Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.1051.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) greedyf####.com:80
- TCP(TLS/1.0) contex####.m####.net:443
- TCP(TLS/1.0) greedyf####.com:443
- TCP(TLS/1.0) rr5---s####.g####.com:443
- TCP(TLS/1.0) 1####.250.179.138:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.0) p1.zem####.com:443
- TCP(TLS/1.0) a####.cloudf####.com:443
- TCP(TLS/1.0) al####.u####.com:443
- TCP(TLS/1.0) wild####.outb####.com.####.net:443
- TCP(TLS/1.0) rr1---s####.g####.com:443
- TCP(TLS/1.0) 7.z####.top:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) bxx.pooboo####.com:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) rr3---s####.g####.com:443
- TCP(TLS/1.0) log.outb####.org:443
- TCP(TLS/1.0) securep####.g.doublec####.net:443
- TCP(TLS/1.0) globalh####.com:443
- TCP(TLS/1.0) wild####.outbrai####.com.####.net:443
- TCP(TLS/1.0) btlo####.com:443
- TCP(TLS/1.0) plb####.u####.com:443
- TCP(TLS/1.0) mcdp-ch####.outb####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) b####.pb####.com:443
- TCP(TLS/1.0) 5.ah####.com:443
- TCP(TLS/1.0) f####.google####.com:443
- TCP(TLS/1.0) pla####.google####.com:443
- TCP(TLS/1.0) odb.outb####.com:443
- TCP(TLS/1.0) b.airmo####.com:443
- TCP(TLS/1.0) d.adup-####.com:443
- TCP(TLS/1.2) 1####.250.179.138:443
- TCP(TLS/1.2) 1####.251.39.99:443
- UDP 1####.250.179.138:443
- UDP p####.google####.com:443
- UDP rr1---s####.g####.com:443
- UDP rr3---s####.g####.com:443
- UDP rr5---s####.g####.com:443
DNS requests:
- 5.ah####.com
- 7.z####.top
- a####.cloudf####.com
- and####.a####.go####.####.8
- and####.a####.go####.com
- and####.google####.com
- android####.go####.com
- b####.pb####.com
- b.airmo####.com
- btlo####.com
- bxx.pooboo####.com
- contex####.m####.net
- d.adup-####.com
- f####.google####.com
- f####.gst####.com
- globalh####.com
- greedyf####.com
- im####.outbrai####.com
- log.outbrai####.com
- mcdp-ch####.outb####.com
- odb.outb####.com
- p####.google####.com
- p####.outb####.com
- p1.zem####.com
- pag####.googles####.com
- pla####.google####.com
- plb####.u####.com
- rr1---s####.g####.com
- rr3---s####.g####.com
- rr5---s####.g####.com
- s.airmo####.com
- securep####.g.doublec####.net
- tc####.outbrai####.com
- u####.u####.com
- wid####.outb####.com
- widget-####.outb####.com
- www.googlet####.com
- www.gst####.com
HTTP GET requests:
- 5.ah####.com:443/thirdsdk/flowcashpack/103/mgidnews-140a-202107061216d
- 5.ah####.com:443/thirdsdk/flowcashpack/113/umenews-136a-202204071858d
- 5.ah####.com:443/thirdsdk/flowcashpack/116/mgidnews2-137a-202107061200d
- 5.ah####.com:443/thirdsdk/flowcashpack/150/umenews2-135a-202203311931d
- 5.ah####.com:443/thirdsdk/flowcashpack/154/mgidnews3-151a-202112311508d
- 5.ah####.com:443/thirdsdk/flowcashpack/162/bingAdOA-145a-202203311946d
- 5.ah####.com:443/thirdsdk/flowcashpack/168/bingAdOA2-151a-202203312002d
- 5.ah####.com:443/thirdsdk/flowcashpack/172/offer2-170a-202201211803d
- 5.ah####.com:443/thirdsdk/flowcashpack/99/offer-166a-202203111503d
- greedyf####.com/index.php/nl/2022/05/05/de-meest-creatieve-vliegtuigbesc...
