Android.Packed.44101

Added to the Dr.Web virus database: 2019-04-10

Virus description added:

Technical information

Malicious functions:
Executes code of the following detected threats:
  • Android.DownLoader.792.origin
  • Android.DownLoader.793.origin
Network activity:
Connects to:
  • UDP(DNS) <Google DNS>
  • TCP(HTTP/1.1) g.al####.com:80
  • TCP(HTTP/1.1) sss.zhe####.com:80
  • TCP(HTTP/1.1) 58.2####.198.131:888
  • TCP(HTTP/1.1) dup.baidust####.com:80
  • TCP(HTTP/1.1) www.pc####.com.####.cn:80
  • TCP(HTTP/1.1) www.remo####.com:80
  • TCP(HTTP/1.1) xua####.5####.com:80
  • TCP(HTTP/1.1) ping####.qq.com:80
  • TCP(HTTP/1.1) s1.ps####.com:80
  • TCP(HTTP/1.1) pos.b####.com:80
  • TCP(HTTP/1.1) ni####.5####.com:3002
  • TCP(HTTP/1.1) c####.zhito####.com:807
  • TCP(HTTP/1.1) ec####.b####.com:80
  • TCP(HTTP/1.1) zf####.v.qin####.com:80
  • TCP(HTTP/1.1) ad.huoli####.cn:80
  • TCP(HTTP/1.1) v####.funs####.com:80
  • TCP(HTTP/1.1) sdk.91a####.com:80
  • TCP(HTTP/1.1) t####.qq.com:80
  • TCP(HTTP/1.1) h####.ha####.com:80
  • TCP(HTTP/1.1) s.zhe####.com:80
  • TCP(HTTP/1.1) as.j####.com:80
  • TCP(HTTP/1.1) ad.l####.com:3001
  • TCP(HTTP/1.1) mfs.y####.com:80
  • TCP(HTTP/1.1) yb.bugse####.com:3002
  • TCP(HTTP/1.1) w####.fun.tv:80
  • TCP(HTTP/1.1) pco####.ta####.com:80
  • TCP(HTTP/1.1) up####.v.qin####.com:80
  • TCP(HTTP/1.1) s.c####.com:80
  • TCP(HTTP/1.1) b####.bugse####.com:3001
  • TCP(HTTP/1.1) dd.arg####.com:80
  • TCP(HTTP/1.1) b####.bugse####.com:80
  • TCP(HTTP/1.1) yt.mm####.com:80
  • TCP(HTTP/1.1) sh.wagbr####.aliyun####.com:80
  • TCP(HTTP/1.1) ipv6-as####.m.ta####.com:80
  • TCP(HTTP/1.1) ssp.huay####.com:80
  • TCP(HTTP/1.1) a####.exc.mob.com:80
  • TCP(HTTP/1.1) crea####.j####.com:80
  • TCP(HTTP/1.1) ad.l####.com:80
  • TCP(HTTP/1.1) yb.bugse####.com:80
  • TCP(HTTP/1.1) gm.mm####.com:80
  • TCP(HTTP/1.1) log.mm####.com:80
  • TCP(HTTP/1.1) af.al####.com:80
  • TCP(HTTP/1.1) wed####.ha####.com:80
  • TCP(HTTP/1.1) c####.zhito####.com:808
  • TCP(HTTP/1.1) z.c####.com:80
  • TCP(HTTP/1.1) ni####.5####.com:80
  • TCP(HTTP/1.1) s####.funs####.net:80
  • TCP(HTTP/1.1) pco####.y####.com:80
  • TCP(HTTP/1.1) ad.l####.com:3002
  • TCP(HTTP/1.1) www.ha####.com:80
  • TCP(HTTP/1.1) produc####.3####.com.cn:80
  • TCP(HTTP/1.1) tui.zhito####.com:807
  • TCP(HTTP/1.1) bda####.b0.a####.com:80
  • TCP(HTTP/1.1) ni####.5####.com:3001
  • TCP(HTTP/1.1) c1.ha####.cn:80
  • TCP(HTTP/1.1) hm.b####.com:80
  • TCP(HTTP/1.1) b####.bugse####.com:3002
  • TCP(HTTP/1.1) c.c####.com:80
  • TCP(HTTP/1.1) ss.wx1####.com:80
  • TCP(HTTP/1.1) b####.bugse####.com:3000
  • TCP(HTTP/1.1) xua####.5####.com:3002
  • TCP(HTTP/1.1) amdc####.m.ta####.com:80
  • TCP(HTTP/1.1) a.y####.com:80
  • TCP(HTTP/1.1) 1####.31.213.162:80
  • TCP(HTTP/1.1) bb.dugeshe####.com:80
  • TCP(HTTP/1.1) www.x####.com:80
  • TCP(HTTP/1.1) www.3####.com:80
  • TCP(TLS/1.0) t####.qq.com:443
  • TCP(TLS/1.0) z.c####.com:443
  • TCP(TLS/1.0) us####.gsta####.net:443
  • TCP(TLS/1.0) gm.mm####.com:443
  • TCP(TLS/1.0) pos.b####.com:443
  • TCP(TLS/1.0) api.face####.com:443
  • TCP(TLS/1.0) log.mm####.com:443
  • TCP(TLS/1.0) 141504####.wo####.com:443
  • TCP(TLS/1.0) 2####.107.1.97:443
  • TCP(TLS/1.0) ec####.b####.com:443
  • TCP(TLS/1.0) api.appsf####.com:443
  • TCP(TLS/1.0) is.sn####.com:443
  • TCP(TLS/1.0) s3.ps####.com:443
  • TCP(TLS/1.0) mg####.pcon####.com.cn:443
  • TCP(TLS/1.0) 1####.217.19.206:443
  • TCP(TLS/1.0) js.3con####.com:443
  • TCP(TLS/1.0) www.pc####.com.####.cn:443
  • TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
  • TCP(TLS/1.0) p####.pc####.com.cn:443
  • TCP(TLS/1.0) c.c####.com:443
  • TCP(TLS/1.0) ivy.pcon####.com.cn:443
  • TCP(TLS/1.0) hm.b####.com:443
  • TCP(TLS/1.0) msg.umengc####.com:443
  • TCP(TLS/1.0) w.k####.me:443
  • TCP(TLS/1.0) dup.baidust####.com:443
  • TCP(TLS/1.0) t.appsf####.com:443
  • TCP(TLS/1.0) ipv6-as####.m.ta####.com:443
  • TCP(TLS/1.0) ad.doublec####.net:443
  • TCP(TLS/1.0) us-aebr####.ali####.com:443
  • TCP(TLS/1.0) s1.ps####.com:443
  • TCP 2####.119.215.163:80
  • TCP ope####.m.ta####.com:443
DNS requests:
  • 141504####.wo####.com
  • a####.exc.mob.com
  • a####.man.aliy####.com
  • a.y####.com
  • ad.doublec####.net
  • ad.huoli####.cn
  • ad.l####.com
  • adm.t####.com
  • af.al####.com
  • ag####.m.ta####.com
  • amdc####.m.ta####.com
  • api.appsf####.com
  • api.y####.com
  • as.j####.com
  • b####.bugse####.com
  • b####.bugse####.com
  • bb.dugeshe####.com
  • c####.atm.y####.com
  • c####.ha####.cn
  • c####.mm####.com
  • c####.zhito####.com
  • c.c####.com
  • c1.ha####.cn
  • crea####.j####.com
  • dd.arg####.com
  • dup.baidust####.com
  • ec####.b####.com
  • fou####.ali####.com
  • g####.face####.com
  • g.al####.com
  • global-####.dwgfast####.com
  • gm.mm####.com
  • h####.c####.com
  • h####.ha####.com
  • hm.b####.com
  • i####.com
  • ip.zhito####.com
  • is.sn####.com
  • ivy.pcon####.com.cn
  • js.3con####.com
  • log.mm####.com
  • mf.atm.y####.com
  • mg####.pcon####.com.cn
  • msg.umengc####.com
  • ni####.5####.com
  • p####.bugse####.com
  • p####.p####.com
  • p####.pc####.com.cn
  • pco####.c####.com
  • pco####.y####.com
  • ping####.qq.com
  • pl####.y####.com
  • plb####.u####.com
  • pos.b####.com
  • produc####.3####.com.cn
  • r2.y####.com
  • s####.funs####.net
  • s.c####.com
  • s.zhe####.com
  • s1.ps####.com
  • s11.c####.com
  • s13.c####.com
  • s19.c####.com
  • s22.c####.com
  • s23.c####.com
  • s3.ps####.com
  • s4.c####.com
  • s5.c####.com
  • s95.c####.com
  • s96.c####.com
  • sdk.91a####.com
  • ss.wx1####.com
  • ssp.huay####.com
  • sss.zhe####.com
  • st####.api.3g.####.com
  • st####.funs####.com
  • t####.qq.com
  • t.appsf####.com
  • ttt.arg####.com
  • tui.zhito####.com
  • u####.u####.com
  • umen####.m.ta####.com
  • umengj####.m.ta####.com
  • ups.y####.com
  • us####.gsta####.net
  • v####.fun.tv
  • v####.fun.tv
  • vt####.y####.com
  • vt####.y####.com
  • w####.fun.tv
  • w.k####.me
  • wed####.ha####.com
  • www.3####.com
  • www.ha####.com
  • www.pc####.com.cn
  • www.remo####.com
  • www.x####.com
  • xua####.5####.com
  • yb.bugse####.com
  • yt.mm####.com
  • z1.c####.com
  • z11.c####.com
  • z13.c####.com
  • z2.c####.com
  • z5.c####.com
  • z7.c####.com
  • z8.c####.com
  • z9.c####.com
HTTP GET requests:
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/css/cold.css
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/1.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/10.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/11.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/12.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/13.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/14.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/15.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/16.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/2.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/3.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/4.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/5.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/6.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/7.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/8.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/9.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/bkimg.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/btn-tb.gif
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/btn-tel.gif
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/gd.gif
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/tel.gif
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/images/zx.jpg
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/index.html
  • a.y####.com/wtsww1xgbs_gdf&clean&p-t/js/jquery-1.8.0.min.js
  • ad.huoli####.cn/fenpei.html?3####
  • ad.huoli####.cn/hz/ad4.html
  • ad.huoli####.cn/hz/ghwap.html
  • ad.huoli####.cn/wapm.html
  • ad.huoli####.cn/wapm1.html
  • ad.l####.com/ad
  • ad.l####.com:3001/api?rdtime=####&id=####&osv=####&imei=####&adid=####&m...
  • ad.l####.com:3002/api?rdtime=####&id=####&osv=####&imei=####&adid=####&m...
  • af.al####.com/AWSC/uab/115.js?d=####
  • af.al####.com/js/uac.js
  • as.j####.com/getStatus?id=SuC5####&h=####
  • as.j####.com/z_stat.js?m=FqYqz####
  • b####.bugse####.com/ad
  • b####.bugse####.com/adip
  • b####.bugse####.com:3000/api?rdtime=####&id=####&osv=####&imei=####&adid...
  • b####.bugse####.com:3001/api?rdtime=####&id=####&osv=####&imei=####&adid...
  • b####.bugse####.com:3002/api?rdtime=####&id=####&osv=####&imei=####&adid...
  • bb.dugeshe####.com/yxsl/a.js
  • bda####.b0.a####.com/lever/Android.html
  • bda####.b0.a####.com/still2017/ip_html/ip_2018_dw_003.html
  • c####.zhito####.com:807/17/shoubiaom.html
  • c####.zhito####.com:808/waptj.html
  • c.c####.com/core.php?web_id=####&t=####
  • c.c####.com/stat.php?id=####
  • c.c####.com/stat.php?id=####&web_id=####
  • c.c####.com/z_stat.php?id=####
  • c.c####.com/z_stat.php?id=####&web_id=####
  • c1.ha####.cn/js/ad/fl.js
  • crea####.j####.com/cnzz/1275568514.html
  • dd.arg####.com/yhws/channel/kg/kgsd.js
  • dup.baidust####.com/js/ds.js
  • dup.baidust####.com/js/os.js
  • ec####.b####.com/rs.jpg?type=####&stamp=####
  • g.al####.com/alilog/??s/8.10.4/plugin/aplus_client.js,aplus_cplugin/0.6....
  • g.al####.com/alilog/mlog/aplus_o.js
  • g.al####.com/ku/app-smartbanner/2.01.24/js/yksmartbanner.min.js
  • g.al####.com/ku/ykbannerLoader/1.01.26/js/ykbannerLoader.min.js
  • g.al####.com/secdev/entry/index.js?t=####
  • g.al####.com/secdev/sufei_data/3.7.1/index.js
  • gm.mm####.com/9.gif?abc=####&rnd=####
  • gm.mm####.com/yt/youkuplayer.fdl.playerckey?gmkey=####&gokey=v####&ccode...
  • gm.mm####.com/yt/youkuplayer.fdl.ykplayer_extad?gmkey=####&gokey####&cod...
  • gm.mm####.com/yt/youkuplayer.fdl.ykplayer_extad?gmkey=####&gokey=p####&c...
  • h####.ha####.com/opensina/hbpip_3_7280a1b0.php
  • h####.ha####.com/www/delivery/adcache/wedding_2019041011.js?v=####
  • h####.ha####.com/www/delivery/log.php?width=####&height=####&isFrame=###...
  • hm.b####.com/h.js?06ffaa0####
  • hm.b####.com/hm.gif?cc=1&ck=1&cl=16-bit&ds=600x800&vl=76&et=0&ja=0&ln=en...
  • hm.b####.com/hm.js?793a7d1####
  • ipv6-as####.m.ta####.com/embed/XMzU5NzgwNzc0OA==
  • ipv6-as####.m.ta####.com/iframeapi
  • ipv6-as####.m.ta####.com/mf?aw=####&vs=####&pver=####&tict=####&vr=####&...
  • ipv6-as####.m.ta####.com/mlog?lvs=####&sp=####&cd=####&p=####&ccode=####...
  • ipv6-as####.m.ta####.com/openapi-wireless/statis/recall_app_service
  • ipv6-as####.m.ta####.com/unifull/css/unifull.min.css?v=####
  • ipv6-as####.m.ta####.com/unifull/images/new_loading.png
  • ipv6-as####.m.ta####.com/unifull/images/new_player_icons.png
  • ipv6-as####.m.ta####.com/unifull/js/unifull.min.js?v=####
  • log.mm####.com/yt.gif?logtype=####&title=####&pre=####&c####&p-t/ind####...
  • mfs.y####.com/051000005B70F61A8B3D05FC770B0A61
  • mfs.y####.com/054104085AF44CEB0000012A600EFB30
  • ni####.5####.com/ad
  • ni####.5####.com:3001/api?rdtime=####&id=####&osv=####&imei=####&adid=##...
  • ni####.5####.com:3002/api?rdtime=####&id=####&osv=####&imei=####&adid=##...
  • pco####.ta####.com/app.gif?&cna=####
  • pco####.y####.com/app.gif?&cna=####
  • ping####.qq.com/pingd?dm=####&pvi=####&si=####&url=####&arg=####&ty=####...
  • pos.b####.com/accm?psi=####&di=####&dri=####&dis=####&dai=####&ps=####&e...
  • pos.b####.com/acmm?psi=####&di=####&dri=####&dis=####&dai=####&ps=####&e...
  • pos.b####.com/gcom?psi=####&di=####&dri=####&dis=####&dai=####&ps=####&e...
  • pos.b####.com/qcum?psi=bd3726b8eabbad1bbc7223fd2e818d7c&di=5897808&dri=0...
  • pos.b####.com/scmm?psi=####&di=####&dri=####&dis=####&dai=####&ps=####&e...
  • produc####.3####.com.cn/e_view.php/?key=####
  • s####.funs####.net/ecom-ad/ifar_all/?oc=####
  • s####.funs####.net/ecom-ad/ifar_duration/?rprotocol=####&fck=####&mick=#...
  • s####.funs####.net/ecom-ad/ifar_load/?rprotocol=1&fck=155487842407769&mi...
  • s.c####.com/s.htm?s=####&id=####&pid=####
  • s1.ps####.com/js/201501/iwt-min.js
  • ss.wx1####.com/yhws/channel/kg/as_kgsdi.html
  • ss.wx1####.com/yhws/channel/kg/as_kgsdo.html
  • ssp.huay####.com/adinfo.htm?pid=####
  • ssp.huay####.com/adinfo.htm?pid=####&protocol=####
  • sss.zhe####.com/static/20190408114016mod.enc
  • t####.qq.com/stats?sId=####
  • tui.zhito####.com:807/ip.html
  • up####.v.qin####.com/main/new/js/v8/core-min.js
  • up####.v.qin####.com/main/new/js/v8/html/statIwt_www_new-min.js?v=####
  • v####.funs####.com/vasd/pa/index?zzt=####&sid=####&ref=####&mick=####&cv...
  • w####.fun.tv/vplay/g-315225.v-984971
  • wed####.ha####.com/os_bms/js/common.js
  • wed####.ha####.com/os_bms/js/ir.js
  • www.3####.com/s.htm?s=####&id=####&pid=####
  • www.ha####.com/os_bms/js/monitor.js
  • www.ha####.com/os_bms/js/tj3.js
  • www.pc####.com.####.cn/autox/x2.html
  • www.remo####.com/xiaojing/2013/065.html
  • www.remo####.com/xiaojing/2013/guanggao.js
  • xua####.5####.com/ad
  • xua####.5####.com/api?rdtime=####&id=####&osv=####&imei=####&adid=####&m...
  • xua####.5####.com:3002/api?rdtime=####&id=####&osv=####&imei=####&adid=#...
  • yb.bugse####.com/ad
  • yb.bugse####.com/api?rdtime=####&id=####&osv=####&imei=####&adid=####&ma...
  • yb.bugse####.com:3002/api?rdtime=####&id=####&osv=####&imei=####&adid=##...
  • yt.mm####.com/yt/vp.vdoview?is_pread=####&REQID=####&replay=####&isRetry...
  • z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
  • z.c####.com/stat.htm?id=1258405568&r=http://ad.huolinghu.cn/hz/ad4.html&...
  • z.c####.com/stat.htm?id=1267940931&r=http://wedding.haibao.com/article/2...
  • zf####.v.qin####.com/market/ext/udc/c00100085.html?zzt=####
  • zf####.v.qin####.com/unet/static/udc.js?zzt=####
HTTP POST requests:
  • a####.exc.mob.com/errconf
  • amdc####.m.ta####.com/amdc/mobileDispatch?appkey=####&deviceId=####&plat...
  • s.zhe####.com/0/ca477c3b25914a5f821296be846eca73.html
  • s.zhe####.com/18/a41844eff5ff4a0a96c9603142acfcf6.html
  • s.zhe####.com/20/8c10c5184b36491eb6ed32bdbafb1eb4.html
  • s.zhe####.com/21/951b059d52e34526bd44b82d5204ff96.html
  • s.zhe####.com/api/CheckModule.ashx
  • s.zhe####.com/api/GetLockAppOpenTask.ashx
  • s.zhe####.com/api/GetModuleConfig.ashx
  • s.zhe####.com/api/GetPkNameList.ashx
  • s.zhe####.com/api/GetTreasureTask.ashx
  • s.zhe####.com/api/ReportAppLog.ashx
  • sdk.91a####.com/api/DeviceReport.ashx
  • sh.wagbr####.aliyun####.com/man/api?ak=####&s=####
  • wed####.ha####.com/
  • wed####.ha####.com/article/2481599.htm?prc=####
  • www.ha####.com/openapi_sina.htm
  • www.x####.com/ad/mobile/client.html
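The network section above is long, and most of it is third-party ad, analytics and push SDK traffic, so it helps to triage it mechanically before reading host by host. The Python below is an added example (not Dr.Web tooling and not code from the sample): it parses entries copied from this report's "Connects to" and "HTTP GET requests" lists, separates hostnames the report anonymises with `####` (which can never be blocked verbatim) from exact ones, flags plain HTTP on non-standard ports (888, 807/808 and 3000-3002 above), and lists which device-identifier query keys the ad SDK requests carry (`imei`, `adid`). The `IDENTIFIER_KEYS` set is the author's assumption; the embedded lines are a subset copied from the lists above.

```python
"""Triage helper for the "Network activity" section of a Dr.Web-style Android
report. Added example; the input lines are copied verbatim from the report
above (a subset), with the report's #### masking left in place."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

CONNECTS_TO = [  # copied from the "Connects to" list (subset)
    "UDP(DNS) <Google DNS>",
    "TCP(HTTP/1.1) g.al####.com:80",
    "TCP(HTTP/1.1) 58.2####.198.131:888",
    "TCP(HTTP/1.1) ni####.5####.com:3002",
    "TCP(HTTP/1.1) c####.zhito####.com:807",
    "TCP(HTTP/1.1) sss.zhe####.com:80",
    "TCP(TLS/1.0) api.appsf####.com:443",
    "TCP 2####.119.215.163:80",
]
GET_REQUESTS = [  # copied from "HTTP GET requests"; the report truncates with "..."
    "ad.l####.com:3001/api?rdtime=####&id=####&osv=####&imei=####&adid=####&m...",
    "sss.zhe####.com/static/20190408114016mod.enc",
    "hm.b####.com/hm.gif?cc=1&ck=1&cl=16-bit&ds=600x800&vl=76&et=0&ja=0&ln=en...",
]

# "TCP(HTTP/1.1) host:port", "TCP(TLS/1.0) host:port", "TCP host:port" or
# "UDP(DNS) <label>"; the trailing part may contain spaces (<Google DNS>).
CONN_RE = re.compile(r"^(?P<proto>TCP|UDP)(?:\((?P<app>[^)]*)\))?\s+(?P<rest>.+)$")
STANDARD_PORTS = {"HTTP/1.1": {80}, "TLS/1.0": {443}}
# Query-string keys that name device identifiers (author's assumption).
IDENTIFIER_KEYS = {"imei", "imsi", "adid", "mac", "deviceid", "androidid", "utdid"}


@dataclass(frozen=True)
class Endpoint:
    proto: str
    app: Optional[str]
    host: str
    port: Optional[int]
    masked: bool            # report anonymised part of the host with ####
    nonstandard_port: bool  # application protocol on a port it normally does not use


def parse_connection(line: str) -> Endpoint:
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised connection line: {line!r}")
    rest = m["rest"]
    host, port = rest, None
    if rest.startswith("<"):              # report substituted a label for the host
        host = rest.strip("<>")
    elif ":" in rest:                     # rpartition keeps IPv6-style hosts intact
        host, _, p = rest.rpartition(":")
        port = int(p)
    app = m["app"]
    nonstd = bool(app and port is not None and port not in STANDARD_PORTS.get(app, {port}))
    return Endpoint(m["proto"], app, host, port, "####" in host, nonstd)


def leaked_identifiers(url: str) -> set[str]:
    """Identifier-named keys in the URL's query string. Values are masked or
    truncated in the report, so only key names can be inspected."""
    path_and_query = url.split("/", 1)[1] if "/" in url else ""
    query = path_and_query.partition("?")[2]
    keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return keys & IDENTIFIER_KEYS


def summarize(conn_lines: list[str], get_urls: list[str]) -> dict:
    eps = [parse_connection(line) for line in conn_lines]
    return {
        "nonstandard_ports": sorted(f"{e.host}:{e.port}" for e in eps if e.nonstandard_port),
        "masked_hosts": sum(e.masked for e in eps),
        # Hosts usable verbatim in a blocklist: unmasked and with a real port.
        "exact_hosts": sorted(e.host for e in eps if not e.masked and e.port is not None),
        "identifier_keys": {
            u.split("/", 1)[0]: sorted(leaked_identifiers(u))
            for u in get_urls if leaked_identifiers(u)
        },
    }


if __name__ == "__main__":
    for key, value in summarize(CONNECTS_TO, GET_REQUESTS).items():
        print(f"{key}: {value}")
```

On the entries above every host is masked, so `exact_hosts` comes back empty: the report identifies the SDKs and infrastructure families involved, but the blockable indicators have to come from your own sandbox run of the sample, not from the published list.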
File system changes:
Creates the following files:
  • /data/data/####/.duid
  • /data/data/####/.imprint
  • /data/data/####/.jg.ic
  • /data/data/####/.lock
  • /data/data/####/.vpl_lock
  • /data/data/####/7448d5c67f3614db24f9c0addbe528aca866be68d4dea6f....0.tmp
  • /data/data/####/ACCS_BINDumeng;525f7baa56240b4be0104947.xml
  • /data/data/####/ACCS_SDK.xml
  • /data/data/####/ACCS_SDK_CHANNEL.xml
  • /data/data/####/ACCS_SDK_CHANNEL.xml.bak (deleted)
  • /data/data/####/AGOO_BIND.xml
  • /data/data/####/Agoo_AppStore.xml
  • /data/data/####/Alvin2.xml
  • /data/data/####/AppEventsLogger.persistedevents
  • /data/data/####/ContextData.xml
  • /data/data/####/DaemonServer
  • /data/data/####/MessageStore.db-journal
  • /data/data/####/MsgLogStore.db-journal
  • /data/data/####/MultiDex.lock
  • /data/data/####/ThrowalbeLog.db-journal
  • /data/data/####/a==7.5.3&&3.2.4_1554878364074_envelope.log
  • /data/data/####/accs.db-journal
  • /data/data/####/agoo.pid
  • /data/data/####/app_gstar_data.xml
  • /data/data/####/appsflyer-data.xml
  • /data/data/####/cc.xml
  • /data/data/####/com.facebook.internal.SKU_DETAILS.xml
  • /data/data/####/com.facebook.internal.preferences.APP_GATEKEEPERS.xml
  • /data/data/####/com.facebook.internal.preferences.APP_SETTINGS.xml
  • /data/data/####/com.facebook.sdk.appEventPreferences.xml
  • /data/data/####/com.facebook.sdk.attributionTracking.xml
  • /data/data/####/com.google.android.gms.analytics.prefs.xml
  • /data/data/####/com.gstarmc.android_preferences.xml
  • /data/data/####/dW1weF9pbnRlcm5hbF8xNTU0ODc4MzYxMjA4;
  • /data/data/####/dW1weF9wdXNoX2xhdW5jaF8xNTU0ODc4Mzc2MDM3;
  • /data/data/####/dW1weF9wdXNoX3JlZ2lzdGVyXzE1NTQ4NzgzNjU5NDk=;
  • /data/data/####/data_0
  • /data/data/####/data_1
  • /data/data/####/data_2
  • /data/data/####/data_3
  • /data/data/####/deed5942281a1329293aebd162a6ccfe.xml
  • /data/data/####/domain_1
  • /data/data/####/downloader.db-journal
  • /data/data/####/exchangeIdentity.json
  • /data/data/####/exid.dat
  • /data/data/####/f_000001
  • /data/data/####/f_000002
  • /data/data/####/f_000003
  • /data/data/####/f_000004
  • /data/data/####/f_000005
  • /data/data/####/f_000006
  • /data/data/####/f_000007
  • /data/data/####/f_000008
  • /data/data/####/f_000009
  • /data/data/####/f_00000a
  • /data/data/####/f_00000b
  • /data/data/####/f_00000c
  • /data/data/####/f_00000d
  • /data/data/####/f_00000e
  • /data/data/####/f_00000f
  • /data/data/####/f_000010
  • /data/data/####/f_000011
  • /data/data/####/f_000012
  • /data/data/####/f_000013
  • /data/data/####/f_000014
  • /data/data/####/f_000015
  • /data/data/####/f_000016
  • /data/data/####/f_000017
  • /data/data/####/f_000018
  • /data/data/####/f_000019
  • /data/data/####/f_00001a
  • /data/data/####/f_00001b
  • /data/data/####/google_analytics_v4.db-journal
  • /data/data/####/httpdns_config_cache.xml
  • /data/data/####/i==1.2.0&&3.2.4_1554878361337_envelope.log
  • /data/data/####/index
  • /data/data/####/info.xml
  • /data/data/####/journal.tmp
  • /data/data/####/libjiagu-1701131331.so
  • /data/data/####/max_pref.xml
  • /data/data/####/message_accs_db
  • /data/data/####/message_accs_db-journal
  • /data/data/####/mob_commons_1
  • /data/data/####/mob_sdk_exception_1
  • /data/data/####/mod.dec
  • /data/data/####/mod.dex
  • /data/data/####/mod.enc
  • /data/data/####/multidex.version.xml
  • /data/data/####/phan.xml
  • /data/data/####/tt_sdk_settings.xml
  • /data/data/####/ttopenadsdk.xml
  • /data/data/####/ttopensdk.db-journal
  • /data/data/####/ua.db
  • /data/data/####/ua.db-journal
  • /data/data/####/um_pri.xml
  • /data/data/####/umdat.xml
  • /data/data/####/umeng_common_config.xml
  • /data/data/####/umeng_common_location.xml
  • /data/data/####/umeng_general_config.xml
  • /data/data/####/umeng_it.cache
  • /data/data/####/umeng_message_state.xml
  • /data/data/####/webview.db-journal
  • /data/data/####/webviewCookiesChromium.db-journal
  • /data/data/####/webviewCookiesChromiumPrivate.db-journal
  • /data/data/####/webviewCookiesChromiumPrivate.db-journal (deleted)
  • /data/data/####/xUtils_http_cookie.db
  • /data/data/####/xUtils_http_cookie.db-journal
  • /data/media/####/.a.dat
  • /data/media/####/.adfwe.dat
  • /data/media/####/.artc_lock
  • /data/media/####/.cca.dat
  • /data/media/####/.di
  • /data/media/####/.dic_lock
  • /data/media/####/.duid
  • /data/media/####/.globalLock
  • /data/media/####/.im_lock
  • /data/media/####/.lesd_lock
  • /data/media/####/.mn_-1464060969
  • /data/media/####/.nomedia
  • /data/media/####/.pkg_lock
  • /data/media/####/.pkgs_lock
  • /data/media/####/.rc_lock
  • /data/media/####/.slw
  • /data/media/####/.ss_lock
  • /data/media/####/.umm.dat
  • /data/media/####/.wkl
  • /data/media/####/650f6cb37f124dfd9b7b79792e0a518e
  • /data/media/####/6e82c0e0960094748def7129d27bbf0a.png
  • /data/media/####/9aec988a28344c9ab778cb09099d9d95
  • /data/media/####/9fddc9e54dad40f29e036b506acf699f
  • /data/media/####/AllInOneBig.shx
  • /data/media/####/AllInOneUni.shx
  • /data/media/####/Alvin2.xml
  • /data/media/####/CH_GPS_Fire Pump.dwg
  • /data/media/####/ContextData.xml
  • /data/media/####/English Advanced Construction.dwg
  • /data/media/####/android-logo-mask.png
  • /data/media/####/android-logo-shine.png
  • /data/media/####/bb-dimdragarrow.svg
  • /data/media/####/bb-findmark.svg
  • /data/media/####/bb-grip.svg
  • /data/media/####/bb-lock.svg
  • /data/media/####/bb-move.svg
  • /data/media/####/bb-param.svg
  • /data/media/####/bb-rotate.svg
  • /data/media/####/bb-simple.svg
  • /data/media/####/bb-unlock.svg
  • /data/media/####/bigfont.map
  • /data/media/####/codepage.dat
  • /data/media/####/config.json
  • /data/media/####/deviceToken
  • /data/media/####/fcd41f7f40d348be8191d1e35e884035
  • /data/media/####/id.tmp
  • /data/media/####/language.xml
  • /data/media/####/menuBar.xml
  • /data/media/####/new.dwg
Miscellaneous:
Executes the following shell scripts:
  • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
  • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
  • <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:525f7baa56240b4be0104947","utdid":"XK2PlkOZnIMDAGdzx1GXcNQ2","sdkVersion":"221"} -I agoodm.m.taobao.com -O 80 -T -Z
  • cat /sys/class/net/wlan0/address
  • chmod 500 <Package Folder>/files/DaemonServer
  • getprop ro.build.version.emui
  • getprop ro.letv.release.version
  • getprop ro.vivo.os.build.display.id
  • ls /sys/class/thermal
  • sh
Loads the following dynamic libraries:
  • gstarcadmc
  • libjiagu-1701131331
  • tnet-3.1
Uses the following algorithms to encrypt data:
  • AES-CBC-PKCS5Padding
  • AES-CBC-PKCS7Padding
  • AES-ECB-PKCS5Padding
  • AES-ECB-PKCS7Padding
  • DES
Uses the following algorithms to decrypt data:
  • AES-CBC-PKCS7Padding
  • AES-ECB-NoPadding
  • AES-ECB-PKCS5Padding
Accesses the ITelephony private interface.
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about APN settings.
Gets information about installed apps.
Gets information about running apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
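Three details in the file-system and shell sections are worth turning into reusable checks rather than reading once: the sample fetches `.../20190408114016mod.enc` over plain HTTP and then creates `mod.enc`, `mod.dec` and `mod.dex` in its private directory (the pattern an analyst would read as a downloaded, decrypted and then loaded DEX module); it writes `libjiagu-1701131331.so` into its data directory and loads it by that full name, which is the Qihoo 360 Jiagu packer loader behind the "hides executable bytecode" line and the Android.Packed classification; and it drops a `DaemonServer` binary, `chmod 500`s it and runs it as a watchdog for the push-SDK service. The Python below is an added example (not Dr.Web tooling and not code from the sample) that applies those three heuristics to events copied from the lists above. The `PACKER_LOADERS` mapping is the author's; only `libjiagu` is attested by this report.

```python
"""Detection heuristics over the "File system changes" and "Executes the
following shell scripts" sections of a Dr.Web-style Android report. Added
example; the events are copied from the report above (subset), which masks
the package directory as #### in one list and <Package Folder> in the other."""
from __future__ import annotations

import os
import re
from collections import defaultdict

FILES = [  # copied from "Creates the following files" (subset)
    "/data/data/####/libjiagu-1701131331.so",
    "/data/data/####/mod.dec",
    "/data/data/####/mod.dex",
    "/data/data/####/mod.enc",
    "/data/data/####/DaemonServer",
    "/data/data/####/MultiDex.lock",
    "/data/media/####/new.dwg",
]
SHELL = [  # copied from "Executes the following shell scripts" (subset)
    "chmod 500 <Package Folder>/files/DaemonServer",
    "cat /sys/class/net/wlan0/address",
    "getprop ro.build.version.emui",
]
LOADED_LIBS = ["gstarcadmc", "libjiagu-1701131331", "tnet-3.1"]

CHAIN_EXTS = ("enc", "dec", "dex")  # encrypted blob -> decrypted blob -> loadable DEX

# Library-name prefixes of commercial Android packer loaders (author's mapping).
PACKER_LOADERS = {
    "libjiagu": "Qihoo 360 Jiagu",
    "libprotectClass": "Bangcle",
    "libshell": "Tencent Legu",
    "libijiami": "Ijiami",
    "libbaiduprotect": "Baidu",
}

CHMOD_RE = re.compile(r"^chmod\s+(?P<mode>[0-7]{3,4}|[ugoa]*[+=][rwxst]+)\s+(?P<path>.+)$")


def decrypt_and_load_chains(files: list[str]) -> list[tuple[str, tuple[str, ...]]]:
    """Stems that have both an .enc and a .dex sibling in the same directory
    (a .dec in between is optional), i.e. candidates for decrypt-then-load."""
    by_stem: dict[str, set[str]] = defaultdict(set)
    for path in files:
        stem, ext = os.path.splitext(path)
        if ext[1:] in CHAIN_EXTS:
            by_stem[stem].add(ext[1:])
    chains = []
    for stem, exts in sorted(by_stem.items()):
        if {"enc", "dex"} <= exts:
            chains.append((stem, tuple(e for e in CHAIN_EXTS if e in exts)))
    return chains


def packer_loaders(libs: list[str]) -> dict[str, str]:
    """Loaded libraries whose name matches a known packer loader. The report
    lists System.loadLibrary() names without the lib prefix and full-path
    System.load() names with it, so both spellings are normalised."""
    hits = {}
    for lib in libs:
        name = lib if lib.startswith("lib") else "lib" + lib
        for prefix, vendor in PACKER_LOADERS.items():
            if name.startswith(prefix):
                hits[lib] = vendor
    return hits


def dropped_executables(files: list[str], shell_cmds: list[str]) -> list[str]:
    """Files the app created under its own data directory that a shell chmod
    then made executable. Matching is by basename because the two lists mask
    the package directory differently."""
    created = {os.path.basename(p) for p in files if p.startswith("/data/data/")}
    hits = []
    for cmd in shell_cmds:
        m = CHMOD_RE.match(cmd.strip())
        if not m:
            continue
        mode = m["mode"]
        exec_bit = bool(int(mode, 8) & 0o111) if mode.isdigit() else ("x" in mode)
        base = os.path.basename(m["path"])
        if exec_bit and base in created:
            hits.append(base)
    return hits


def triage(files: list[str], shell_cmds: list[str], libs: list[str]) -> dict:
    return {
        "decrypt_and_load": decrypt_and_load_chains(files),
        "packer_loaders": packer_loaders(libs),
        "dropped_executables": dropped_executables(files, shell_cmds),
    }


if __name__ == "__main__":
    for key, value in triage(FILES, SHELL, LOADED_LIBS).items():
        print(f"{key}: {value}")
```

The `.enc`/`.dec`/`.dex` check deliberately keys on the stem rather than on the literal name `mod`, since the stem is whatever the downloader chose; on a real device the same signal is a `DexClassLoader`/`System.load` call against a file under `/data/data/<pkg>/` that was written by the app itself rather than shipped in the APK.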

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a ransom payment, or some other message prevents you from using the device normally), do the following:
    • Boot the smartphone or tablet into safe mode (how this is done depends on the operating system version and the particular device; consult the user guide shipped with the device or contact its manufacturer);
    • Once in safe mode, install Dr.Web for Android Light on the infected device, run a full system scan and follow the steps recommended for neutralizing the detected threats;
    • Switch the device off and then turn it on normally.
