Technical information
Malicious functions:
Sends SMS messages:
- 4446: SHNMB 7533 SDK0085NG13802P957J010U929I<IMSI>ED
- 4446: SHNMB 7533 SDK0085NG13802P957J011U929I<IMSI>ED
Executes code of the following detected threats:
- Android.Backdoor.336.origin
- Android.Click.234
- Android.HiddenAds.76.origin
- Android.RemoteCode.88.origin
- Android.SmsBot.612.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google Host>
- TCP(Google Services) <Google Host>
- TCP(HTTP/1.1) g.i####.com:80
- TCP(HTTP/1.1) onc####.com:80
- TCP(HTTP/1.1) go.mob####.com:80
- TCP(HTTP/1.1) cdn.a####.com:80
- TCP(HTTP/1.1) supera####.com:80
- TCP(HTTP/1.1) adr####.com:80
- TCP(HTTP/1.1) ssl.gst####.com:80
- TCP(HTTP/1.1) i####.cn.com:80
- TCP(HTTP/1.1) c.d####.com:80
- TCP(HTTP/1.1) ip####.io:80
- TCP(HTTP/1.1) z####.com:80
- TCP(HTTP/1.1) www.go####.nl:80
- TCP(HTTP/1.1) traktra####.com:80
- TCP(HTTP/1.1) pg.x####.com:80
- TCP(HTTP/1.1) pipesch####.com:80
- TCP(HTTP/1.1) www.gst####.com:80
- TCP(HTTP/1.1) t.e####.com:80
- TCP(HTTP/1.1) st####.pushedw####.com:80
- TCP(HTTP/1.1) m62-gen####.com:80
- TCP(HTTP/1.1) f####.com:80
- TCP(HTTP/1.1) d####.smyk####.com:80
- TCP(HTTP/1.1) 2####.177.13.68:8288
- TCP(HTTP/1.1) uswild####.al####.com.####.net:80
- TCP(HTTP/1.1) a####.jiek####.com:80
- TCP(HTTP/1.1) lightin####.7####.net:80
- TCP(HTTP/1.1) eed.ta####.com:80
- TCP(HTTP/1.1) p####.le####.com:80
- TCP(HTTP/1.1) c.f####.com:80
- TCP(HTTP/1.1) api.uyt####.com:80
- TCP(HTTP/1.1) zigzag####.com:80
- TCP(HTTP/1.1) time####.com:80
- TCP(HTTP/1.1) b####.re:80
- TCP(HTTP/1.1) ads.apio####.com:80
- TCP(HTTP/1.1) m.aedx####.com:80
- TCP(HTTP/1.1) www.mmmmmm####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) www.o####.net:80
- TCP(HTTP/1.1) api.gad####.com:80
- TCP(HTTP/1.1) tra####.tc-cl####.com:80
- TCP(HTTP/1.1) tr4.t####.com:80
- TCP(HTTP/1.1) a####.hm5.me:80
- TCP(HTTP/1.1) www.go####.com:80
- TCP(HTTP/1.1) a####.jiek####.com:9090
- TCP(HTTP/1.1) t####.lin####.com:80
- TCP(HTTP/1.1) fu####.com:80
- TCP(HTTP/1.1) bs5####.com:80
- TCP(HTTP/1.1) c.b####.com:80
- TCP(HTTP/1.1) api.tazj####.com:80
- TCP(HTTP/1.1) syndica####.exoc####.com:80
- TCP(HTTP/1.1) p####.lead####.com:80
- TCP(HTTP/1.1) t####.a####.com:80
- TCP(HTTP/1.1) go.pushna####.com:80
- TCP(HTTP/1.1) d####.witchcr####.com:80
- TCP(HTTP/1.1) www.zfr####.com:80
- TCP(HTTP/1.1) www.cu####.com:80
- TCP(HTTP/1.1) pha####.info:80
- TCP(HTTP/1.1) go.pub####.com:80
- TCP(HTTP/1.1) a.yesa####.com:80
- TCP(HTTP/1.1) channel####.com:80
