Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Triada.226.origin
- Android.Triada.248.origin
Downloads the following detected threats from the Web:
- Android.Triada.226.origin
- Android.Triada.248.origin
Network activity:
Connecting to:
- 1####.####.71
- 1####.####.71:9500
- a####.####.com
- c####.####.com
- c####.####.net
- d####.####.com
HTTP GET requests:
- d####.####.com/adcms/source/api/getSourceConfig.jhtm?channelName=####
HTTP POST requests:
- 1####.####.71/
- 1####.####.71:9500/
- a####.####.com/app_logs
- c####.####.com/show.aspx?Key=####
- c####.####.net/config/update
Modified file system:
Creates the following files:
- <Package Folder>/cache/####/-4868286551313215627
- <Package Folder>/cache/####/1231988341480546792
- <Package Folder>/cache/####/1300569233264210743
- <Package Folder>/cache/####/1749498288602585700
- <Package Folder>/cache/####/1797091980-2077045867
- <Package Folder>/cache/####/17970919801522004504
- <Package Folder>/cache/####/428543214-552710976
- <Package Folder>/cache/####/497066232-584448580
- <Package Folder>/databases/adshower.db-journal
- <Package Folder>/databases/dataeye_database_2EF785C554D89BC286F31874A83E2448.db
- <Package Folder>/databases/dataeye_database_2EF785C554D89BC286F31874A83E2448.db-journal
- <Package Folder>/databases/vi_db_pay-journal
- <Package Folder>/files/####/-NjZhDMKKFH71UH_tO09TQ==
- <Package Folder>/files/####/-NjZhDMKKFH71UH_tO09TQ==.new
- <Package Folder>/files/####/399xfjIsjG9gvTPoUOPIgw==
- <Package Folder>/files/####/4uX_BHyViiBnq1kr
- <Package Folder>/files/####/RPpRdK3feMXToqiB.zip
- <Package Folder>/files/####/data.dat.tmp
- <Package Folder>/files/####/dxXq9shniA5wOuC_uZZnxw==
- <Package Folder>/files/####/gexvvw_f.zip
- <Package Folder>/files/libexec.so
- <Package Folder>/files/libexecmain.so
- <Package Folder>/files/mobclick_agent_cached_<Package>
- <Package Folder>/files/paylib.jar
- <Package Folder>/files/rdata_comwonczow.new
- <Package Folder>/shared_prefs/PreferanceUtil.xml
- <Package Folder>/shared_prefs/PreferanceUtil.xml.bak
- <Package Folder>/shared_prefs/dc.2EF785C554D89BC286F31874A83E2448.preferences.xml
- <Package Folder>/shared_prefs/dc.2EF785C554D89BC286F31874A83E2448.preferences.xml.bak
- <Package Folder>/shared_prefs/game_state_file.xml
- <Package Folder>/shared_prefs/mobclick_agent_header_<Package>.xml
- <Package Folder>/shared_prefs/mobclick_agent_state_<Package>.xml
- <Package Folder>/shared_prefs/mobclick_agent_state_<Package>.xml.bak
- <SD-Card>/.SystemService/####/uid
- <SD-Card>/.system_temp/.cfg
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh
- <dexopt>
- <su-internal:request>
- <su-internal:result>
- cat /sys/block/mmcblk0/device/cid
- dumpsys activity
- getprop ro.product.cpu.abi
- grep mFocusedActivity
- ls -l /sbin/su
- ls -l /system/bin/su
- ls -l /system/sbin/su
- ls -l /system/xbin/su
- ls -l /vendor/bin/su
- sh
- su
Uses elevated priveleges.
Uses special library to hide executable bytecode.
