Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Plague.1.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) c####.baidust####.com:80
- TCP(HTTP/1.1) g####.un####.50####.org:80
- TCP(HTTP/1.1) aserver####.m.ta####.com:80
- TCP(HTTP/1.1) oc.u####.com:80
- TCP(HTTP/1.1) bdse####.2####.com:80
- TCP(HTTP/1.1) j####.gg####.com:11203
- TCP(HTTP/1.1) yun.lveha####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) ggse####.2####.com.####.net:80
- TCP(HTTP/1.1) gg####.2####.com.####.net:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) si####.jom####.com:80
- TCP(HTTP/1.1) m.2####.com:80
- TCP(HTTP/1.1) j####.l####.58.com:80
- TCP(HTTP/1.1) ec####.b####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) thp.2####.com:80
- TCP(HTTP/1.1) 234####.dftou####.com:80
- TCP(HTTP/1.1) ti####.2####.com:80
- TCP(HTTP/1.1) em.b####.com:80
- TCP(TLS/1.0) l####.58.com:443
- TCP(TLS/1.0) c.5####.com.####.com:443
- TCP(TLS/1.0) i####.2####.com:443
- TCP(TLS/1.0) c####.baidust####.com:443
- TCP(TLS/1.0) trac####.58.com:443
DNS requests:
- 234####.dftou####.com
- a####.u####.com
- au.u####.co
- au.u####.com
- bdse####.2####.com
- c####.baidust####.com
- c.5####.com.cn
- c.c####.com
- cm.miao####.atm.####.com
- cm.pos.b####.com
- ec####.b####.com
- em.b####.com
- f12.b####.com
- fb.u####.com
- g####.un####.50####.org
- gg####.2####.com
- ggse####.2####.com
- i####.2####.com
- i####.2####.com
- i####.2####.com
- j####.gg####.com
- j####.l####.58.com
- j1.5####.com.cn
- l####.58.com
- m.2####.com
- oc.u####.com
- pos.b####.com
- s11.c####.com
- t12.b####.com
- thp.2####.com
- ti####.2####.com
- trac####.58.com
- w.w####.com
- w1.w####.com
- w2.w####.com
- yun.lveha####.com
- z13.c####.com
HTTP GET requests:
- 234####.dftou####.com/newsapi/newsjp?type=####&pgnum=####&ime=####&idx=#...
- aserver####.m.ta####.com/cm.gif?dspid=####
- bdse####.2####.com/lnkho/jsz?c=####
- bdse####.2####.com/lnkho/odz?c=####
- bdse####.2####.com/lnkho/w?c=####
- bdse####.2####.com/lnkho/wxd?c=####
- c####.baidust####.com/cpro/ui/cm.js
- c####.baidust####.com/js/react-dom.min.js
- c####.baidust####.com/js/react.min.js
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/z_stat.php?id=####
- ec####.b####.com/rs.jpg?type=####&stamp=####
- em.b####.com/pixel?media_sign=####&media_site=####
- em.b####.com/youku?mzid=####
- g####.un####.50####.org/activity/getboottheme?reqid=####&adsenseid=####&...
- gg####.2####.com.####.net/2e4d8bc2a586a06f.js
- ggse####.2####.com.####.net/m.html?baidu_error=####×tamp=####
- ggse####.2####.com.####.net/s?conwid=320&conhei=250&rdid=3190111&dc=3&ex...
- ggse####.2####.com.####.net/s?psi=1136345dfecc6e667c823797dc6a2495&di=u3...