- TCP(HTTP/1.1) adplexm####.a####.com:80
- TCP(TLS/1.1) 1####.168.66.254:56794
- TCP(TLS/1.1) www.gst####.com:443
- TCP(TLS/1.1) ga.x####.com:443
- TCP(TLS/1.1) cdn.123sha####.com:443
- TCP(TLS/1.1) c####.jq####.com:443
- TCP(TLS/1.1) c.d####.com:443
- TCP(TLS/1.1) proadsr####.com:443
- TCP(TLS/1.1) ssl.gst####.com:443
- TCP(TLS/1.1) xoclkrv####.com:443
- TCP(TLS/1.1) playj####.com:443
- TCP(TLS/1.1) pushedw####.com:443
- TCP(TLS/1.1) 1####.168.66.254:40814
- TCP(TLS/1.1) wild####.al####.com.####.net:443
- TCP(TLS/1.1) eu####.al####.com.####.net:443
- TCP(TLS/1.1) trac####.le####.com:443
- TCP(TLS/1.1) formula####.com:443
- TCP(TLS/1.1) t####.a####.com:443
- TCP(TLS/1.1) st####.pushedw####.com:443
- TCP 1####.168.66.254:44586
DNS requests:
- a####.hm5.me
- a####.jiek####.com
- a####.jiek####.com
- a####.u####.com
- a.yesa####.com
- adplexm####.a####.com
- adr####.com
- ads.apio####.com
- api.gad####.com
- api.tazj####.com
- api.uyt####.com
- b####.aliexp####.com
- b####.re
- bs5####.com
- c####.jq####.com
- c.b####.com
- c.d####.com
- c.f####.com
- cdn.123sha####.com
- cdn.ad####.media
- channel####.com
- d####.smyk####.com
- d####.witchcr####.com
- eed.ta####.com
- f####.com
- formula####.com
- fu####.com
- g.i####.com
- ga.x####.com
- go.mob####.com
- go.pub####.com
- go.pushna####.com
- i####.cn.com
- i.al####.com
- ip####.io
- koolm####.info
- lightin####.7####.net
- lightin####.com
- m.aedx####.com
- m62-gen####.com
- modesc####.info
- n####.datefac####.com
- oc.u####.co
- oc.u####.com
- onc####.com
- p####.le####.com
- p####.lead####.com
- pg.x####.com
- pha####.info
- pipesch####.com
- playj####.com
- proadsr####.com
- pushedw####.com
- s.c####.aliexp####.com
- ssl.gst####.com
- st####.pushedw####.com
- supera####.com
- syndica####.exoc####.com
- t####.a####.com
- t####.lin####.com
- t.e####.com
- time####.com
- tr4.t####.com
- tra####.tc-cl####.com
- trac####.le####.com
- traktra####.com
- www.cu####.com
- www.go####.com
- www.go####.nl
- www.gst####.com
- www.mmmmmm####.com
- www.o####.net
- www.zfr####.com
- xoclkrv####.com
- z####.com
- zigzag####.com
HTTP GET requests:
- a####.hm5.me/U929_SW01_24.jar
- a####.jiek####.com/sdkcp/wappush?uid=####&model=####&imei=####&screen_si...
- adplexm####.a####.com/imp?p=70447355&ct=html&ap=1304&referrer=&psid=6587...
- adplexm####.a####.com/imp?p=70447355&ct=html&ap=1304&referrer=http://www...
- adplexm####.a####.com/ul_cb/imp?p=70447355&ct=html&ap=1304&referrer=&psi...
- adplexm####.a####.com/ul_cb/imp?p=70447355&ct=html&ap=1304&referrer=http...
