Android.DownLoader.3946

Added to the Dr.Web virus database: 2018-11-20

Virus description added:

Technical information

Malicious functions:
Executes code of the following detected threats:
  • Android.RemoteCode.41.origin
  • Android.Triada.417.origin
  • Android.Triada.440.origin
  • Android.Xiny.20
  • Android.Xiny.224.origin
Downloads the following detected threats from the Internet:
  • Android.Xiny.20
Accesses the ITelephony private interface.
Network activity:
Connects to:
  • UDP(DNS) <Google DNS>
  • TCP(HTTP/1.1) 58.2####.198.165:888
  • TCP(HTTP/1.1) im####.nic####.cn:80
  • TCP(HTTP/1.1) 1####.75.90.129:80
  • TCP(HTTP/1.1) qiniu-s####.cdn.d####.com:80
  • TCP(HTTP/1.1) ob.nic####.cn:80
  • TCP(HTTP/1.1) 58.2####.198.131:888
  • TCP(HTTP/1.1) dup.baidust####.com:80
  • TCP(HTTP/1.1) www.pc####.com.####.cn:80
  • TCP(HTTP/1.1) i####.i####.com:80
  • TCP(HTTP/1.1) tc.c####.com:80
  • TCP(HTTP/1.1) pos.b####.com:80
  • TCP(HTTP/1.1) s####.x####.com.cn:80
  • TCP(HTTP/1.1) wn.pos.b####.com:80
  • TCP(HTTP/1.1) d0.x####.com.cn:80
  • TCP(HTTP/1.1) ec####.b####.com:80
  • TCP(HTTP/1.1) i.c####.com.####.com:80
  • TCP(HTTP/1.1) zf####.v.qin####.com:80
  • TCP(HTTP/1.1) ad.huoli####.cn:80
  • TCP(HTTP/1.1) v####.funs####.com:80
  • TCP(HTTP/1.1) c.appj####.com:80
  • TCP(HTTP/1.1) a.appj####.com:80
  • TCP(HTTP/1.1) 1####.75.115.32:80
  • TCP(HTTP/1.1) m####.z####.cn:80
  • TCP(HTTP/1.1) s.zhito####.com:808
  • TCP(HTTP/1.1) z####.heyc####.net:80
  • TCP(HTTP/1.1) www.ye####.org:80
  • TCP(HTTP/1.1) p####.cdb####.cn:80
  • TCP(HTTP/1.1) z.zt####.net:80
  • TCP(HTTP/1.1) ucstati####.b0.a####.com:80
  • TCP(HTTP/1.1) c####.baidust####.com:80
  • TCP(HTTP/1.1) MY####.huita####.com:10091
  • TCP(HTTP/1.1) 2####.187.226.25:80
  • TCP(HTTP/1.1) z.c####.com:80
  • TCP(HTTP/1.1) 61.1####.211.17:80
  • TCP(HTTP/1.1) s####.funs####.net:80
  • TCP(HTTP/1.1) ip.ch####.com:80
  • TCP(HTTP/1.1) 7k####.46####.com:15215
  • TCP(HTTP/1.1) m1.laogeda####.com:80
  • TCP(HTTP/1.1) app.w####.cn:80
  • TCP(HTTP/1.1) 1####.40.20.155:80
  • TCP(HTTP/1.1) ip.zhito####.com:88
  • TCP(HTTP/1.1) ub####.baidust####.com:80
  • TCP(HTTP/1.1) r####.qq####.cn:80
  • TCP(HTTP/1.1) c.c####.com:80
  • TCP(HTTP/1.1) do.soi####.com:80
  • TCP(HTTP/1.1) idu####.qini####.com:80
  • TCP(HTTP/1.1) m.scx####.com:80
  • TCP(HTTP/1.1) ip.zhito####.com:807
  • TCP(HTTP/1.1) 7k####.46####.com:20351
  • TCP(HTTP/1.1) w####.c####.com:80
  • TCP(HTTP/1.1) m.jj####.com:80
  • TCP(HTTP/1.1) ask.c####.com.####.com:80
  • UDP(NTP) 2.and####.p####.####.org:123
  • TCP(TLS/1.0) dev-tes####.oss-cn-####.aliy####.com:443
  • TCP(TLS/1.0) z.c####.com:443
  • TCP(TLS/1.0) pc####.i####.com:443
  • TCP(TLS/1.0) api.nic####.cn:443
  • TCP(TLS/1.0) c####.pc####.com.cn:443
  • TCP(TLS/1.0) gm.mm####.com:443
  • TCP(TLS/1.0) pos.b####.com:443
  • TCP(TLS/1.0) aliyuns####.oss-cn-####.aliy####.com:443
  • TCP(TLS/1.0) st####.adhu####.com:443
  • TCP(TLS/1.0) 2b.tand####.com:443
