Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.337.origin
Threat detection based on machine learning.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) us####.duckcal####.com:80
- TCP(HTTP/1.1) jp####.duckcal####.com:80
- TCP(HTTP/1.1) connect####.gst####.com:80
- TCP(HTTP/1.1) m####.duckcal####.com:80
- TCP(HTTP/1.1) in####.duckcal####.com:80
- TCP(HTTP/1.1) ir####.duckcal####.com:80
- TCP(HTTP/1.1) h####.duckcal####.com:80
- TCP(HTTP/1.1) api.chas####.net:80
- TCP(HTTP/1.1) www.go####.com:80
- TCP(HTTP/1.1) s####.duckcal####.com:80
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) g####.face####.com:443
- TCP(TLS/1.0) rr2---s####.g####.com:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) 74.1####.131.100:443
- TCP(TLS/1.0) www.face####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) ssl.google-####.com:443
- TCP(TLS/1.0) unit####.edges####.net:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) connect####.gst####.com:443
- TCP(TLS/1.0) rr18---####.g####.com:443
- TCP(TLS/1.0) www.google####.com:443
- TCP(TLS/1.0) rr9---s####.g####.com:443
- TCP(TLS/1.2) www.go####.com:443
- UDP p####.google####.com:443
DNS requests:
- and####.a####.go####.com
- and####.google####.com
- api.chas####.net
- au####.duckcal####.com
- ca####.duckcal####.com
- co####.unit####.uni####.com
- connect####.gst####.com
- fr####.duckcal####.com
- g####.face####.com
- ge####.duckcal####.com
- gmscomp####.google####.com
- googl####.g.doublec####.net
- gu####.duckcal####.com
- h####.duckcal####.com
- in####.duckcal####.com
- ir####.duckcal####.com
- jp####.duckcal####.com
- k####.duckcal####.com
- m####.duckcal####.com
- m####.go####.com
- p####.google####.com
- rr18---####.g####.com
- rr2---s####.g####.com
- rr9---s####.g####.com
- s####.duckcal####.com
- s####.duckcal####.com
- sdk.a####.cn
- ssl.google-####.com
- u####.duckcal####.com
- us####.duckcal####.com
- us####.duckcal####.com
- www.face####.com
- www.go####.com
- www.google####.com
- www.googlet####.com
HTTP GET requests:
- api.chas####.net/V1/ArriveRate?type=####&mnc=####&app_version=####&andro...
- unit####.edges####.net:443/webview/3.5.1/3bfc3ca178a47dbaaa3a2fb2d74d961...
- unit####.edges####.net:443/webview/3.5.1/release/config.json?ts=####&sdk...
- us####.duckcal####.com/V1/ArriveRate?type=####&mnc=####&app_version=####...
- www.go####.com/gen_204
- www.googlet####.com:443/r?id=####&v=####
- www.googlet####.com:443/r?id=####&v=####&pv=####
HTTP POST requests:
- h####.duckcal####.com/V1/checkSpeed
- in####.duckcal####.com/V1/checkSpeed
- ir####.duckcal####.com/V1/checkSpeed
- jp####.duckcal####.com/V1/checkSpeed
- m####.duckcal####.com/V1/checkSpeed
- s####.duckcal####.com/V1/checkSpeed
- us####.duckcal####.com/Api/event?version_name=####
- us####.duckcal####.com/Api/index?version_name=####
- us####.duckcal####.com/Api/report_port_error?version_name=####
- us####.duckcal####.com/V1/checkSpeed
- us####.duckcal####.com/V1/connect?version_name=####
- us####.duckcal####.com/V1/server_new?version_name=####
