Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.657.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- TCP(/re?code=afc880fa2dbccbe046a601092a6fa15536680a7202acf0059a5a0f30469ef0d5be381fc2e8bd4a729efed64d598bd4d8b943a63875dd1e14943dc606b4be17b37d5b78021b2dd05942fad77fe80d79fcf96b9a0497d1a787c73e79b3cc528a972967413431079c9456148f4cca6920bed2c4ad084ee3e67b4094719b3b48093800fb31f835d071ea889a69caff836e8d116f5dc87194547b77ef633c0640bc69579fb6c4eb0b1e66205e75af9b947d12d90f4a81d60ca124e5960600a696fad3e880fc0ee2bd119b25b9d6804179da11b6195d7b7b94a8f6c63ff50ccc35d87c978082a8d197ff2e588f7880a816f07d8af8157a6dcf655f4bf17b0470658e61b47e2783d1aff8769c8a0b6cf8b141043e2f505076641b72b22862983cab45bcc4a17d23da8e7a55c0caac877a3448e7f785e14e20b294dafe7ababd22101ea0bfb15b172d939ddcd3f43d4ecd7165e5ca145543ca7535ec975bc3d8ccad6c4db93d54a04aea60b7c5f5bd3a33371020fbf833e5169579ac57d56851e88dbaf64fddc68c4989c149ddd774d774196ee1603241245f917c644918b83e63684310f0a3284c02b228e4c2f71944cf07972c504ae0ea2770bdaced0d6bf0ab8975b34f810269071c741494762e78010b4c475ceb9d355d3452d9f81285088f92f5c971db609bc7fa27742538193d9856b0b58305e228e1f5f0744f1fcfb5adf7df1b0691b3e539a22807b39e7f75e7d4327120c05127d80d451e7b102a70720579d925cfee58b4cdbe13a013a40ed2ef65623f0894de1b5190f606c0feec65ffad494eef4d91988ded90981339b010b8203edacd58645574bb1351f502a78451b3631a39626009798c04179f2ecd44d011cfc16ce85b16f782fe909fc929ff6215b5a98deb852c6fc6f3cc5e501d4b61160f20f4db92c31) a.cor####.com:80
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 1####.55.28.235:80
- TCP(HTTP/1.1) c####.360.cn:80
- TCP(HTTP/1.1) t####.zhiz####.com:80
- TCP(HTTP/1.1) adv.danding####.com:8081
- TCP(HTTP/1.1) c.g####.qq.com:80
- TCP(HTTP/1.1) cm.adi####.com:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(HTTP/1.1) www.ta####.com:80
- TCP(HTTP/1.1) ap####.adi####.com:80
- TCP(HTTP/1.1) ga####.lotu####.com:80
- TCP(HTTP/1.1) dl.cm.ksmo####.####.com:80
- TCP(HTTP/1.1) p####.tc.qq.com:80
- TCP(HTTP/1.1) a.e####.cn:80
- TCP(HTTP/1.1) s####.e.qq.com:80
- TCP(HTTP/1.1) api.m####.adwan####.com:80
- TCP(HTTP/1.1) v.g####.qq.com:80
- TCP(HTTP/1.1) 3####.tc.qq.com:80
- TCP(HTTP/1.1) a.cor####.com:80
- TCP(HTTP/1.1) u####.bfsspad####.8l####.com:80
- TCP(HTTP/1.1) 1####.11.61.135:80
- TCP(HTTP/1.1) dsp.zhiz####.com:80
- TCP(HTTP/1.1) rcv.a####.com:80
- TCP(HTTP/1.1) btxhres####.moqi####.com.####.com:80
- TCP(HTTP/1.1) t####.cor####.com:80
- TCP(HTTP/1.1) dsp.tou####.com:80
- TCP(HTTP/1.1) api.e####.cn:80
- TCP(HTTP/1.1) 1####.26.247.23:80
- TCP(HTTP/1.1) 1####.31.213.162:80
- TCP(HTTP/1.1) c.appj####.com:80
- TCP(HTTP/1.1) pic.ange####.cn:80
- TCP(HTTP/1.1) 1####.11.61.137:80
- TCP(HTTP/1.1) www.mingqi####.top:80
