Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Spy.2442
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 1####.254.116.117:80
- TCP(HTTP/1.1) m.d####.mob.com:80
- TCP(HTTP/1.1) d####.d####.mob.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) l####.cc:80
- TCP(HTTP/1.1) api.shu####.cn:80
- TCP(HTTP/1.1) api.s####.mob.com:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(TLS/1.0) dai.shu####.cn:443
- TCP(TLS/1.0) dcc.shu####.cn:443
- TCP(TLS/1.0) opera####.dreams####.cn:443
- TCP(TLS/1.0) c####.dreams####.cn:443
- TCP(TLS/1.0) api.shu####.cn:443
- TCP(TLS/1.0) daa.shu####.cn:443
- TCP(TLS/1.0) d####.dreams####.cn:443
- TCP(TLS/1.0) sa.dreams####.cn:443
- TCP t####.qq.com:14000
- TCP t####.qq.com:8080
DNS requests:
- a####.exc.mob.com
- ab.dreams####.cn
- acc####.dreams####.cn
- api.s####.mob.com
- api.shu####.cn
- c####.dreams####.cn
- c.d####.mob.com
- d####.d####.mob.com
- d####.dreams####.cn
- daa.shu####.cn
- dai.shu####.cn
- dcc.shu####.cn
- l####.cc
- l####.tbs.qq.com
- m.d####.mob.com
- opera####.dreams####.cn
- pi####.qq.com
- sa.dreams####.cn
- t####.qq.com
HTTP GET requests:
- m.d####.mob.com/v3/cconf?appkey=####&plat=####&apppkg=####&appver=####&n...
HTTP POST requests:
- a####.exc.mob.com/errconf
- api.s####.mob.com/conf5
- api.s####.mob.com/conn
- api.s####.mob.com/log4
- api.s####.mob.com/snsconf
- api.shu####.cn/report?v=####&c=####&e=####
- d####.d####.mob.com/dinfo
- d####.d####.mob.com/dsign
- l####.cc/i/sdk/install
- l####.cc/i/sdk/open
- m.d####.mob.com/v3/cdata
- pi####.qq.com/mstat/report/?index=####
File system changes:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/.lock
- /data/data/####/.mrecord
- /data/data/####/.mrlock
- /data/data/####/.statistics
- /data/data/####/.tpns.service.xml.xml
- /data/data/####/.tpns.settings.xml.xml
- /data/data/####/.tpush_mta.xml
- /data/data/####/1004
- /data/data/####/LKME_Server_Request_Queue.xml
- /data/data/####/MultiDex.lock
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/bugly_db_-journal
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/com.infinitemarket.comic-journal
- /data/data/####/com.infinitemarket.comic_dna.xml
- /data/data/####/com.infinitemarket.comic_preferences.xml
- /data/data/####/com.infinitemarket.comic_prefs.xml
- /data/data/####/com.infinitemarket.comic_prefs.xml.bak (deleted)
- /data/data/####/com.sensorsdata.analytics.android.sdk.SensorsDataAPI.xml
- /data/data/####/com_kuaikan_comic_android.xml
- /data/data/####/com_kuaikan_comic_config_android.xml
- /data/data/####/core_info
- /data/data/####/crashrecord.xml
- /data/data/####/device_id.xml
- /data/data/####/dso_deps
- /data/data/####/dso_lock
- /data/data/####/dso_manifest
- /data/data/####/dso_state
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/kkxm.db-journal
- /data/data/####/libjiagu-733565256.so
- /data/data/####/linkedme_referral_shared_pref.xml
- /data/data/####/mob_commons_1
- /data/data/####/mob_sdk_exception_1
- /data/data/####/multidex.version.xml
- /data/data/####/native_record_lock
- /data/data/####/qihoo_jiagu_crash_report.xml
- /data/data/####/sensorsdata.xml
- /data/data/####/share_sdk_1
- /data/data/####/sharesdk.db-journal
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbslock.txt
- /data/data/####/tpush.shareprefs.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/media/####/..ccvid
- /data/media/####/._android.dat
- /data/media/####/._driver.dat
- /data/media/####/._system.dat
- /data/media/####/.acc.dat
- /data/media/####/.aio.dat
- /data/media/####/.ccvid
- /data/media/####/.dh-journal
- /data/media/####/.dhlock
- /data/media/####/.di
- /data/media/####/.dic_lock
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.lm_device_id
- /data/media/####/.mps
- /data/media/####/.nulplt
- /data/media/####/.pkg_lock
- /data/media/####/.rcTag
- /data/media/####/.rc_lock
- /data/media/####/_android.dat
- /data/media/####/_driver.dat
- /data/media/####/_system.dat
- /data/media/####/acc.dat
- /data/media/####/aio.dat
- /data/media/####/tbslog.txt
Miscellaneous:
Executes the following shell scripts:
- <Package Folder>/lib/libxguardian.so <Package>,2100307961; 55728 203.205.128.130 [{"idx":0,"ts":%d,"et":2000,"si":0,"ui":"<IMEI>","ky":"Axg%lu","mid":"0","ev":{"ov":"18","sr":"600*752","md":"<System Property>","lg":"en","sv":"3.26","mf":"unknown","apn":"%s"}}] 0 18
