Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.SmsSend.20275
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(GCM) <Google Host>
- TCP(HTTP/1.1) m####.ads####.com:80
- TCP(HTTP/1.1) wpc.1####.edgecas####.net:80
- TCP(HTTP/1.1) clk.apxadtr####.net:80
- TCP(HTTP/1.1) r####.adsb####.com:80
- TCP(HTTP/1.1) j0u.excepti####.com:80
- TCP(HTTP/1.1) trac####.gas####.com:80
- TCP(HTTP/1.1) r####.to####.xyz:80
- TCP(HTTP/1.1) www.u####.com:80
- TCP(HTTP/1.1) c####.wallof####.com:80
- TCP(HTTP/1.1) 5k5.612####.com:80
- TCP(HTTP/1.1) tra####.cla####.com:80
- TCP(HTTP/1.1) a####.securel####.com:80
- TCP(HTTP/1.1) a####.adsbt####.com:80
- TCP(HTTP/1.1) gl####.ymtrac####.com:80
- TCP(HTTP/1.1) k1u.525####.com:80
- TCP(HTTP/1.1) rockt####.com:80
- TCP(HTTP/1.1) t####.cpitra####.com:80
- TCP(HTTP/1.1) ald####.com:80
- TCP(HTTP/1.1) gl####.top####.com:9090
- TCP(HTTP/1.1) z####.com:80
- TCP(HTTP/1.1) koolm####.info:80
- TCP(HTTP/1.1) t####.cpa.tapge####.com:80
- TCP(HTTP/1.1) gl####.ecxtrac####.com:80
- TCP(HTTP/1.1) wpc.4####.edgecas####.net:80
- TCP(HTTP/1.1) ap####.mobi:80
- TCP(HTTP/1.1) p####.le####.com:80
- TCP(HTTP/1.1) lpa.perfon####.com:80
- TCP(HTTP/1.1) tra####.nob####.com:80
- TCP(HTTP/1.1) cpgnrot####.com:80
- TCP(HTTP/1.1) www.u####.com:7079
- TCP(TLS/1.0) a####.gold:443
- TCP(TLS/1.0) smarto####.site:443
- TCP(TLS/1.0) bestper####.site:443
- TCP(TLS/1.0) b.query####.com:443
- TCP(TLS/1.0) waws-pr####.vip.azurewe####.####.net:443
DNS requests:
- 4####.h####.a####.####.net
- 5k5.612####.com
- a####.adsbt####.com
- a####.gold
- a####.securel####.com
- ald####.com
- ap####.mobi
- b.query####.com
- bestper####.site
- c####.wallof####.com
- cdn.securel####.com
- clk.apxadtr####.net
- cpgnrot####.com
- gl####.ecxtrac####.com
- gl####.top####.com
- gl####.ymtrac####.com
- j0u.excepti####.com
- k1u.525####.com
- koolm####.info
- lemm####.azurewe####.net
- lpa.perfon####.com
- m####.ads####.com
- m####.securel####.com
- p####.le####.com
- r####.to####.xyz
- rockt####.com
- smarto####.site
- t####.cpa.tapge####.com
- t####.cpitra####.com
- tra####.cla####.com
- tra####.nob####.com
- trac####.gas####.com
- www.trac####.site
- www.u####.com
- z####.com
HTTP GET requests:
- 5k5.612####.com/?kw=####&s2=####
- a####.securel####.com/t/lj3d155538jgywkh4rwfAAbqnnb247dk/?s1=####&s2=####
- c####.wallof####.com/?utm_medium=####&utm_campaign=####&cid=####&1=####
- gl####.ecxtrac####.com/click?pid=####&offer_id=####&sub1=####&sub2=####&...
- j0u.excepti####.com/api/front/coregs/677f7f4038ad3e352b4c613218e03f2e/get
- j0u.excepti####.com/offer/h1zd1ljrg2yt2/?s1=####&s2=####&affid=####
- k1u.525####.com/?s1=####&s2=####&trafficsource_id=####&token2=####
- r####.adsb####.com/c/140a6455137922f3?c1=####&c2=####&c3=####&_uu=####
- r####.adsb####.com/c/245d96912e3e4930
- tra####.cla####.com/rotator.php?type=####&aff_id=####&aff_sub=####&sourc...
- tra####.nob####.com/?p=####&media_type=####&pi=####&sub_id=####&click_id...
- wpc.1####.edgecas####.net/thumb/media/384/60/215895f9ed21b3798d1f5a200b2...
- www.u####.com/ru/findbutton0718.js
- www.u####.com/ru/processurl0718.js
- www.u####.com/ru/simulationClickYes0718.js
HTTP POST requests:
- j0u.excepti####.com/api/session/start?s1=####&s2=####&affid=####
- j0u.excepti####.com/api/track
- www.u####.com:7079/jsdk/sd.action?b=####
- www.u####.com:7079/jsdk/sd.action?b=####&ca=####&ica=####&re=####
Modified file system:
Creates the following files:
- <Package Folder>/app_jgu/####/libwapCore.so
- <Package Folder>/app_jgu/####/tmp.mu2072
- <Package Folder>/app_jgu/<Package>.rm
- <Package Folder>/app_jgu/x.apk
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/index
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <SD-Card>/commonsdk/findbutton0718.js
- <SD-Card>/commonsdk/processurl0718.js
- <SD-Card>/commonsdk/simulationClickYes0718.js
Miscellaneous:
Loads the following dynamic libraries:
- v8js
Uses the following algorithms to decrypt data:
- desede-CBC-PKCS5Padding
Gains access to telephone information (number, imei, etc.).
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
Gains access to information about sent/received SMS messages.