HTTP POST requests:
- 7.z####.top:443/v1/mgidnews
- 7.z####.top:443/v1/mgidnews2
- 7.z####.top:443/v1/mgidnews3
- al####.u####.com:443/unify_logs
- b.airmo####.com:443/v1/bingAd
- b.airmo####.com:443/v1/bingAdOA
- b.airmo####.com:443/v1/bingAdOA2
- b.airmo####.com:443/v1/hwstask?cid=####
- b.airmo####.com:443/v2/bingAd2
- b.airmo####.com:443/v2/hwstask?cid=####
- bxx.pooboo####.com:443/v1/init?id=####
- bxx.pooboo####.com:443/v1/mr?id=####
- plb####.u####.com:443/umpx_internal
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/011134986548f3458aa3e7e2a7fceb8d
- /data/data/####/0753c0afb1f0b24b_0
- /data/data/####/089528098f4636e0_0
- /data/data/####/0e868318fe23a092_0
- /data/data/####/10814363d46e0cae_0
- /data/data/####/112162nbp
- /data/data/####/112162nbp.dex
- /data/data/####/112162nbp.dex.flock (deleted)
- /data/data/####/12b374e78c41631b_0
- /data/data/####/12b5fc0e2731b877524cf3c67a65d81b.xml
- /data/data/####/1616060d558b6ef5_0
- /data/data/####/1dcc7836085c82cf_0
- /data/data/####/220814b94ff97711_0
- /data/data/####/2353c2f2499e99ec_0
- /data/data/####/288b3fa2265be166_0
- /data/data/####/293ca98097a10174_0
- /data/data/####/2f556017fc3066d7_0
- /data/data/####/2f556017fc3066d7_1
- /data/data/####/32786e255a101d60_0
- /data/data/####/32786e255a101d60_1
- /data/data/####/32f325d8522dbf91793275735cd62949.xml
- /data/data/####/346718d74127d9d7_0
- /data/data/####/39be7a2fb0ae4f26_0
- /data/data/####/3cc1c5364fcd6751_0
- /data/data/####/442e223132488841_0 (deleted)
- /data/data/####/474ad74b6887f38c_0
- /data/data/####/49891a8ed50b23d397dfcef3dec249f5.xml
- /data/data/####/4b27d66720c31cac_0
- /data/data/####/4c0696016476936e_0 (deleted)
- /data/data/####/5cca86f8554b015d_0
- /data/data/####/6b64d6b12d6b654d_0
- /data/data/####/73e389489ae4fc75_0
- /data/data/####/764d0656e2d23ffd_0
- /data/data/####/7ee81254260289c4_0
- /data/data/####/830a5b5b8d51c0c9ff0e9e1a23b8cf4d.xml
- /data/data/####/85e499503ef8fa75_0 (deleted)
- /data/data/####/8a73aecd4a919f10_0
- /data/data/####/922107b6a2c06d71ac7a70ce9f418426.xml
- /data/data/####/93a98e8c1440f39b_0
- /data/data/####/94839abec2981189_0 (deleted)
- /data/data/####/98e3e0c477ca7b5a_0
- /data/data/####/99623aaa
- /data/data/####/99623aaa.dex
- /data/data/####/99623aaa.dex.flock (deleted)
- /data/data/####/9c292e1203a2905c_0
- /data/data/####/Cookies-journal
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/a40431393004e0e7_0
- /data/data/####/a56811a5f7f3643f_0
- /data/data/####/af001773881cfa2e_0
- /data/data/####/b60b4f1c2a79aa8f_0
- /data/data/####/b60b4f1c2a79aa8f_1
- /data/data/####/bd82a0ca364aef5f_0
- /data/data/####/c39826b13236c682_0
- /data/data/####/c39826b13236c682_1
- /data/data/####/c6d98674f93ac912_0
- /data/data/####/ca78e1287f83b3ef_0
- /data/data/####/cd8b1408adf949c8_0
- /data/data/####/com.ahxja.oqtpk_preferences.xml
- /data/data/####/d69d2e54e5b584b6b69254cc35c04c07.xml
- /data/data/####/d7388e2ce26edaa6_0
- /data/data/####/dW1weF9pbnRlcm5hbF8xNjUyNDI5NTE0MDY0;
- /data/data/####/ddbd1381e61f66d8_0
- /data/data/####/df3f9a467c5b22a0_0 (deleted)
- /data/data/####/e432220e60f3f673_0
- /data/data/####/e434c7fdb7727767_0
- /data/data/####/e4578f565fdf4d90_0
- /data/data/####/e91acbfe1a6545d6_0
- /data/data/####/ea0eeb8276f0571ec290eb23c3f787dd.xml
- /data/data/####/ed20838c7457a291_0
- /data/data/####/ef37d4b3278d9f59_0
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f9019f6a514b8e22_0
- /data/data/####/f9500920f58ff77a_0
- /data/data/####/facc876c30459ea8_0
- /data/data/####/fc2f111c1bb142f9_0
- /data/data/####/fc782376c5e21a0947860b9f4521031c.xml
- /data/data/####/fde9df54b00811ec82027cd30adffce00fc2ac5b-80dc-4...bb.dex
- /data/data/####/fde9df54b00811ec82027cd30adffce00fc2ac5b-80dc-4...e914bb
