Android.RemoteCode.7218

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.RemoteCode.291.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) 1####.159.18.80:8001
TCP(HTTP/1.1) sw####.z####.com.cn:8080
TCP(HTTP/1.1) 1####.159.18.80:8000
TCP(HTTP/1.1) 1####.89.97.82:8000
TCP(HTTP/1.1) pi####.qq.com:80
TCP(HTTP/1.1) gam####.m.d####.com:80
TCP(HTTP/1.1) 2####.111.8.140:8080
TCP(HTTP/1.1 X-OF-Signature: B/mMhTSROlfkf82pBurL4oGOnYU= X-OF-Key: Signature-OF-RSAUtils OS_TYPE: 1 Accept: application/xml Response-Type: xml GameType: 6 Iccid: 8980kHBoqtCjSuP3XM9C platform: Android apiVersion: 2.5 SDKVersion: 28002 imei: 825619398805499 imsi: 460001263568434 signer: B/mMhTSROlfkf82pBurL4oGOnYU= sdkSessionId: HF5BJUlvL5Tf platFormId: 03 Content-Length: 556 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Host: sdklog.cmgame.com Connection: Keep-Alive Accept-Encoding: gzip data=sdkSessionId%40HF5BJUlvL5Tf%2Ctel%4013993942811%2Cuid%40%2CsdkType%401%2CsdkVer%4028002%2ClogVer%402.1%2CserviceType%406%2CcpId%40799087%2CcontentId%40689116070656%2CchannelId%4042718018%2CinstallFlag%401%2CstartFlag%401%2Cpacker%40%2Cuuid%400f4f04f10c1148cb85676758f8374b6f%2Cimei%40825619398805499%2Cimsi%40460001263568434%2CmacAddr%40b61834f7e506%2Cbrand%40alps%2Cmodel%40P9600%26P8100%2Coperator%401%2CnetworkType%404%2CapnType%400%2CisProxyGateway%402%2CinvokeTime%402020-11-22+13%3A26%3A41%2CeventInvokeTime%401%2CeventType%401%2CeventId%40E0001) sd####.cm####.com:80
TCP(HTTP/1.1 X-OF-Signature: s6t/5aWNPvJZvt7zo3HFcgzifgs= X-OF-Key: Signature-OF-RSAUtils OS_TYPE: 1 Accept: application/xml Response-Type: xml GameType: 6 Iccid: 8980kHBoqtCjSuP3XM9C platform: Android apiVersion: 2.5 SDKVersion: 28002 imei: 825619398805499 imsi: 460001263568434 signer: s6t/5aWNPvJZvt7zo3HFcgzifgs= sdkSessionId: HF5BJUlvL5Tf platFormId: 03 Content-Length: 604 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Host: sdklog.cmgame.com Connection: Keep-Alive Cookie: JSESSIONID=62CCB37F8B43FB88F910C10F586F1951 Cookie2: $Version=1 Accept-Encoding: gzip data=sdkSessionId%40HF5BJUlvL5Tf%2Ctel%4013993942811%2Cuid%40%2CsdkType%401%2CsdkVer%4028002%2ClogVer%402.1%2CserviceType%406%2CcpId%40799087%2CcontentId%40689116070656%2CchannelId%4042718018%2CinstallFlag%400%2CstartFlag%402%2Cpacker%40%2Cuuid%400f4f04f10c1148cb85676758f8374b6f%2Cimei%40825619398805499%2Cimsi%40460001263568434%2CmacAddr%40b61834f7e506%2Cbrand%40alps%2Cmodel%40P9600%26P8100%2Coperator%401%2CnetworkType%404%2CapnType%400%2CisProxyGateway%402%2CinvokeTime%402020-11-22+13%3A26%3A52%2CeventInvokeTime%4048%2CeventId%40E0009_1%2CloginAccount%4013993942811%2CloginMode%402%2CeventType%409) sd####.cm####.com:80
TCP(HTTP/1.1 X-OF-Signature: tkYuHs/m9W6xYN7bM0dn+UGQqFk= X-OF-Key: Signature-OF-RSAUtils OS_TYPE: 1 Accept: application/xml Response-Type: xml GameType: 6 Iccid: 8980kHBoqtCjSuP3XM9C platform: Android apiVersion: 2.5 SDKVersion: 28002 imei: 825619398805499 imsi: 460001263568434 signer: tkYuHs/m9W6xYN7bM0dn+UGQqFk= sdkSessionId: HF5BJUlvL5Tf platFormId: 03 Content-Length: 604 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Host: sdklog.cmgame.com Connection: Keep-Alive Cookie: JSESSIONID=772E0816BFCB9749D2B71FDC5CE05290 Cookie2: $Version=1 Accept-Encoding: gzip data=sdkSessionId%40HF5BJUlvL5Tf%2Ctel%4013993942811%2Cuid%40%2CsdkType%401%2CsdkVer%4028002%2ClogVer%402.1%2CserviceType%406%2CcpId%40799087%2CcontentId%40689116070656%2CchannelId%4042718018%2CinstallFlag%401%2CstartFlag%401%2Cpacker%40%2Cuuid%400f4f04f10c1148cb85676758f8374b6f%2Cimei%40825619398805499%2Cimsi%40460001263568434%2CmacAddr%40b61834f7e506%2Cbrand%40alps%2Cmodel%40P9600%26P8100%2Coperator%401%2CnetworkType%404%2CapnType%400%2CisProxyGateway%402%2CinvokeTime%402020-11-22+13%3A26%3A45%2CeventInvokeTime%4021%2CeventId%40E0009_1%2CloginAccount%4013993942811%2CloginMode%402%2CeventType%409) sd####.cm####.com:80
TCP(HTTP/1.1 X-OF-Signature: wnlVnzCmHZfvCi/7brmyMkWree0= X-OF-Key: Signature-OF-RSAUtils OS_TYPE: 1 Accept: application/xml Response-Type: xml GameType: 6 Iccid: 8980kHBoqtCjSuP3XM9C platform: Android apiVersion: 2.5 SDKVersion: 28002 imei: 825619398805499 imsi: 460001263568434 signer: wnlVnzCmHZfvCi/7brmyMkWree0= sdkSessionId: HF5BJUlvL5Tf platFormId: 03 Content-Length: 556 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Host: sdklog.cmgame.com Connection: Keep-Alive Cookie: JSESSIONID=FFA9219BF266C5BA221F069C5B6DF9B7 Cookie2: $Version=1 Accept-Encoding: gzip data=sdkSessionId%40HF5BJUlvL5Tf%2Ctel%4013993942811%2Cuid%40%2CsdkType%401%2CsdkVer%4028002%2ClogVer%402.1%2CserviceType%406%2CcpId%40799087%2CcontentId%40689116070656%2CchannelId%4042718018%2CinstallFlag%400%2CstartFlag%402%2Cpacker%40%2Cuuid%400f4f04f10c1148cb85676758f8374b6f%2Cimei%40825619398805499%2Cimsi%40460001263568434%2CmacAddr%40b61834f7e506%2Cbrand%40alps%2Cmodel%40P9600%26P8100%2Coperator%401%2CnetworkType%404%2CapnType%400%2CisProxyGateway%402%2CinvokeTime%402020-11-22+13%3A26%3A49%2CeventInvokeTime%401%2CeventType%401%2CeventId%40E0001) sd####.cm####.com:80
UDP(NTP) 1.cn.p####.####.org:123
TCP(TLS/1.0) c####.x####.com:443