- ads.apio####.com/pull/top_offer?gaid=####&id=####
- bs5####.com/?s=####&z=####&g=####&svar=####&ssk=####&h=####&b=####
- channel####.com/?l=####&s=####&z=####&g=####&ba=####&dm=####&ep=####&vi=...
- i####.cn.com/a/3521668acb8d3a1a04964513d0f7eb368
- m62-gen####.com/?b=####&ba=####&disableService=####&dm=####&ep=####&g=##...
- ssl.gst####.com/gb/images/qi1_36e7b564.png
- ssl.gst####.com/gen_204?atyp=####&ct=####&cad=####&ogsr=####&id=####&ic=...
- ssl.gst####.com/images/branding/googlelogo/2x/googlelogo_color_160x56dp....
- ssl.gst####.com/images/nav_logo242_hr.webp
- ssl.gst####.com/xjs/_/js/k=xjs.qs.nl.qQoVWDuZy7M.O/m=aa,abd,async,dvl,fo...
- ssl.gst####.com/xjs/_/js/k=xjs.qs.nl.qQoVWDuZy7M.O/m=sx,c,sb_mob,bct,cdo...
- syndica####.exoc####.com/splash.php?idzone=####&type=####&sub=####
- syndica####.exoc####.com/splash.php?idzone=####&type=####&sub=####&teste...
- t####.lin####.com/click?cid=####
- tr4.t####.com/newServing/tracking_id.php?gtruid=1&r=http://a.yesadsrv.co...
- tra####.tc-cl####.com/?p=####&media_type=####&source_type=####&click_id=...
- uswild####.al####.com.####.net/e/VV3fqnuFQ?af=####&afref=####&cv=####&dp...
- www.cu####.com/20170804144104.ExpDex_5.2.0_201708041439.zip
- www.go####.com/
- zigzag####.com/NL/2072983539?trackid=####&transaction_id=####&pubid=####...
- zigzag####.com/smart/nl-6ezh?trackid=####&transaction_id=####&pubid=####
HTTP POST requests:
- api.gad####.com/oversea_adjust_and_download_write_redis/notify/download/...
- g.i####.com/pilot/api/300102
- m.aedx####.com/errorview/api/601
- m.aedx####.com/smartview/api/920
- pg.x####.com/api/q/a/3521668acb8d3a1a04964513d0f7eb368
- t.e####.com/ggview/rsddateindex
- www.mmmmmm####.com/osp/oaen_get.action?tasktype=####&imei=####&imsi=####...
- www.mmmmmm####.com/osp/oaen_reg.action
- www.zfr####.com/up.do
Modified file system:
Creates the following files:
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/index
- <Package Folder>/databases/fruit.db
- <Package Folder>/databases/fruit.db-journal
- <Package Folder>/databases/mpush_game.db-journal
- <Package Folder>/databases/my.db
- <Package Folder>/databases/my.db-journal
- <Package Folder>/databases/net_dc_sdk.db
- <Package Folder>/databases/net_dc_sdk.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/.catr.apk
- <Package Folder>/files/####/.center.tapk
- <Package Folder>/files/####/.client
- <Package Folder>/files/####/.dg
- <Package Folder>/files/####/.dico.apk
- <Package Folder>/files/####/.dlme.apk
- <Package Folder>/files/####/.dlsb.apk
- <Package Folder>/files/####/.dsmt.apk
- <Package Folder>/files/####/.ir
- <Package Folder>/files/####/.p.apk
- <Package Folder>/files/####/.service
- <Package Folder>/files/####/.ukd
- <Package Folder>/files/####/.uks
- <Package Folder>/files/####/.uok
- <Package Folder>/files/####/5f79d63143102423ac148986c2ae37a0.da...leted)
- <Package Folder>/files/####/5f79d63143102423ac148986c2ae37a0.data.temp
- <Package Folder>/files/####/a.xml
- <Package Folder>/files/####/b.png
- <Package Folder>/files/####/busybox
- <Package Folder>/files/####/checkFile0
