Android.RemoteCode.7219

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.RemoteCode.291.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) 2####.111.8.140:8080
TCP(HTTP/1.1) 1####.89.97.82:8000
TCP(HTTP/1.1) 1####.159.18.80:8001
TCP(HTTP/1.1) 1####.159.18.80:8000
TCP(HTTP/1.1) pi####.qq.com:80
TCP(HTTP/1.1) gam####.m.d####.com:80
TCP(HTTP/1.1) sw####.z####.com.cn:8080
TCP(HTTP/1.1 X-OF-Signature: 5LbroB4pPPpeEczNFmpG3cFLbcM= X-OF-Key: Signature-OF-RSAUtils OS_TYPE: 1 Accept: application/xml Response-Type: xml GameType: 6 Iccid: 8980dXCjEfNxU0Yf6lWE platform: Android apiVersion: 2.5 SDKVersion: 28002 imei: 309617070840334 imsi: 460022594317869 signer: 5LbroB4pPPpeEczNFmpG3cFLbcM= sdkSessionId: m4G94LXmzqd8 platFormId: 03 Content-Length: 596 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Host: sdklog.cmgame.com Connection: Keep-Alive Cookie: JSESSIONID=8F7D8F9D538B17670C1DA0153FF3030B Cookie2: $Version=1 Accept-Encoding: gzip data=sdkSessionId%40m4G94LXmzqd8%2Ctel%4013906026581%2Cuid%40%2CsdkType%401%2CsdkVer%4028002%2ClogVer%402.1%2CserviceType%406%2CcpId%40799087%2CcontentId%40689116071695%2CchannelId%4042725043%2CinstallFlag%401%2CstartFlag%401%2Cpacker%40%2Cuuid%4017e8f534f57f499fb159df7c4a7f8c25%2Cimei%40309617070840334%2Cimsi%40460022594317869%2CmacAddr%407a2e1bee7ad7%2Cbrand%40Sony%2Cmodel%40C5502%2Coperator%401%2CnetworkType%404%2CapnType%400%2CisProxyGateway%402%2CinvokeTime%402020-11-22+13%3A27%3A51%2CeventInvokeTime%4021%2CeventId%40E0009_1%2CloginAccount%4013906026581%2CloginMode%402%2CeventType%409) sd####.cm####.com:80
TCP(HTTP/1.1 X-OF-Signature: A5cK1P3zpXwzsvD21J4lU8mTw+w= X-OF-Key: Signature-OF-RSAUtils OS_TYPE: 1 Accept: application/xml Response-Type: xml GameType: 6 Iccid: 8980dXCjEfNxU0Yf6lWE platform: Android apiVersion: 2.5 SDKVersion: 28002 imei: 309617070840334 imsi: 460022594317869 signer: A5cK1P3zpXwzsvD21J4lU8mTw+w= sdkSessionId: m4G94LXmzqd8 platFormId: 03 Content-Length: 548 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Host: sdklog.cmgame.com Connection: Keep-Alive Cookie: JSESSIONID=8F7D8F9D538B17670C1DA0153FF3030B Cookie2: $Version=1 Accept-Encoding: gzip data=sdkSessionId%40m4G94LXmzqd8%2Ctel%4013906026581%2Cuid%40%2CsdkType%401%2CsdkVer%4028002%2ClogVer%402.1%2CserviceType%406%2CcpId%40799087%2CcontentId%40689116071695%2CchannelId%4042725043%2CinstallFlag%400%2CstartFlag%402%2Cpacker%40%2Cuuid%4017e8f534f57f499fb159df7c4a7f8c25%2Cimei%40309617070840334%2Cimsi%40460022594317869%2CmacAddr%407a2e1bee7ad7%2Cbrand%40Sony%2Cmodel%40C5502%2Coperator%401%2CnetworkType%404%2CapnType%400%2CisProxyGateway%402%2CinvokeTime%402020-11-22+13%3A27%3A54%2CeventInvokeTime%401%2CeventType%401%2CeventId%40E0001) sd####.cm####.com:80
TCP(HTTP/1.1 X-OF-Signature: g6K3B46P+zSEI3eC+iIuEy4k4/Y= X-OF-Key: Signature-OF-RSAUtils OS_TYPE: 1 Accept: application/xml Response-Type: xml GameType: 6 Iccid: 8980dXCjEfNxU0Yf6lWE platform: Android apiVersion: 2.5 SDKVersion: 28002 imei: 309617070840334 imsi: 460022594317869 signer: g6K3B46P+zSEI3eC+iIuEy4k4/Y= sdkSessionId: m4G94LXmzqd8 platFormId: 03 Content-Length: 548 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Host: sdklog.cmgame.com Connection: Keep-Alive Accept-Encoding: gzip data=sdkSessionId%40m4G94LXmzqd8%2Ctel%4013906026581%2Cuid%40%2CsdkType%401%2CsdkVer%4028002%2ClogVer%402.1%2CserviceType%406%2CcpId%40799087%2CcontentId%40689116071695%2CchannelId%4042725043%2CinstallFlag%401%2CstartFlag%401%2Cpacker%40%2Cuuid%4017e8f534f57f499fb159df7c4a7f8c25%2Cimei%40309617070840334%2Cimsi%40460022594317869%2CmacAddr%407a2e1bee7ad7%2Cbrand%40Sony%2Cmodel%40C5502%2Coperator%401%2CnetworkType%404%2CapnType%400%2CisProxyGateway%402%2CinvokeTime%402020-11-22+13%3A27%3A45%2CeventInvokeTime%401%2CeventType%401%2CeventId%40E0001) sd####.cm####.com:80
TCP(HTTP/1.1 X-OF-Signature: irNjM8MzVsOZOMpAqucl2YSQwro= X-OF-Key: Signature-OF-RSAUtils OS_TYPE: 1 Accept: application/xml Response-Type: xml GameType: 6 Iccid: 8980dXCjEfNxU0Yf6lWE platform: Android apiVersion: 2.5 SDKVersion: 28002 imei: 309617070840334 imsi: 460022594317869 signer: irNjM8MzVsOZOMpAqucl2YSQwro= sdkSessionId: m4G94LXmzqd8 platFormId: 03 Content-Length: 596 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Host: sdklog.cmgame.com Connection: Keep-Alive Cookie: JSESSIONID=750592BEAEFB69260ADE64B28EA2C689 Cookie2: $Version=1 Accept-Encoding: gzip data=sdkSessionId%40m4G94LXmzqd8%2Ctel%4013906026581%2Cuid%40%2CsdkType%401%2CsdkVer%4028002%2ClogVer%402.1%2CserviceType%406%2CcpId%40799087%2CcontentId%40689116071695%2CchannelId%4042725043%2CinstallFlag%400%2CstartFlag%402%2Cpacker%40%2Cuuid%4017e8f534f57f499fb159df7c4a7f8c25%2Cimei%40309617070840334%2Cimsi%40460022594317869%2CmacAddr%407a2e1bee7ad7%2Cbrand%40Sony%2Cmodel%40C5502%2Coperator%401%2CnetworkType%404%2CapnType%400%2CisProxyGateway%402%2CinvokeTime%402020-11-22+13%3A27%3A59%2CeventInvokeTime%4049%2CeventId%40E0009_1%2CloginAccount%4013906026581%2CloginMode%402%2CeventType%409) sd####.cm####.com:80
UDP(NTP) 1.cn.p####.####.org:123
TCP(TLS/1.0) c####.x####.com:443

