Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Triada.554.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) beacon####.aliy####.com:80
- TCP(HTTP/1.1) p####.f####.com:80
- TCP(HTTP/1.1) lo####.suibyu####.com:80
- TCP(HTTP/1.1) api.applove####.com:80
- TCP(HTTP/1.1) amdc####.m.ta####.com:80
- TCP(TLS/1.0) 1####.217.19.202:443
- TCP(TLS/1.0) dualsta####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) st####.adma####.top:443
- TCP(TLS/1.0) al####.u####.com:443
- TCP(TLS/1.0) img.adti####.com:443
- TCP(TLS/1.0) sdk.adti####.com:443
- TCP(TLS/1.0) 2####.58.211.106:443
- TCP(TLS/1.0) wcf.seven####.com:443
- TCP(TLS/1.0) wild####.moa####.com.####.net:443
- TCP(TLS/1.0) api.vu####.com.####.net:443
- TCP(TLS/1.0) tls.vu####.edges####.net:443
- TCP(TLS/1.0) ap####.tut####.net:443
- TCP(TLS/1.0) c####.gowa####.com:443
- TCP(TLS/1.0) k####.union####.info:443
- TCP(TLS/1.0) msg.umengc####.com:443
- TCP(TLS/1.0) unit####.edges####.net:443
- TCP(TLS/1.0) ap####.uc.cn:443
- TCP(TLS/1.0) a.adma####.top:443
- TCP(TLS/1.0) gl####.ymtrac####.com:443
- TCP(TLS/1.0) 2####.107.1.100:443
- TCP(TLS/1.2) 1####.217.19.202:443
- TCP(TLS/1.2) 1####.217.17.138:443
- TCP(TLS/1.2) 1####.217.19.195:443
- TCP(TLS/1.2) 1####.217.168.238:443
- TCP zb-cent####.m.ta####.com:443
- TCP zb-cent####.m.ta####.com:80
DNS requests:
- a####.man.aliy####.com
- a.adma####.top
- ads.api.vu####.com
- amdc####.m.ta####.com
- ap####.tut####.net
- ap####.uc.cn
- api.applove####.com
- api.vu####.com
- beacon####.aliy####.com
- c####.gowa####.com
- cd####.vu####.com
- co####.unit####.uni####.com
- gl####.ymtrac####.com
- img.adti####.com
- k####.union####.info
- lo####.suibyu####.com
- log.u####.com
- m####.go####.com
- msg.umengc####.com
- p####.f####.com
- plb####.u####.com
- sdk.adti####.com
- st####.adma####.top
- u####.u####.com
- umen####.m.ta####.com
- umengj####.m.ta####.com
- wcf.seven####.com
- web####.unit####.uni####.com
- z.moa####.com
HTTP GET requests:
- api.applove####.com/api/v3/cache/get?osv=####&srnc=####&token=####&ds=##...
- api.applove####.com/api/v3/search/get?osv=####&token=####&pm=####&os=###...
- lo####.suibyu####.com/android/v1/impression?slot=####&doimp=####&pkg=###...
HTTP POST requests:
- amdc####.m.ta####.com/amdc/mobileDispatch?appkey=####&deviceId=####&plat...
