Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.CoinSteal.SparkCat.4.origin
Threat detection based on machine learning.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- UDP(DNS) 1####.76.76.76:53
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) qi####.com.00fc####.####.cn:80
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) gi####.com:443
- TCP(TLS/1.0) pla####.google####.com:443
- TCP(TLS/1.0) 1####.177.14.94:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) rr6---s####.g####.com:443
- TCP(TLS/1.0) api.ali####.org:443
- TCP(TLS/1.2) and####.google####.com:443
- TCP(TLS/1.2) 1####.250.74.10:443
- TCP(TLS/1.2) 1####.177.14.94:443
- TCP(TLS/1.2) 1####.217.21.164:443
- TCP(TLS/1.2) 1####.250.74.138:443
- UDP efc3c12####.ali####.com:8003
- UDP p####.google####.com:443
- UDP 3.0.2####.252:8113
DNS requests:
- and####.a####.go####.com
- and####.google####.com
- api.ali####.org
- efc3c12####.ali####.com
- f####.gst####.com
- gi####.com
- gmscomp####.google####.com
- p####.google####.com
- pla####.google####.com
- qi####.com
- rr6---s####.g####.com
- rr9---s####.g####.com
HTTP GET requests:
- gi####.com:443/group6815923/ai/-/raw/main/rel.json
- qi####.com.00fc####.####.cn/images/256/20240828/16/35/e0bcfd15aef9191e68...
- qi####.com.00fc####.####.cn/images/256/img2/2e94a2fc0a44f66c7e3d4beec64a...
- qi####.com.00fc####.####.cn/images/256/img2/2f603c7d462340862da4e40ef331...
- qi####.com.00fc####.####.cn/images/256/img2/312810eff246fffd311c14e3a88a...
- qi####.com.00fc####.####.cn/images/256/img2/80572de9e24ec32e8417cb7f3668...
- qi####.com.00fc####.####.cn/images/256/img2/85de2d8cab1eab4e300cd88fe6db...
- qi####.com.00fc####.####.cn/images/256/img2/9fd517986b3ff597703d6bce830b...
- qi####.com.00fc####.####.cn/images/256/img2/b0934c43126cb836ea82ebe78d56...
- qi####.com.00fc####.####.cn/images/256/img2/c2999217f16c5a886e6f4df3d98c...
- qi####.com.00fc####.####.cn/images/256/img2/d0f1a8a9beb1aaec00c5ecce8345...
- qi####.com.00fc####.####.cn/images/256/u/1012/5463/11/head/530c978a1fe26...
- qi####.com.00fc####.####.cn/images/256/u/1320/0808/87/head/08bab389c582a...
- qi####.com.00fc####.####.cn/images/256/u/1434/6289/63/head/e27247bee4014...
- qi####.com.00fc####.####.cn/images/256/u/1662/4302/2/head/0b51317a054d65...
- qi####.com.00fc####.####.cn/images/256/u/1960/1615/5/head/c2dfedf54391e3...
- qi####.com.00fc####.####.cn/images/256/u/4925/0696/3/head/52d8bf3085c67d...
HTTP POST requests:
- api.ali####.org:443/api/e/config/oc
- api.ali####.org:443/api/e/d/u
File system changes:
Creates the following files:
- /data/anr/traces.txt
- /data/data/####/.hptc.cache_kwynzv.iodqyymr
- /data/data/####/.hptc_kache_kwynzv.iodqyymr
- /data/data/####/0fd1761e39e2237143c470c399e83cb1.png
- /data/data/####/0fd1761e39e2237143c470c399e83cb1.png_tmp
- /data/data/####/15376ed9ef756946a4cc79b2db90639f.png
- /data/data/####/15376ed9ef756946a4cc79b2db90639f.png_tmp
- /data/data/####/18852f028d0ae0162af00b1d44c0d644.png
- /data/data/####/18852f028d0ae0162af00b1d44c0d644.png_tmp
- /data/data/####/1dcfebb20c5eed233f0f651d569a3a02654b5b03
- /data/data/####/31a3cc52baad38840cbac9a0a45cf5e9.png
- /data/data/####/31a3cc52baad38840cbac9a0a45cf5e9.png_tmp
- /data/data/####/335d278417743125ac05dc26032e6cf4a19c0ace
- /data/data/####/469f7c8bb516e31d5c95b1554d84a424.jpg
- /data/data/####/469f7c8bb516e31d5c95b1554d84a424.jpg_tmp
- /data/data/####/5ffc79cf5681441fe86a3f18e8990894967d717c
- /data/data/####/678550860940f766c831d70f5386cf33.jpg