File system changes:
Creates the following files:
- /data/data/####/1633031840514.dex
- /data/data/####/1633031840514.dex.flock (deleted)
- /data/data/####/1633031840514.jar
- /data/data/####/1633031840514.tmp
- /data/data/####/AppEventsLogger.persistedevents
- /data/data/####/Cookies-journal
- /data/data/####/FBAdPrefs.xml
- /data/data/####/UnityAdsStorage-private-data.json
- /data/data/####/UnityAdsStorage-public-data.json
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/_gtmContainerRefreshPolicy_GTM-NT8WS8.xml
- /data/data/####/admob.xml
- /data/data/####/androidx.work.workdb-journal (deleted)
- /data/data/####/audience_network.dex
- /data/data/####/audience_network.dex.flock (deleted)
- /data/data/####/bypass-china.acl
- /data/data/####/bypass-lan-china.acl
- /data/data/####/bypass-lan.acl
- /data/data/####/china-list.acl
- /data/data/####/choose_channerl_data.xml
- /data/data/####/classes.dex
- /data/data/####/classes.dex.flock (deleted)
- /data/data/####/classes2.dex
- /data/data/####/classes2.dex.flock (deleted)
- /data/data/####/classes3.dex
- /data/data/####/classes3.dex.flock (deleted)
- /data/data/####/classes4.dex
- /data/data/####/classes4.dex.flock (deleted)
- /data/data/####/com.facebook.ads.idfa.xml
- /data/data/####/com.facebook.internal.SKU_DETAILS.xml
- /data/data/####/com.facebook.sdk.USER_SETTINGS.xml
- /data/data/####/com.facebook.sdk.appEventPreferences.xml
- /data/data/####/com.google.android.gms.analytics.prefs.xml
- /data/data/####/com.google.android.gms.appid-no-backup
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.speedy.vpn_preferences.xml
- /data/data/####/connected_left_time.xml
- /data/data/####/evernote_jobs.db-journal
- /data/data/####/gaClientId
- /data/data/####/gfwlist.acl
- /data/data/####/google_analytics_v4.db-journal
- /data/data/####/google_tagmanager.db
- /data/data/####/google_tagmanager.db-journal
- /data/data/####/index
- /data/data/####/last_fast_host_file.xml
- /data/data/####/login_files.xml
- /data/data/####/metrics_guid
- /data/data/####/net_data_file.xml
- /data/data/####/new_user.xml
- /data/data/####/proc_auxv
- /data/data/####/push_offer_file.xml
- /data/data/####/resource_GTM-NT8WS8
- /data/data/####/server_log_file.xml
- /data/data/####/the-real-index
- /data/data/####/user_info_file.xml
- /data/media/####/.nomedia
- /data/media/####/UnityAdsTest.txt
- /data/media/####/UnityAdsTest.txt (deleted)
- /data/media/####/UnityAdsWebApp.html
Miscellaneous:
Executes the following shell scripts:
- app_process /system/bin com.android.commands.pm.Pm path <Package>
- ping -c 10 -w 5 101.99.90.107
- ping -c 10 -w 5 102.130.118.99
- ping -c 10 -w 5 102.130.121.237
- ping -c 10 -w 5 103.107.198.170
- ping -c 10 -w 5 103.107.198.234
- ping -c 10 -w 5 103.236.150.199
- ping -c 10 -w 5 104.149.128.254
- ping -c 10 -w 5 104.149.134.194
- ping -c 10 -w 5 109.166.37.25
- ping -c 10 -w 5 109.169.72.95
- ping -c 10 -w 5 110.34.164.19
- ping -c 10 -w 5 111.90.150.121
- ping -c 10 -w 5 131.196.253.98