- TCP(HTTP/1.1) 47.97.2####.214:80
- TCP(HTTP/1.1) m.ta####.com:80
- TCP(HTTP/1.1) api.map.b####.com:80
- TCP(HTTP/1.1) amdc####.m.ta####.com:80
- TCP(HTTP/1.1) mi.g####.qq.com:80
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.0) sh.wagbr####.alibaba####.com:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) regi####.xm####.xi####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) m.ta####.com:443
DNS requests:
- a.cor####.com
- a.e####.cn
- adv.danding####.com
- ag####.m.ta####.com
- amdc####.m.ta####.com
- and####.cli####.go####.com
- ap####.adi####.com
- api.e####.cn
- api.m####.adwan####.com
- api.map.b####.com
- btxhres####.moqi####.com
- c####.360.cn
- c####.mm####.com
- c.appj####.com
- c.c####.com
- c.g####.qq.com
- cm.adi####.com
- dd.m####.com
- dl.cm.ksmo####.com
- dsp.tou####.com
- dsp.zhiz####.com
- ga####.lotu####.com
- h5.m.ta####.com
- imgc####.qq.com
- m.ta####.com
- mi.g####.qq.com
- on####.lotu####.com
- p####.ugd####.com
- pic.ange####.cn
- pic.e####.cn
- plb####.u####.com
- pp.m####.com
- qzones####.g####.cn
- rcv.a####.com
- regi####.xm####.xi####.com
- s####.e.qq.com
- s13.c####.com
- t####.cor####.com
- t####.zhiz####.com
- u####.bfsspad####.8l####.com
- u####.u####.com
- umen####.m.ta####.com
- umengj####.m.ta####.com
- v.g####.qq.com
- www.mingqi####.top
- www.ta####.com
- z7.c####.com
HTTP GET requests:
- 3####.tc.qq.com/16891/E417DD8157BD7DEA3C45C8F812B5AB32.apk?fsname=####&_...
- a.cor####.com/re?code=####
- a.e####.cn/public/getClickUrlList.shtml?lng=####&sd=####&screenheight=##...
- a.e####.cn/public/getClickUrlPoList.shtml?lng=####&sd=####&screenheight=...
- a.e####.cn/public/getCommonInformationAd.shtml?height=####&width=####&ln...
- a.e####.cn/public/getCommonStartUpAd.shtml?height=####&width=####&lng=##...
- a.e####.cn/public/isDebugAd.shtml?ts=####&appid=####&sign=####
- a.e####.cn/public/rab.shtml?id=####&network=####&machine=####
- a.e####.cn/public/showUrlVisit.shtml?os=####&osversion=####&appversion=#...
- adv.danding####.com:8081/danding-api/adv/receiveTrack?type=####&adid=###...
- ap####.adi####.com/tj?key=####&rd=####&req=####&token=####
- ap####.adi####.com/tj?key=####&rd=####&req=YWR####&token=####
- api.e####.cn/public/getSecondaryHomeData.shtml?machine=####&version=####...
- api.m####.adwan####.com/clickNotice.api?reqId=####
- api.m####.adwan####.com/displayNotice.api?reqId=####
- btxhres####.moqi####.com.####.com/bt/xhmgc_bt_55.apk?IT_CLK_####
- c.g####.qq.com/gdt_mclick.fcg?viewid=####&jtype=####&i=####&os=####&asi=...
- c.g####.qq.com/gdt_trace_a.fcg?actionid=####&targettype=####&tagetid=###...
- cm.adi####.com/?t=####&d=####&k=####&rd=####&c=####&code=####&pcode=####...