  • TCP(TLS/1.0) c####.baidust####.com:443
  • TCP(TLS/1.0) ec####.b####.com:443
  • TCP(TLS/1.0) aliyuno####.oss-cn-####.aliy####.com:443
  • TCP(TLS/1.0) hotfix####.oss-cn-####.aliy####.com:443
  • TCP(TLS/1.0) m.cuda####.com:443
  • TCP(TLS/1.0) i####.pcon####.fas####.com:443
  • TCP(TLS/1.0) mg####.pcon####.com.cn:443
  • TCP(TLS/1.0) js.3con####.com:443
  • TCP(TLS/1.0) at.al####.com:443
  • TCP(TLS/1.0) dis####.in####.com:443
  • TCP(TLS/1.0) www.pc####.com.####.cn:443
  • TCP(TLS/1.0) p####.pc####.com.cn:443
  • TCP(TLS/1.0) c.c####.com:443
  • TCP(TLS/1.0) ivy.pcon####.com.cn:443
  • TCP(TLS/1.0) pp.c####.com:443
  • TCP(TLS/1.0) i.tand####.com:443
  • TCP(TLS/1.0) hm.b####.com:443
  • TCP(TLS/1.0) log.cuda####.com:10090
  • TCP(TLS/1.0) bu####.bianxia####.com:443
  • TCP(TLS/1.0) dup.baidust####.com:443
  • TCP(TLS/1.0) w####.pcon####.com.cn:443
  • TCP(TLS/1.0) adsc####.tand####.com:443
DNS requests:
  • 2.and####.p####.####.org
  • 2b.tand####.com
  • 7k####.46####.com
  • MY####.huita####.com
  • a.appj####.com
  • ad.huoli####.cn
  • adm.t####.com
  • ads.w####.cn
  • adsc####.tand####.com
  • aliyuno####.oss-cn-####.aliy####.com
  • aliyuns####.oss-cn-####.aliy####.com
  • aliyuns####.oss-cn-####.aliy####.com
  • api.nic####.cn
  • app.w####.cn
  • ask.c####.com
  • at.al####.com
  • bbs.c####.com
  • bu####.bianxia####.com
  • c####.baidust####.com
  • c####.mm####.com
  • c####.pc####.com.cn
  • c.appj####.com
  • c.c####.com
  • d0.x####.com.cn
  • dev-tes####.oss-cn-####.aliy####.com
  • dis####.in####.com
  • do.soi####.com
  • dup.baidust####.com
  • ec####.b####.com
  • g####.c####.com
  • h####.c####.com
  • hm.b####.com
  • hotfix####.oss-cn-####.aliy####.com
  • i####.com
  • i####.x####.com.cn
  • i####.xca####.com
  • i.c####.com
  • i.tand####.com
  • im####.nic####.cn
  • img.pc####.com.cn
  • img.pcon####.com.cn
  • ip.ch####.com
  • ip.zhito####.com
  • ivy.pcon####.com.cn
  • js.3con####.com
  • js.x####.com.cn
  • log.cuda####.com
  • m####.z####.cn
  • m.cuda####.com
  • m.jj####.com
  • m.scx####.com
  • m1.laogeda####.com
  • mg####.pcon####.com.cn
  • ob.nic####.cn
  • p####.cdb####.cn
  • p####.pc####.com.cn
  • p####.x####.com.cn
  • pc####.i####.com
  • pos.b####.com
  • pp.c####.com
  • r####.qq####.cn
  • s####.funs####.net
  • s####.x####.com.cn
  • s.zhito####.com
  • s11.c####.com
  • s19.c####.com
  • s20.c####.com
  • s22.c####.com
  • s23.c####.com
  • s4.c####.com
  • s95.c####.com
  • s96.c####.com
  • st####.adhu####.com
  • tc.c####.com
  • ub####.baidust####.com
  • ucst####.c####.com
  • v####.fun.tv
  • v####.fun.tv
  • v1.c####.com
  • w####.c####.com
  • w####.iy####.cn
  • w####.pc####.com.cn
  • w####.pcon####.com.cn
  • wn.pos.b####.com
  • www.c####.com
  • www.pc####.com.cn
  • www.pcon####.com.cn
  • www.ye####.org
  • y2####.uw####.com
  • z####.heyc####.net
  • z.zt####.net
  • z1.c####.com
  • z11.c####.com
  • z2.c####.com
  • z5.c####.com
