Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.88.origin
- Android.Xiny.197
- Android.Xiny.244.origin
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) www.cu####.com:80
- TCP(HTTP/1.1) www.zfr####.com:80
DNS requests:
- www.cu####.com
- www.zfr####.com
HTTP GET requests:
- www.cu####.com/20180530155843.BdJar521Dex_05301557.zip
HTTP POST requests:
- www.zfr####.com/up.do
Modified file system:
Creates the following files:
- /data/data/####/backw
- /data/data/####/cn_rs.xml
- /data/data/####/com.ort.kp_preferences.xml
- /data/data/####/d.zip
- /data/data/####/dtemp.apk
- /data/data/####/lib_v19n.dat
- /data/data/####/m_cfg.xml
- /data/data/####/mesosphere_v19n.jar
- /data/data/####/ob3.zip
- /data/data/####/t_ini.xml
- /data/media/####/pid
- /data/media/####/sp
Miscellaneous:
Executes next shell scripts:
- app_process /system/bin com.android.commands.am.Am startservice --user 0 -n <Package>/com.zon.qoo.MS
- chmod 777 <Package Folder>/backw
- dd if=<Package Folder>/lib/libbackw.so of=<Package Folder>/backw
- sh
Loads the following dynamic libraries:
- backw
Uses the following algorithms to encrypt data:
- AES-ECB-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES
- AES-ECB-PKCS5Padding
Gains access to telephone information (number, imei, etc.).
Parses information from SMS messages.