- <Package Folder>/files/####/checkFile13
- <Package Folder>/files/####/mkdevsh
- <Package Folder>/files/####/myshell
- <Package Folder>/files/####/postroot.sh
- <Package Folder>/files/####/r1
- <Package Folder>/files/####/r2
- <Package Folder>/files/####/r3
- <Package Folder>/files/####/r4
- <Package Folder>/files/####/rsh
- <Package Folder>/files/####/rt8
- <Package Folder>/files/####/supolicy
- <Package Folder>/files/.imprint
- <Package Folder>/files/5f79d63143102423ac148986c2ae37a0.data
- <Package Folder>/files/SW01
- <Package Folder>/files/SW01.jar
- <Package Folder>/files/bb.jar
- <Package Folder>/files/d.zip
- <Package Folder>/files/dtemp.apk
- <Package Folder>/files/mpush_gateway_preferences_file
- <Package Folder>/files/mpush_version_preferences_file
- <Package Folder>/files/ob.zip
- <Package Folder>/files/sdk.dex
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/3521668acb8d3a1a04964513d0f7eb368...le.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/ActivatePreUtil.xml
- <Package Folder>/shared_prefs/BusinessPreUtil.xml
- <Package Folder>/shared_prefs/LoginPreUtil.xml
- <Package Folder>/shared_prefs/OfferPreUtil.xml
- <Package Folder>/shared_prefs/SSP.xml
- <Package Folder>/shared_prefs/SSPPrefe.xml
- <Package Folder>/shared_prefs/SSPPrefe.xml.bak
- <Package Folder>/shared_prefs/TD_app_pefercen_profile.xml
- <Package Folder>/shared_prefs/TD_app_pefercen_profile.xml.bak
- <Package Folder>/shared_prefs/cn_rs.xml
- <Package Folder>/shared_prefs/device_info.xml
- <Package Folder>/shared_prefs/kbkbUpdateVerPreference.xml
- <Package Folder>/shared_prefs/m_cfg.xml
- <Package Folder>/shared_prefs/m_cfg.xml.bak
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/ops_data.xml
- <Package Folder>/shared_prefs/other_config.xml
- <Package Folder>/shared_prefs/pref_file.xml
- <Package Folder>/shared_prefs/pref_file.xml.bak
- <Package Folder>/shared_prefs/sp_config.xml
- <Package Folder>/shared_prefs/t_ini.xml
- <Package Folder>/shared_prefs/t_ini.xml.bak
- <Package Folder>/shared_prefs/td_pefercen_profile.xml
- <Package Folder>/shared_prefs/td_pefercen_profile.xml.bak
- <Package Folder>/shared_prefs/tdid.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak (deleted)
- <Package Folder>/shared_prefs/upgrade_config.xml
- <SD-Card>/.tcookieid
- <SD-Card>/.windy/508e8558f784e3a21d3368e4763e2693.tmp
- <SD-Card>/LogG/####/sp
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh ./mkdevsh
- <Package Folder>/files/.snow/exp <Package Folder>/files/.snow <Package Folder>/files/.work
- app_process /system/bin com.android.commands.pm.Pm disable com.android.tools.receiver
- app_process /system/bin com.android.commands.pm.Pm disable com.android.upon.hash
- app_process /system/bin com.android.commands.pm.Pm disable com.master.main.yaogirl.longe.wei
- app_process /system/bin com.android.commands.pm.Pm disable com.qiu.qing.bing.shuo.tu
- app_process /system/bin com.android.commands.pm.Pm disable com.setting.dysdtool
- app_process /system/bin com.android.commands.pm.Pm disable com.slave.wuw.yiyi.ranran.fang
- app_process /system/bin com.android.commands.pm.Pm enable com.android.tools.receiver
