Android.Triada.5134

Added to the Dr.Web virus database: 2021-11-04

Virus description added:

Technical information

Malicious functions:
Executes code of the following detected threats:
  • Android.Click.311.origin
  • Android.DownLoader.1007.origin
  • Android.DownLoader.1051.origin
  • Android.DownLoader.1056.origin
  • Android.Mobifun.30.origin
  • Android.Mobifun.33.origin
  • Android.Packed.55438
  • Android.RemoteCode.231.origin
  • Android.RemoteCode.319.origin
  • Android.Triada.4567
  • Android.Triada.5071
  • Android.Triada.510.origin
  • Android.Triada.537.origin
  • Android.Triada.573.origin
Detection of this sample is based on machine learning.
Network activity:
Connects to:
  • UDP(DNS) 8####.8.4.4:53
  • TCP(HTTP/1.1) hw9####.new####.com:80
  • TCP(HTTP/1.1) t####.c8####.com:20209
  • TCP(HTTP/1.1) sdk.appclic####.com:80
  • TCP(HTTP/1.1) www.d####.xyz:80
  • TCP(HTTP/1.1) nu####.js####.com:12029
  • TCP(HTTP/1.1) gc4####.9####.com:80
  • TCP(HTTP/1.1) www.go####.com:80
  • TCP(HTTP/1.1) z.c####.com:80
  • TCP(HTTP/1.1) fung####.ly####.com:80
  • TCP(HTTP/1.1) api.bi####.com:80
  • TCP(HTTP/1.1) www-bin####.dual-a-####.a-ms####.net:80
  • TCP(HTTP/1.1) api.applove####.com:80
  • TCP(HTTP/1.1) p####.pay####.com:80
  • TCP(HTTP/1.1) z4####.ep####.com:14002
  • TCP(HTTP/1.1) d####.dd7####.com:80
  • TCP(HTTP/1.1) s####.appclic####.com:80
  • TCP(HTTP/1.1) d.moce####.com:9091
  • TCP(HTTP/1.1) s####.b####.com:80
  • TCP(HTTP/1.1) sdk-eve####.ap-sout####.log.####.com:80
  • TCP(HTTP/1.1) y####.k8####.com:80
  • TCP(HTTP/1.1) a####.r####.com:13002
  • TCP(HTTP/1.1) geo.appclic####.com:80
  • TCP(HTTP/1.1) t####.c8####.com:13002
  • TCP(TLS/1.0) wcf.seven####.com:443
  • TCP(TLS/1.0) rgk.zu####.cn:443
  • TCP(TLS/1.0) 77a3dce####.safef####.googles####.com:443
  • TCP(TLS/1.0) android####.go####.com:443
  • TCP(TLS/1.0) www.go####.com:443
  • TCP(TLS/1.0) c####.pay####.com:443
  • TCP(TLS/1.0) f####.google####.com:443
  • TCP(TLS/1.0) adser####.go####.nl:443
  • TCP(TLS/1.0) googl####.g.doublec####.net:443
  • TCP(TLS/1.0) 1####.251.36.10:443
  • TCP(TLS/1.0) s####.appclic####.com:443
  • TCP(TLS/1.0) gd.a.s####.com:443
  • TCP(TLS/1.0) adser####.go####.com:443
  • TCP(TLS/1.0) oss.heyg####.club:443
  • TCP(TLS/1.0) pag####.googles####.com:443
  • TCP(TLS/1.0) packag####.oss-ap-####.aliy####.com:443
  • TCP(TLS/1.0) f####.gst####.com:443
  • TCP(TLS/1.0) 5.ah####.com:443
  • TCP(TLS/1.0) tpc.googles####.com:443
  • TCP(TLS/1.0) fo####.site:443
  • TCP(TLS/1.0) cdn.amppro####.org:443
  • TCP(TLS/1.2) 1####.250.179.195:443
  • TCP(TLS/1.2) 1####.250.179.142:443
  • TCP(TLS/1.2) 1####.251.36.10:443
  • UDP 1####.194.160.74:443
  • UDP 1####.251.36.10:443
DNS requests:
  • 5.ah####.com
  • 77a3dce####.safef####.googles####.com
  • a####.r####.com
  • adser####.go####.com
  • adser####.go####.nl
  • android####.go####.com
  • api.applove####.com
  • api.bi####.com
  • c####.pay####.com
  • cdn.amppro####.org
  • d####.dd7####.com
  • d.moce####.com
  • dwq.fs####.com
  • f####.google####.com
  • f####.gst####.com
  • fo####.site
  • fung####.ly####.com
  • gc4####.9####.com
  • geo.appclic####.com
  • googl####.g.doublec####.net
  • hw9####.new####.com
  • jz####.mc####.com
  • nu####.js####.com
  • oss.heyg####.club
  • p####.pay####.com
  • packag####.oss-ap-####.aliy####.com
  • pag####.googles####.com
  • pv.s####.com
  • rgk.zu####.cn
  • s####.appclic####.com
  • s####.b####.com
  • sdk-eve####.ap-sout####.log.####.com
  • sdk.appclic####.com
  • securep####.g.doublec####.net
  • t####.c8####.com
  • tpc.googles####.com
  • ug####.bi####.com
  • wcf.seven####.com
  • www.b####.com
  • www.d####.xyz
  • www.go####.com
  • y####.k8####.com
  • z4####.ep####.com
  • z9.c####.com
HTTP GET requests:
  • 5.ah####.com:443/thirdsdk/flowcashpack/123/TK-209a-202106251800d
  • 5.ah####.com:443/thirdsdk/flowcashpack/82/MF-1.19a-202104301548d
  • api.applove####.com/api/v3/cache/get?osv=####&srnc=####&token=####&ds=##...
  • api.applove####.com/api/v3/template/get?slot_id=####&update_time=####&us...
  • d####.dd7####.com/upload/hw/batdex20191010.jar
  • d####.dd7####.com/upload/hw/c1005dex20190527.jar
  • d####.dd7####.com/upload/hw/h5rq20191022.jar
  • d####.dd7####.com/upload/hw/kklz02dex20200414.jar
  • d####.dd7####.com/upload/hw/lsdk20200506.jar
  • d####.dd7####.com/upload/hw/mf20200508.jar
  • d####.dd7####.com/upload/hw/qcdex20200316.jar
  • d####.dd7####.com/upload/plog/cy1028.jar
  • d####.dd7####.com/upload/plog/djso1101.jar
  • d####.dd7####.com/upload/plog/hx0409.jar
  • d####.dd7####.com/upload/plog/jar20190515.jar
  • d####.dd7####.com/upload/plog/jrw20210630.jar
  • d####.dd7####.com/upload/plog/kk20201106.jar
  • d####.dd7####.com/upload/plog/ps20210219.jar
  • d####.dd7####.com/upload/plog/sdk0625.jar
  • d####.dd7####.com/upload/plog/sh290_20210810.jar
  • d####.dd7####.com/upload/plog/skk20210416.jar
  • d####.dd7####.com/upload/plog/xianmm0512.jar
  • d####.dd7####.com/upload/plog/yeah0510.jar
  • fo####.site:443/ewewew/s20211101220628.1
  • fung####.ly####.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-lo...
  • fung####.ly####.com/lym07ly08/fonts/fontawesome-webfont.woff2?v=####
  • fung####.ly####.com/lym07ly08/game/greedy-rat-eating-peas/
  • fung####.ly####.com/lym07ly08/images/favicon.ico
  • fung####.ly####.com/lym07ly08/images/logo/breaking-through-the-neon-barr...
  • fung####.ly####.com/lym07ly08/images/logo/congested-parking-lot-logo.jpg
  • fung####.ly####.com/lym07ly08/images/logo/germ-crisis-logo.jpg
  • fung####.ly####.com/lym07ly08/images/logo/greedy-rat-eating-peas-logo.jpg
  • fung####.ly####.com/lym07ly08/images/logo/hurdle-challenge-logo.jpg
  • fung####.ly####.com/lym07ly08/images/logo/magnet-brother-logo.jpg
  • fung####.ly####.com/lym07ly08/images/logo/night-cat-logo.jpg
  • fung####.ly####.com/lym07ly08/images/logo/rabbit-samurai-adventure-logo....
  • fung####.ly####.com/lym07ly08/images/logo/save-the-happy-kingdom-logo.jpg
  • fung####.ly####.com/lym07ly08/images/logo/snake-ball-hitting-brick-logo....
  • fung####.ly####.com/lym07ly08/images/logo/snakes-and-digital-blocks-logo...
  • fung####.ly####.com/lym07ly08/images/logo/star-butterfly-princess-runs-w...
  • fung####.ly####.com/lym07ly08/images/logo/traffic-racer-logo.jpg
  • fung####.ly####.com/lym07ly08/images/logo/yellow-ball-adventure-logo.jpg
  • fung####.ly####.com/lym07ly08/images/sokiDa.jpg
  • fung####.ly####.com/lym07ly08/images/top.png
  • fung####.ly####.com/lym07ly08/public/bootstrap.min.css
  • fung####.ly####.com/lym07ly08/public/font-awesome.min.css
  • fung####.ly####.com/lym07ly08/static/jquery-1.11.2.min.js
  • fung####.ly####.com/lym07ly08/static/shejiwo.js
  • fung####.ly####.com/lym07ly08/static/theme.css
  • gc4####.9####.com/zsyunsxda
  • gc4####.9####.com/zsyunsxda/
  • gd.a.s####.com:443/cityjson
  • geo.appclic####.com/
  • oss.heyg####.club:443/browser_lada_20210507/browser_lada_20210507_3
  • oss.heyg####.club:443/js_browser_0312/js_browser_0312_20210312
  • oss.heyg####.club:443/js_htp_20210604/js_htp_20210604_2
  • oss.heyg####.club:443/js_soa_2/js_soa_2_20210926
  • oss.heyg####.club:443/js_testpoca/js_testpoca_20210205
  • oss.heyg####.club:443/js_wpn/js_wpn_20210412
  • oss.heyg####.club:443/js_yy/js_yy_20210830
  • oss.heyg####.club:443/stg/stg_201119
  • p####.pay####.com/s-r/332/60063a81055a8
  • packag####.oss-ap-####.aliy####.com:443/test_inner/inner_20210804
  • s####.appclic####.com/stg?channel=####&sdk=####
  • s####.appclic####.com:443/stg?channel=####&sdk=####
  • s####.b####.com/redirect?s=####&at=####&rt=####&s1=####
  • sdk.appclic####.com/check?channel=####&geo=####
  • www-bin####.dual-a-####.a-ms####.net/
  • www.go####.com/ads/measurement/l?ebcid=####
  • www.go####.com/pagead/drt/ui
  • y####.k8####.com/cocoDY/app-5329125.zip
  • y####.k8####.com/dtbx/liangzong/hwlz06.zip
  • y####.k8####.com/dtbx/xingchuang/D10233_20210726.zip
  • y####.k8####.com/dtbx/yunshi/awli-release.zip
  • y####.k8####.com/hwyw/akertuns.zip
  • y####.k8####.com/hwyw/erfdoc9e54utr9gf7e455968y.zip
  • y####.k8####.com/hwyw/staunkert.zip
  • y####.k8####.com/plugins/applh0723.zip
  • y####.k8####.com/plugins/dp2.zip
  • y####.k8####.com/plugins/yz058Uc30i0913.zip
  • y####.k8####.com/test/plugin_getInfo_user.zip
  • y####.k8####.com/zhuti/7y21yueermobi.zip
  • y####.k8####.com/zhuti/7y27jsdededkk.zip
  • y####.k8####.com/zhuti/8y17xinghao.zip
  • z.c####.com/stat.htm?id=####&cnzz_eid=####
HTTP POST requests:
  • a####.r####.com:13002/84gcjmo/
  • a####.r####.com:13002/ck0k66o/
  • a####.r####.com:13002/v1jyved/
  • api.bi####.com/un
  • c####.pay####.com:443/1/j?a=####
  • d.moce####.com:9091/wap/gateway
  • hw9####.new####.com/api/activite
  • hw9####.new####.com/api/back
  • hw9####.new####.com/api/offer
  • hw9####.new####.com/api/tbdynamic
  • hw9####.new####.com/apidata/showeb
  • nu####.js####.com:12029/hfdlls/
  • nu####.js####.com:12029/i3v8nb/
  • nu####.js####.com:12029/lfkdnr/
  • rgk.zu####.cn:443/v1/init?id=####
  • rgk.zu####.cn:443/v1/mr?id=####
  • sdk-eve####.ap-sout####.log.####.com/logstores/dev-log/track
  • t####.c8####.com:13002/4ad8fq/
  • t####.c8####.com:13002/a7atzr/
  • t####.c8####.com:13002/lgu4ds/
  • t####.c8####.com:20209/dvifq/
  • wcf.seven####.com:443/FBService.svc/d3f23rf334f3
  • www.d####.xyz/Orders/getlive?channel=####&Slevi=####&anmac=####&anosv=##...
  • z4####.ep####.com:14002/a2jyco/
  • z4####.ep####.com:14002/ajnhz5/
  • z4####.ep####.com:14002/uv2tay/
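The "Connects to" and "HTTP POST requests" lists above share one shape worth hunting for: POSTs to hosts on non-standard ports (13002, 12029, 14002, 20209) whose paths are nothing but a short random-looking segment, such as a####.r####.com:13002/84gcjmo/. The following is an added example, not Dr.Web's code, that parses lines in the report's own format and flags that pattern; the thresholds it uses (5 to 7 lowercase alphanumerics, ports outside 53/80/443) are this example's assumptions, and the "####" fragments are the report's redaction, copied verbatim.

```python
"""Hunting check over the report's network lists (added example, not Dr.Web's code)."""
import re
from collections import defaultdict

# Constructed subsets of the "Connects to" and "HTTP POST requests" lists above.
CONNECTS = [
    "UDP(DNS) 8####.8.4.4:53",
    "TCP(HTTP/1.1) t####.c8####.com:20209",
    "TCP(HTTP/1.1) nu####.js####.com:12029",
    "TCP(HTTP/1.1) d.moce####.com:9091",
    "TCP(HTTP/1.1) a####.r####.com:13002",
    "TCP(HTTP/1.1) z4####.ep####.com:14002",
    "TCP(TLS/1.0) wcf.seven####.com:443",
    "TCP(HTTP/1.1) api.bi####.com:80",
]
POSTS = [
    "a####.r####.com:13002/84gcjmo/",
    "a####.r####.com:13002/ck0k66o/",
    "a####.r####.com:13002/v1jyved/",
    "api.bi####.com/un",
    "c####.pay####.com:443/1/j?a=####",
    "d.moce####.com:9091/wap/gateway",
    "nu####.js####.com:12029/hfdlls/",
    "nu####.js####.com:12029/i3v8nb/",
    "t####.c8####.com:13002/4ad8fq/",
    "t####.c8####.com:20209/dvifq/",
    "wcf.seven####.com:443/FBService.svc/d3f23rf334f3",
    "z4####.ep####.com:14002/a2jyco/",
    "z4####.ep####.com:14002/uv2tay/",
]

STANDARD_PORTS = {53, 80, 443}          # assumption: everything else is "non-standard"
# Optional "PROTO(...) " prefix, then host[:port][/path]; the query string is dropped.
_ENDPOINT_RE = re.compile(r"^(?:\S+\s+)?(?P<host>[^\s:/]+)(?::(?P<port>\d+))?(?P<path>/[^?]*)?")
_RANDOM_SEGMENT_RE = re.compile(r"^[a-z0-9]{5,7}$")   # assumption: 5-7 lowercase alphanumerics


def parse_endpoint(line):
    """(host, port, path) from a 'Connects to' or request line; port defaults to 80."""
    m = _ENDPOINT_RE.match(line.strip())
    if not m:
        raise ValueError(line)
    port = int(m.group("port")) if m.group("port") else 80
    return m.group("host"), port, (m.group("path") or "/")


def nonstandard_ports(connects):
    """Sorted list of destination ports outside STANDARD_PORTS."""
    return sorted({parse_endpoint(c)[1] for c in connects} - STANDARD_PORTS)


def suspicious_post_endpoints(posts):
    """host:port -> sorted path segments, for non-standard ports whose every POST path
    is a single short random-looking segment. A real path like /wap/gateway on port
    9091 is deliberately not flagged, so the port alone is not the signal."""
    by_endpoint = defaultdict(set)
    for p in posts:
        host, port, path = parse_endpoint(p)
        by_endpoint[(host, port)].add(path.strip("/"))
    flagged = {}
    for (host, port), segments in by_endpoint.items():
        if port not in STANDARD_PORTS and all(_RANDOM_SEGMENT_RE.match(s) for s in segments):
            flagged[f"{host}:{port}"] = sorted(segments)
    return flagged


if __name__ == "__main__":
    print("non-standard ports:", nonstandard_ports(CONNECTS))
    for endpoint, segments in suspicious_post_endpoints(POSTS).items():
        print(endpoint, segments)
```

Because the hostnames are redacted, the report cannot be used for exact-match blocking; the port-plus-path shape is what survives redaction, and the TLS/1.0 connections to Google and ad-network hosts are the bundled ad SDKs' traffic rather than command-and-control.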
File system changes:
Creates the following files:
  • /data/data/####/.ki
  • /data/data/####/.m
  • /data/data/####/.t
  • /data/data/####/.wmgs
  • /data/data/####/011134986548f3458aa3e7e2a7fceb8d
  • /data/data/####/1.dex
  • /data/data/####/1.dex.flock (deleted)
  • /data/data/####/1.jar
  • /data/data/####/109086jvy
  • /data/data/####/109086jvy.dex
  • /data/data/####/109086jvy.dex.flock (deleted)
  • /data/data/####/110DA34DBF855151FCE6063B7AE98E65
  • /data/data/####/110DA34DBF855151FCE6063B7AE98E65.dex
  • /data/data/####/110DA34DBF855151FCE6063B7AE98E65.dex.flock (deleted)
  • /data/data/####/110DA34DBF855151FCE6063B7AE98E65.temp
  • /data/data/####/110DA34DBF855151FCE6063B7AE98E65.zip
  • /data/data/####/2021_11_04readzibaoliangwuke.xml
  • /data/data/####/2118BF62061AA81849864E1FA899D952
  • /data/data/####/2118BF62061AA81849864E1FA899D952.dex
  • /data/data/####/2118BF62061AA81849864E1FA899D952.dex.flock (deleted)
  • /data/data/####/2118BF62061AA81849864E1FA899D952.temp
  • /data/data/####/2118BF62061AA81849864E1FA899D952.zip
  • /data/data/####/27BF05872DF06A7DE4E877D5B3A61827.xml
  • /data/data/####/37D20B1E2F07E4F3F21755062BA40547
  • /data/data/####/3e2wssr.xml
  • /data/data/####/3e2wssr.xml.bak
  • /data/data/####/47AB7209AD7ACF4EB1EA636A3039D803
  • /data/data/####/4A20E7AD78924312CD8BC7F756DE340F
  • /data/data/####/4A20E7AD78924312CD8BC7F756DE340F.dex
  • /data/data/####/4A20E7AD78924312CD8BC7F756DE340F.dex.flock (deleted)
  • /data/data/####/4A20E7AD78924312CD8BC7F756DE340F.temp
  • /data/data/####/4A20E7AD78924312CD8BC7F756DE340F.zip
  • /data/data/####/5A064F2364D48401E82059BE1BFB3FC6
  • /data/data/####/5A064F2364D48401E82059BE1BFB3FC6.dex
  • /data/data/####/5A064F2364D48401E82059BE1BFB3FC6.dex.flock (deleted)
  • /data/data/####/5A064F2364D48401E82059BE1BFB3FC6.jar
  • /data/data/####/5A064F2364D48401E82059BE1BFB3FC6.temp
  • /data/data/####/636CD3B3EDFDE2D4D1D32F10D7347670
  • /data/data/####/636CD3B3EDFDE2D4D1D32F10D7347670.dex
  • /data/data/####/636CD3B3EDFDE2D4D1D32F10D7347670.dex.flock (deleted)
  • /data/data/####/636CD3B3EDFDE2D4D1D32F10D7347670.temp
  • /data/data/####/636CD3B3EDFDE2D4D1D32F10D7347670.zip
  • /data/data/####/6fb69037213d6bb4_0
  • /data/data/####/6fb69037213d6bb4_0 (deleted)
  • /data/data/####/8FFE8235E5662DE0A07F13AC7491AB54
  • /data/data/####/90FCBC4E72D8C499954E2A48BD6A2C19
  • /data/data/####/90FCBC4E72D8C499954E2A48BD6A2C19.dex
  • /data/data/####/90FCBC4E72D8C499954E2A48BD6A2C19.dex.flock (deleted)
  • /data/data/####/90FCBC4E72D8C499954E2A48BD6A2C19.jar
  • /data/data/####/90FCBC4E72D8C499954E2A48BD6A2C19.temp
  • /data/data/####/92803EBB7D87B2E67FB0CEF6704D2D24
  • /data/data/####/95D59285D710EC3D31C7DC4E023745A4
  • /data/data/####/95D59285D710EC3D31C7DC4E023745A4.dex
  • /data/data/####/95D59285D710EC3D31C7DC4E023745A4.dex.flock (deleted)
  • /data/data/####/95D59285D710EC3D31C7DC4E023745A4.temp
  • /data/data/####/95D59285D710EC3D31C7DC4E023745A4.zip
  • /data/data/####/9B6F0F554183A3CD8361BE73C403E28B
  • /data/data/####/9B6F0F554183A3CD8361BE73C403E28B.dex
  • /data/data/####/9B6F0F554183A3CD8361BE73C403E28B.dex.flock (deleted)
  • /data/data/####/9B6F0F554183A3CD8361BE73C403E28B.temp
  • /data/data/####/9B6F0F554183A3CD8361BE73C403E28B.zip
  • /data/data/####/BFDB36197AD62250D717DC665B6B32FF
  • /data/data/####/C3B2481BF31F7E7DF213B1679D8AFC65
  • /data/data/####/C926D733D4E308956A8587F7AD9FED7C
  • /data/data/####/C926D733D4E308956A8587F7AD9FED7C.dex
  • /data/data/####/C926D733D4E308956A8587F7AD9FED7C.dex.flock (deleted)
  • /data/data/####/C926D733D4E308956A8587F7AD9FED7C.jar
  • /data/data/####/C926D733D4E308956A8587F7AD9FED7C.temp
  • /data/data/####/Cookies
  • /data/data/####/Cookies-journal
  • /data/data/####/D1E212CE2246CA824FF329FE82DA5812
  • /data/data/####/D1E212CE2246CA824FF329FE82DA5812.dex
  • /data/data/####/D1E212CE2246CA824FF329FE82DA5812.dex.flock (deleted)
  • /data/data/####/D1E212CE2246CA824FF329FE82DA5812.jar
  • /data/data/####/D1E212CE2246CA824FF329FE82DA5812.temp
  • /data/data/####/E1A26EB104BC37CA228217F2AA6136CB
  • /data/data/####/E1A26EB104BC37CA228217F2AA6136CB.dex
  • /data/data/####/E1A26EB104BC37CA228217F2AA6136CB.dex.flock (deleted)
  • /data/data/####/E1A26EB104BC37CA228217F2AA6136CB.jar
  • /data/data/####/E1A26EB104BC37CA228217F2AA6136CB.temp
  • /data/data/####/E7C8A3F6E0E20F381FF38DF485FCE16E
  • /data/data/####/E7C8A3F6E0E20F381FF38DF485FCE16E.dex
  • /data/data/####/E7C8A3F6E0E20F381FF38DF485FCE16E.dex.flock (deleted)
  • /data/data/####/E7C8A3F6E0E20F381FF38DF485FCE16E.temp
  • /data/data/####/E7C8A3F6E0E20F381FF38DF485FCE16E.zip
  • /data/data/####/EC0DA9876DC2A33B72C2A6BBEE1FE801.dex (deleted)
  • /data/data/####/EC0DA9876DC2A33B72C2A6BBEE1FE801.dex.flock (deleted)
  • /data/data/####/EC0DA9876DC2A33B72C2A6BBEE1FE801.jar
  • /data/data/####/F4B17ACF5290B91BC7F8C0FE52D16691
  • /data/data/####/F4B17ACF5290B91BC7F8C0FE52D16691.dex
  • /data/data/####/F4B17ACF5290B91BC7F8C0FE52D16691.dex.flock (deleted)
  • /data/data/####/F4B17ACF5290B91BC7F8C0FE52D16691.temp
  • /data/data/####/F4B17ACF5290B91BC7F8C0FE52D16691.zip
  • /data/data/####/F73811C2013B84778D431A6EE070420A.dex
  • /data/data/####/F73811C2013B84778D431A6EE070420A.dex.flock (deleted)
  • /data/data/####/F73811C2013B84778D431A6EE070420A.jar
  • /data/data/####/F73811C2013B84778D431A6EE070420A.temp
  • /data/data/####/MobikokCommonConfig.xml
  • /data/data/####/PreferenceDeviceConfig.xml
  • /data/data/####/RDEwMjMz_iuy_data.xml
  • /data/data/####/RDEwMjMz_uuid_data.xml
  • /data/data/####/Web Data
  • /data/data/####/Web Data-journal
  • /data/data/####/WebViewChromiumPrefs.xml
  • /data/data/####/YnJvd3Nlcl9sYWRh%0A.abc
  • /data/data/####/ZS50bXAuZGVjLmphcg%3D%3D%0A.jar
  • /data/data/####/ZS50bXAuamFy%0A
  • /data/data/####/ZS5kZWMuamFy%0A.dex
  • /data/data/####/ZS5kZWMuamFy%0A.dex.flock (deleted)
  • /data/data/####/ZS5kZWMuamFy%0A.jar
  • /data/data/####/aG9zdF9zdGdfYmVzdF9zZGs%3D%0A.abc
  • /data/data/####/aa1dc02f14bd694ad17d1f188edfa210
  • /data/data/####/ai
  • /data/data/####/anNfYnJvd3Nlcl8wMzEy%0A
  • /data/data/####/anNfYnJvd3Nlcl8wMzEy%0A.abc
  • /data/data/####/anNfYnJvd3Nlcl8wMzEy%0A.dex
  • /data/data/####/anNfYnJvd3Nlcl8wMzEy%0A.dex.flock (deleted)
  • /data/data/####/anNfYnJvd3Nlcl8wMzEy%0A.jar
  • /data/data/####/anNfaHRw%0A
  • /data/data/####/anNfaHRw%0A.abc
  • /data/data/####/anNfaHRw%0A.jar
  • /data/data/####/anNfc29hXzI%3D%0A.abc
  • /data/data/####/anNfd3Bu%0A.abc
  • /data/data/####/anNfdGVzdHBvY2E%3D%0A
  • /data/data/####/anNfdGVzdHBvY2E%3D%0A.abc
  • /data/data/####/anNfdGVzdHBvY2E%3D%0A.dex
  • /data/data/####/anNfdGVzdHBvY2E%3D%0A.dex.flock (deleted)
  • /data/data/####/anNfdGVzdHBvY2E%3D%0A.jar
  • /data/data/####/anNfeXk%3D%0A.abc
  • /data/data/####/androidxcorebac5z.
  • /data/data/####/androidxcorebac5z.dex
  • /data/data/####/androidxcorebac5z.dex.flock (deleted)
  • /data/data/####/base.apk
  • /data/data/####/base.dex
  • /data/data/####/base.dex.flock (deleted)
  • /data/data/####/c34a4c3h54e6_TYUYRTTYT
  • /data/data/####/ccddef.dex
  • /data/data/####/ccddef.dex.flock (deleted)
  • /data/data/####/ccddef.jar
  • /data/data/####/com.cc.adsf.asdf.try.の.s3u4b34f3f4_YUIYTRYUT
  • /data/data/####/core.set.bili.collect_ct_default.xml
  • /data/data/####/core.set.bili.collect_preferences.xml
  • /data/data/####/curtain_sp.xml
  • /data/data/####/d0b06e32c35311eb8cdbb8599f4fd9e038e17b0e57b6ecc...6cache
  • /data/data/####/d0b06e32c35311eb8cdbb8599f4fd9e053fb20c3-d333-4...cae6f6
  • /data/data/####/d0b06e32c35311eb8cdbb8599f4fd9e053fb20c3-d333-4...f6.dex
  • /data/data/####/d0b06e32c35311eb8cdbb8599f4fd9e053fb20c3-d333-4...leted)
  • /data/data/####/d0b06e32c35311eb8cdbb8599f4fd9e0a0b878ed-3a96-4...91.dex
  • /data/data/####/d0b06e32c35311eb8cdbb8599f4fd9e0a0b878ed-3a96-4...eae391
  • /data/data/####/d0b06e32c35311eb8cdbb8599f4fd9e0a0b878ed-3a96-4...leted)
  • /data/data/####/d0b06e32c35311eb8cdbb8599f4fd9e0b6cb96745f47e9c...1cache
  • /data/data/####/d0b06e32c35311eb8cdbb8599f4fd9e0b6cb96745f47e9c...65f071
  • /data/data/####/d8039c9c3d92de7b_0
  • /data/data/####/data.dex
  • /data/data/####/data.dex.flock (deleted)
  • /data/data/####/data.jar
  • /data/data/####/df4essr.xml
  • /data/data/####/df4essr.xml.bak
  • /data/data/####/du
  • /data/data/####/e3f4r3ed.data
  • /data/data/####/e3f4r3ed.data-journal
  • /data/data/####/e3wg5rd.data
  • /data/data/####/e3wg5rd.data-journal
  • /data/data/####/eb1e1b843bb4b4c5_0 (deleted)
  • /data/data/####/f6edbcc3474b41fabf9cb952ccfcbfe9
  • /data/data/####/fb9dd01690a0d1ddbce9e527fb32207f.xml
  • /data/data/####/fb9dd01690a0d1ddbce9e527fb32207f.xml.bak
  • /data/data/####/gameid
  • /data/data/####/gameid.zip
  • /data/data/####/gczt.png
  • /data/data/####/gjbq.png
  • /data/data/####/index
  • /data/data/####/jctr
  • /data/data/####/kdid
  • /data/data/####/ktwp
  • /data/data/####/libkezc.so
  • /data/data/####/libkezc.so-32
  • /data/data/####/libkezc.so-64
  • /data/data/####/libmytz.so
  • /data/data/####/libmytz.so-32
  • /data/data/####/libmytz.so-64
  • /data/data/####/libsszf.so
  • /data/data/####/libsszf.so-32
  • /data/data/####/libsszf.so-64
  • /data/data/####/life_record_config.xml
  • /data/data/####/metrics_guid
  • /data/data/####/mq.xml
  • /data/data/####/ofew.png
  • /data/data/####/readzibaoliang.xml
  • /data/data/####/s1s1k1_c2o3n23f2i3g2.xml
  • /data/data/####/s20211101220628.1
  • /data/data/####/s3p43_OIUTIUYT.xml
  • /data/data/####/s3p43_OIUTIUYT.xml.bak (deleted)
  • /data/data/####/sp_dojz.xml
  • /data/data/####/sp_dojz.xml.bak
  • /data/data/####/sp_dqzanr.xml
  • /data/data/####/sp_dqzanr.xml.bak
  • /data/data/####/sp_tgee.xml
  • /data/data/####/sp_tgee.xml.bak (deleted)
  • /data/data/####/sp_uenzy.xml
  • /data/data/####/sp_uenzy.xml.bak
  • /data/data/####/sytk.xml
  • /data/data/####/the-real-index
  • /data/data/####/uhen.xml
  • /data/data/####/ulanda.xml
  • /data/data/####/uma.xml
  • /data/data/####/xfksgku
  • /data/misc/####/primary.prof
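Two things in the file list above are worth decoding rather than reading as noise. Names such as anNfYnJvd3Nlcl8wMzEy%0A.abc are URL-encoded Base64 (the %0A is the trailing newline Android's default Base64 encoder emits, %3D is '=' padding); decoded, they are the module names in the oss.heyg####.club download paths listed under HTTP GET requests (js_browser_0312, js_htp, browser_lada, and so on). The 32-hex-character stems that appear as .zip or .jar, .temp, .dex and a deleted .dex.flock are the trace of an archive being dropped and then loaded through a class loader, which makes the runtime write the optimized .dex beside it and briefly hold a lock file. The script below is an added example, not Dr.Web's code; it works on a constructed subset of the names copied from the lists above ("####" is the report's redaction) and the interpretation of the hex-stem chains as class-loader staging is this example's assumption.

```python
"""Decode obfuscated file names and spot dex-staging chains (added example)."""
import base64
import re
from urllib.parse import unquote

# Constructed subset of the "Creates the following files" list above.
CREATED_FILES = [
    "/data/data/####/YnJvd3Nlcl9sYWRh%0A.abc",
    "/data/data/####/ZS50bXAuZGVjLmphcg%3D%3D%0A.jar",
    "/data/data/####/ZS5kZWMuamFy%0A.dex",
    "/data/data/####/aG9zdF9zdGdfYmVzdF9zZGs%3D%0A.abc",
    "/data/data/####/anNfYnJvd3Nlcl8wMzEy%0A.abc",
    "/data/data/####/anNfaHRw%0A.jar",
    "/data/data/####/anNfc29hXzI%3D%0A.abc",
    "/data/data/####/anNfdGVzdHBvY2E%3D%0A.dex",
    "/data/data/####/anNfd3Bu%0A.abc",
    "/data/data/####/anNfeXk%3D%0A.abc",
    "/data/data/####/base.apk",                              # plain name: decodes to None
    "/data/data/####/110DA34DBF855151FCE6063B7AE98E65",
    "/data/data/####/110DA34DBF855151FCE6063B7AE98E65.dex",
    "/data/data/####/110DA34DBF855151FCE6063B7AE98E65.dex.flock (deleted)",
    "/data/data/####/110DA34DBF855151FCE6063B7AE98E65.temp",
    "/data/data/####/110DA34DBF855151FCE6063B7AE98E65.zip",
    "/data/data/####/37D20B1E2F07E4F3F21755062BA40547",      # stem with no .dex: not a chain
]

# Constructed subset of the "HTTP GET requests" list above.
DOWNLOAD_PATHS = [
    "oss.heyg####.club:443/browser_lada_20210507/browser_lada_20210507_3",
    "oss.heyg####.club:443/js_browser_0312/js_browser_0312_20210312",
    "oss.heyg####.club:443/js_htp_20210604/js_htp_20210604_2",
    "oss.heyg####.club:443/js_soa_2/js_soa_2_20210926",
    "oss.heyg####.club:443/js_testpoca/js_testpoca_20210205",
    "oss.heyg####.club:443/js_wpn/js_wpn_20210412",
    "oss.heyg####.club:443/js_yy/js_yy_20210830",
    "oss.heyg####.club:443/stg/stg_201119",
]

# URL-encoded Base64 stem ending in the encoded newline, then optional extensions.
_B64_NAME_RE = re.compile(r"^(?P<stem>[A-Za-z0-9%]+%0A)(?P<suffix>(?:\.[A-Za-z0-9]+)*)$")
# 32-hex stem, optional extensions, optional "(deleted)" marker from the report.
_HEX_STEM_RE = re.compile(r"^(?P<stem>[0-9A-Fa-f]{32})(?P<suffix>(?:\.[a-z]+)*)(?: \(deleted\))?$")


def decode_name(path):
    """Plaintext name hidden in a URL-encoded Base64 file name, or None if it is not one."""
    m = _B64_NAME_RE.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    try:
        raw = unquote(m.group("stem")).strip()                # "%3D%3D%0A" -> "==\n" -> "=="
        text = base64.b64decode(raw, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def module_from_path(url_path):
    """Directory segment after host:port, e.g. 'js_browser_0312'."""
    return url_path.split("/")[1]


def correlate(created_files, download_paths):
    """Decoded on-disk name -> download directory it matches, or None.

    Prefix matching is needed because the server path carries a date suffix
    ('browser_lada_20210507') that the on-disk name ('browser_lada') lacks.
    """
    modules = sorted({module_from_path(p) for p in download_paths})
    out = {}
    for f in created_files:
        name = decode_name(f)
        if name is not None:
            out[name] = next((mod for mod in modules
                              if mod == name or mod.startswith(name + "_")), None)
    return out


def dex_staging_chains(created_files):
    """32-hex stems that went archive -> .dex (assumed class-loader staging).

    Returns stem -> sorted suffixes, keeping only stems that have both an archive
    (.zip or .jar) and a .dex; a lone stem or a stem with just a .temp is ignored.
    """
    chains = {}
    for f in created_files:
        m = _HEX_STEM_RE.match(f.rsplit("/", 1)[-1])
        if m:
            chains.setdefault(m.group("stem").upper(), set()).add(m.group("suffix"))
    return {stem: sorted(sfx) for stem, sfx in chains.items()
            if ".dex" in sfx and sfx & {".zip", ".jar"}}


if __name__ == "__main__":
    for name, origin in correlate(CREATED_FILES, DOWNLOAD_PATHS).items():
        print(f"{name:<20} <- {origin}")
    for stem, suffixes in dex_staging_chains(CREATED_FILES).items():
        print(stem, suffixes)
```

Names that decode cleanly but match no download directory (host_stg_best_sdk, e.dec.jar, e.tmp.dec.jar) are still informative: they are intermediate or decrypted stages the sample names itself, which is why the check reports them with None rather than dropping them.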
Miscellaneous:
Executes the following shell commands (enumerating third-party packages, reading the Wi-Fi MAC address and querying system properties):
  • app_process /system/bin com.android.commands.pm.Pm list package -3
  • cat /proc/version
  • cat /sys/class/net/wlan0/address
  • getprop
  • getprop ro.board.platform
  • getprop ro.product.cpu.abi
  • getprop ro.yunos.build.version
  • sh
Loads the following dynamic libraries:
  • xfksgku
Uses the following algorithms to encrypt data:
  • AES-CBC-PKCS5Padding
  • AES-ECB-PKCS5Padding
  • DES-CBC-PKCS5Padding
  • RSA-None-PKCS1Padding
Uses the following algorithms to decrypt data:
  • AES-CBC-PKCS5Padding
  • AES-ECB-PKCS5Padding
  • DES-CBC-PKCS5Padding
  • RSA-None-PKCS1Padding
  • desede-CBC-PKCS5Padding (Triple DES)
Accesses the ITelephony private interface.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Adds tasks to the system scheduler.
Requests the system alert window permission.

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a ransom, or some other announcement prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and the specifications of the particular device, this is done in various ways; consult the user guide that came with the device or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android Light on the infected handheld and run a full system scan; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.