Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Locker.1274.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) st####.tin####.com:80
- TCP(TLS/1.0) chec####.cc:443
- TCP(TLS/1.0) gm.mm####.com:443
- TCP(TLS/1.0) 1####.251.36.3:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) log-re####.com:443
- TCP(TLS/1.0) vi####.lan####.com:443
- TCP(TLS/1.0) z.c####.com:443
- TCP(TLS/1.0) 1####.251.39.106:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) 1####.250.179.138:443
- TCP(TLS/1.0) st####.woo####.com.####.com:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.2) 1####.250.179.138:443
- TCP(TLS/1.2) and####.a####.go####.com:443
DNS requests:
- 360####.org
- and####.a####.go####.com
- and####.cli####.go####.com
- c####.mm####.com
- c.c####.com
- chec####.cc
- log-re####.com
- m####.go####.com
- p####.google####.com
- pla####.googleu####.com
- s95.c####.com
- st####.tin####.com
- st####.woo####.com
- vi####.lan####.com
- z4.c####.com
HTTP GET requests:
- chec####.cc:443/feature/config?api_version=####&app_id=####&app_version=...
- chec####.cc:443/jd?a=####&av=####&d=####&p=####&v=####&vc=####
- st####.tin####.com/static/ij-cloud/cs/google_analytics_6.aar
HTTP POST requests:
- log-re####.com:443/report
File system changes:
Creates the following files:
- /data/data/####/01741a76e810f377_0
- /data/data/####/06d96946d3de1318_0
- /data/data/####/06d96946d3de1318_1
- /data/data/####/07d9e109577c8e74_0
- /data/data/####/0d042179102fad1b_0
- /data/data/####/11e20f3df2e488ac_0
- /data/data/####/2c695c1beca772d3_0
- /data/data/####/2f17f80f67d6b63a_0
- /data/data/####/37cfa0400172cb17_0
- /data/data/####/3b43ca75deb4463b_0
- /data/data/####/3c3bf311451288cf_0
- /data/data/####/4110a965c8d20565_0
- /data/data/####/41a69af474339c06_0
- /data/data/####/4202cf0c5de51f40_0
- /data/data/####/4329109b8e5e33ad_0
- /data/data/####/47b6e9e071ac3a05_0
- /data/data/####/47f3539c35be00ec15e8cdecc90c6cec37901bd81a86ed1...3b.apk
- /data/data/####/47f3539c35be00ec15e8cdecc90c6cec37901bd81a86ed1...3b.dex
- /data/data/####/47f3539c35be00ec15e8cdecc90c6cec37901bd81a86ed1...leted)
- /data/data/####/5048665a51bc150e_0
- /data/data/####/553bb4dabbe05256_0 (deleted)
- /data/data/####/5616f70fdc24288c_0
- /data/data/####/5df61e0504d150b9_0
- /data/data/####/681d853bb6a13d2a_0
- /data/data/####/69cc3f17a78fbb22_0
- /data/data/####/7b6cd058f3d18a51_0
- /data/data/####/83ad614f620446b4_0
- /data/data/####/86a9500dea47f618_0
- /data/data/####/89209803614158bd_0 (deleted)
- /data/data/####/8ac7e13cb637a6dd_0
- /data/data/####/8ed8b76a2eaaeced_0 (deleted)
- /data/data/####/8f1999b76871af8d_0
- /data/data/####/97f2e25ed09f4569_0 (deleted)
- /data/data/####/9f8c9d2c38c7f83b_0
- /data/data/####/9f8c9d2c38c7f83b_1
- /data/data/####/CBGr2.xml
- /data/data/####/Cookies-journal
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/b45bc80461fcb600_0
- /data/data/####/b49800c3385bb752_0
- /data/data/####/bee9db93a9444433_0
- /data/data/####/c03578bf50bd2bed_0
- /data/data/####/c5df95734d1f89b4_0
- /data/data/####/c898bfd31ce55293_0
- /data/data/####/caa61ad2ce98ca02_0
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.oat
- /data/data/####/e1039fa8ae08c319_0
- /data/data/####/e1bdd9cef3531eb1_0
- /data/data/####/e3c6fab172578d74_0
- /data/data/####/e3c6fab172578d74_1
- /data/data/####/ef944a13fc93e584_0
- /data/data/####/f839d3363b10ab49_0
- /data/data/####/fb4175c4413e0b15_0
- /data/data/####/index
- /data/data/####/libjiagu.so
- /data/data/####/metrics_guid
- /data/data/####/proc_auxv
- /data/data/####/temp-index
- /data/data/####/the-real-index
- /data/data/####/xiaoernb.vip_preferences.xml
- /data/media/####/crash.txt
Miscellaneous:
Loads the following dynamic libraries:
- libjiagu
- libluajava
- libygsiyu
Uses the following algorithms to encrypt data:
- DES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- DES
- DES-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Gets information about network.
Displays its own windows over windows of other apps.
