Android.Backdoor.766

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.Backdoor.657.origin
Android.Triada.382.origin

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) on####.lotu####.com:80
TCP(HTTP/1.1) 1####.74.111.56:9039
TCP(HTTP/1.1) oc.u####.com:80
TCP(HTTP/1.1) a.appj####.com:80
TCP(HTTP/1.1) p####.mili####.com:13579
TCP(HTTP/1.1) dl.c####.com:8081
TCP(HTTP/1.1) p.c####.com:9698
TCP(HTTP/1.1) on####.lotu####.com:88
TCP(HTTP/1.1) p.c####.com:9002

DNS requests:

a####.u####.com
a.appj####.com
dl.c####.com
e####.6d####.com
e####.c####.com
ga####.lotu####.com
oc.u####.com
on####.lotu####.com
p####.mili####.com
p.c####.com
ser####.j####.360.cn
www.huangda####.com

HTTP POST requests:

a####.u####.com/app_logs
a.appj####.com/ad-service/ad/mark
a.appj####.com/jiagu/check/upgrade
dl.c####.com:8081/update/index.php/protocol/getupdate
oc.u####.com/v2/check_config_update
oc.u####.com/v2/get_update_time
on####.lotu####.com/?st=####&sv=####&tm=####&sv=####&sc=####&sid=ezE####...
on####.lotu####.com:88/?mid=####&st=####&sv=####&tm=####&sv=####&sc=####...
p####.mili####.com:13579/SMSpay/api/updateVersion.do?
p.c####.com:9002/protocol/v2_1/pushbasicdata.do
p.c####.com:9698/protocol/v5_15/getstrategy.do

Modified file system:

Creates the following files:

/data/anr/traces.txt
<Package Folder>/databases/database-journal
<Package Folder>/databases/ehooab-journal
<Package Folder>/databases/ehooep
<Package Folder>/databases/ehooep-journal
<Package Folder>/databases/milipay_sms_one.db
<Package Folder>/databases/milipay_sms_one.db-journal
<Package Folder>/databases/webview.db-journal
<Package Folder>/files/####/.jg.ic
<Package Folder>/files/.imprint
<Package Folder>/files/.jiagu.lock
<Package Folder>/files/libjiagu.so
<Package Folder>/files/lotuseed_nr.apps
<Package Folder>/files/lotuseed_nr.s
<Package Folder>/files/lotuseed_nr.task
<Package Folder>/files/mj.apk
<Package Folder>/files/mobclick_agent_cached_<Package>52
<Package Folder>/files/umeng_it.cache
<Package Folder>/shared_prefs/<Package>_preferences.xml
<Package Folder>/shared_prefs/com.upay.billing.saveddata.Main.xml
<Package Folder>/shared_prefs/ehooae.xml
<Package Folder>/shared_prefs/ehooep.xml
<Package Folder>/shared_prefs/ehoopost.xml
<Package Folder>/shared_prefs/jg_app_update_settings_random.xml
<Package Folder>/shared_prefs/lotuseed_global_nr.xml
<Package Folder>/shared_prefs/mjpay.xml
<Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
<Package Folder>/shared_prefs/multidex.version.xml
<Package Folder>/shared_prefs/umeng_general_config.xml
<Package Folder>/shared_prefs/upay_pay.xml
<Package Folder>/shared_prefs/zhangpay_share.xml
<Package Folder>/shared_prefs/zhangpay_sms_info.xml
<SD-Card>/.system/lotuseed.devid
<SD-Card>/.twservice/####/.DS_Store
<SD-Card>/.twservice/####/libyhcore.so
<SD-Card>/.twservice/####/libyhcore2.so
<SD-Card>/.twservice/####/tw
<SD-Card>/.twservice/qshp_3001_2172.zip

Miscellaneous:

Executes next shell scripts:

df
getprop apps.customerservice.device
ps

Loads the following dynamic libraries:

cocos2dcpp
libjiagu
ybzf

Uses the following algorithms to encrypt data:

Uses the following algorithms to decrypt data:

DES
DES-CBC-PKCS5Padding

Uses special library to hide executable bytecode.

Gains access to geolocation.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about APN settings.

Gains access to information about installed applications.

Displays its own windows over windows of other applications.

Parses information from SMS messages.

Gains access to information about sent/received SMS messages.

Tecnologías

Términos

Formación y educación

Mitos

Technical information

Curing recommendations

Free trial