- j####.l####.58.com/s?spm=####&ch=####
- m.2####.com/?l####
- m.2####.com/css/v5/common_index.css
- m.2####.com/css/v5/index_flow_index.css
- m.2####.com/images/close.png
- m.2####.com/images/placeholder.png
- m.2####.com/images/v4/close_btn01.png
- m.2####.com/images/v4/common/appstore/ie_logo.png
- m.2####.com/images/v4/common/logo_160516.png
- m.2####.com/images/weathericon/weather_32.png
- m.2####.com/js/v7/common.js
- m.2####.com/js/v7/md5.min.js
- m.2####.com/js/v7/search.js
- m.2####.com/js/v7/sha1.js
- m.2####.com/js/v7/template.js
- m.2####.com/js/v7/ui_flow_index.js?2018####
- m.2####.com/js/v7/zepto.cookie.min.js
- m.2####.com/js/v7/zepto.fx.js
- m.2####.com/js/v7/zepto.min.js
- m.2####.com/js/zepto.cookie.min.js
- m.2####.com/pic/logo/03038e191628d79c4968cc647a91c3a020170704110241.png
- m.2####.com/pic/logo/13bbf06bf50b79461c2be368e58f638320171009183646.png
- m.2####.com/pic/logo/20160519172933.png
- m.2####.com/pic/logo/20160519172937.png
- m.2####.com/pic/logo/20160519172942.png
- m.2####.com/pic/logo/4037dba6086149898a3df05f4f3b2f4420180104150332.png
- m.2####.com/pic/logo/6a9ea81eaa8d6670affd62c64dabda3a20180514115339.png
- m.2####.com/pic/logo/ee093b2bbb42a180d5d281cb881a54c320170331114538.png
- m.2####.com/pic/logo/mz_logo_fhw_20181214.png
- m.2####.com/pic/logo/mz_logo_kds.png
- m.2####.com/pic/logo/mz_logo_lhb.png
- m.2####.com/pic/logo/mz_logo_sh_20181214.png
- m.2####.com/pic/logo/mz_logo_tx_20181214.png
- m.2####.com/pic/logo/mz_logo_xl_20181214.png
- m.2####.com/pic/logo/mz_logo_zlzp.png
- si####.jom####.com/it/u=2159846807,2316192924&fm=76
- si####.jom####.com/it/u=2375891852,3536098053&fm=76
- si####.jom####.com/it/u=4103572961,1439453666&fm=76
- si####.jom####.com/it/u=646874954,2527626026&fm=76
- thp.2####.com/js/MBTHP
- thp.2####.com/web/MBTHP?uId2=####&r=####&fBL=####
- thp.2####.com/web/ajax154?uId2=SPTNPQRLSX&r=http://m.2345.com/?l####&ver...
- thp.2####.com/web/ajax154?uId2=SPTNPQRLSX&r=http://m.2345.com/?lm_37&fBL...
- ti####.2####.com/t/detect2009v2.php?ver=####
- yun.lveha####.com/h5/media/media-3.2.1.min.js
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
HTTP POST requests:
- a####.u####.com/app_logs
- g####.un####.50####.org/trrs?data[type]=####&data[action]=####&adsenseid...
- j####.gg####.com:11203/getInstallApkTotalInfo
- oc.u####.com/v2/check_config_update
- oc.u####.com/v2/get_update_time
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/2078574730300860149
- /data/data/####/app_cmxeclasses.jar
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/dbymi-journal
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/index
- /data/data/####/mobclick_agent_cached_com.youan.wifi20
- /data/data/####/mobclick_agent_online_setting_com.youan.wifi.xml
- /data/data/####/sp_wifi.xml
- /data/data/####/umeng_feedback_conversations.xml
- /data/data/####/umeng_feedback_user_info.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize_qq.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/wft_api10013-journal
- /data/data/####/wftwifi.db-journal
- /data/data/####/xUtils.db-journal
- /data/media/####/.nomedia
Miscellaneous:
Loads the following dynamic libraries:
- WiFi
- bspatch
- jgb
- uninstalled_observer
Uses the following algorithms to encrypt data:
- DES-ECB-PKCS5Padding
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about running apps.
Displays its own windows over windows of other apps.
Manages Wi-Fi connectivity.