  • z6.c####.com
  • z8.c####.com
HTTP GET requests:
  • 2####.187.226.25/bb.html
  • 2####.187.226.25/ccwap.html
  • 2####.187.226.25/chuan.html
  • 2####.187.226.25/hz/ad4.html
  • 2####.187.226.25/hz/ghwap.html
  • 2####.187.226.25/wapm.html
  • 2####.187.226.25/zhou.html
  • ad.huoli####.cn/hlh.html?wap_####
  • app.w####.cn/action/account/getinfo?app_id=####&udid=####&imsi=####&net=...
  • app.w####.cn/action/account/offerlist?app_id=####&udid=####&imsi=####&ne...
  • app.w####.cn/action/connect/active?app_id=####&udid=####&imsi=####&net=#...
  • app.w####.cn/action/pop_ad/ad?app_id=####&udid=####&imsi=####&net=####&b...
  • ask.c####.com.####.com/askques/expert/getAll
  • ask.c####.com.####.com/askques/questions/show/660427
  • ask.c####.com.####.com/banner3.html?d=####
  • ask.c####.com.####.com/css/layout1_d.css
  • ask.c####.com.####.com/css/other.css
  • ask.c####.com.####.com/d/post/18348895.html
  • ask.c####.com.####.com/images/bg_alpha.png
  • ask.c####.com.####.com/images/ico-25x25.gif
  • ask.c####.com.####.com/images/user_sig_split.gif
  • ask.c####.com.####.com/js/cookie.js?2009101####
  • ask.c####.com.####.com/js/new_sw.js?t=####
  • ask.c####.com.####.com/jscripts/doc.js
  • ask.c####.com.####.com/style/ask_d.css?v=####
  • ask.c####.com.####.com/style/frame-inner.css
  • ask.c####.com.####.com/style/iask_d.css
  • ask.c####.com.####.com/style/images/ask-cms-but-88x25.gif
  • ask.c####.com.####.com/style/images/ask-cms-icon-14x14.gif
  • ask.c####.com.####.com/style/images/ask-cms-top-2.gif
  • ask.c####.com.####.com/style/images/ask2_blind4.gif
  • ask.c####.com.####.com/style/images/ask_return.jpg
  • ask.c####.com.####.com/style/images/ask_tiwen.jpg
  • ask.c####.com.####.com/style/images/bg_header.jpg
  • ask.c####.com.####.com/style/images/icon.gif
  • ask.c####.com.####.com/style/images/icon_num.gif
  • ask.c####.com.####.com/style/images/search.gif
  • ask.c####.com.####.com/style/images/top1.jpg
  • ask.c####.com.####.com/style/images/top2.jpg
  • ask.c####.com.####.com/style/images/use_tool.gif
  • ask.c####.com.####.com/style/newPost.css?v=####
  • ask.c####.com.####.com/style/style_board.css
  • ask.c####.com.####.com/style/style_post3.css
  • ask.c####.com.####.com/style/word.css
  • ask.c####.com.####.com/styles/menu_style_d.css?v=####
  • c####.baidust####.com/cpro/ui/c.js
  • c####.baidust####.com/cpro/ui/noexpire/img/mob_adicon.png
  • c####.baidust####.com/sync.htm?cproid=####
  • c.c####.com/core.php?web_id=####&t=####
  • c.c####.com/stat.php?id=####
  • c.c####.com/stat.php?id=####&web_id=####
  • c.c####.com/z_stat.php?id=####&web_id=####
  • d0.x####.com.cn/pvlog/ad_count.php?t=####
  • do.soi####.com/201811/wwn.jar
  • dup.baidust####.com/js/os.js
  • dup.baidust####.com/tpl/ctm3.js
  • ec####.b####.com/rs.jpg?type=####&stamp=####
  • i####.i####.com/irt?_iwt_UA=####&jsonp=####
  • i####.i####.com/irt?_iwt_UA=UA-xcar-000001&ref=/photo.xcar.com.cn/group/...