DNS requests:

1.cn.p####.####.org
av1.x####.com
c####.x####.com
gam####.m.d####.com
h####.b####.com
i####.cn
pg.x####.com
pi####.qq.com
sd####.cm####.com
sw####.z####.com.cn

HTTP GET requests:

sw####.z####.com.cn:8080/SG_Frontend/Query?gid=####&vid=####&ch=####&icc...
sw####.z####.com.cn:8080/SG_Frontend/gameNofity

HTTP POST requests:

gam####.m.d####.com/standalone/queryGbAndMmSupport
pi####.qq.com/mstat/report/?index=####
sd####.cm####.com/behaviorLogging/eventLogging/accept?

File system changes:

Creates the following files:

/data/data/####/202011221326362.v1.crash
/data/data/####/2cb6687eb5__local_except_cache.json
/data/data/####/2cb6687eb5__local_stat_cache.json
/data/data/####/TDCloudSettingsConfig081DC02F997F47D28230A16D219A08C4.xml
/data/data/####/TD_app_pefercen_profile.xml
/data/data/####/TDpref_longtime.xml
/data/data/####/TDpref_shorttime.xml
/data/data/####/TDtcagent.db
/data/data/####/TDtcagent.db-journal
/data/data/####/__Baidu_Stat_SDK_SendRem.xml
/data/data/####/b.gif
/data/data/####/b.jar
/data/data/####/b.jar.temp
/data/data/####/b.jpg
/data/data/####/b.jpg.temp
/data/data/####/b.jpg.temp (deleted)
/data/data/####/bdp_channel
/data/data/####/com.sg.atmlmzbbcr.baidu.mid.world.ro.xml
/data/data/####/com.sg.atmlmzbbcr.baidu_preferences.xml
/data/data/####/com_dk_shared_preferences.xml
/data/data/####/ddai300_ds.jar
/data/data/####/ddai300_s_p287.dat
/data/data/####/ddai_ad300_hotcfg.xml
/data/data/####/multidex.version.xml
/data/data/####/pri_tencent_analysis.db_com.sg.atmlmzbbcr.baidu-journal
/data/data/####/sg.dex
/data/data/####/sg_game.dex
/data/data/####/talkingdata_app.db-journal
/data/data/####/talkingdata_app_process_preferences_file
/data/data/####/talkingdata_app_version_preferences_file
/data/data/####/td.lock
/data/data/####/tdid.xml
/data/data/####/tdlock.txt
/data/data/####/tencent_analysis.db_com.sg.atmlmzbbcr.baidu-journal
/data/media/####/.confd
/data/media/####/.confd-journal
/data/media/####/.config
/data/media/####/.cuid
/data/media/####/.tcookieid

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
chmod 777 <Package Folder>/files/b.jar
logcat -c
logcat -d -v time
su
which su

Loads the following dynamic libraries:

MtaNativeCrash_v2
gdx

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
AES-ECB-PKCS5Padding
DES-ECB-PKCS5Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS7Padding
AES-ECB-PKCS5Padding

Uses elevated priveleges.

Accesses the ITelephony private interface.

Contains functionality for automatic SMS sending.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about APN settings.

Gets information about installed apps.

Displays its own windows over windows of other apps.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial