Android.RemoteCode.7254

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.RemoteCode.6618

Network activity:

Connects to:

UDP(DNS) 8####.8.4.4:53
TCP(HTTP/1.1) ip.ta####.com:80
TCP(HTTP/1.1) 39.1####.226.174:10032
TCP(HTTP/1.1) lar####.c####.l####.####.com:80
TCP(HTTP/1.1) j.souso####.com:80
TCP(HTTP/1.1) j.quwe####.com:80
TCP(HTTP/1.1) norma-e####.m####.com:80
TCP(HTTP/1.1) api.d####.com.####.com:80
TCP(HTTP/1.1) gd.a.s####.com:80
TCP(HTTP/1.1) and####.b####.qq.com:80
TCP(TLS/1.0) 2####.107.1.97:443
TCP(TLS/1.0) al####.u####.com:443
TCP(TLS/1.0) to####.ctobsn####.com:443
TCP(TLS/1.0) api16-a####.pa####.io.####.net:443
TCP(TLS/1.0) in####.d####.net:443
TCP(TLS/1.0) 1####.217.20.74:443
TCP(TLS/1.0) 1####.217.17.42:443
TCP(TLS/1.0) pang####.sn####.com:443
TCP(TLS/1.0) di####.b####.net:443
TCP(TLS/1.2) 1####.217.20.74:443
TCP(TLS/1.2) 1####.217.19.206:443
TCP(TLS/1.2) 1####.217.17.138:443
TCP(TLS/1.2) 1####.217.19.195:443
TCP zb-cent####.m.ta####.com:80

DNS requests:

a####.man.aliy####.com
a.souso####.com
amdc####.m.ta####.com
and####.b####.qq.com
api.d####.com
api16-a####.pa####.io
dig.b####.net
dm.byted####.com
dm.ps####.com
dm.tou####.com
helpgam####.ksmo####.com
ip.ta####.com
j.quwe####.com
j.souso####.com
m####.go####.com
norma-e####.m####.com
p####.voic####.cn
pang####.sn####.com
plb####.u####.com
pv.s####.com
s.startog####.com
sdk.api.o####.####.cn
sf3-fe####.pglstat####.com
sf3-ttc####.ps####.com
to####.ctobsn####.com
u####.u####.com
umen####.m.ta####.com
umengj####.m.ta####.com

HTTP GET requests:

api.d####.com.####.com/dynamic/ad_configs?timestamp=####&channel=####&_d...
gd.a.s####.com/cityjson
ip.ta####.com/service/getIpInfo.php?ip=####
lar####.c####.l####.####.com/1569729237115_191c4ae3638a6e43.png
norma-e####.m####.com/android/exchange/getpublickey.do

HTTP POST requests:

and####.b####.qq.com/rqd/async
j.quwe####.com/f/m1
j.souso####.com/a/l1
j.souso####.com/ad/config
norma-e####.m####.com/push/android/external/add.do

File system changes:

Creates the following files:

