Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Xiny.160
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) uf####.b####.com:80
- TCP(HTTP/1.1) v####.a####.eeric####.com:80
- TCP(HTTP/1.1) box.jom####.com:80
- TCP(HTTP/1.1) wap.n.sh####.com:80
- TCP(HTTP/1.1) hpd.b####.com:80
- TCP(HTTP/1.1) v####.api.eeric####.com:80
- TCP(HTTP/1.1) supermo####.jom####.com:80
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) sv.bdst####.com.####.com:443
- TCP(TLS/1.0) ssls####.jom####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) wap.n.sh####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) box.jom####.com:443
DNS requests:
- a####.xctr####.com
- f####.b####.com
- g####.bdst####.com
- hpd.b####.com
- m.b####.com
- s.bdst####.com
- sm.b####.com
- ssl.gst####.com
- sv.bdst####.com
- uf####.b####.com
- v####.a####.eeric####.com
- v####.api.eeric####.com
- www.go####.com
- www.gst####.com
HTTP GET requests:
- box.jom####.com/common/openjs/openBox.js?_v=####
- hpd.b####.com/v.gif?tid=####&ct=####&cst=####&logFrom=####&logInfo=####&...
- supermo####.jom####.com/static/wiseindex/amd_modules/@searchfe/assert_3e...
- supermo####.jom####.com/static/wiseindex/amd_modules/@searchfe/promise_a...
- supermo####.jom####.com/static/wiseindex/amd_modules/@searchfe/underscor...
- supermo####.jom####.com/static/wiseindex/amd_modules/ralltiir_13df900.js
- supermo####.jom####.com/static/wiseindex/fonts/n-icons_d083fee.ttf
- supermo####.jom####.com/static/wiseindex/img/fetch_ing_8_0.png
- supermo####.jom####.com/static/wiseindex/js/lib/atomWrapper_6fc442d.js
- supermo####.jom####.com/static/wiseindex/js/package/newsActivity_f3a3935...
- supermo####.jom####.com/static/wiseindex/js/package/superframe_5b7bdae.js
- uf####.b####.com/?m=####&a=####&appid=####&activityId=####&needEmail=###...
- uf####.b####.com/Public/css/h5_commonHeader.css
- uf####.b####.com/Public/img/h5-list-arrow-left.png
- uf####.b####.com/Public/img/h5-myfb.png
- uf####.b####.com/Public/js/commonsubmit.js
- uf####.b####.com/Public/js/commonsubmit_config.js
- uf####.b####.com/Public/js/loading.js
- uf####.b####.com/Public/js/zepto.min.js
- v####.a####.eeric####.com/fileupload/00934f6c06dea89a.jar
- wap.n.sh####.com/
- wap.n.sh####.com/?action=####&ms=####&version=####&callback=####&r=####&...
- wap.n.sh####.com/se/static/img/iphone/logo.png
- wap.n.sh####.com/se/static/img/iphone/tab_loading__bg_logo.png
- wap.n.sh####.com/se/static/js/bundles/ala-util_893f93e.js
- wap.n.sh####.com/se/static/js/service/index_polymer_c9d50d1.js
- wap.n.sh####.com/se/static/js/service/index_seloader_release.js?v=####
- wap.n.sh####.com/se/static/wiseatom/personalcenter/pack_bc18b69.js
- wap.n.sh####.com/static/index/plus/public/icon_police.png
- wap.n.sh####.com/static/search/clear.png
- wap.n.sh####.com/sugrec?callback=####&type=####&prod=####&pic=####&from=...
- wap.n.sh####.com/tc?tcreq4log=####&r=####&logid=####&from=####&pu=####&c...
HTTP POST requests:
- v####.api.eeric####.com/api/payment/mobileInit.html
- v####.api.eeric####.com/api/payment/updateInit
File system changes:
Creates the following files:
- /data/data/####/560c55fa0c905529dc1345aa7badeba8.apk
- /data/data/####/daemon
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/done
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/index
- /data/data/####/libbsjni.so
- /data/data/####/libdaemon_api20.so
- /data/data/####/libdaemon_api21.so
- /data/data/####/libe960253d.so
- /data/data/####/libgoldcoast.so
- /data/data/####/libmegjb.so
- /data/data/####/libstub.so
- /data/data/####/smspaycom.wyzf.plugin.b.a.db
- /data/data/####/smspaycom.wyzf.plugin.b.a.db-journal
- /data/data/####/sp_name_configcom.wyzf.plugin.d.h.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/wyzf_config20189314.xml
- /data/data/####/wyzf_plg_5.1.9.jar
Miscellaneous:
Executes the following shell scripts:
- /system/bin/netcfg
- chmod 700 <Package Folder>/app_bin/daemon
Loads the following dynamic libraries:
- e960253d
Uses the following algorithms to encrypt data:
- DES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- DES-CBC-PKCS5Padding
Gets information about location.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
Gets information about sent/received SMS.
