Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.32
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.wagbr####.t####.####.com:80
- TCP(HTTP/1.1) int.d####.s####.####.cn:80
- TCP(HTTP/1.1) ip.ta####.com:80
- TCP(HTTP/1.1) q.c####.com:80
- TCP(HTTP/1.1) log.mm####.com:80
- TCP(HTTP/1.1) www.ta####.com:80
- TCP(HTTP/1.1) sh.wagbr####.alibaba####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) a####.al####.com:80
- TCP(HTTP/1.1) h5####.p####.cn:80
- TCP(HTTP/1.1) i####.51.la:80
- TCP(HTTP/1.1) js.u####.51.la:80
- TCP(HTTP/1.1) a.c####.com:80
- TCP(HTTP/1.1) gxb.mm####.com:80
- TCP(HTTP/1.1) m.ta####.com:80
- TCP(HTTP/1.1) def####.waf.ta####.com:80
- TCP(TLS/1.0) huhu-12####.f####.myqc####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) gw.al####.com:443
- TCP(TLS/1.0) re####.al####.com:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) like####.cc:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) m.ta####.com:443
- TCP(TLS/1.0) wild####.al####.com.####.net:443
DNS requests:
- a####.al####.com
- a.c####.com
- af####.ali####.com
- af####.ali####.com
- afp.al####.com
- afpt####.ali####.com
- app.jjl-####.com
- c####.mm####.com
- c.c####.com
- fee.feiyunh####.com
- gw.al####.com
- gxb.mm####.com
- h####.c####.com
- h####.c####.com
- h####.c####.com
- h5####.p####.cn
- h5.m.ta####.com
- huhu-12####.f####.myqc####.com
- i####.51.la
- i####.c####.com
- img.al####.com
- int.d####.s####.####.cn
- ip.ta####.com
- js.u####.51.la
- like####.cc
- log.mm####.com
- m.ta####.com
- new.c####.com
- pco####.ali####.com
- pco####.c####.com
- q14.c####.com
- re####.al####.com
- s.c####.com
- s22.c####.com
- s5.c####.com
- w.c####.com
- www.c####.com
- www.ta####.com
- z1.c####.com
HTTP GET requests:
- a####.al####.com/acookie.html
- a####.al####.com/afp-creative/creative/u46686923/a33c97c31b5e8aef10ebbaa...
- a####.al####.com/afp-creative/creative/u46686923/e7452824c6e75973bc96512...
- a####.al####.com/g/mm/afp-cdn/JS/k.js
- a####.al####.com/g/mm/afp-cdn/JS/r.js
- a####.wagbr####.t####.####.com/acookie.html
- a####.wagbr####.t####.####.com/clk?bid=####&pid=####&cid=####&mid=####&o...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_55850014&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56000332&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56322240&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56322262&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56344564&sp=1&c...
- a####.wagbr####.t####.####.com/imp?bid=####&pid=####&cid=####&mid=####&o...
- a####.wagbr####.t####.####.com/opt?bid=####&pid=####&cid=####&mid=####&o...
- a.c####.com/dplusTrack/?data=ey####&img=####&ip=####&dataver=####&_=####
- c.c####.com/c.php?id=####
- c.c####.com/c.php?id=####&l=####
- c.c####.com/core.php?web_id=####&l=####&t=####
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/dplus.php?id=####
- c.c####.com/img/2.gif
- c.c####.com/stat.php?id=####&web_id=####&show=####
- def####.waf.ta####.com/help_css/css.css
- def####.waf.ta####.com/help_images/icon.gif
- def####.waf.ta####.com/help_images/input_back.gif
- def####.waf.ta####.com/help_images/logo.gif
- def####.waf.ta####.com/help_images/logo1.gif
- def####.waf.ta####.com/help_images/menu_bottom.gif
- def####.waf.ta####.com/help_images/menu_top.gif
- def####.waf.ta####.com/help_images/search_back.gif
- def####.waf.ta####.com/help_images/search_button.gif
- def####.waf.ta####.com/help_images/search_pic.gif
- def####.waf.ta####.com/help_images/search_right.gif
- def####.waf.ta####.com/help_images/tit_back.gif
- def####.waf.ta####.com/support/cnzz.js
- def####.waf.ta####.com/support/jquery.min.js
- def####.waf.ta####.com/support/shiyongjiaochengjicui/2015/0612/182.html
- def####.waf.ta####.com/uploads/allimg/150612/1-1506121313593a.png
- gxb.mm####.com/gxb.gif?si=####&ref=####&lang=####&bw=####&bh=####&pu=###...
- h5####.p####.cn/Play/H6Category?t=####
- h5####.p####.cn/Play/H6Home
- i####.51.la/go1?id=####&rt=####&rl=####&lang=####&ct=####&pf=####&ins=##...
- int.d####.s####.####.cn/iplookup/iplookup.php?format=####
- ip.ta####.com/service/getIpInfo2.php?ip=####
- js.u####.51.la/19422581.js
- log.mm####.com/w.gif?logtype=1&pre=http://new.cnzz.com/v1/login.php?site...
- m.ta####.com/?sprefer=####
- q.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
- sh.wagbr####.alibaba####.com/stat/website.php?web_id=####
- sh.wagbr####.alibaba####.com/v1/images/an_download.gif
- sh.wagbr####.alibaba####.com/v1/images/ios_download.gif
- sh.wagbr####.alibaba####.com/v1/images/login/bqline.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button01.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button02.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button03.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button04.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button05.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button06.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button07.gif
- sh.wagbr####.alibaba####.com/v1/images/login/check.jpg
- sh.wagbr####.alibaba####.com/v1/images/login/leftback.jpg
- sh.wagbr####.alibaba####.com/v1/images/login/logo.gif
- sh.wagbr####.alibaba####.com/v1/images/login/titleback.jpg
- sh.wagbr####.alibaba####.com/v1/images/login/toolback.jpg
- sh.wagbr####.alibaba####.com/v1/images/login/topback.jpg
- sh.wagbr####.alibaba####.com/v1/images/qr/qr.php?siteid=####
- sh.wagbr####.alibaba####.com/v1/images/validate.php
- sh.wagbr####.alibaba####.com/v1/login.php?siteid=####
- www.ta####.com/
Modified file system:
Creates the following files:
- /data/data/####/EOZTzhVG.jar
- /data/data/####/cuyrsyqg.yxrxfqqm.gkkm.dlmmf_preferences.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/device_id.xml.xml
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/index
- /data/data/####/libus.so
- /data/data/####/libvia_pay.so
- /data/data/####/multidex.version.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/journal.tmp
Miscellaneous:
Loads the following dynamic libraries:
- agloi
- us
- via_pay
Uses the following algorithms to encrypt data:
- AES-ECB-PKCS5Padding
- RSA
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