- cat /sys/class/net/wlan0/address
- df
- getprop ro.product.cpu.abi
- ls /system/fonts
- mkdir -p <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/
- service call iphonesubinfo 1
- sh
- sh -c cat /proc/meminfo
- sh -c cat /proc/sys/kernel/random/uuid
- sh -c cat /sys/block/mmcblk0/device/cid
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/..ccdid
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/..ccvid
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/._android.dat
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/._driver.dat
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/._system.dat
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/.acc.dat
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/.aio.dat
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/.ccdid
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/.ccvid
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_android.dat
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_driver.dat
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_system.dat
- sh -c cat <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/aio.dat
- sh -c cd /sys/class/net/eth0/ && cat address
- sh -c cd /sys/class/net/wlan0/ && cat address
- sh -c echo MUZDQ0VCMEFEODE0NDdDMUFBNDM4OEM2OTczN0I3N0IxNTcyOTI1OTI4 > <SD-Card>/../../../../../..<SD-Card>/.acc.dat
- sh -c echo MUZDQ0VCMEFEODE0NDdDMUFBNDM4OEM2OTczN0I3N0IxNTcyOTI1OTI4 > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/acc.dat
- sh -c echo MjRDNjhCRjJGRTcwRDZBMjdBMzM2RjUwMjIwRjNFRTRjOGZ2NXhDVjUrMllMaEtrSGRjWjQ2NGp3aGlwbGFNMTV4R3gydjFBVUIxUXMzVUNHMGN5OC9qNFJUK3E5N0xkbGYxdkF6WE5udSsxTDV0MnF6dSt5QnphWHRvODdJUmNxTjAvenE2bDBMeWpza3Zva0Z1UnFxMTdOMW9iWWFSZlArVkZJOE5oS0MvUmcvaWVtYkFyVG1jQlRJZWlJSGlJb3NNaDhZNFNRdFlVUGhBM2pFb3V4TEpJeHozSDdPN25wdEhrRTNqYXVMS1NndFlWY3Y4NXljSzE4YU5IaS9zSHBvWnF4S2FEMWgxVXRjd01wSmlFWlZRaHcvcnM5bmp4SUQvNEpCekE2SHJPS0syK2ljQXBpejJwUWc5Y09Pd3ovWWk2YXFoY3Q4NnJwb0g3Tk4vbTZqYjQzcTZvZ3pzK1lPQ2JRY1ZQRkd4NG1EdGZTKzJVbDYwTzRURl
- sh -c echo NDJBRTk4RUE5M0JGQkQwQ0Y3RkM0MzgwNDY3MjFGQTRGNjVENEE6M0UzNjBDOkY0QTAxNA== > <SD-Card>/../../../../../..<SD-Card>/._driver.dat
- sh -c echo NDJBRTk4RUE5M0JGQkQwQ0Y3RkM0MzgwNDY3MjFGQTRGNjVENEE6M0UzNjBDOkY0QTAxNA== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_driver.dat
- sh -c echo NkRGMTFDMTFGMTFBODA1M0MwMjQ1QTZCQTVDNkU4MzIyMDE4MDIwOTAwMDM= > <SD-Card>/../../../../../..<SD-Card>/..ccvid
- sh -c echo NkRGMTFDMTFGMTFBODA1M0MwMjQ1QTZCQTVDNkU4MzIyMDE4MDIwOTAwMDM= > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/.ccvid
- sh -c echo QjEyREVENTFDMUQ1MjBBMDY2NDUwRjc2MUYyNEMzRkExNTcyOTI1OTIz > <SD-Card>/../../../../../..<SD-Card>/.aio.dat
- sh -c echo QjEyREVENTFDMUQ1MjBBMDY2NDUwRjc2MUYyNEMzRkExNTcyOTI1OTIz > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/aio.dat
- sh -c echo QjU4NUVFQTBCMEQ3MkI1Mzg5QjM5ODQ1MzQ1NUNFMDMzQzdBQjU6ODg2Qzc4OjI3RERDMw== > <SD-Card>/../../../../../..<SD-Card>/._system.dat
- sh -c echo QjU4NUVFQTBCMEQ3MkI1Mzg5QjM5ODQ1MzQ1NUNFMDMzQzdBQjU6ODg2Qzc4OjI3RERDMw== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_system.dat
- sh -c echo QzlDODU0MTRDMkY2NkVDNjNENkEyOTIyOEI3ODI3OUJGNTVBQUY6OEZDNTVBOjAwNTgwOA== > <SD-Card>/../../../../../..<SD-Card>/._android.dat
- sh -c echo QzlDODU0MTRDMkY2NkVDNjNENkEyOTIyOEI3ODI3OUJGNTVBQUY6OEZDNTVBOjAwNTgwOA== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_android.dat
- sh <Package Folder>/lib/libxguardian.so <Package>,2100307961; 55728 203.205.128.130 [{ idx :0, ts :%d, et :2000, si :0, ui : <IMEI> , ky : Axg%lu , mid : 0 , ev :{ ov : 18 , sr : 600*752 , md : <System Property> , lg : en , sv : 3.26 , mf : unknown , apn : %s }}] 0 18
Loads the following dynamic libraries:
- Bugly
- du
- libimagepipeline
- libjiagu-733565256
- neh
- tpnsSecurity
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
- RSA
- RSA-ECB-NoPadding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- DES-ECB-PKCS5Padding
- desede-CBC-NoPadding
Accesses the ITelephony private interface.
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about APN settings.
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