- /data/data/####/678550860940f766c831d70f5386cf33.jpg_tmp
- /data/data/####/6b6195ba1a69b3d10673e750c52f17f20834284e
- /data/data/####/6d2b2628c394f5f3bccd1a13da681486.jpg
- /data/data/####/6d2b2628c394f5f3bccd1a13da681486.jpg_tmp
- /data/data/####/6e2a0233c5f42c4fd047087a83944944ba8ff3df
- /data/data/####/700aff7615334546e15aaa51fc1b2c61.png
- /data/data/####/700aff7615334546e15aaa51fc1b2c61.png_tmp
- /data/data/####/70d338766ae20514eca6f5d387445bc8d553f73f
- /data/data/####/9bfce3b2e5933d86d0bc9c64fe8d6171.jpg
- /data/data/####/9bfce3b2e5933d86d0bc9c64fe8d6171.jpg_tmp
- /data/data/####/FM_config.xml
- /data/data/####/FlutterSharedPreferences.xml
- /data/data/####/app_yVMCsFi51
- /data/data/####/app_yVMCsFi51 (deleted)
- /data/data/####/b0b40e701f6de6035572bdb70d6462ed9bbc7f13
- /data/data/####/b8e8cc862b6970750b7506120ce74069.png
- /data/data/####/b8e8cc862b6970750b7506120ce74069.png_tmp
- /data/data/####/bc41f59ecb259361e9954acf16761ec7.jpg
- /data/data/####/bc41f59ecb259361e9954acf16761ec7.jpg_tmp
- /data/data/####/bdcdaf337ba4f516db4f7e61545d5be7.png
- /data/data/####/bdcdaf337ba4f516db4f7e61545d5be7.png_tmp
- /data/data/####/classes.dex
- /data/data/####/classes.dex.flock (deleted)
- /data/data/####/classes2.dex
- /data/data/####/classes2.dex.flock (deleted)
- /data/data/####/classes3.dex
- /data/data/####/classes3.dex.flock (deleted)
- /data/data/####/d2a32c8fb1b1d63fffdc6ba0c635f4ed6faa9c7f
- /data/data/####/d7c40486b792b8ccc7c9bd508055b6a5bbddea0b
- /data/data/####/d872f9559f6d4c96c2064f93b25b8580.png
- /data/data/####/d872f9559f6d4c96c2064f93b25b8580.png_tmp
- /data/data/####/d98c46ce8220a49e3f3617e2520f0076.png
- /data/data/####/d98c46ce8220a49e3f3617e2520f0076.png_tmp
- /data/data/####/dbf0b59707243688b50dd4379eb13b4e17ec7cec
- /data/data/####/dev_id.xml.xml
- /data/data/####/e9ce8c748cca44f5bc2ff93fe2b46951.jpg
- /data/data/####/e9ce8c748cca44f5bc2ff93fe2b46951.jpg_tmp
- /data/data/####/f17ec4e6286c3fb2ab7c368367a730d9712a1a4d
- /data/data/####/f59686a0f242f2bf17c8b883fb87d1103a58fa06
- /data/data/####/ff6dd5b2b437e69eb92c2f6fafd203c3.jpg
- /data/data/####/ff6dd5b2b437e69eb92c2f6fafd203c3.jpg_tmp
- /data/data/####/kwb
- /data/data/####/kwcloud_v4_fae60e487fec5ee35f42e07d9ad7cee5
- /data/data/####/libagora-ffmpeg.so
- /data/data/####/libagora-rtc-sdk.so
- /data/data/####/libagora-soundtouch.so
- /data/data/####/libapp.so
- /data/data/####/libdownloadproxy.so
- /data/data/####/libflutter.so
- /data/data/####/libgifimage.so
- /data/data/####/libimage_processing_util_jni.so
- /data/data/####/libimagepipeline.so
- /data/data/####/libkiwi.so
- /data/data/####/libliteavsdk.so
- /data/data/####/libmlkit_google_ocr_pipeline.so
- /data/data/####/libmodsvmp.so
- /data/data/####/libnetmobsec-4.4.7.so
- /data/data/####/libsentry-android.so
- /data/data/####/libsentry.so
- /data/data/####/libtpcore-master.so
- /data/data/####/libtpthirdparties-master.so
- /data/data/####/libtxffmpeg.so
- /data/data/####/libtxsoundtouch.so
- /data/data/####/libwebp.so
- /data/data/####/libwebpimage.so
- /data/data/####/liteImageCache.txt
- /data/data/####/proc_auxv
- /data/data/####/rapp
- /data/data/####/secure.xml
- /data/media/####/.dev_id.txt
- /data/media/####/e2j7xr
Miscellaneous:
Loads the following dynamic libraries:
- libUwBEZirnyG7NcJA
- libflutter
- libkiwi
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- DES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
Requests the system alert window permission.