  • i.c####.com.####.com/avatar/801/801478.png
  • i.c####.com.####.com/avatar/893/893703.png
  • i.c####.com.####.com/avatar/901/901761.png
  • i.c####.com.####.com/avatar/96/96852.png?124963####
  • idu####.qini####.com/2009/images/t0512_pics_arr.gif
  • idu####.qini####.com/cms/group/r_map.gif
  • idu####.qini####.com/group/images/s_l.cur
  • idu####.qini####.com/group/js/changspeed.js
  • idu####.qini####.com/group/js/picload.js
  • idu####.qini####.com/group/view_ab.php?aid=####
  • idu####.qini####.com/group/view_ab.php?pid=####
  • im####.nic####.cn/group1/M00/00/AB/rBGXxFswiuCAT78cAAAbq2quBfU679.png
  • im####.nic####.cn/group1/M00/01/AC/rBGXxFvG5qOAH3RmAAEwVDAjJeo220.gif
  • im####.nic####.cn/h5-mami/activity/hand.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/btn.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/btn_click.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/btn_disabled.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/dice.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/numBg.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/prize.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/prize2.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/process.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result1.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result2.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result3.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result4.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result5.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/result6.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/rule.png
  • im####.nic####.cn/h5-mami/activity/rollDick/2.0/png/rule2.png
  • im####.nic####.cn/h5-mami/activity/rollDick/png/coin1.png
  • im####.nic####.cn/h5-mami/activity/rollDick/png/coin2.png
  • im####.nic####.cn/h5-mami/activity/rollDick/png/coin3.png
  • im####.nic####.cn/h5-mami/activity/rollDick/png/couponBtns.png
  • im####.nic####.cn/h5-mami/couponPrize/3.6/btn.png
  • im####.nic####.cn/h5-mami/couponPrize/3.6/line.png
  • im####.nic####.cn/h5-mami/couponPrize/3.6/main3.png
  • im####.nic####.cn/h5-mami/couponPrize/3.6/stars.png
  • im####.nic####.cn/h5-mami/couponPrize/3.6/win.png
  • im####.nic####.cn/h5/activity/colorball/images/prize_bg.png
  • im####.nic####.cn/images/activity/prize/1a6kv6cfs5h.png
  • im####.nic####.cn/images/activity/prize/1i5r5wsvp6b.png
  • im####.nic####.cn/images/activity/prize/1k3rnftrwu8.png
  • im####.nic####.cn/images/activity/prize/1w2lr2kovld.png
  • im####.nic####.cn/images/activity/prize/1z52s0ja17z.png
  • im####.nic####.cn/mami-media/img/cek0ldw6pp.jpg
  • im####.nic####.cn/mami-media/img/ewscwsbz2i.png
  • ip.ch####.com/getip.aspx
  • ip.zhito####.com:807/0622.html
  • ip.zhito####.com:807/ip.html?0####
  • ip.zhito####.com:807/js/jquery.js
  • ip.zhito####.com:88/zong/0622.html
  • m.jj####.com/w5j6gTDabo0i.php?o=####&i=####&s=####&ad=####
  • m.jj####.com/yangzhuzixun/20180111/1630.html
  • m.scx####.com/VPEMj4t2vRU7.php?o=####&i=####&s=####&ad=####
  • m.scx####.com/zuixinzixun/20180427/2162.html
  • m1.laogeda####.com/ads/admaster24.php?o=####
  • m1.laogeda####.com/ads/admaster240.php?o=####
  • m1.laogeda####.com/templets/tui/js/jquery-1.8.3.min.js
  • ob.nic####.cn/huodong/Production/20181031/node_modules/fastclick/lib/fas...
