Card>/Android/####/5h1e2h7d7qbj3yb7397p42u9r0.tmp
- <SD-Card>/Android/####/5ktfdihpb28zbwrdzik7081e60.tmp
- <SD-Card>/Android/####/5nvkbli64z8dmvh378y7wktpj0.tmp
- <SD-Card>/Android/####/5xz4iplopm7m01gpoozml6ra0.tmp
- <SD-Card>/Android/####/6et3xkl3nk3uldbrb7qrkvbh20.tmp
- <SD-Card>/Android/####/6h4cylvbyridoqybdgi9ar19j0.tmp
- <SD-Card>/Android/####/6ol6vcx4mzus9qd18rzukmtvu0.tmp
- <SD-Card>/Android/####/6xhs6gr46d8sbviyxsn9xel3a0.tmp
- <SD-Card>/Android/####/73s82ako6oteugi9wvoqqadih0.tmp
- <SD-Card>/Android/####/75io6qvr11rzgb1dpcx7fcisp0.tmp
- <SD-Card>/Android/####/7gdljtzfctjgrills2ljc2fis0.tmp
- <SD-Card>/Android/####/8furfse4kb8em9q7fnc36exh0.tmp
- <SD-Card>/Android/####/h6pjub26kef8j7ck9n1zp3ap0.tmp
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/Android/####/ppckk22sfsaqc6vx6fglwhhc0.tmp
- <SD-Card>/Android/####/zwd0irm6ptogz9perbo8kifm0.tmp
- <SD-Card>/Android/djaof.dll
- <SD-Card>/DCIM/####/IMG_70160801_9238332423432.jpg
- <SD-Card>/Tencent/msg_micro_yuyuyu.ttf
- <SD-Card>/data/.push_deviceid
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- <dexopt>
- chmod 700 /data/data/com.aishion.tzhuan/tx_shell/libnfix.so
- chmod 700 /data/data/com.aishion.tzhuan/tx_shell/libshella-2.10.4.1.so
- chmod 700 /data/data/com.aishion.tzhuan/tx_shell/libufix.so
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.10.4.1.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
- sh -c getprop > <Package Folder>/files/prop.dat
Uses special library to hide executable bytecode.
