Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Xiny.287.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 13.2####.16.115:8081
- TCP(HTTP/1.1) api.aaf####.com:3160
- TCP(HTTP/1.1) 45.79.2####.237:80
- TCP(HTTP/1.1) 5.z####.top:80
- TCP(HTTP/1.1) 45.79.2####.177:80
- TCP(HTTP/1.1) air.on####.com:80
- TCP(HTTP/1.1) g####.datac####.monster:80
- TCP(HTTP/1.1) www.okyes####.com:8081
- TCP(HTTP/1.1) 4.z####.top:9001
- TCP(HTTP/1.1) 1####.55.34.122:8080
- TCP(HTTP/1.1) d####.c####.l####.####.com:80
- TCP(HTTP/1.1) 1####.104.166.168:80
- TCP(HTTP/1.1) www.koapk####.com:8081
- TCP(HTTP/1.1) h####.xyz:80
- TCP(HTTP/1.1) 18.1####.225.218:3160
- TCP(HTTP/1.1) ggg.koapk####.com:80
- TCP(HTTP/1.1) 35.2####.2.193:80
- TCP(TLS/1.0) jsde####.a7####.flexbal####.net:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) datasta####.airmo####.com:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) pag####.googles####.com:443
- TCP(TLS/1.0) c####.pay####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) adser####.go####.nl:443
- TCP(TLS/1.0) adroit-####.app####.com:443
- TCP(TLS/1.0) f####.google####.com:443
- TCP(TLS/1.0) www.google-####.com:443
- TCP(TLS/1.0) eye.recap####.xyz:443
DNS requests:
- 4.z####.top
- 5.z####.top
- adroit-####.app####.com
- adser####.go####.com
- adser####.go####.nl
- air.on####.com
- api.aaf####.com
- c####.pay####.com
- c####.s####.com
- cdn.jsde####.net
- d####.f####.top
- datasta####.airmo####.com
- eye.recap####.xyz
- f####.google####.com
- f####.gst####.com
- g####.datac####.monster
- ggg.koapk####.com
- googl####.g.doublec####.net
- h####.xyz
- mt####.go####.com
- pag####.googles####.com
- www.google-####.com
- www.googlet####.com
- www.googlet####.com
- www.gst####.com
- www.koapk####.com
- www.okyes####.com
- www.recap####.net
HTTP GET requests:
- 1####.55.34.122:8080/ttad/api/jv5/K4fQ7748assbhjKl29VoXQ==/7616361F89986...
- 1####.55.34.122:8080/ttad/api/jv5/XlKT8DK4NNC256cM7Gh0AA==/7616361F89986...
- 5.z####.top/thirdsdk/flowcashpack/7/66612271034.jar
- air.on####.com/app.css
- air.on####.com/app.js
- air.on####.com/detail/5dd4f9b5A6.html
- air.on####.com/static/images/icon.png
- air.on####.com/static/images/lazyload.png
- d####.c####.l####.####.com/TTT000_0002.y
- h####.xyz/g/1832b3cc-662b-409f-9df0-aada325eb79f
HTTP POST requests:
- 1####.104.166.168/pgm/sr/gm/gy
- 13.2####.16.115:8081/sm/sr/sdl/in
- 18.1####.225.218:3160/ssp/ad/get/shuyun/AVA1WCYdSdsmQmUED4em5SCL_Z-LnU1O...
- 35.2####.2.193/get?enc=####
- 4.z####.top:9001/v1/ds
- g####.datac####.monster/get?enc=####
- www.koapk####.com:8081/sm/sr/rt/ry
- www.okyes####.com:8081/sdk/nsd.action?b=####
File system changes:
Creates the following files:
- /data/data/####/1.dex
- /data/data/####/1.dex (deleted)
- /data/data/####/1.jar
- /data/data/####/20160121.xml
- /data/data/####/201905151050.apk
- /data/data/####/201905151050.dex
- /data/data/####/62d0f57d252d11ea9799506b4b12c7600c97dd260f6b418...b1.dex
- /data/data/####/62d0f57d252d11ea9799506b4b12c7600c97dd260f6b418...rcache
- /data/data/####/86f3a5a3759b99f4510edcaeb850d612
- /data/data/####/92639384.apk
- /data/data/####/Q2hhbm5lbElES2V5MjAxNjEyMjcxODU3.xml
- /data/data/####/VirtualAPK_Settings.xml
- /data/data/####/ag.xml
- /data/data/####/bdownloaders.db
- /data/data/####/bdownloaders.db-journal
- /data/data/####/c201905151050.apk
- /data/data/####/config
- /data/data/####/d41d8cd98f00b204e9800998ecf8427e.xml
- /data/data/####/e72bb0c43f526908ec26974263decf62.xml
- /data/data/####/e72bb0c43f526908ec26974263decf62.xml.bak
- /data/data/####/ja201908091350.data
- /data/data/####/kxqd_config.xml
- /data/data/####/libloaddex.hb.com.loaddex.psx.so
- /data/data/####/lob.xml
- /data/data/####/m2019121917.apk
- /data/data/####/m2019121917.dex
- /data/data/####/mt_sdk_config.xml
- /data/data/####/rq_file.xml
- /data/data/####/rtr.db
- /data/data/####/rtr.db-journal
- /data/data/####/s2019121917.apk
- /data/data/####/s2019121917.dex
- /data/data/####/sp_cool.xml
- /data/data/####/sp_cool_a.xml
- /data/data/####/sunn.dex
- /data/data/####/sunn.jar
- /data/data/####/sunn.tmp (deleted)
- /data/data/####/sunn.x
- /data/data/####/swith1014.db
- /data/data/####/swith1014.db-journal
- /data/data/####/temp.zip (deleted)
- /data/data/####/ver.ini.xml
Miscellaneous:
Executes the following shell scripts:
- app_process /system/bin com.android.commands.pm.Pm path <Package>
- awk {print $9}
- grep 2333
- grep 3373
- grep 4128
- grep 5196
- grep 6076
- grep 6915
- grep 7788
- grep 8651
- logcat -d -v time
- md5 /data/app/<Package>-1.apk
- ps
- sh
Loads the following dynamic libraries:
- loaddex.hb.com.loaddex
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES
- AES-CBC-PKCS5Padding
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Displays its own windows over windows of other apps.