  • ob.nic####.cn/huodong/Production/20181031/node_modules/iscroll/build/isc...
  • ob.nic####.cn/huodong/Production/20181031/pkg/Common.js
  • ob.nic####.cn/huodong/Production/20181031/pkg/Vendor.js
  • ob.nic####.cn/huodong/Production/20181031/projects/page/DiceGame/DiceGam...
  • ob.nic####.cn/huodong/Production/20181031/projects/page/DiceGame/css/ski...
  • ob.nic####.cn/huodong/Production/20181031/projects/widget/PrizeModal/Dic...
  • p####.cdb####.cn/z/2gdbvnfgbdf4x.zip
  • p####.cdb####.cn/z/2hadfvsdvdr4x.zip
  • p####.cdb####.cn/z/2jafghbdf4x.zip
  • p####.cdb####.cn/z/2mbfgsdgfkl4x.zip
  • p####.cdb####.cn/z/2wofgghjyj4x.zip
  • pos.b####.com/accm?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
  • pos.b####.com/bfp/snippetcacher.php?dpv=####&di=####
  • pos.b####.com/ccom?di=2968680&dri=0&dis=7&dai=0&ps=0x0&enu=encoding&dcb=...
  • pos.b####.com/dclm?conwid=####&conhei=####&rtbid=####&rdid=####&dc=####&...
  • pos.b####.com/dclm?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
  • pos.b####.com/gchm?di=5903639&dri=0&dis=7&dai=0&ps=0x0&enu=encoding&dcb=...
  • pos.b####.com/gcjm?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
  • pos.b####.com/hcpm?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
  • pos.b####.com/jcsm?conwid=####&conhei=####&rdid=####&dc=####&di=####&dri...
  • pos.b####.com/jcsm?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
  • pos.b####.com/qcgm?conwid=####&conhei=####&rdid=####&dc=####&di=####&dri...
  • pos.b####.com/qcgm?di=####&dri=####&dis=####&dai=####&ps=####&enu=####&d...
  • pos.b####.com/rclm?di=5897808&dri=0&dis=3&dai=0&ps=284x3&enu=encoding&dc...
  • pos.b####.com/sync_pos.htm?cproid=####
  • qiniu-s####.cdn.d####.com/cms/iwt/iwt-min.js
  • qiniu-s####.cdn.d####.com/tools/jq/1.5.1.min.js
  • r####.qq####.cn/f/AAAfgskyg026
  • r####.qq####.cn/g/fbgfby026
  • s####.funs####.net/ecom-ad/ifar_all/?oc=####
  • s####.funs####.net/ecom-ad/ifar_duration/?rprotocol=####&fck=####&mick=#...
  • s####.funs####.net/ecom-ad/ifar_load/?rprotocol=1&fck=154272687983098&mi...
  • s####.x####.com.cn/flow/flow.php?t=####
  • s.zhito####.com:808/wappaichong.html?0####
  • tc.c####.com/adscache/caches/104.js?n=####
  • tc.c####.com/adscache/caches/105.js?n=####
  • tc.c####.com/adscache/caches/106.js?n=####
  • tc.c####.com/adscache/caches/108.js?n=####
  • tc.c####.com/adscache/caches/109.js?n=####
  • tc.c####.com/adscache/caches/160.js?n=####
  • tc.c####.com/adscache/caches/163.js?n=####
  • tc.c####.com/adscache/caches/183.js?n=####
  • tc.c####.com/adscache/caches/187.js?n=####
  • tc.c####.com/adscache/caches/196.js?n=####
  • tc.c####.com/adscache/caches/205.js?n=####
  • tc.c####.com/adscache/caches/215.js?n=####
  • tc.c####.com/adscache/caches/216.js?n=####
  • tc.c####.com/adscache/caches/227.js?n=####
  • tc.c####.com/adscache/caches/238.js?n=####
  • tc.c####.com/adscache/caches/239.js?n=####
  • tc.c####.com/adscache/caches/240.js?n=####
  • tc.c####.com/adscache/caches/245.js?n=####
  • tc.c####.com/adscache/caches/246.js?n=####
  • tc.c####.com/adscache/caches/25.js?n=####
  • tc.c####.com/adscache/caches/27.js?n=####
  • tc.c####.com/adscache/caches/296.js?n=####
  • tc.c####.com/adscache/caches/308.js?n=####
  • tc.c####.com/adscache/caches/344.js?n=####
  • tc.c####.com/adscache/caches/436.js?n=####
  • tc.c####.com/adscache/caches/492.js?n=####
  • tc.c####.com/adscache/caches/510.js?n=####
  • tc.c####.com/adscache/caches/72.js?n=####
  • tc.c####.com/adx.js
  • tc.c####.com/iframeads/adsdispatch.php?pid=####
  • tc.c####.com/js/tcjs.php
  • ub####.baidust####.com/media/v1/0f000K0cVUU39cXk88AlQ0.png
  • ub####.baidust####.com/media/v1/0f000rjGcUz0eAp5Q9tTtf.png
  • ucstati####.b0.a####.com/cmbbs/jquery.1.3.2.js
  • ucstati####.b0.a####.com/cmbbs/main.js
  • ucstati####.b0.a####.com/globalMsg.js
  • v####.funs####.com/vasd/pa/index?zzt=####&sid=####&ref=####&mick=####&cv...
  • w####.c####.com/abc/xyz/point/index.php
  • wn.pos.b####.com/adx.php?c=####
  • www.pc####.com.####.cn//exp/12089/12214/12454/20140829144939336019.jpg.w...
  • www.pc####.com.####.cn//exp/12089/12214/12454/20140829144947102033.jpg.w...
  • www.pc####.com.####.cn//exp/12089/12214/12454/20140829144956493601.jpg.w...
  • www.pc####.com.####.cn//exp/12089/12214/12454/m_20140829144934059307.jpg
  • www.pc####.com.####.cn//exp/12089/12214/12454/m_20140829144939336019.jpg
  • www.pc####.com.####.cn//exp/12089/12214/12454/m_20140829144947102033.jpg
  • www.pc####.com.####.cn//news/11231/20140722223700180436.jpg.webp
  • www.pc####.com.####.cn//news/11231/20140722223702254601.jpg.webp
  • www.pc####.com.####.cn//news/11231/20140722223703913050.jpg.webp
  • www.pc####.com.####.cn//news/11231/20140722223705809966.jpg.webp
  • www.pc####.com.####.cn//news/11231/m_20140722223702254601.jpg
  • www.pc####.com.####.cn//news/11231/m_20140722223703913050.jpg
  • www.pc####.com.####.cn//news/11231/m_20140722223705809966.jpg
  • www.pc####.com.####.cn//news/11231/m_20140722223706204673.jpg
  • www.pc####.com.####.cn/autox/x2.html
  • z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
  • zf####.v.qin####.com/market/ext/udc/c00100085.html?zzt=####
  • zf####.v.qin####.com/unet/static/udc.js?zzt=####
HTTP POST requests:
  • 7k####.46####.com:15215/tr/
  • 7k####.46####.com:15215/ts/
  • 7k####.46####.com:20351/ds/
  • MY####.huita####.com:10091/wisdom/marking
  • a.appj####.com/jiagu/check/upgrade
  • app.w####.cn/action/user_info
  • c.appj####.com/ad/splash/stats.html
  • m####.z####.cn/s
  • ob.nic####.cn/niceapi/getactivity
  • ob.nic####.cn/niceapi/getactivitybuoy
  • ob.nic####.cn/niceapi/getadvertorder
  • ob.nic####.cn/niceapi/orderdatainfo
  • www.ye####.org/i?requestId=####&g=####&ua=####
  • z####.heyc####.net/getlist
  • z####.heyc####.net/xlogin
  • z.zt####.net/vsdk/a/f
  • z.zt####.net/vsdk/a/t
File system changes:
Creates the following files:
  • /data/data/####/.jg.ic
  • /data/data/####/4e793485339d62b7f39474831e879f9a
  • /data/data/####/518b137efcadca43d34c532689bb9f56.log
  • /data/data/####/518b137efcadca43d34c532689bb9f56.log.temp
  • /data/data/####/5ff9fbceaae1b0f381c9a2589fb0cc4c.log
  • /data/data/####/5ff9fbceaae1b0f381c9a2589fb0cc4c.log.temp
  • /data/data/####/718808d93795e42acb919bab227e6424.xml
  • /data/data/####/7aoukUXJB.jar
  • /data/data/####/AppSettings.xml
  • /data/data/####/ApplicationCache.db-journal
  • /data/data/####/CacheTime.dat
  • /data/data/####/F2i0LRmzUP.jar
  • /data/data/####/F8BXmsFm.jar
  • /data/data/####/JSON.xml
  • /data/data/####/PreferenciasGeneral.xml
  • /data/data/####/ShowAdFlag.xml
  • /data/data/####/USOAPP.xml
  • /data/data/####/W_Key.xml
  • /data/data/####/WebViewSettings.xml
  • /data/data/####/a4be9ff4668403efdb304dc0106533f6.log
  • /data/data/####/a4be9ff4668403efdb304dc0106533f6.log.temp
  • /data/data/####/ad_show_time.xml
  • /data/data/####/bl6KqRIb.jar
  • /data/data/####/com.droidnew.qiang.kangaroo.logic_preferences.xml
  • /data/data/####/com_droidnew_qiang_kangaroo_logic.txt
  • /data/data/####/commmauwucik.xml
  • /data/data/####/countClickIP.xml
  • /data/data/####/data_0
  • /data/data/####/data_1
  • /data/data/####/data_2
  • /data/data/####/data_3
  • /data/data/####/downloadswc
  • /data/data/####/downloadswc-journal
  • /data/data/####/dpi
  • /data/data/####/e2d119a1c8895232098cd0bba4d5750c.log
  • /data/data/####/e2d119a1c8895232098cd0bba4d5750c.log.temp
  • /data/data/####/f_000001
  • /data/data/####/f_000002
  • /data/data/####/f_000003
  • /data/data/####/f_000004
  • /data/data/####/f_000005
  • /data/data/####/f_000006
  • /data/data/####/f_000007
  • /data/data/####/f_000008
  • /data/data/####/f_000009
  • /data/data/####/f_00000a
  • /data/data/####/f_00000b
  • /data/data/####/f_00000c
  • /data/data/####/f_00000d
  • /data/data/####/f_00000e
  • /data/data/####/f_00000f
  • /data/data/####/f_000010
  • /data/data/####/f_000011
  • /data/data/####/f_000012
  • /data/data/####/f_000013
  • /data/data/####/f_000014
  • /data/data/####/f_000015
  • /data/data/####/f_000016
  • /data/data/####/f_000017
  • /data/data/####/f_000018
  • /data/data/####/f_000019
  • /data/data/####/f_00001a
  • /data/data/####/f_00001b
  • /data/data/####/f_00001c
  • /data/data/####/f_00001d
  • /data/data/####/f_00001e
  • /data/data/####/f_00001f
  • /data/data/####/f_000020
  • /data/data/####/f_000021
  • /data/data/####/f_000022
  • /data/data/####/f_000023
  • /data/data/####/f_000024
  • /data/data/####/f_000025
  • /data/data/####/f_000026
  • /data/data/####/f_000027
  • /data/data/####/f_000028
  • /data/data/####/f_000029
  • /data/data/####/f_00002a
  • /data/data/####/f_00002b
  • /data/data/####/f_00002c