- ping -c 10 -w 5 139.99.135.133
- ping -c 10 -w 5 139.99.238.179
- ping -c 10 -w 5 139.99.89.194
- ping -c 10 -w 5 155.138.148.219
- ping -c 10 -w 5 158.69.1.16
- ping -c 10 -w 5 162.250.191.253
- ping -c 10 -w 5 172.104.116.233
- ping -c 10 -w 5 172.105.35.22
- ping -c 10 -w 5 172.105.43.221
- ping -c 10 -w 5 172.105.6.77
- ping -c 10 -w 5 172.107.199.110
- ping -c 10 -w 5 173.254.202.219
- ping -c 10 -w 5 185.153.180.10
- ping -c 10 -w 5 185.160.26.54
- ping -c 10 -w 5 185.162.125.91
- ping -c 10 -w 5 185.162.126.217
- ping -c 10 -w 5 185.219.133.59
- ping -c 10 -w 5 185.238.242.130
- ping -c 10 -w 5 188.240.71.142
- ping -c 10 -w 5 193.108.118.154
- ping -c 10 -w 5 2.56.149.99
- ping -c 10 -w 5 2.56.151.169
- ping -c 10 -w 5 203.78.103.48
- ping -c 10 -w 5 203.78.103.93
- ping -c 10 -w 5 212.103.61.167
- ping -c 10 -w 5 217.138.193.54
- ping -c 10 -w 5 217.138.202.6
- ping -c 10 -w 5 3.249.52.148
- ping -c 10 -w 5 3.35.207.221
- ping -c 10 -w 5 31.133.100.49
- ping -c 10 -w 5 37.120.213.230
- ping -c 10 -w 5 37.48.80.203
- ping -c 10 -w 5 46.165.254.155
- ping -c 10 -w 5 46.165.254.163
- ping -c 10 -w 5 47.108.177.240
- ping -c 10 -w 5 47.242.230.196
- ping -c 10 -w 5 47.93.84.139
- ping -c 10 -w 5 5.181.4.239
- ping -c 10 -w 5 5.188.0.138
- ping -c 10 -w 5 5.188.0.184
- ping -c 10 -w 5 5.188.36.11
- ping -c 10 -w 5 5.188.93.119
- ping -c 10 -w 5 5.188.93.41
- ping -c 10 -w 5 50.7.1.27
- ping -c 10 -w 5 51.195.136.209
- ping -c 10 -w 5 51.79.158.186
- ping -c 10 -w 5 51.79.161.77
- ping -c 10 -w 5 51.79.161.80
- ping -c 10 -w 5 51.89.138.162
- ping -c 10 -w 5 51.89.164.86
- ping -c 10 -w 5 62.210.213.6
- ping -c 10 -w 5 77.247.125.27
- ping -c 10 -w 5 81.90.188.58
- ping -c 10 -w 5 82.118.21.21
- ping -c 10 -w 5 89.249.73.206
- ping -c 10 -w 5 91.193.5.198
- ping -c 10 -w 5 91.193.6.66
- ping -c 10 -w 5 92.119.179.62
- ping -c 10 -w 5 92.223.79.76
- ping -c 10 -w 5 92.223.85.112
- ping -c 10 -w 5 92.223.85.145
- ping -c 10 -w 5 92.223.93.140
- ping -c 10 -w 5 92.38.139.95
- ping -c 10 -w 5 92.38.149.173
- ping -c 10 -w 5 92.38.152.142
- ping -c 10 -w 5 92.38.171.101
- ping -c 10 -w 5 92.38.171.103
- ping -c 10 -w 5 95.216.5.254
- pm path <Package>
- sh chmod 755 /data/app/<Package>-1/lib/arm/libpdnsd.so
- sh chmod 755 /data/app/<Package>-1/lib/arm/libproxychains4.so
- sh chmod 755 /data/app/<Package>-1/lib/arm/libssr-local.so
- sh chmod 755 /data/app/<Package>-1/lib/arm/libtun2socks.so
- sh killall libpdnsd.so
- sh killall libproxychains4.so
- sh killall libssr-local.so
- sh killall libtun2socks.so
- sh rm -f /data/user/0/<Package>/libpdnsd.so-vpn.conf
- sh rm -f /data/user/0/<Package>/libproxychains4.so-vpn.conf
- sh rm -f /data/user/0/<Package>/libssr-local.so-vpn.conf
- sh rm -f /data/user/0/<Package>/libtun2socks.so-vpn.conf
Loads the following dynamic libraries:
- libarm_protect
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Accesses the ITelephony private interface.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
