Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.32
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) a####.wagbr####.t####.####.com:80
- TCP(HTTP/1.1) ip.ta####.com:80
- TCP(HTTP/1.1) q.c####.com:80
- TCP(HTTP/1.1) log.mm####.com:80
- TCP(HTTP/1.1) www.ta####.com:80
- TCP(HTTP/1.1) sh.wagbr####.alibaba####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) h5####.p####.cn:80
- TCP(HTTP/1.1) a####.al####.com:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) pco####.c####.com:80
- TCP(HTTP/1.1) i####.51.la:80
- TCP(HTTP/1.1) js.u####.51.la:80
- TCP(HTTP/1.1) pco####.ali####.com:80
- TCP(HTTP/1.1) gxb.mm####.com:80
- TCP(HTTP/1.1) m.ta####.com:80
- TCP(TLS/1.0) huhu-12####.f####.myqc####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) t####.renyan####.com:443
- TCP(TLS/1.0) gw.al####.com:443
- TCP(TLS/1.0) re####.al####.com:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) m.ta####.com:443
- TCP(TLS/1.0) wild####.al####.com.####.net:443
DNS requests:
- a####.al####.com
- af####.ali####.com
- af####.ali####.com
- afp.al####.com
- afpt####.ali####.com
- app.jjl-####.com
- c####.mm####.com
- c.c####.com
- fee.feiyunh####.com
- gw.al####.com
- gxb.mm####.com
- h####.c####.com
- h####.c####.com
- h5####.p####.cn
- h5.m.ta####.com
- huhu-12####.f####.myqc####.com
- i####.51.la
- i####.c####.com
- img.al####.com
- int.d####.s####.####.cn
- ip.ta####.com
- js.u####.51.la
- log.mm####.com
- m.ta####.com
- mt####.go####.com
- new.c####.com
- pco####.ali####.com
- pco####.c####.com
- q3.c####.com
- re####.al####.com
- s.c####.com
- s22.c####.com
- s5.c####.com
- t####.renyan####.com
- w.c####.com
- www.c####.com
- www.ta####.com
- z1.c####.com
HTTP GET requests:
- a####.al####.com/acookie.html
- a####.al####.com/afp-creative/creative/u46686923/527c168cffa4245269c1b1a...
- a####.al####.com/afp-creative/creative/u46686923/a33c97c31b5e8aef10ebbaa...
- a####.al####.com/afp-creative/creative/u46686923/ca4c3bf3d5851a60ce9a55a...
- a####.al####.com/afp-creative/creative/u46686923/cb538b6141cb0feb4c1ab63...
- a####.al####.com/afp-creative/creative/u46686923/df96851c838335e43c5bec7...
- a####.al####.com/afp-creative/creative/u46686923/e7452824c6e75973bc96512...
- a####.al####.com/afp-creative/creative/u46686923/fe3fcd5538d95ae880bd15f...
- a####.al####.com/g/mm/afp-cdn/JS/k.js
- a####.al####.com/g/mm/afp-cdn/JS/r.js
- a####.wagbr####.t####.####.com/acookie.html
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_55850014&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56000332&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56322240&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56322262&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56332536&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56338420&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56344564&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56350295&sp=1&c...
- a####.wagbr####.t####.####.com/ex?a=mm_46686923_14002394_56350300&sp=1&c...
- a####.wagbr####.t####.####.com/imp?bid=####&pid=####&cid=####&mid=####&o...
- a####.wagbr####.t####.####.com/opt?bid=####&pid=####&cid=####&mid=####&o...
- c.c####.com/c.php?id=####
- c.c####.com/c.php?id=####&l=####
- c.c####.com/core.php?web_id=####&l=####&t=####
- c.c####.com/core.php?web_id=####&show=####&t=####
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/img/2.gif
- c.c####.com/img/pic.gif
- c.c####.com/stat.php?id=####&web_id=####&show=####
- gxb.mm####.com/gxb.gif?si=####&ref=####&lang=####&bw=####&bh=####&pu=###...
- h5####.p####.cn/Play/H6Category?t=####
- h5####.p####.cn/Play/H6Home
- h5####.p####.cn/Play/Live
- i####.51.la/go1?id=####&rt=####&rl=####&lang=####&ct=####&pf=####&ins=##...
- ip.ta####.com/service/getIpInfo2.php?ip=####
- js.u####.51.la/19560175.js
- log.mm####.com/w.gif?logtype=1&pre=http://new.cnzz.com/v1/login.php?site...
- m.ta####.com/?sprefer=####
- pco####.ali####.com/app.gif?&cna=####
- pco####.c####.com/app.gif?&cna=####
- q.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
- sh.wagbr####.alibaba####.com/stat/website.php?web_id=####
- sh.wagbr####.alibaba####.com/v1/images/an_download.gif
- sh.wagbr####.alibaba####.com/v1/images/ios_download.gif
- sh.wagbr####.alibaba####.com/v1/images/login/bqline.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button01.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button02.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button03.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button04.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button05.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button06.gif
- sh.wagbr####.alibaba####.com/v1/images/login/button07.gif
- sh.wagbr####.alibaba####.com/v1/images/login/check.jpg
- sh.wagbr####.alibaba####.com/v1/images/login/leftback.jpg
- sh.wagbr####.alibaba####.com/v1/images/login/logo.gif
- sh.wagbr####.alibaba####.com/v1/images/login/titleback.jpg
- sh.wagbr####.alibaba####.com/v1/images/login/toolback.jpg
- sh.wagbr####.alibaba####.com/v1/images/login/topback.jpg
- sh.wagbr####.alibaba####.com/v1/images/qr/qr.php?siteid=####
- sh.wagbr####.alibaba####.com/v1/images/validate.php
- sh.wagbr####.alibaba####.com/v1/login.php?siteid=####
- www.ta####.com/
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
Modified file system:
Creates the following files:
- /data/data/####/EOZTzhVG.jar
- /data/data/####/cnjwamp.hrubvqev.hrgy.nlndon_preferences.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/device_id.xml.xml
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/index
- /data/data/####/libus.so
- /data/data/####/libvia_pay.so
- /data/data/####/multidex.version.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/journal.tmp
Miscellaneous:
Loads the following dynamic libraries:
- fyxzd
- us
- via_pay
Uses the following algorithms to encrypt data:
- AES-ECB-PKCS5Padding
- RSA
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