- dl.cm.ksmo####.####.com/static/res/fixed/ef/2010007662.apk
- dsp.tou####.com/api/ruangao/ads/click?extra=####
- dsp.tou####.com/api/ruangao/ads/show?extra=####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=-####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=5####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=8####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=I####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=R####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=T####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=U####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=b####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=f####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=h####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=i####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=l####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=n####&price=####
- dsp.tou####.com/api/ruangao/ads/show?extra=p####&price=####
- dsp.zhiz####.com/track/pixel?op=####&ct=####&price=####&ext=####
- m.ta####.com/?sprefer=####
- mi.g####.qq.com/gdt_mview.fcg?actual_width=####&count=####&r=####&templa...
- mi.g####.qq.com/gdt_mview.fcg?posw=####&spsa=####&posh=####&count=####&r...
- p####.tc.qq.com/qzone/biz/gdt/mob/sdk/v2/android02/images/tsa_ad_logo.png
- p####.tc.qq.com/qzone/biz/gdt/mod/android/AndroidAllInOne/proguard/his/r...
- pic.ange####.cn/web/259013087.jpg!s4
- pic.ange####.cn/web/259013811.jpg!m3
- pic.ange####.cn/web/260024699.jpg!m3
- pic.ange####.cn/web/260024705.jpg!m720
- pic.ange####.cn/web/260024710.jpg
- pic.ange####.cn/web/260024710.jpg!m720
- pic.ange####.cn/web/260024712.jpg!m720
- pic.ange####.cn/web/260024713.jpg!m720
- pic.ange####.cn/web/260024714.jpg!m720
- pic.ange####.cn/web/260024715.jpg!m720
- pic.ange####.cn/web/260024716.jpg!m720
- pic.ange####.cn/web/260024717.jpg!m720
- pic.ange####.cn/web/260024718.jpg!m720
- pic.ange####.cn/web/260024722.jpg!m720
- pic.ange####.cn/web/260024723.jpg!m720
- pic.ange####.cn/web/260024724.jpg!m720
- pic.ange####.cn/web/260024725.jpg!m720
- pic.ange####.cn/web/260024726.jpg!m720
- pic.ange####.cn/web/260024728.jpg!m720
- pic.ange####.cn/web/260024729.jpg!m720
- pic.ange####.cn/web/260024730.jpg!m720
- pic.ange####.cn/web/260024731.jpg!m720
- pic.ange####.cn/web/260024734.jpg!m720
- pic.ange####.cn/web/260327969.jpg!m3
- pic.ange####.cn/web/261808584.jpg!s4
- pic.ange####.cn/web/48436013.jpg!m3
- rcv.a####.com/click?CAAQDA.####
- rcv.a####.com/show?CAAQFQ.####
- rcv.a####.com/show?CAAQIQ.####
- s####.tc.qq.com/gdt/0/DAAZFV7AKAAPAABBBbdOF5A-Ai8THh.jpg/0?ck=####
- s####.tc.qq.com/ma_icon/0/icon_42350811_1536302646/256
- t####.cor####.com/tj?bid=####&id=####&ua=####&ip=####&m=####&n=####&clk=...
- t####.cor####.com/tj?bid=####&id=####&ua=####&ip=####&m=####&n=####&imp=...
- t####.zhiz####.com/mad.do?zzat=####&siteid=####&zzid=####&pr=####&adx=##...
- u####.bfsspad####.8l####.com/adClick?v=####&b=####&st=####&p=####&g=####...
- u####.bfsspad####.8l####.com/adShow?v=####&b=####&i=####&r=####&bid=####...
- u####.bfsspad####.8l####.com/dplClick?v=####&b=####&st=####&p=####&g=###...