DNS requests:

1.cn.p####.####.org
av1.x####.com
c####.x####.com
gam####.m.d####.com
h####.b####.com
i####.cn
pg.x####.com
pi####.qq.com
sd####.cm####.com
sw####.z####.com.cn

HTTP GET requests:

sw####.z####.com.cn:8080/SG_Frontend/Query?gid=####&vid=####&ch=####&icc...
sw####.z####.com.cn:8080/SG_Frontend/gameNofity

HTTP POST requests:

gam####.m.d####.com/standalone/queryGbAndMmSupport
pi####.qq.com/mstat/report/?index=####
sd####.cm####.com/behaviorLogging/eventLogging/accept?

File system changes:

Creates the following files:

/data/data/####/202011221327611.v1.crash
/data/data/####/2cb6687eb5__local_except_cache.json
/data/data/####/2cb6687eb5__local_stat_cache.json
/data/data/####/TDCloudSettingsConfig84E6108306034BB7A16BC23F2F96BF1A.xml
/data/data/####/TD_app_pefercen_profile.xml
/data/data/####/TDpref_longtime.xml
/data/data/####/TDpref_shorttime.xml
/data/data/####/TDtcagent.db
/data/data/####/TDtcagent.db-journal
/data/data/####/__Baidu_Stat_SDK_SendRem.xml
/data/data/####/b.gif
/data/data/####/b.jar
/data/data/####/b.jar.temp
/data/data/####/b.jpg
/data/data/####/b.jpg.temp
/data/data/####/b.jpg.temp (deleted)
/data/data/####/com.sg.atmrxyx.baidu.mid.world.ro.xml
/data/data/####/com.sg.atmrxyx.baidu_preferences.xml
/data/data/####/com_dk_shared_preferences.xml
/data/data/####/ddai300_ds.jar
/data/data/####/ddai300_s_p287.dat
/data/data/####/ddai_ad300_hotcfg.xml
/data/data/####/multidex.version.xml
/data/data/####/pri_tencent_analysis.db_com.sg.atmrxyx.baidu-journal
/data/data/####/sg.dex
/data/data/####/sg_game.dex
/data/data/####/talkingdata_app.db-journal
/data/data/####/talkingdata_app_process_preferences_file
/data/data/####/talkingdata_app_version_preferences_file
/data/data/####/td.lock
/data/data/####/tdid.xml
/data/data/####/tdlock.txt
/data/data/####/tencent_analysis.db_com.sg.atmrxyx.baidu-journal
/data/media/####/.confd
/data/media/####/.confd-journal
/data/media/####/.config
/data/media/####/.cuid
/data/media/####/.tcookieid

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
chmod 777 <Package Folder>/files/b.jar
logcat -c
logcat -d -v time
su
which su

Loads the following dynamic libraries:

MtaNativeCrash_v2
gdx

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
AES-ECB-PKCS5Padding
DES-ECB-PKCS5Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS7Padding
AES-ECB-PKCS5Padding

Uses elevated priveleges.

Accesses the ITelephony private interface.

Contains functionality for automatic SMS sending.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about APN settings.

Gets information about installed apps.

Displays its own windows over windows of other apps.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial