Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.337.origin
Threat detection based on machine learning.
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) pic####.i####.com:80
- UDP(NTP) 2.and####.p####.####.org:123
- TCP(TLS/1.0) i####.doub####.com.####.net:443
- TCP(TLS/1.0) p5.ssl.qhi####.com:443
- TCP(TLS/1.0) p####.z####.com.####.com:443
- TCP(TLS/1.0) al####.u####.com:443
- TCP(TLS/1.0) img1-do####.b0.a####.com:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) api-ac####.pangoli####.com.####.com:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) ima####.x####.com.####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) mast-br####.oss-cn-####.aliy####.com:443
- TCP(TLS/1.0) new-####.u####.com:443
- TCP(TLS/1.0) rr2---s####.g####.com:443
- TCP(TLS/1.2) 1####.251.36.3:443
- TCP(TLS/1.2) p####.google####.com:443
- TCP arm.z####.cn:10002
- UDP p####.google####.com:443
DNS requests:
- 2.and####.p####.####.org
- and####.a####.go####.com
- and####.google####.com
- api-ac####.pangoli####.com
- arm.z####.cn
- f####.gst####.com
- i####.doub####.com
- i####.doub####.com
- i####.doub####.com
- i####.doub####.com
- ima####.x####.com
- m####.go####.com
- mast-br####.oss-cn-####.aliy####.com
- p####.google####.com
- p####.z####.com
- p2.ssl.qhi####.com
- p5.ssl.qhi####.com
- pic####.i####.com
- rr2---s####.g####.com
- u####.u####.com
- ut####.u####.com
- www.google####.com
- wx3.sin####.cn
HTTP GET requests:
- api-ac####.pangoli####.com.####.com:443/bmiddle/0079OWK7gy1gzztqs8lkxj30...
- api-ac####.pangoli####.com.####.com:443/view/photo/l/public/p2873608330....
- api-ac####.pangoli####.com.####.com:443/view/photo/s_ratio_poster/public...
- i####.doub####.com.####.net:443/view/photo/l/public/p2629400982.webp
- i####.doub####.com.####.net:443/view/photo/l/public/p2633509652.webp
- i####.doub####.com.####.net:443/view/photo/l/public/p2634001163.webp
- i####.doub####.com.####.net:443/view/photo/l/public/p2644203343.webp
- i####.doub####.com.####.net:443/view/photo/l/public/p2882141221.webp
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p256116...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p256729...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p256797...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p256879...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p256945...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p257107...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p258714...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p258810...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p259107...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p259982...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p261939...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p262078...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p262367...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p262752...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p263218...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p263708...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p264161...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p266500...
- i####.doub####.com.####.net:443/view/photo/s_ratio_poster/public/p273425...
- ima####.x####.com.####.com:443/storages/769f-audiofreehighqps/0E/D9/GKwR...
- ima####.x####.com.####.com:443/storages/8000-audiofreehighqps/EA/0A/CKwR...
- img1-do####.b0.a####.com:443/view/photo/l/public/p2642295318.webp
- img1-do####.b0.a####.com:443/view/photo/l/public/p2751750668.webp
- img1-do####.b0.a####.com:443/view/photo/l/public/p2868724729.webp
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p257212350...
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p257969911...
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p258553350...
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p259252168...
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p259366492...
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p260014245...
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p260906404...
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p261078877...
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p262587978...
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p262837375...
- img1-do####.b0.a####.com:443/view/photo/s_ratio_poster/public/p272106686...
- mast-br####.oss-cn-####.aliy####.com:443/videocat/playlist.json
- mast-br####.oss-cn-####.aliy####.com:443/videocat/resource/resource_103....
- p####.z####.com.####.com:443/50/v2-18704f47837b14a4b4682db3b7a9af76_720w...
- p####.z####.com.####.com:443/view/photo/l/public/p2836849094.webp
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p255676596...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p257281321...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p257312464...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p257588276...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p257648235...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p257870506...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p258106487...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p258803109...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p258838887...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p259252299...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p259506442...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p261599230...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p262120152...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p262388032...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p262434154...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p262494559...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p262887792...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p263436059...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p264510686...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p269071222...
- p####.z####.com.####.com:443/view/photo/s_ratio_poster/public/p275568406...
- p5.ssl.qhi####.com:443/sdr/400__/t01a3837779ca999585.jpg
- p5.ssl.qhi####.com:443/sdr/400__/t01e34423554ebd4e0c.jpg
- pic####.i####.com/uploads/allimg/180106/4-1P106094325.jpg
HTTP POST requests:
- al####.u####.com:443/unify_logs
- al####.u####.com:443/zcfg
- api-ac####.pangoli####.com.####.com:443/api/ad/union/sdk/stats/batch/
- new-####.u####.com:443/api/postZdata/v4
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/0674e9bb50e95fc25fccd70d78130c061fae6d33d9ccf75....0.tmp
- /data/data/####/0fa72b61f265e4bec1d7e6d794532bbc6ee102a9622b35a....0.tmp
- /data/data/####/0fc20b7fc3d42c274bc2e3c94463ff4b4df43a628c34bb8....0.tmp
- /data/data/####/106f3d94047a6e967b109df549eef74ebf8b438bbe139cd....0.tmp
- /data/data/####/1362520b5588c8b9a90d9193baad795a476990d151396d9....0.tmp
- /data/data/####/1441ab2b9489627fe7adaba7f43cc8766984703e95dbab6....0.tmp
- /data/data/####/19204a670b3362ccbd5b1e46fe3a8adca018e0f93ae8ecc....0.tmp
- /data/data/####/19b21608a56d020ea6a72bcbe92be6b834ca6f1ca6bc909....0.tmp
- /data/data/####/1fa83a87945d251515823815263e9b0020b75156f23a4e2....0.tmp
- /data/data/####/1fa83a87945d251515823815263e9b0020b75156f23a4e2...2294.0
- /data/data/####/2424bfee27374232f5175bcf15db749422148b0624ef7b3....0.tmp
- /data/data/####/24e19ef4cdca49d1b0ca12543e2d2147f0fd742c26bf997...3d60.0
- /data/data/####/28a3d098874e864c0b098c2544ccc26de6976baa89912f9....0.tmp
- /data/data/####/28b04c49b31dd0371c4620b6c280be6d6fd5ff4f81082ca....0.tmp
- /data/data/####/351605054ab8b01e3be59b1339e66d7d3e24ebbea645d51....0.tmp
- /data/data/####/3895b846b9966461b7cbcd3d906c53fdad4d96e33961ade....0.tmp
- /data/data/####/3895b846b9966461b7cbcd3d906c53fdad4d96e33961ade...2fbb.0
- /data/data/####/38b98db132625f25aa13ce7560094f2c23e9179f4ad4006....0.tmp
- /data/data/####/39ebc19d7b557013c437eaccfbc2d996bc6f302041c0d4d....0.tmp
- /data/data/####/43a62fc64b3807620d2a75a018d768ac99e583284533052....0.tmp
- /data/data/####/467f5fa27cd3640bf5e13f2c5c80396911f9404fd12d843...8975.0
- /data/data/####/4c7456bd769028e8916657f9c3e15625133fa37d5097b2a....0.tmp
- /data/data/####/4f7b9fe36a03046d56f2c4e5829a2b7ad42cca5be6d10b7....0.tmp
- /data/data/####/5533908cd0b9cfc514dd018d100ecb91e5e46af3b5c435b....0.tmp
- /data/data/####/5533908cd0b9cfc514dd018d100ecb91e5e46af3b5c435b...c74c.0
- /data/data/####/5834a8f4ee149974ab5f1dfbbe693d79fcbdf823f9d5901....0.tmp
- /data/data/####/5ca1cd79380db3b9c4ea1c9dd11ffd5b1e2417e4d8ec029...7adf.0
- /data/data/####/5ce5207fa05a3dc47f0f86876bb1aee9d29fbf62afe87e3....0.tmp
- /data/data/####/603b78c7e1db5475c4bbd2dda4e11792d28514c809556e9....0.tmp
- /data/data/####/604d8ce10c0f3301a1fd360183045d1afb2c934b0b33fbf....0.tmp
- /data/data/####/606571ede106cc45310989e9f4bfd5edbaf412679c687e9...ba58.0
- /data/data/####/67316d45b925d1d5cd87fcba7525967508b64f8da8ddaaf....0.tmp
- /data/data/####/6a6fbf589f2e64cde2e6b3c3c592f80c8659784052c1a0c....0.tmp
- /data/data/####/6f70609aee2244bcc799720f9ea7a1a135dd41cf350ca2f....0.tmp
- /data/data/####/72ea23937f7ec8f48af7c126e802e1a33c50fc2316df65e....0.tmp
- /data/data/####/72ea23937f7ec8f48af7c126e802e1a33c50fc2316df65e...25f2.0
- /data/data/####/74512700f50a13ec21ef20b4d2b28d15378e6683a6151d4....0.tmp
- /data/data/####/74512700f50a13ec21ef20b4d2b28d15378e6683a6151d4...bc60.0
- /data/data/####/76a14b2d49a27fb7cdc469b37e4a01ae59a590272acb8f0....0.tmp
- /data/data/####/79ca667020dadc711a3b8d954591065010298d285537ef5...dd6e.0
- /data/data/####/7ca4fc49c3d4ec6d81b9a6c38a208cf6b392023812c6e6a....0.tmp
- /data/data/####/7f24a66b3affb4dbee02e7535a7d5c056e9691e672e40d6....0.tmp
- /data/data/####/83dee565c921442c49a3d59d8dffa149577d74fdc508b25....0.tmp
- /data/data/####/84f15af03433d82f9de3b112ee46a27fd2f7f9086874bc9....0.tmp
- /data/data/####/89d04684be1ff1d3aa60978edf83780eb63448f2c807797....0.tmp
- /data/data/####/8d42ac1582544ca51887a2b31d9f8ed6dcbac0e00e27636....0.tmp
- /data/data/####/8e261870f3088444eed6487f24d87fc6618de9b2747af23....0.tmp
- /data/data/####/916d703b7bf79b1b4f8737b09bc1753dc7c462dd3cae8c8....0.tmp
- /data/data/####/931ea0b718ec9fb1ac8d5efcd5588460ded963035ccca2d....0.tmp
- /data/data/####/93b4cc87144db779cc5ca7841ec0b5c5ec1264c8319b4ec....0.tmp
- /data/data/####/94d173d72f9e77c53f7c1e36001e510b0c09d511821a572....0.tmp
- /data/data/####/94d173d72f9e77c53f7c1e36001e510b0c09d511821a572...155d.0
- /data/data/####/94fe9aea34f4c8a173bf384bed228da5b704039258b8ec2....0.tmp
- /data/data/####/9b7b6b3063f610f8b2f495362192d83675313c3df9c3d3d....0.tmp
- /data/data/####/9d93288fcbcddc0a9d0a4067f0b837e3f00312d6f858085....0.tmp
- /data/data/####/9d93288fcbcddc0a9d0a4067f0b837e3f00312d6f858085...ea1f.0
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/a30a32638968e998d009f82a243b737cfd0ae0d9e61b123....0.tmp
- /data/data/####/a30a32638968e998d009f82a243b737cfd0ae0d9e61b123...1456.0
- /data/data/####/a611b821964625def034f19651c21f35e857c9a17968b9c....0.tmp
- /data/data/####/a85b2743d80fa297c11be3c0d912bbd427cae4b4fe91bc4....0.tmp
- /data/data/####/aadc0eb95b854ca90aef23b4b37d79f5de8bbe9cd1741cc....0.tmp
- /data/data/####/ad57eaa48bc666c7da6124305bff15ec6f21f6353449780....0.tmp
- /data/data/####/ae94cbebb9143eb32605508f29f6e9a6091ae67db51a0d9....0.tmp
- /data/data/####/afb9731d48f19ffb7d72e270c1dd15ee046367fc099b2f4....0.tmp
- /data/data/####/b0393d3f4e64c553ca568f0f45f1872b8746d6b1ba105ce....0.tmp
- /data/data/####/b3151f6fa8fa515a1f741754d377140be0aa29339e9a7ea....0.tmp
- /data/data/####/b5d98266802237eaa392a4493181a6bc274e8fbd36dfef5....0.tmp
- /data/data/####/b96532d1f7b043a685a2486fd3a160b6f9f3385b5bdd31f....0.tmp
- /data/data/####/bcc0443d2f15b51dbface73d1334695d19e21fc33b85e4a....0.tmp
- /data/data/####/bcdcdbe4c3bca94eab26eb50e111911d53cc550af8e58f4...7ded.0
- /data/data/####/c08041e968c756d4090ab015ee74debaaeef59b6da59c68....0.tmp