- app_process /system/bin com.android.commands.pm.Pm enable com.android.upon.hash
- app_process /system/bin com.android.commands.pm.Pm enable com.master.main.yaogirl.longe.wei
- app_process /system/bin com.android.commands.pm.Pm enable com.qiu.qing.bing.shuo.tu
- app_process /system/bin com.android.commands.pm.Pm enable com.setting.dysdtool
- app_process /system/bin com.android.commands.pm.Pm enable com.slave.wuw.yiyi.ranran.fang
- chcon u:object_r:system_file:s0 /system/bin/.author
- chcon u:object_r:system_file:s0 /system/xbin/.ci.pm
- chcon u:object_r:system_file:s0 /system/xbin/.cp
- chcon u:object_r:system_file:s0 /system/xbin/supolicy
- chmod 777 <Package Folder>/files/.snow/.catr.apk
- chmod 777 <Package Folder>/files/.snow/.client
- chmod 777 <Package Folder>/files/.snow/.dg
- chmod 777 <Package Folder>/files/.snow/.service
- chmod 777 <Package Folder>/files/.snow/.ukd
- chmod 777 <Package Folder>/files/.snow/.uks
- chmod 777 <Package Folder>/files/.snow/.uok
- chmod 777 <Package Folder>/files/.snow/.zip/
- chmod 777 <Package Folder>/files/.snow/.zip/mkdevsh
- chmod 777 <Package Folder>/files/.snow/.zip/r1
- chmod 777 <Package Folder>/files/.snow/.zip/r2
- chmod 777 <Package Folder>/files/.snow/.zip/r3
- chmod 777 <Package Folder>/files/.snow/.zip/r4
- chmod 777 <Package Folder>/files/.snow/.zip/rsh
- chmod 777 <Package Folder>/files/.snow/.zip/rt8
- chmod 777 <Package Folder>/files/.snow/a.xml
- chmod 777 <Package Folder>/files/.snow/b.png
- chmod 777 <Package Folder>/files/.snow/busybox
- chmod 777 <Package Folder>/files/.snow/myshell
- chmod 777 <Package Folder>/files/.snow/supolicy
- chmod 777 <Package Folder>/files/.work/postroot.sh
- chown 0.0 /data/local/tmp/busybox
- chown 0.0 /system/app/Dingps.apk
- chown 0.0 /system/app/WelSlave.apk
- chown 0.0 /system/bin/.author
- chown 0.0 /system/xbin/.ci.pm
- chown 0.0 /system/xbin/.cp
- chown 0.0 /system/xbin/.rainin
- chown 0.0 /system/xbin/supolicy
- chown 0:0 /data/local/tmp/.catr.apk
- chown 0:0 /data/local/tmp/busybox
- chown 0:0 /system/app/Dingps.apk
- chown 0:0 /system/app/Linkcai.apk
- chown 0:0 /system/app/Lowerp.apk
- chown 0:0 /system/app/MainMaster.apk
- chown 0:0 /system/app/WelSlave.apk
- chown 0:0 /system/app/oneshs.apk
- chown 0:0 /system/bin/.author
- chown 0:0 /system/bin/debuggerd
- chown 0:0 /system/lib/libsoon.so
- chown 0:0 /system/xbin/.ci.pm
- chown 0:0 /system/xbin/.cp
- chown 0:0 /system/xbin/.rainin
- chown 0:0 /system/xbin/supolicy
- df /system
- mount -o remount ro /system
- mount -o remount rw /system
- mount -o remount,ro /system
- mount -o remount,rw /system
- mount -ro remount ro /system
- mount -ro remount,ro /system
- mount -wo remount rw /system
- mount -wo remount,rw /system
- rm /system/bin/debuggerd
- sh
Uses the following algorithms to encrypt data:
- AES-CBC-NoPadding
- AES-CBC-PKCS7Padding
Uses the following algorithms to decrypt data:
- AES-CBC-NoPadding
- DES
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Gains access to information about running applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