- /data/data/####/fde9df54b00811ec82027cd30adffce00fc2ac5b-80dc-4...leted)
- /data/data/####/fde9df54b00811ec82027cd30adffce011e69eb0e1401fa...697b1e
- /data/data/####/fde9df54b00811ec82027cd30adffce011e69eb0e1401fa...ecache
- /data/data/####/fde9df54b00811ec82027cd30adffce014536b7ffbd5520...0e963c
- /data/data/####/fde9df54b00811ec82027cd30adffce014536b7ffbd5520...ccache
- /data/data/####/fde9df54b00811ec82027cd30adffce01c3464bb-7eac-4...013105
- /data/data/####/fde9df54b00811ec82027cd30adffce01c3464bb-7eac-4...05.dex
- /data/data/####/fde9df54b00811ec82027cd30adffce01c3464bb-7eac-4...leted)
- /data/data/####/fde9df54b00811ec82027cd30adffce021fd0cb3-77d0-4...8793be
- /data/data/####/fde9df54b00811ec82027cd30adffce021fd0cb3-77d0-4...be.dex
- /data/data/####/fde9df54b00811ec82027cd30adffce021fd0cb3-77d0-4...leted)
- /data/data/####/fde9df54b00811ec82027cd30adffce02e334f78-5974-4...28bb37
- /data/data/####/fde9df54b00811ec82027cd30adffce02e334f78-5974-4...37.dex
- /data/data/####/fde9df54b00811ec82027cd30adffce02e334f78-5974-4...leted)
- /data/data/####/fde9df54b00811ec82027cd30adffce031b772084f4e478...3cache
- /data/data/####/fde9df54b00811ec82027cd30adffce0322ab1fd-6e2b-4...96.dex
- /data/data/####/fde9df54b00811ec82027cd30adffce0322ab1fd-6e2b-4...b35a96
- /data/data/####/fde9df54b00811ec82027cd30adffce0322ab1fd-6e2b-4...leted)
- /data/data/####/fde9df54b00811ec82027cd30adffce03440f7f16c4ee95...0c9749
- /data/data/####/fde9df54b00811ec82027cd30adffce03440f7f16c4ee95...9cache
- /data/data/####/fde9df54b00811ec82027cd30adffce0361312bd-6b4c-4...5d62cc
- /data/data/####/fde9df54b00811ec82027cd30adffce0361312bd-6b4c-4...cc.dex
- /data/data/####/fde9df54b00811ec82027cd30adffce0361312bd-6b4c-4...leted)
- /data/data/####/fde9df54b00811ec82027cd30adffce062b26e3e-c51b-4...3399e2
- /data/data/####/fde9df54b00811ec82027cd30adffce062b26e3e-c51b-4...e2.dex
- /data/data/####/fde9df54b00811ec82027cd30adffce062b26e3e-c51b-4...leted)
- /data/data/####/fde9df54b00811ec82027cd30adffce0700e4264-37aa-4...295d9e
- /data/data/####/fde9df54b00811ec82027cd30adffce0700e4264-37aa-4...9e.dex
- /data/data/####/fde9df54b00811ec82027cd30adffce0700e4264-37aa-4...leted)
- /data/data/####/fde9df54b00811ec82027cd30adffce07f330257fa0f7d0...849278
- /data/data/####/fde9df54b00811ec82027cd30adffce07f330257fa0f7d0...8cache
- /data/data/####/fde9df54b00811ec82027cd30adffce08adefe407c55b22...5cache
- /data/data/####/fde9df54b00811ec82027cd30adffce08adefe407c55b22...e5e475
- /data/data/####/fde9df54b00811ec82027cd30adffce09967d9cd48eb186...acache
- /data/data/####/fde9df54b00811ec82027cd30adffce0ee3780d83d4e414...3cache
- /data/data/####/fde9df54b00811ec82027cd30adffce0ee3780d83d4e414...851643
- /data/data/####/fde9df54b00811ec82027cd30adffce0f80aa90fbc9e8ee...119631
- /data/data/####/fde9df54b00811ec82027cd30adffce0f80aa90fbc9e8ee...1cache
- /data/data/####/fde9df54b00811ec82027cd30adffce0fc4b96e9-2dd6-4...93.dex
- /data/data/####/fde9df54b00811ec82027cd30adffce0fc4b96e9-2dd6-4...dbd393
- /data/data/####/fde9df54b00811ec82027cd30adffce0fc4b96e9-2dd6-4...leted)
- /data/data/####/https_globalhotnews365.com_0.localstorage-journal
- /data/data/####/i==1.2.0&&1.0_1652429514031_envelope.log
- /data/data/####/index
- /data/data/####/info.xml
- /data/data/####/metrics_guid
- /data/data/####/t==8.0.0&&1.0_1652429514531_envelope.log
- /data/data/####/the-real-index
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak
- /data/data/####/umeng_it.cache
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- ls /
- ls /sys/class/thermal
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS7Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Accesses the ITelephony private interface.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