- /data/data/####/c1013307524ef2bdbab43fc1d674b93e8e7d802049b8177....0.tmp
- /data/data/####/c4f4bea9d3c98f5f2e8a562c29c819a3a9d0520a64ffe41....0.tmp
- /data/data/####/cef66d25c5f8bd4d96966481176688e185c71787f7b42c2....0.tmp
- /data/data/####/classes.dex
- /data/data/####/classes.dex.flock (deleted)
- /data/data/####/classes2.dex
- /data/data/####/classes2.dex.flock (deleted)
- /data/data/####/classes3.dex
- /data/data/####/classes3.dex.flock (deleted)
- /data/data/####/d01b241c614443a0c5c4aac2165093ff4c387750c9abac4....0.tmp
- /data/data/####/de7871333198fe9036e7c8f9bf28b523d1a5018485fe206....0.tmp
- /data/data/####/delayed_transmission_flag_new.xml
- /data/data/####/e238e3779975327285304f6c61e36f19fb9b9aec5b05246....0.tmp
- /data/data/####/e2e77bb02ec2507a441eecc001af078d769dc098d264dc4....0.tmp
- /data/data/####/e7c7f4ca374f3758df18d17f206b6a62efd1b51c2e3ff1f....0.tmp
- /data/data/####/e864a1e3dce9c7d6fa2fe82d75e20c07cb2cb574d6c12bb...2a1a.0
- /data/data/####/ebc5342424c32f9b92180207aded60b4b0b1ec91c062e48....0.tmp
- /data/data/####/ebd8471698f1326d46abfbe5a7625d4129b20ebd602acc6....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f41eaacbc7a3db908e942084784b3f0c1611194dd0067a0....0.tmp
- /data/data/####/f588a974fa16e9a454c8fd2e2cd0e208ce92da8d460d81a....0.tmp
- /data/data/####/f78effd39ae575a129ca36968f5282069933ff8916ffb74....0.tmp
- /data/data/####/f8b00c2ff2012942b359773e3a037af085bd66facef7cd2....0.tmp
- /data/data/####/ffbd4af553ab76b6242f757d03e9f650ad3e3b3dfb85ac9....0.tmp
- /data/data/####/i==1.2.0&&1.108_1669997171041_dW5pZnlfbG9ncw==;.log
- /data/data/####/journal.tmp
- /data/data/####/proc_auxv
- /data/data/####/room-journal (deleted)
- /data/data/####/t==9.4.7&&1.108_1669997171244_dW5pZnlfbG9ncw==;.log
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_policy_grant.xml
- /data/data/####/um_session_id.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_config.xml.bak
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_policy_result_flag
- /data/data/####/umeng_sp_oaid.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/umzid_general_config.xml
- /data/data/####/umzid_general_config.xml.bak
- /data/data/####/update_lc
- /data/data/####/z==1.2.0&&1.108_1669997168918_emNmZw==;.log
- /data/media/####/01ad79922cba02cf0d69b4b0552e03b373986780.0.tmp
- /data/media/####/01ad79922cba02cf0d69b4b0552e03b373986780.1
- /data/media/####/01ad79922cba02cf0d69b4b0552e03b373986780.1.tmp
- /data/media/####/82d32cb6280f9edd4b69db4affa3a8cb96a507a0.0.tmp
- /data/media/####/82d32cb6280f9edd4b69db4affa3a8cb96a507a0.1.tmp
- /data/media/####/journal
- /data/media/####/journal.bkp (deleted)
Miscellaneous:
Executes the following shell scripts:
- ls /
- ls /sys/class/thermal
Loads the following dynamic libraries:
- libarm_protect
- libmmkv
- libnmmp
- libumeng-spy
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- RSA-ECB-PKCS1Padding
Displays its own windows over windows of other apps.