  • /data/data/####/f_00002d
  • /data/data/####/f_00002e
  • /data/data/####/f_00002f
  • /data/data/####/f_000030
  • /data/data/####/f_000031
  • /data/data/####/f_000032
  • /data/data/####/f_000033
  • /data/data/####/f_000034
  • /data/data/####/f_000035
  • /data/data/####/f_000036
  • /data/data/####/f_000037
  • /data/data/####/f_000038
  • /data/data/####/f_000039
  • /data/data/####/f_00003a
  • /data/data/####/f_00003b
  • /data/data/####/f_00003c
  • /data/data/####/f_00003d
  • /data/data/####/f_00003e
  • /data/data/####/f_00003f
  • /data/data/####/f_000040
  • /data/data/####/f_000041
  • /data/data/####/f_000042
  • /data/data/####/ff533ee364e852cd5369a6766a6f448b.log
  • /data/data/####/ff533ee364e852cd5369a6766a6f448b.log.temp
  • /data/data/####/gameid
  • /data/data/####/gameid.zip
  • /data/data/####/hid.db
  • /data/data/####/index
  • /data/data/####/jg_app_update_settings_random.xml
  • /data/data/####/libjiagu.so
  • /data/data/####/libmbgv.so
  • /data/data/####/libmbgv.so-32
  • /data/data/####/libmbgv.so-64
  • /data/data/####/plsghuaw.xml
  • /data/data/####/st.xml
  • /data/data/####/webview.db-journal
  • /data/data/####/webviewCookiesChromium.db-journal
  • /data/data/####/whhdjjgj.jar
  • /data/data/####/yd_config_c.xml
  • /data/data/####/z.xml
  • /data/media/####/.nid
  • /data/media/####/.uucrrux
  • /data/media/####/0668F4008AFBD99853A8C2B6CF76D3FD.temp
  • /data/media/####/0668F4008AFBD99853A8C2B6CF76D3FD.zip
  • /data/media/####/5.0wwn.jar
  • /data/media/####/AppPackage.dat
  • /data/media/####/CacheTime.dat
  • /data/media/####/UnPackage.dat
  • /data/media/####/android
  • /data/media/####/com_droidnew_qiang_kangaroo_logic.txt
  • /data/media/####/restime.dat
Miscellaneous:
Executes the following shell scripts:
  • /system/bin/sh
  • cat /proc/version
  • cat /sys/class/android_usb/android0/idProduct
  • cat /sys/class/android_usb/android0/idVendor
  • cat /sys/class/net/wlan0/address
  • chmod 755 <Package Folder>/.jiagu/libjiagu.so
  • getprop
  • getprop ro.board.platform
  • getprop ro.product.cpu.abi
  • ls -l /dev
  • ls -l /dev/block
  • ls -l /dev/block/vold
  • ls -l /dev/bus
  • ls -l /dev/bus/usb
  • ls -l /dev/bus/usb/001
  • ls -l /dev/com.android.settings.daemon
  • ls -l /dev/cpuctl
  • ls -l /dev/cpuctl/apps
  • ls -l /dev/cpuctl/apps/bg_non_interactive
  • ls -l /dev/graphics
  • ls -l /dev/input
  • ls -l /dev/log
  • ls -l /dev/pts
  • ls -l /dev/snd
  • ls -l /dev/socket
  • ps
Loads the following dynamic libraries:
  • libjiagu
  • libmbgv
Uses the following algorithms to encrypt data:
  • AES-CBC-PKCS5Padding
  • DES
  • DES-CBC-PKCS5Padding
  • RSA
  • RSA-ECB-NoPadding
Uses the following algorithms to decrypt data:
  • AES-CBC-PKCS5Padding
  • AES-ECB-PKCS5Padding
  • DES
  • DES-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.

Curing recommendations

Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a ransom payment, or some other announcement prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and the specifications of the particular device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android Light on the infected handheld and run a full system scan; follow the steps recommended for neutralizing the detected threats;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android