Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.1007.origin
- Android.RemoteCode.6122
- Android.Triada.573.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) top####.si####.com:80
- TCP(HTTP/1.1) c####.movab####.net:80
- TCP(HTTP/1.1) lo####.applove####.com:80
- TCP(HTTP/1.1) api.applove####.com:80
- TCP(HTTP/1.1) c####.saltil####.com:80
- TCP(TLS/1.0) lp.xl####.com:443
- TCP(TLS/1.0) labouti####.go2af####.com:443
- TCP(TLS/1.0) cpi-of####.com:443
- TCP(TLS/1.0) eu####.al####.com.####.net:443
- TCP(TLS/1.0) dir####.knmasdf####.com:443
- TCP(TLS/1.0) appstra####.com:443
- TCP(TLS/1.0) os####.9####.com:443
- TCP(TLS/1.0) t####.com:443
- TCP(TLS/1.0) hype####.gotrac####.com:443
- TCP(TLS/1.0) fo####.site:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) seven####.com:443
- TCP(TLS/1.0) ai.adta####.tech:443
- TCP(TLS/1.0) gd.a.s####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) trk.keepfol####.online:443
- TCP(TLS/1.2) www.google####.com:443
- TCP(TLS/1.2) 64.2####.161.94:443
- TCP(TLS/1.2) 74.1####.205.101:443
- UDP and####.google####.com:443
- UDP rr3---s####.g####.com:443
- UDP rr5---s####.g####.com:443
DNS requests:
- ai.adta####.tech
- and####.a####.go####.com
- and####.google####.com
- api.applove####.com
- appstra####.com
- c####.movab####.net
- c####.saltil####.com
- cpi-of####.com
- d2ftxlb####.cloudf####.net
- d2ftxlb####.cloudf####.net.####.8
- dir####.knmasdf####.com
- fo####.site
- gmscomp####.google####.com
- go2.lkjlkjk####.com
- hype####.gotrac####.com
- lo####.applove####.com
- lp.xl####.com
- md####.google####.com
- os####.9####.com
- p####.google####.com
- pv.s####.com
- rr3---s####.g####.com
- rr5---s####.g####.com
- s.c####.aliexp####.com
- seven####.com
- t####.com
- thinkbi####.g2####.com
- top####.si####.com
- trk.keepfol####.online
- wcf.seven####.com
- www.google####.com
HTTP GET requests:
- ai.adta####.tech:443/trace?offer_id=####&app_id=####&type=####&aff_sub2=...
- api.applove####.com/api/v3/cache/get?osv=####&srnc=####&token=####&ds=##...
- api.applove####.com/api/v3/template/get?slot_id=####&update_time=####&us...
- appstra####.com:443/tracking/click?trafficsource=####&clickid=####&pub_s...
- c####.movab####.net/api/v1/click?key=####&offer_id=####&gaid=####&idfa=#...
- c####.saltil####.com/click?pid=####&offer_id=####&sub1=####&sub2=####&su...
- cpi-of####.com:443/fantastic.html?size=####&red=####&ids=####&lastid=###...
- dir####.knmasdf####.com:443/redirect?aff=####&saff=####&q=####&bundle_id...
- eu####.al####.com.####.net:443/i/_9hDQwn?adid=####&dp=MAF1####&af=####&s...
- fo####.site:443/323ewew/s20220619151252.1
- gd.a.s####.com:443/cityjson
- hype####.gotrac####.com:443/click?campaign_id=####&pub_id=####&p1=####&s...
- hype####.gotrac####.com:443/click?campaign_id=####&pub_id=####&p1=newS##...
- labouti####.go2af####.com:443/click?pid=####&offer_id=####&sub1=####&sub...
- labouti####.go2af####.com:443/click?pid=####&offer_id=####&sub1=ne####&s...
- t####.com:443/t/857488?A1=####&A2=####&A4=####&A5=####&pip=####&plang=##...
- top####.si####.com/res/202206/ne/QC_7072_Hx3o_magboy.SYS
- trk.keepfol####.online:443/click?taghash=####&publisher=####&servty=####...
HTTP POST requests:
- lo####.applove####.com/android/v2/click_redirect
- lp.xl####.com:443/v1/ls/get
- os####.9####.com:443/typefish/en/cp/a
- os####.9####.com:443/typefish/en/cp/cou
- os####.9####.com:443/typefish/en/customer/reg
- seven####.com:443/OOService.svc/iuiuidasdsiiui
File system changes:
Creates the following files:
- /data/data/####/4e835fdc1d1d5480_0 (deleted)
- /data/data/####/65dc6aed327960fb_0 (deleted)
- /data/data/####/Cookies-journal
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/androidxcorealc0z.
- /data/data/####/androidxcorealc0z.dex (deleted)
- /data/data/####/androidxcorealc0z.dex.flock (deleted)
- /data/data/####/bab845634039547edf9770b8a3ee5b58.d
- /data/data/####/cc04a344ca095e117b547bf7142efd6e.d
- /data/data/####/cd_werozod
- /data/data/####/ck_sxwd.xml
- /data/data/####/com.acmakdheyc.dafkcjaeu_ct_default.xml
- /data/data/####/com.acmakdheyc.dafkcjaeu_preferences.xml
- /data/data/####/com.sdfwe.werw.case.の.bat_tryrty
- /data/data/####/commesgomgboy.
- /data/data/####/commesgomgboy.dex
- /data/data/####/commesgomgboy.dex.flock (deleted)
- /data/data/####/index
- /data/data/####/metrics_guid
- /data/data/####/osdk_l_40_7072.dex
- /data/data/####/osdk_l_40_7072.dex.flock (deleted)
- /data/data/####/s1s1k1_c2o3n23f2i3g2.xml
- /data/data/####/s20220619151252.dex
- /data/data/####/s20220619151252.dex.flock (deleted)
- /data/data/####/sp_dsoio.xml
- /data/data/####/sp_ytuetryetr.xml
- /data/data/####/the-real-index
- /data/data/####/times.xml
- /data/data/####/udu_id.xml
- /data/data/####/udu_r.xml
- /data/data/####/udu_r.xml.bak
- /data/data/####/udu_sid.xml
- /data/media/####/95d0cdc281f01e87f9512baff11df836
- /data/media/####/95d0cdc281f01e87f9512baff11df836.tmp
- /data/media/####/Log.txt
- /data/media/####/launchos.cfg
- /data/media/####/osdk_l_40_7072.jar
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- app_process /system/bin com.android.commands.pm.Pm list package -3
- cat /proc/version
- sh
Uses the following algorithms to encrypt data:
- AES
- DES
Uses the following algorithms to decrypt data:
- AES
- DES
- desede-CBC-PKCS5Padding
Accesses the ITelephony private interface.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
