Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Banker.Mamont.17.origin
Sends data of incoming SMS to a remote host.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(TLS/1.0) ru####.ru:443
- TCP(TLS/1.0) raffik-####.store:443
DNS requests:
- raffik-####.store
- ru####.ru
HTTP GET requests:
- raffik-####.store:443/api/get_bot_commands.php?tag=####
HTTP POST requests:
- raffik-####.store:443/api/log_sms.php
- raffik-####.store:443/api/register_bot.php
- raffik-####.store:443/api/update_permissions.php
File system changes:
Creates the following files:
- /app_webview/Default/####/000003.log
- /app_webview/Default/####/LOCK
- /app_webview/Default/####/LOG
- /app_webview/Default/####/MANIFEST-000001
- /app_webview/Default/Cookies
- /app_webview/Default/Web Data
- /app_webview/Default/Web Data-journal
- /app_webview/variations_seed_new
- /app_webview/webview_data.lock
- /data/data/####/.org.chromium.Chromium.YFcmyN
- /data/data/####/000001.dbtmp
- /data/data/####/5NwKSfNkCQcOO4G9w5B68VBOY3jkx2xy.dex
- /data/data/####/5iAmnXvFFFrRbTKhGDiyw1zkKd1hJhLO.dex
- /data/data/####/9Hm9ckEJdzMfPxKGCoyPtxckKtKg5sjW.dex
- /data/data/####/BotPrefs.xml
- /data/data/####/BrowserMetrics-spare.pma.tmp
- /data/data/####/Cookies-journal
- /data/data/####/DVNvSGnZldtY0s8XHKGbEmDQhtsg5QqO.dex
- /data/data/####/MANIFEST-000001
- /data/data/####/PermissionsReport.xml
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/ciF5yqfFySyiPpMbyyCDwhq3V3mKU7eL.dex
- /data/data/####/font_unique_name_table.pb
- /data/data/####/index
- /data/data/####/inokxSH2vr4hmzkTQhxhSgigBDFNokyK.dex
- /data/data/####/profileInstalled
- /data/data/####/settings.dat
- /data/data/####/the-real-index
- /data/data/####/todelete_f275ed2d2b1872b8_0_1 (deleted)
- /data/data/####/variations_seed_new
- /data/data/####/variations_stamp
- /data/data/####/ۦۖ۫
- /data/data/####/ۦۖ۫.
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/su
- rm -r/data/user/0/<Package>/app_ded/5NwKSfNkCQcOO4G9w5B68VBOY3jkx2xy.dex
- rm -r/data/user/0/<Package>/app_ded/5iAmnXvFFFrRbTKhGDiyw1zkKd1hJhLO.dex
- rm -r/data/user/0/<Package>/app_ded/9Hm9ckEJdzMfPxKGCoyPtxckKtKg5sjW.dex
- rm -r/data/user/0/<Package>/app_ded/DVNvSGnZldtY0s8XHKGbEmDQhtsg5QqO.dex
- rm -r/data/user/0/<Package>/app_ded/ciF5yqfFySyiPpMbyyCDwhq3V3mKU7eL.dex
- rm -r/data/user/0/<Package>/app_ded/inokxSH2vr4hmzkTQhxhSgigBDFNokyK.dex
Loads the following dynamic libraries:
- libnp_protect_res
Uses elevated priveleges.
Accesses the ITelephony private interface.
Uses special library to hide executable bytecode.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
Appears corrupted in a way typical for malicious files.
