Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Xiny.232.origin
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) www.cu####.com:80
- TCP(HTTP/1.1) h5.n####.com:80
- TCP(HTTP/1.1) www.zfr####.com:80
DNS requests:
- h5.n####.com
- www.cu####.com
- www.zfr####.com
HTTP GET requests:
- www.cu####.com/20180813174437.d_2018013_702.zip
HTTP POST requests:
- h5.n####.com/deploy/gttask
- www.zfr####.com/up.do
Modified file system:
Creates the following files:
- /data/data/####/D1100other_config.xml
- /data/data/####/D1100sp_config.xml
- /data/data/####/D1100upgrade_config.xml
- /data/data/####/backw
- /data/data/####/d.zip
- /data/data/####/dtemp.apk
- /data/data/####/m_cfg.xml
- /data/data/####/my.db
- /data/data/####/my.db-journal
- /data/data/####/ob.zip
- /data/data/####/sp_click_cf.xml
- /data/data/####/t_ini.xml
- /data/media/####/pid
Miscellaneous:
Executes next shell scripts:
- app_process /system/bin com.android.commands.am.Am startservice --user 0 -n <Package>/com.zon.qoo.MS
- chmod 777 <Package Folder>/backw
- dd if=<Package Folder>/lib/libbackw.so of=<Package Folder>/backw
- sh
Loads the following dynamic libraries:
- backw
Uses the following algorithms to encrypt data:
- desede-ECB-PKCS5Padding
Gains access to telephone information (number, imei, etc.).