/data/data/####/.imprint
/data/data/####/0.xml
/data/data/####/39285EFA.dex
/data/data/####/39285EFA.dex.flock (deleted)
/data/data/####/86_029e7aa3-1116-4c18-93c1-4fa3360c42f1_1610661..._0.ich
/data/data/####/86_02a4896d-a059-4bac-9fc5-b70771879a36_1610661..._0.ich
/data/data/####/86_03b8d0cd-52f6-4e20-8e0c-d044a6e09f5b_1610661..._0.ich
/data/data/####/86_063cd0b0-82bb-4fd1-bcdd-d03d3b5b4fff_1610661..._0.ich
/data/data/####/86_06f21e29-257a-41c8-95f8-827849701f13_1610661..._0.ich
/data/data/####/86_08cf989a-bd77-4a0b-ba41-03b6bbce5d35_1610661..._0.ich
/data/data/####/86_0bd60feb-660b-418a-a645-aa5a992c3b01_1610661..._0.ich
/data/data/####/86_0d0cd282-d8f8-4190-b1c8-9cb897daa695_1610661..._0.ich
/data/data/####/86_1340b129-39dd-491a-bcd8-b701bfe39836_1610661..._0.ich
/data/data/####/86_16ed1c34-d7ce-41f5-a5ce-22963d62a386_1610661..._0.ich
/data/data/####/86_183ca8e6-aa0c-4b86-abaa-1ed3e3c102e6_1610661..._0.ich
/data/data/####/86_2a71d16b-0b2c-4388-8167-116a45991e44_1610661..._0.ich
/data/data/####/86_3a796a86-e0cf-4ea7-b0c3-b6e84d3dfa8d_1610661..._0.ich
/data/data/####/86_3c35089e-163b-4e98-8576-f91f7f8cdd7b_1610661..._0.ich
/data/data/####/86_3f11ec9f-2d15-4a65-a8d1-f6280f543df5_1610661..._0.ich
/data/data/####/86_43ca858b-f619-4544-9c57-1419b3f422b3_1610661..._0.ich
/data/data/####/86_46a8bbdc-eee4-423c-a184-6a662347d3dc_1610661..._0.ich
/data/data/####/86_481e21df-8956-4509-a389-e5d581c4d2fa_1610661..._0.ich
/data/data/####/86_536a7d6e-dba8-4f68-b41e-4e5a3196fec6_1610661..._0.ich
/data/data/####/86_5835b252-149e-4d16-9224-954068381c49_1610661..._0.ich
/data/data/####/86_5a477231-096f-48da-affe-b481faabebc0_1610661..._0.ich
/data/data/####/86_5a9be0d4-4d4f-4129-9d66-aa3afcee7137_1610661..._0.ich
/data/data/####/86_5e2ea281-0e1e-401e-8aaf-77b2e48bfd48_1610661..._0.ich
/data/data/####/86_5f256153-25c9-472a-b3ba-0a7fe86da560_1610661..._0.ich
/data/data/####/86_5fb852e6-eae8-4d8b-b6d9-0adfd97584c2_1610661..._0.ich
/data/data/####/86_63ebfacd-a17c-46b2-8c08-df00d6a89a76_1610661..._0.ich
/data/data/####/86_64cdbf48-4133-4b4a-898e-73fa2cdde199_1610661..._0.ich
/data/data/####/86_720fa16f-ff70-407d-88fa-8c1ac120a2db_1610661..._0.ich
/data/data/####/86_72e99c0e-6a93-49e2-87eb-3809e64ead0a_1610661..._0.ich
/data/data/####/86_75ead9ec-0bdd-4ba3-bedd-ed503f770ebc_1610661..._0.ich
/data/data/####/86_779b037b-45e0-4107-86c2-2c5e65d6cf5b_1610661..._0.ich
/data/data/####/86_7819d7c3-d0d2-4aa7-88d4-470911369ce4_1610661..._0.ich
/data/data/####/86_7b167476-e574-46a1-84ac-f9d47e3e0d96_1610661..._0.ich
/data/data/####/86_7ea13891-61bc-462c-b3d2-dd53051b5a21_1610661..._0.ich
/data/data/####/86_8213c7ec-f268-4abb-b2fc-ff7ab56c8836_1610661..._0.ich
/data/data/####/86_8327df6e-b3ef-4b6b-a371-3505f4233159_1610661..._0.ich
/data/data/####/86_849f6b56-6746-4f44-98d0-dcae99ddcd4d_1610661..._0.ich
/data/data/####/86_8514c3de-204e-44d9-ab64-384f1008c454_1610661..._0.ich
/data/data/####/86_90544a07-7a15-4ca2-a740-95fd29443daf_1610661..._0.ich
/data/data/####/86_95e55298-64b3-4a3a-9b08-e4fbf74a1956_1610661..._0.ich
/data/data/####/86_97989648-f373-480b-84e1-d92fddd9e6c3_1610661..._0.ich
/data/data/####/86_996f1b72-4c37-4500-a4af-7e6866d98b2a_1610661..._0.ich
/data/data/####/86_9b3d45b1-bbfc-4a61-833b-33b2cb39e459_1610661..._0.ich
/data/data/####/86_9b5e274a-44ae-412a-bd5e-9529ad65d7e5_1610661..._0.ich
/data/data/####/86_9cc25434-8094-4e45-8371-2548753ac0f2_1610661..._0.ich
/data/data/####/86_a7131a3e-069d-42ed-bf26-136e1e80b9c4_1610661..._0.ich
/data/data/####/86_a8e8000c-58c7-4915-a4d9-643b9ba60908_1610661..._0.ich
/data/data/####/86_a9e1d68f-10ec-4127-9f8a-0fac4b4b5762_1610661..._0.ich
/data/data/####/86_b3265c67-3f28-42b0-9dc9-2fd37a8fe3f3_1610661..._0.ich
/data/data/####/86_b3d93aff-b314-496b-9371-8d2738fe024c_1610661..._0.ich
/data/data/####/86_b8808bb7-734c-4f6a-b9aa-cae7825e8f0a_1610661..._0.ich
/data/data/####/86_bdb62978-a573-437c-9b4c-49848cdaf9e3_1610661..._0.ich
/data/data/####/86_c44ca72a-1922-4ff3-b165-08ee78202266_1610661..._0.ich
/data/data/####/86_c6e4e670-fb06-4e2b-a347-a17ba4ceb268_1610661..._0.ich
/data/data/####/86_c78f44f4-9a93-4710-a488-db0b013ac172_1610661..._0.ich
/data/data/####/86_c9c85a91-da64-443e-a60f-65512e11c84b_1610661..._0.ich
/data/data/####/86_ca2e8fd3-39f4-4c13-b7d9-6f2cd967affe_1610661..._0.ich
/data/data/####/86_cf13fa7e-a5fd-42a7-98bf-286cdb8c5391_1610661..._0.ich
/data/data/####/86_d58b7b26-3c79-48c9-b423-d9cb31691772_1610661..._0.ich
/data/data/####/86_d7b81a5f-520c-4382-be9e-cca5028a0667_1610661..._0.ich
/data/data/####/86_df1be379-c4bc-48fd-af50-e20fab8b71fc_1610661..._0.ich
/data/data/####/86_e6e1d265-a88a-45f7-b9b9-c2166ca2e592_1610661..._0.ich
/data/data/####/86_ea25d596-caa8-4531-bd88-d1bdc391c779_1610661..._0.ich
/data/data/####/86_ea5914e8-6cfb-4cbc-b2ef-022b89b64415_1610661..._0.ich
/data/data/####/86_ed324e6b-03a4-4255-a221-41ab4aaf9328_1610661..._0.ich
/data/data/####/86_ed98d1ba-d89f-4c22-be72-2252cdba3e29_1610661..._0.ich
/data/data/####/86_ef9754bd-2a41-41e0-9950-16ae0b5a90f9_1610661..._0.ich
/data/data/####/86_f4677548-5776-497a-b2bf-ba408fe38b6b_1610661..._0.ich
/data/data/####/86_f4f4daf6-2b3b-4458-a56c-059100317174_1610661..._0.ich
/data/data/####/86_fad19eba-c3d5-4b7a-83d1-5af612bf8cbf_1610661..._0.ich
/data/data/####/86_fb7f822a-f985-4df9-8bf1-2baa9b5e72da_1610661..._0.ich
/data/data/####/86_fcfd85b2-559b-45ea-aa7d-f2cec429c1cd_1610661..._0.ich
/data/data/####/ACCS_SDK.xml
/data/data/####/ACCS_SDK.xml.bak (deleted)
/data/data/####/ACCS_SDK_CHANNEL.xml
/data/data/####/ACCS_SDK_CHANNEL.xml.bak
/data/data/####/Agoo_AppStore.xml
/data/data/####/Alvin2.xml
/data/data/####/ContextData.xml
/data/data/####/IFLY_AD_SHARED.xml
/data/data/####/MessageStore.db-journal
/data/data/####/MsgLogStore.db-journal
/data/data/####/UM_PROBE_DATA.xml
/data/data/####/Web Data
/data/data/####/WebViewChromiumPrefs.xml
/data/data/####/a==8.1.6&&2.7.029_1610661011635_envelope.log
/data/data/####/accs.db-journal
/data/data/####/ad_cbx_umeng_common_config.xml
/data/data/####/agoo.pid
/data/data/####/bd_embed_tea_agent.db-journal
/data/data/####/bugly_db_-journal
/data/data/####/c5281e50767541054f07c906043767fc.0.tmp
/data/data/####/c5281e50767541054f07c906043767fc.1.tmp
/data/data/####/c9307688af916f628d6c88f01299e1ad.0
/data/data/####/c9307688af916f628d6c88f01299e1ad.1
/data/data/####/cartoon-journal
/data/data/####/cbxlib.xml
/data/data/####/channel_umeng_common_config.xml
/data/data/####/classes.dex
/data/data/####/classes.dex.flock (deleted)
/data/data/####/com.dmzj.manhua_infoc_config_pref.xml
/data/data/####/com.dmzj.manhua_preferences.xml
/data/data/####/com.x.y.1.xml
/data/data/####/com.x.y.2.xml
/data/data/####/d5bceed9078514041fd1d4d9a9079816.0.tmp
/data/data/####/d5bceed9078514041fd1d4d9a9079816.1.tmp
/data/data/####/dW1weF9pbnRlcm5hbF8xNjEwNjYxMDA5ODU4;
/data/data/####/devyok.DATA_PROVIDER.xml
/data/data/####/doc.zip
/data/data/####/downloader.db-journal
/data/data/####/embed_applog_stats.xml
/data/data/####/embed_header_custom.xml
/data/data/####/embed_last_sp_session.xml
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/foc.png
/data/data/####/hc_sblib_sdk.xml
/data/data/####/hc_sblib_sdk.xml.bak
/data/data/####/hoc.xml
/data/data/####/httpdns_config_cache.xml
/data/data/####/httpdns_config_cache.xml.bak
/data/data/####/i==1.2.0&&2.7.029_1610661009823_envelope.log
/data/data/####/ifly_adx_temp
/data/data/####/iflyads_cache_ctrl.xml
/data/data/####/info.xml
/data/data/####/init_code_id_2300004_-1093512238
/data/data/####/journal.tmp
/data/data/####/local_crash_lock
/data/data/####/local_crash_lock (deleted)
/data/data/####/message_accs_db
/data/data/####/message_accs_db-journal
/data/data/####/metrics_guid
/data/data/####/mz_push_preference.xml
/data/data/####/npth.xml
/data/data/####/npth_log.db-journal
/data/data/####/proc_auxv
/data/data/####/security_info
/data/data/####/security_info (deleted)
/data/data/####/snssdk_openudid.xml
/data/data/####/t==8.1.6&&2.7.029_1610661010795_envelope.log
/data/data/####/temp.dat
/data/data/####/tt_dns_settings.xml
/data/data/####/tt_sdk_settings.xml
/data/data/####/tt_sdk_settings.xml.bak
/data/data/####/ttopenadsdk.xml
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/um_pri.xml
/data/data/####/umdat.xml
/data/data/####/umeng_common_config.xml
/data/data/####/umeng_common_location.xml
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/umeng_message_state.xml
/data/data/####/update.xml
/data/data/####/user_info.xml
/data/data/####/user_info.xml.bak
/data/data/####/userlist.xml
/data/data/####/webview_data.lock
/data/misc/####/primary.prof

