Technical information
Malicious functions:
Removes its shortcut from the home screen.
Network activity:
Connecting to:
- UDP(DNS) <Google Host>
- TCP(Google Services) <Google Host>
- TCP(Google Services) <Google Host>
- TCP(HTTP/1.1) syndica####.ex####.com:80
- TCP(HTTP/1.1) tub####.org:80
- TCP(HTTP/1.1) 1.grav####.com:80
- TCP(HTTP/1.1) b.axc####.store:80
- TCP(HTTP/1.1) w####.d.ybos####.us:80
- TCP(HTTP/1.1) www.google-####.com:80
- TCP(HTTP/1.1) jan####.nl:80
- TCP(TLS/1.1) api.ero-adv####.com:443
- TCP(TLS/1.1) syndica####.ex####.com:443
DNS requests:
- 0.grav####.com
- 1.grav####.com
- api.ero-adv####.com
- b.axc####.store
- jan####.nl
- syndica####.ex####.com
- tub####.org
- w####.c.ybos####.us
- w####.d.ybos####.us
- www.google-####.com
HTTP GET requests:
- 1.grav####.com/avatar/2ae633a6d08c2914d6229764ab808b19?s=####&d=####&r=#...
- 1.grav####.com/avatar/470d3b1934a2b069ddb31092be1038f7?s=####&d=####&r=#...
- 1.grav####.com/avatar/519ba18e92320fe43fca01ada29c9a12?s=####&d=####&r=#...
- 1.grav####.com/avatar/521ae9079b447d116a42cf164072a12c?s=####&d=####&r=#...
- 1.grav####.com/avatar/6aa364e572983c9ce5710b6be4a30265?s=####&d=####&r=#...
- 1.grav####.com/avatar/6cc82aa08db5a220a429e9bd6b0ef9b8?s=####&d=####&r=#...
- 1.grav####.com/avatar/85d45e98564600d96b68d3d2c8ea547d?s=####&d=####&r=#...
- 1.grav####.com/avatar/8f45acb8a42332cbf20c4f43ed996e8f?s=####&d=####&r=#...
- 1.grav####.com/avatar/ac07f5c4279fd404e25e0e1bee79db46?s=####&d=####&r=#...
- 1.grav####.com/avatar/c4c7fea65b1947eb42f3fc993a1ad4d4?s=####&d=####&r=#...
- 1.grav####.com/avatar/ce83513724d3f8d9f9fe55d7751bbe94?s=####&d=####&r=#...
- 1.grav####.com/avatar/de9e45a838909e2dceea2669479ecfd6?s=####&d=####&r=#...
- 1.grav####.com/avatar/e4ecdfa5ed4ad43a90b239fc6d149e2b?s=####&d=####&r=#...
- 1.grav####.com/avatar/ed235a7e217067758b744cc16882b470?s=####&d=####&r=#...
- b.axc####.store/?yibif=####
- jan####.nl/?cmpgn=####
- jan####.nl/?replytocom=####
- jan####.nl/wp-content/themes/twentytwelve/js/navigation.js?ver=####
- jan####.nl/wp-content/themes/twentytwelve/style.css?ver=####
- jan####.nl/wp-content/uploads/2013/08/1.jpg
- jan####.nl/wp-content/uploads/2013/08/2.jpg
- jan####.nl/wp-content/uploads/2013/08/bootcamper.jpg
- jan####.nl/wp-content/uploads/2013/08/c1.jpg
- jan####.nl/wp-content/uploads/2013/08/c2.jpg
- jan####.nl/wp-content/uploads/2013/08/c3.jpg
- jan####.nl/wp-content/uploads/2013/08/c4.jpg
- jan####.nl/wp-content/uploads/2013/08/c5.jpg
- jan####.nl/wp-content/uploads/2013/08/c6.jpg
- jan####.nl/wp-content/uploads/2013/08/c7.jpg
- jan####.nl/wp-content/uploads/2013/08/hetistijd.jpg
- jan####.nl/wp-content/uploads/2013/08/lovehunter.jpg
- jan####.nl/wp-content/uploads/2013/08/mikamikam.jpg
- jan####.nl/wp-includes/images/smilies/icon_biggrin.gif
- jan####.nl/wp-includes/images/smilies/icon_wink.gif
- jan####.nl/wp-includes/js/comment-reply.min.js?ver=####
- jan####.nl/wp-includes/js/jquery/jquery-migrate.min.js?ver=####
- jan####.nl/wp-includes/js/jquery/jquery.js?ver=####
- syndica####.ex####.com/ads-priv.php?i=####
- syndica####.ex####.com/splash.php?cat=####&idzone=####&type=####&p=####&...
- w####.d.ybos####.us/?yibif=####
- www.google-####.com/__utm.gif?utmwv=5.6.7&utms=2&utmn=1088760008&utmhn=j...
- www.google-####.com/__utm.gif?utmwv=5.6.7&utms=3&utmn=242337240&utmhn=ja...
- www.google-####.com/ga.js
- www.google-####.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=173889111&utmhn=...
Modified file system:
Creates the following files:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/index
- <Package Folder>/databases/music_db
- <Package Folder>/databases/music_db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/webviewCookiesChromiumPrivate.db-journal
Miscellaneous:
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
Uses administrator priveleges.
Displays its own windows over windows of other applications.
