Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Proxy.44.origin
- Android.Proxy.45.origin
- Android.RemoteCode.345.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) co####.ssp.math####.cn:80
- TCP(HTTP/1.1) p####.api.math####.cn:80
- TCP(HTTP/1.1) detec####.math####.cn:80
- TCP(HTTP/1.1) na61-####.wagbr####.ali####.####.com:80
- TCP(HTTP/1.1) l####.b####.com:80
- TCP(HTTP/1.1) 1####.161.124.146:12340
- TCP(HTTP/1.1) d####.100u####.com:80
- TCP(HTTP/1.1) c####.dc.100u####.####.net:80
- TCP(HTTP/1.1) newap####.math####.cn:80
- TCP(HTTP/1.1) w####.pcon####.com.cn:80
- TCP(HTTP/1.1) ap####.math####.cn:80
- UDP(NTP) 2.and####.p####.####.org:123
- TCP(TLS/1.0) d####.100u####.com:443
- TCP(TLS/1.0) pos.zblqo####.com:8657
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.0) asl.8888####.com:1444
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.2) 1####.250.27.94:443
- UDP gmscomp####.google####.com:443
- UDP hs9.hangzho####.com:16000
- TCP 1####.161.124.56:12351
DNS requests:
- 2.and####.p####.####.org
- and####.a####.go####.com
- ap####.math####.cn
- asl.8888####.com
- c####.dc.100u####.com
- co####.ssp.math####.cn
- d####.100u####.com
- detec####.math####.cn
- gmscomp####.google####.com
- hs9.hangzho####.com
- ip.ta####.com
- l####.b####.com
- newap####.math####.cn
- p####.api.math####.cn
- pos.zblqo####.com
- w####.pcon####.com.cn
HTTP GET requests:
- ap####.math####.cn/ssp/mgm/task?taskId=####&ip=####&channelCode=####&ver...
- c####.dc.100u####.####.net/sdkfile/2b61f81bc24ede77294be73bf173598f.apk?...
- c####.dc.100u####.####.net/sdkfile/4b9b600b0c125ddf5d9dd51f1de906cf.apk?...
- c####.dc.100u####.####.net/sdkfile/63d2a0466b49cd3cf3306703a8368f27.apk?...
- c####.dc.100u####.####.net/sdkfile/a4a65e951e538c0a7fab8117d709dc71.apk?...
- c####.dc.100u####.####.net/sdkfile/bea026694fc1e93d67c0f09f21338d04.jar?...
- co####.ssp.math####.cn/api/v2/SDKActiveConfig?version=####&channelCode=#...
- co####.ssp.math####.cn/api/v2/SDKCommonConfig?channelCode=####&version=#...
- co####.ssp.math####.cn/api/v3/mgmConfig?channelCode=####&version=####&an...
- co####.ssp.math####.cn/api/v3/sdkTestConfig?send_ts=####
- detec####.math####.cn/favicon.ico
- detec####.math####.cn/images/sdk/detective.jpeg
- detec####.math####.cn/js/finger20220224.js
- detec####.math####.cn/sdk/checkCookie/httpClient?uniqueId=####&androidVe...
- detec####.math####.cn/sdk/checkCookie/webview?uniqueId=####&androidVersi...
- detec####.math####.cn/sdk/checkRedirect?uniqueId=a96466e8553d3e2143f31bd...
- detec####.math####.cn/sdk/filterHeader/httpClient?uniqueId=####&androidV...
- detec####.math####.cn/sdk/filterHeader/webview?uniqueId=####&androidVers...
- detec####.math####.cn/sdk/oneShot?uniqueId=####&androidVersion=####&sdkV...
- detec####.math####.cn/sdk/openWebview?uniqueId=a96466e8553d3e2143f31bd54...
- detec####.math####.cn/sdk/redirectHttpClientSecondPage?uniqueId=####&and...
- detec####.math####.cn/sdk/redirectWebviewSecondPage?uniqueId=####&androi...
- detec####.math####.cn/sdk/setCookie/httpClient?uniqueId=####&androidVers...
- detec####.math####.cn/sdk/setCookie/webview?uniqueId=####&androidVersion...
- detec####.math####.cn/sdk/validateCookie/httpClient?uniqueId=####&androi...
- detec####.math####.cn/sdk/validateCookie/webview?uniqueId=####&androidVe...
- detec####.math####.cn/sdk/webviewBasic?uniqueId=a96466e8553d3e2143f31bd5...
- l####.b####.com/jquery/2.1.4/jquery.min.js
- na61-####.wagbr####.ali####.####.com/service/getIpInfo2.php?ip=####
- newap####.math####.cn/ssp/mgm_test/webview_version?channelCode=####&vers...