- v.g####.qq.com/gdt_stats.fcg?viewid=####&i=####&os=####&xp=####&gap=####
- www.mingqi####.top/?iclicashsid=####
- www.mingqi####.top/css/m.css
- www.mingqi####.top/js/jquery.min.js
- www.mingqi####.top/picture/android_tips.png
- www.mingqi####.top/picture/bg.jpg
- www.mingqi####.top/picture/bg1_02.jpg
- www.mingqi####.top/picture/bg1_04.jpg
- www.mingqi####.top/picture/bg1_05.jpg
- www.mingqi####.top/picture/bg1_06.jpg
- www.mingqi####.top/picture/bg1_07.jpg
- www.mingqi####.top/picture/bg1_08.jpg
- www.mingqi####.top/picture/bg1_09.jpg
- www.mingqi####.top/picture/bg1_10.jpg
- www.mingqi####.top/picture/bg1_11.jpg
- www.mingqi####.top/picture/bg1_12.jpg
- www.ta####.com/
HTTP POST requests:
- amdc####.m.ta####.com/amdc/mobileDispatch?appkey=####&deviceId=####&plat...
- api.map.b####.com/location/ip?ak=####&coor=####
- c####.360.cn/stra_packet
- c.appj####.com/ad/splash/stats.html
- ga####.lotu####.com/?st=####&sv=####&tm=####&sid=GyA####&apn=####&ct=###...
- s####.e.qq.com/activate
- s####.e.qq.com/click
- s####.e.qq.com/msg
Modified file system:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.jgrpa.xml
- /data/data/####/.log.lock
- /data/data/####/.log.rpa
- /data/data/####/06b9c9b1114e0ca57708f382d3b8b765.xml
- /data/data/####/2072.yaqcookie
- /data/data/####/5ead7c1916e321af3ee0d7d6aa595238.temp
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AdloadStore.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/BuglySdkInfos.xml
- /data/data/####/ClassicsHeader.xml
- /data/data/####/ContextData.xml
- /data/data/####/DaemonServer
- /data/data/####/GDTSDK.db
- /data/data/####/GDTSDK.db-journal
- /data/data/####/Ji.xml
- /data/data/####/MessageStore.db-journal
- /data/data/####/MsgLogStore.db-journal
- /data/data/####/accs.db-journal
- /data/data/####/ad_show_time.xml
- /data/data/####/agoo.pid
- /data/data/####/cn.ecook.xml
- /data/data/####/collectiondatabase
- /data/data/####/collectiondatabase-journal
- /data/data/####/com.google.android.gms.analytics.prefs.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/devCloudSetting.cfg
- /data/data/####/devCloudSetting.sig
- /data/data/####/dexMethod.94151578.dat
- /data/data/####/e4902e679b57119224abc89d71b51100.temp
- /data/data/####/ecookdatabase
- /data/data/####/ecookdatabase-journal
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000c (deleted)
- /data/data/####/f_00000d
- /data/data/####/f_00000d (deleted)
- /data/data/####/gaClientId
- /data/data/####/gdt_plugin.jar
- /data/data/####/gdt_plugin.jar.sig
- /data/data/####/gdt_plugin.tmp
- /data/data/####/gdt_plugin.tmp.sig
- /data/data/####/gdt_suid
- /data/data/####/geofencing.db
- /data/data/####/geofencing.db-journal
- /data/data/####/google_analytics_v4.db-journal
- /data/data/####/i==1.2.0&&4.31.45_1536417518020_envelope.log
- /data/data/####/index
- /data/data/####/info.xml
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/jg_so_upgrade_setting.xml
- /data/data/####/libjiagu2063946030.so
- /data/data/####/libyaqbasic.94151578.so
- /data/data/####/libyaqpro.94151578.so
- /data/data/####/log.android.library.xml
- /data/data/####/lonLat.xml
- /data/data/####/lotuseed.apps
- /data/data/####/lotuseed.s
- /data/data/####/lotuseed.task
- /data/data/####/lotuseed_global.xml
- /data/data/####/material.db-journal
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/mipush.xml
- /data/data/####/mipush_extra.xml
- /data/data/####/mipush_region
- /data/data/####/mipush_region.lock
- /data/data/####/multidex.version.xml
- /data/data/####/recipe.db-journal
- /data/data/####/recipedatabase-journal
- /data/data/####/sdkCloudSetting.cfg
- /data/data/####/sdkCloudSetting.sig
- /data/data/####/tiny_data.data
- /data/data/####/tiny_data.lock
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_message_state.xml
- /data/data/####/update_lc
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/data/####/yaqsdkcookie
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.nomedia
- /data/media/####/.umm.dat
- /data/media/####/01b008a9a46f2327880d0b8d4d70ce87
- /data/media/####/1dir72t91jgtg6opl3k77y90s.tmp
- /data/media/####/1y6mqnjv31yd6cjxpvxsey6zl.tmp
- /data/media/####/2i502rmm0qr2zml55jqainv3c.tmp
- /data/media/####/2jecjks3p0ktwksdk45neob08.tmp
- /data/media/####/2odcf6j37a4cc419pmg80i19t.tmp
- /data/media/####/2z2ilf9ot99bmt8e0i8v86t1i.tmp
- /data/media/####/318j6ck0aak98te4wiwvb44md.tmp
- /data/media/####/3nebt6n87q4adbuh80p53d0eu.tmp
- /data/media/####/3u5ijjghojrnnn5teypdhx9m5.tmp
- /data/media/####/3xzjezs64vofeuucqyqvfd3rm.tmp
- /data/media/####/42380ddatomn845mi3smenk6w.tmp
- /data/media/####/46srordffptwerad5gdeiw6y.tmp
- /data/media/####/46wz1br2qp6evwhedwgk581zy.tmp
- /data/media/####/4xpc1wa1iq7v9em0ss58o311u.tmp
- /data/media/####/53n1x1pow4wpq5mhu8fa654vr.tmp
- /data/media/####/54cc9h6jshr1p6rh68kexgypr.tmp
- /data/media/####/5id9ceai37fqmqam21o2qp0s2.tmp
- /data/media/####/5o8y65zbk6whr0pd4h9ngvpv5.tmp
- /data/media/####/5ub8b174sbnyqjfuzqtgm1iv2.tmp
- /data/media/####/62u7pjczlnttj59hdbq9qfhtd.tmp
- /data/media/####/6rd9mhkvdjh25yo8zul6hph6j.tmp
- /data/media/####/70y34ozqe7oqjjmbsd59cl4e8.tmp
- /data/media/####/77w1yr2rzf2aq0tmnorkj75po.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/com.ss.android.ugc.aweme.apk_0
- /data/media/####/gtjt3xb1xly27lfkdh8qam30.tmp
- /data/media/####/log.lock
- /data/media/####/log1.txt
- /data/media/####/lotuseed.devid
- /data/media/####/rooq0n9742n12mz5s507bmfj.tmp
- /data/media/####/uuzt9yzozcf2mpcsx2ghbm4u.tmp
Miscellaneous:
Executes next shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:5976e9333eae2526d4001388","utdid":"W5Pe7eFEbPkDAGdzx1HPqU5b","sdkVersion":"221"} -I agoodm.m.taobao.com -O 80 -T -Z
- cat /sys/class/net/wlan0/address
- chmod 500 <Package Folder>/files/DaemonServer
- chmod 755 <Package Folder>/.jiagu/libjiagu2063946030.so
- ls /sys/class/thermal
- ps
- sh
- su
Loads the following dynamic libraries:
- libjiagu2063946030
- libyaqbasic.94151578
- libyaqpro.94151578
- tnet-3.1
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- RSA
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- RSA-ECB-PKCS1Padding
Uses elevated priveleges.
Uses special library to hide executable bytecode.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about APN settings.
Gains access to information about installed applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