- beacon####.aliy####.com/beacon/fetch/config/byappkey
- p####.f####.com/index.php?r=####
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/3e3b7bf1d4c747a8ab39204cbc693c4d
- /data/data/####/6eba89ae271987f98671a38476011556-header
- /data/data/####/6eba89ae271987f98671a38476011556-preload
- /data/data/####/6eba89ae271987f98671a38476011556-preloadcache (deleted)
- /data/data/####/74bb07a3a96ec77aff4a181519f246f6
- /data/data/####/74bb07a3a96ec77aff4a181519f246f6-header
- /data/data/####/74bb07a3a96ec77aff4a181519f246f6cache
- /data/data/####/7df67ec0c0cb70a141924e72cb8f5515-header
- /data/data/####/7df67ec0c0cb70a141924e72cb8f5515-preload
- /data/data/####/7df67ec0c0cb70a141924e72cb8f5515-preloadcache (deleted)
- /data/data/####/7f729c82040f4b53fdd8a889d4663498
- /data/data/####/7f729c82040f4b53fdd8a889d4663498-header
- /data/data/####/7f729c82040f4b53fdd8a889d4663498cache (deleted)
- /data/data/####/8006a4ae767a0a8766626411f7351ef2.mp4-270x480-Q2.mp4
- /data/data/####/823d4df3ed542a1fcf1093ecd8e96df2
- /data/data/####/823d4df3ed542a1fcf1093ecd8e96df2-header
- /data/data/####/823d4df3ed542a1fcf1093ecd8e96df2cache
- /data/data/####/ACCS_BINDdefault.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/Cookies-journal
- /data/data/####/Language.db-journal
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/P-2797
- /data/data/####/P-4601
- /data/data/####/TutuApp_ID.xml
- /data/data/####/TutuMarket.db-journal
- /data/data/####/TutuUser.db-journal
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/UTUT0DIORD0GNEF0MOC.anrtmp
- /data/data/####/UTUT0DIORD0GNEF0MOC.bati
- /data/data/####/UTUT0DIORD0GNEF0MOC.end
- /data/data/####/UTUT0DIORD0GNEF0MOC.hdr
- /data/data/####/UTUT0DIORD0GNEF0MOC.meminfo
- /data/data/####/UTUT0DIORD0GNEF0MOC.pid
- /data/data/####/UTUT0DIORD0GNEF0MOC.ps
- /data/data/####/UTUT0DIORD0GNEF0MOC.st
- /data/data/####/UTUT0DIORD0GNEF0MOC.start
- /data/data/####/UTUT0DIORD0GNEF0MOC.status
- /data/data/####/UTUT0DIORD0GNEF0MOC.sts
- /data/data/####/UTUT0DIORD0GNEF0MOC.time
- /data/data/####/UTUT0DIORD0GNEF0MOC.uptime
- /data/data/####/UnityAdsStorage-private-data.json
- /data/data/####/UnityAdsStorage-public-data.json
- /data/data/####/UnityAdsTest.txt
- /data/data/####/UnityAdsTest.txt (deleted)
- /data/data/####/WXovo7QJD8CKQM0WRto-3LheHVvCNx9s-qRfzKuel_k=
- /data/data/####/WXovo7QJD8CKQM0WRto-3LheHVvCNx9s-qRfzKuel_k=.vng_meta
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/aa755867a0384e3f8624823653395d8c
- /data/data/####/accs.db-journal
- /data/data/####/ad-css-injection.css
- /data/data/####/ad-js-injection.js
- /data/data/####/ad.html
- /data/data/####/agoo.pid
- /data/data/####/al.xml
- /data/data/####/c1qa2sw3de4frf5tg6yhju78ik9olp0.xml
- /data/data/####/cache_policy_journal
- /data/data/####/cache_policy_journal (deleted)
- /data/data/####/cache_touch_timestamp
- /data/data/####/cdt.wa
- /data/data/####/com.feng.droid.tutu.xml
- /data/data/####/com.feng.droid.tutu_ct_default.xml
- /data/data/####/com.feng.droid.tutu_preferences.xml
- /data/data/####/com.feng.droid.tutuye_after_install_pkg.xml
- /data/data/####/com.vungle.sdk.xml
- /data/data/####/com.vungle.sdk.xml.bak
- /data/data/####/com_alibaba_aliyun_crash_defend_sdk_info
- /data/data/####/combbmkeoc.
