Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Locker.441.origin
Downloads the following detected threats from the Web:
- Android.Locker.441.origin
Network activity:
Connecting to:
- aexcep####.####.com:8012
- and####.####.com
HTTP POST requests:
- aexcep####.####.com:8012/rqd/async
- and####.####.com/rqd/async
Modified file system:
Creates the following files:
- <Package Folder>/app_a/k.bat
- <Package Folder>/app_a/key.bat
- <Package Folder>/app_a/libStarEngine.so
- <Package Folder>/app_db/ap10.db
- <Package Folder>/app_db/ap10.db-journal
- <Package Folder>/app_db/ap10.db.mirror
- <Package Folder>/databases/bugly_db_legu-journal
- <Package Folder>/databases/bugly_db_legu.mirror
- <Package Folder>/databases/google_analytics_v4.db-journal
- <Package Folder>/databases/google_analytics_v4.db.mirror
- <Package Folder>/databases/google_conversion_tracking.db-journal
- <Package Folder>/databases/google_conversion_tracking.db.mirror
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webview.db.mirror
- <Package Folder>/databases/wifi.db-journal
- <Package Folder>/databases/wifi.db.mirror
- <Package Folder>/databases/wl.db-journal
- <Package Folder>/databases/wl.db.mirror
- <Package Folder>/files/####/sa_82f5808a-5487-4f2b-bb3b-1af6aa20111d_1496215286215.tap
- <Package Folder>/files/####/session_analytics.tap
- <Package Folder>/files/####/session_analytics.tap.tmp
- <Package Folder>/files/.legudb
- <Package Folder>/files/AdjustIoActivityState
- <Package Folder>/files/AdjustIoPackageQueue
- <Package Folder>/files/AppEventsLogger.persistedsessioninfo
- <Package Folder>/files/gaClientId
- <Package Folder>/files/local_crash_lock
- <Package Folder>/files/native_record_lock (deleted)
- <Package Folder>/files/security_info
- <Package Folder>/mix.dex
- <Package Folder>/rpc.cmd
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/TwitterAdvertisingInfoPreferences.xml
- <Package Folder>/shared_prefs/com.crashlytics.prefs.xml
- <Package Folder>/shared_prefs/com.crashlytics.sdk.android;answers;com.a.a.a.a.xml
- <Package Folder>/shared_prefs/com.facebook.sdk.appEventPreferences.xml
- <Package Folder>/shared_prefs/com.facebook.sdk.attributionTracking.xml
- <Package Folder>/tx_shell/libnfix.so
- <Package Folder>/tx_shell/libshella-2.10.1.so
- <Package Folder>/tx_shell/libufix.so
Miscellaneous:
Executes next shell scripts:
- /data/data/com.halo.wifikey.wifilocating/lib/libnative.so rpcx com.halo.wifikey.wifilocating
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- <dexopt>
- <su-internal:request>
- <su-internal:result>
- chmod 000 /system/app/Launcher2.apk
- chmod 700 /data/data/com.halo.wifikey.wifilocating/tx_shell/libnfix.so
- chmod 700 /data/data/com.halo.wifikey.wifilocating/tx_shell/libshella-2.10.1.so
- chmod 700 /data/data/com.halo.wifikey.wifilocating/tx_shell/libufix.so
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.10.1.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- ip a
- logcat -d -v threadtime
- ls data
- sh
- sh <Package Folder>/lib/libnative.so rpcx <Package>
- su
Uses elevated priveleges.
Uses special library to hide executable bytecode.