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --debuggable --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/.00000000000/39285EFA.dex --oat-fd=33 --oat-location=/data/user/0/<Package>/.11111111111/39285EFA.dex --compiler-filter=speed
/system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/app_range/up/classes.dex --oat-fd=87 --oat-location=/data/user/0/<Package>/app_range/upopt/classes.dex --compiler-filter=speed
/system/bin/sh -c type su
chmod 0755/data/user/0/<Package>/app_range/up/classes.dex
chmod 0755/data/user/0/<Package>/app_range/up/temp.dat
chmod 777 /data/user/0/<Package>/cache/Download
getprop androVM.vbox_dpi
getprop gsm.sim.state
getprop gsm.sim.state2
getprop qemu.sf.fake_camera
getprop ro.board.platform
getprop ro.build.version.emui
getprop ro.build.version.opporom
getprop ro.debuggable
getprop ro.genymotion.version
getprop ro.gn.sv.version
getprop ro.lenovo.lvp.version
getprop ro.miui.ui.version.name
getprop ro.secure
getprop ro.smartisan.version
getprop ro.vivo.os.version
ls -l /system/bin/su
ls /
ls /sys/class/thermal
mount

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
AES-CFB-NOPADDING
AES-ECB-PKCS5Padding
AES-GCM-NoPadding
DES
RSA-ECB-PKCS1Padding
RSA-None-PKCS1Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS7Padding
AES-CFB-NOPADDING
AES-ECB-PKCS5Padding
AES-GCM-NoPadding

Accesses the ITelephony private interface.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Gets information about running apps.

Adds tasks to the system scheduler.

Displays its own windows over windows of other apps.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial