Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Triada.467.origin
- Android.Xiny.287.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 45.79.1####.241:80
- TCP(HTTP/1.1) api.bi####.com:80
- TCP(HTTP/1.1) api.f####.com:80
- TCP(HTTP/1.1) www.koapk####.com:8081
- TCP api.f####.com:80
DNS requests:
- api.bi####.com
- api.f####.com
- mt####.go####.com
- www.koapk####.com
HTTP GET requests:
- api.f####.com/co?u=####&s=####&gaid=####&imei=####&androidId=####&at=###...
HTTP POST requests:
- api.bi####.com/un
- www.koapk####.com:8081/sm/sr/rt/ry
File system changes:
Creates the following files:
- /data/data/####/20160121.xml
- /data/data/####/20160121.xml.bak
- /data/data/####/201912181550.apk
- /data/data/####/201912181550.dex
- /data/data/####/3f7b6523-8eca-4a3a-ad1c-b57b33abf918.dex (deleted)
- /data/data/####/3f7b6523-8eca-4a3a-ad1c-b57b33abf918.jar
- /data/data/####/49868988.apk
- /data/data/####/53091fe5-4f31-4214-9d13-f08d942cb1a9.dex (deleted)
- /data/data/####/53091fe5-4f31-4214-9d13-f08d942cb1a9.jar
- /data/data/####/9bc6244d-ad52-4e2a-b104-2d973bec8579.dex (deleted)
- /data/data/####/9bc6244d-ad52-4e2a-b104-2d973bec8579.jar
- /data/data/####/9c5f8a3e-7311-47ef-9989-d04716954f74.dex (deleted)
- /data/data/####/9c5f8a3e-7311-47ef-9989-d04716954f74.jar
- /data/data/####/MobikokCommonConfig.xml
- /data/data/####/MobikokCommonConfig.xml.bak
- /data/data/####/MobikokCommonConfig.xml.bak (deleted)
- /data/data/####/Q2hhbm5lbElES2V5MjAxNjEyMjcxODU3.xml
- /data/data/####/af8f0112-919d-4fa5-b9de-f03e8cb5ba3b.dex (deleted)
- /data/data/####/af8f0112-919d-4fa5-b9de-f03e8cb5ba3b.jar
- /data/data/####/b894d96f-d781-4194-83b6-69b141d2278e.dex (deleted)
- /data/data/####/b894d96f-d781-4194-83b6-69b141d2278e.jar
- /data/data/####/b954c360-bb4e-4434-9917-6d7f389a7eb5.dex (deleted)
- /data/data/####/b954c360-bb4e-4434-9917-6d7f389a7eb5.jar
- /data/data/####/bdownloaders.db
- /data/data/####/c201912181550.apk
- /data/data/####/c66c71ea-527c-4b22-aba1-745d733672d7.dex (deleted)
- /data/data/####/c66c71ea-527c-4b22-aba1-745d733672d7.jar
- /data/data/####/c68726d2-47f0-45ae-b557-ca910cfa3a4d.dex (deleted)
- /data/data/####/c68726d2-47f0-45ae-b557-ca910cfa3a4d.jar
- /data/data/####/dffdffd4-6f4b-4726-894f-ebdf5f910f01.dex (deleted)
- /data/data/####/dffdffd4-6f4b-4726-894f-ebdf5f910f01.jar
- /data/data/####/e57812d5-377a-4913-93cc-872d33a161f6.jar
- /data/data/####/f1cdf181-81cf-4b0f-a55d-3d6b6574fbfb.dex (deleted)
- /data/data/####/f1cdf181-81cf-4b0f-a55d-3d6b6574fbfb.jar
- /data/data/####/ja201908091350.data
- /data/data/####/libnav-6mdw2z.so
- /data/data/####/swith1014.db
- /data/data/####/swith1014.db-journal
- /data/data/####/webview.db
- /data/data/####/webview.db-journal
- /data/media/####/Config.txt
Miscellaneous:
Executes the following shell scripts:
- app_process /system/bin com.android.commands.pm.Pm path <Package>
- awk {print $9}
- grep 10109
- grep 10970
- grep 2297
- grep 3125
- grep 3976
- grep 4851
- grep 5749
- grep 6615
- grep 7448
- grep 8347
- grep 9201
- logcat -d -v time
- md5 /data/app/<Package>-1.apk
- ps
- sh
Loads the following dynamic libraries:
- com.jrey.shnu
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Accesses the ITelephony private interface.
Gets information about location.
Gets information about phone status (number, IMEI, etc.).
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
