Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.1007.origin
- Android.Triada.573.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) api.applove####.com:80
- TCP(HTTP/1.1) lo####.applove####.com:80
- TCP(TLS/1.0) 1####.251.36.42:443
- TCP(TLS/1.0) ruwild####.al####.com.####.net:443
- TCP(TLS/1.0) thinkbi####.g2####.com:443
- TCP(TLS/1.0) rr1---s####.g####.com:443
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.0) fo####.site:443
- TCP(TLS/1.0) appstra####.com:443
- TCP(TLS/1.0) seven####.com:443
- TCP(TLS/1.0) 2####.58.214.10:443
- TCP(TLS/1.0) gd.a.s####.com:443
- TCP(TLS/1.0) hype####.gotrac####.com:443
- TCP(TLS/1.0) eu####.al####.com.####.net:443
- TCP(TLS/1.0) os####.9####.com:443
- TCP(TLS/1.0) 2####.58.208.106:443
- TCP(TLS/1.0) 1####.250.179.142:443
- TCP(TLS/1.2) 1####.251.39.99:443
- TCP(TLS/1.2) 1####.251.36.42:443
- TCP(TLS/1.2) 1####.251.36.46:443
- TCP(TLS/1.2) 2####.58.214.10:443
- UDP 2####.58.208.106:443
- UDP 1####.251.36.42:443
DNS requests:
- air####.com
- alphamo####.g2####.com
- api.applove####.com
- appstra####.com
- fo####.site
- gmscomp####.google####.com
- hype####.gotrac####.com
- lo####.applove####.com
- m####.go####.com
- os####.9####.com
- pv.s####.com
- rr1---s####.g####.com
- s####.aliexp####.com
- s.c####.aliexp####.com
- seven####.com
- thinkbi####.g2####.com
HTTP GET requests:
- api.applove####.com/api/v3/cache/get?osv=####&srnc=####&token=####&ds=##...
- api.applove####.com/api/v3/template/get?slot_id=####&update_time=####&us...
- appstra####.com:443/tracking/click?trafficsource=####&clickid=####&pub_s...
- eu####.al####.com.####.net:443/i/_A4gIGW?af=####&dp=####&adid=####&idfa=...
- fo####.site:443/323ewew/s20220619151252.1
- gd.a.s####.com:443/cityjson
- hype####.gotrac####.com:443/click?campaign_id=####&pub_id=####&p1=####&s...
- hype####.gotrac####.com:443/click?campaign_id=####&pub_id=####&p1=newS##...
- ruwild####.al####.com.####.net:443/continuation_default.htm?aff_platform...
- ruwild####.al####.com.####.net:443/nl/__pc/continuation_default.htm?aff_...
- thinkbi####.g2####.com:443/click?pid=####&offer_id=####&sub1=####&sub2=#...
- thinkbi####.g2####.com:443/click?pid=####&offer_id=####&sub1=ne####&sub2...
HTTP POST requests:
- lo####.applove####.com/android/v2/click_redirect
- os####.9####.com:443/typefish/en/cp/a
- os####.9####.com:443/typefish/en/customer/reg
- seven####.com:443/BBService.svc/wwwwsaxsax
- seven####.com:443/OOService.svc/iuiuidasdsiiui
File system changes:
Creates the following files:
- /data/data/####/Cookies-journal
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/androidxcorealc0z.
- /data/data/####/androidxcorealc0z.dex
- /data/data/####/androidxcorealc0z.dex.flock (deleted)
- /data/data/####/cd_werozod
- /data/data/####/cd_yurirty
- /data/data/####/com.asdcmaxd.aaekxiex_ct_default.xml
- /data/data/####/com.asdcmaxd.aaekxiex_ct_default.xml.bak (deleted)
- /data/data/####/com.asdcmaxd.aaekxiex_preferences.xml
- /data/data/####/com.sdfwe.werw.case.の.bat_tryrty
- /data/data/####/commesgomgboy.
- /data/data/####/commesgomgboy.dex
- /data/data/####/commesgomgboy.dex.flock (deleted)
- /data/data/####/metrics_guid
- /data/data/####/s1s1k1_c2o3n23f2i3g2.xml
- /data/data/####/s20220619151252.dex
- /data/data/####/s20220619151252.dex.flock (deleted)
- /data/data/####/sp_dsoio.xml
- /data/data/####/sp_dsoio.xml.bak
- /data/data/####/sp_ytuetryetr.xml
- /data/data/####/times.xml
- /data/data/####/udu_id.xml
- /data/data/####/udu_r.xml
- /data/data/####/udu_sid.xml
- /data/media/####/Log.txt
Miscellaneous:
Executes the following shell scripts:
- app_process /system/bin com.android.commands.pm.Pm list package -3
- cat /proc/version
- sh
Uses the following algorithms to encrypt data:
- DES
Uses the following algorithms to decrypt data:
- DES
- desede-CBC-PKCS5Padding
Accesses the ITelephony private interface.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