- /data/data/####/combbmkeoc.dex
- /data/data/####/combbmkeoc.dex.flock (deleted)
- /data/data/####/core.xml
- /data/data/####/cr.wa
- /data/data/####/crash_log_sp.xml
- /data/data/####/cxZGJzRvIKeXjh-WQ52ynYrV2SX1hqmgBQoCMCtn-Jk=
- /data/data/####/cxZGJzRvIKeXjh-WQ52ynYrV2SX1hqmgBQoCMCtn-Jk=.vng_meta
- /data/data/####/d3b2bfc19948d7c10a011cdbf6a81e65.zip
- /data/data/####/d6831acde1e8718196415141b89cd125
- /data/data/####/d6831acde1e8718196415141b89cd125-header
- /data/data/####/d6831acde1e8718196415141b89cd125cache (deleted)
- /data/data/####/d8a159a08751889b165f740c466225c2.mp4-480x270-Q2.mp4
- /data/data/####/dW1weF9wdXNoX2xhdW5jaF8xNjA5ODA3MjQxMTI4;
- /data/data/####/dW1weF9zaGFyZV8xNjA5ODA3MjU4MzYy;
- /data/data/####/dW1weF9zaGFyZV8xNjA5ODA3MjU4NDA5;
- /data/data/####/delayed_transmission_flag_new.xml
- /data/data/####/dt.wa
- /data/data/####/e77d6ab8be892c75258f943c0e2508f2
- /data/data/####/e77d6ab8be892c75258f943c0e2508f2-header
- /data/data/####/e77d6ab8be892c75258f943c0e2508f2cache
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/httpdns_config_cache.xml
- /data/data/####/httpdns_config_cache.xml.bak
- /data/data/####/httpdns_config_enable.xml
- /data/data/####/i==1.2.0&&3.6.5_1609807227139_envelope.log
- /data/data/####/index
- /data/data/####/index.html
- /data/data/####/info.xml
- /data/data/####/jWxB2oCxBbEvOg34yU4q0l9_I1bbIQlqJ-poW0A0zP8=
- /data/data/####/jWxB2oCxBbEvOg34yU4q0l9_I1bbIQlqJ-poW0A0zP8=.vng_meta
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/metrics_guid
- /data/data/####/mraid.js
- /data/data/####/okdownload-breakpoint.db-journal
- /data/data/####/proc_auxv
- /data/data/####/pv.wa
- /data/data/####/s1s2k_c3o4n5f6i7g.xml
- /data/data/####/share.db-journal
- /data/data/####/shell_config
- /data/data/####/t==9.1.6&&3.6.5_1609807226645_envelope.log
- /data/data/####/template
- /data/data/####/the-real-index
- /data/data/####/tutu_crash.db-journal
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/um_session_id.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_config.xml.bak
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_it_sl.cache
- /data/data/####/umeng_message_state.xml
- /data/data/####/umeng_socialize.xml
- /data/data/####/umeng_sp_oaid.xml
- /data/data/####/umeng_sp_zdata.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/unique
- /data/data/####/variant_data.json
- /data/data/####/ver
- /data/data/####/vungle-privacy.svg
- /data/data/####/vungle_db-journal
- /data/data/####/xclEzW6vOJtzV3wTCMojsQmy05RBKQ9pV8v8vEwpM-I=
- /data/data/####/xclEzW6vOJtzV3wTCMojsQmy05RBKQ9pV8v8vEwpM-I=.vng_meta
- /data/data/####/z==1.2.0&&3.6.5_1609807222658_envelope.log
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/<Package>0<Package>/combbmkeoc. --oat-fd=112 --oat-location=/data/user/0/<Package>/files/<Package>0<Package>/<Package>/1609807222212/combbmkeoc.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/<Package>0<Package>/combbmkeoc. --oat-fd=163 --oat-location=/data/user/0/<Package>/files/<Package>0<Package>/<Package>/1609807228825/combbmkeoc.dex --compiler-filter=speed
- getprop ro.debuggable
- ls /
- ls /sys/class/thermal
- ps
- sh -c type su
Uses the following algorithms to encrypt data:
- AES
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- desede-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES
- AES-CBC-PKCS7Padding
Accesses the ITelephony private interface.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Adds tasks to the system scheduler.