- p####.api.math####.cn/ip?send_ts=####
- w####.pcon####.com.cn/ipJson.jsp?json=####&level=####
HTTP POST requests:
- asl.8888####.com:1444/sdk_login?t=####
- d####.100u####.com/reportcomp
- d####.100u####.com:443/pluginsync
- d####.100u####.com:443/reportcomp
- d####.100u####.com:443/sdk
- newap####.math####.cn/titan/monitor/device_info
- pos.zblqo####.com:8657/config?&st=####
File system changes:
Creates the following files:
- /data/data/####/1673938299295
- /data/data/####/1673938299356
- /data/data/####/1673938299404
- /data/data/####/1673938299456
- /data/data/####/1cf2b0359e57e5eb_0
- /data/data/####/212126203.apk
- /data/data/####/212126203.apk.temp
- /data/data/####/212126203.dex
- /data/data/####/212126203.dex.flock (deleted)
- /data/data/####/3400da65d906b286_0
- /data/data/####/3981590050.apk
- /data/data/####/3981590050.apk.temp
- /data/data/####/3981590050.dex
- /data/data/####/3981590050.dex.flock (deleted)
- /data/data/####/39d263b93e606f7d_0
- /data/data/####/4051933824.dex
- /data/data/####/4051933824.dex.flock (deleted)
- /data/data/####/4051933824.jar
- /data/data/####/4051933824.jar.temp
- /data/data/####/4111796099.apk
- /data/data/####/4111796099.apk.temp
- /data/data/####/4111796099.dex
- /data/data/####/4111796099.dex.flock (deleted)
- /data/data/####/4d7cade02c25d4a5_0
- /data/data/####/58095b0c6485c221_0
- /data/data/####/58095b0c6485c221_1
- /data/data/####/5bd68a4a98881653_0
- /data/data/####/626804818186fb72_0
- /data/data/####/6eb68ea955d68f02_0
- /data/data/####/6ebe04f358d53a2075d3819d1d8a688a
- /data/data/####/70298c6eb6032706_0
- /data/data/####/70298c6eb6032706_1
- /data/data/####/725768036.apk
- /data/data/####/725768036.apk.temp
- /data/data/####/725768036.dex
- /data/data/####/725768036.dex.flock (deleted)
- /data/data/####/73e8ca216e72dbcd_0
- /data/data/####/745a2f442935879b71d7c1592e411ba9.xml
- /data/data/####/7d547b80782fce05_0
- /data/data/####/91f8f0aeaaf4ece4_0
- /data/data/####/Cookies-journal
- /data/data/####/ForestDataReportImpl.dex
- /data/data/####/ForestDataReportImpl.dex.flock (deleted)
- /data/data/####/ForestDataReportImpl.jar
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/abc.dex
- /data/data/####/abc.dex.flock (deleted)
- /data/data/####/abc.jar
- /data/data/####/bf4980b910c9f9ce703cba3653adb885
- /data/data/####/bigdatareport.db-journal
- /data/data/####/com.xiaopaitech.supportsdk_preferences.xml
- /data/data/####/d17be0a369c1c398_0
- /data/data/####/dexjarfile.db-journal
- /data/data/####/ec9714cd8cc81381_0
- /data/data/####/f5aea03bd46f6567_0
- /data/data/####/f851e650af3c6aa7_0
- /data/data/####/file_sp_new.xml
- /data/data/####/file_sp_new.xml.bak
- /data/data/####/index
- /data/data/####/libztvb321.2.2.2.so
- /data/data/####/libztvb641.2.2.2.so
- /data/data/####/metrics_guid
- /data/data/####/pid.txt
- /data/data/####/skyworth_uniqueid.properties
- /data/data/####/temp-index
- /data/data/####/the-real-index
- /data/data/####/unknown.xml
- /data/data/####/xUtils_http_cookie.db
- /data/data/####/xUtils_http_cookie.db-journal
- /data/data/####/xUtils_http_cookie.db-journal (deleted)
- /data/data/####/x_google_ad_s_id_123
- /data/media/####/dvc
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- busybox ifconfig
- cat /sys/class/net/eth0/address
- cat /sys/class/net/wlan0/address
- chmod 777 /data/user/0/<Package>/files/.honor
- chmod 777 /data/user/0/<Package>/files/.honor/212126203.apk
- chmod 777 /data/user/0/<Package>/files/.honor/3981590050.apk
- chmod 777 /data/user/0/<Package>/files/.honor/4051933824.jar
- chmod 777 /data/user/0/<Package>/files/.honor/4111796099.apk
- chmod 777 /data/user/0/<Package>/files/.honor/725768036.apk
- chmod 777 /data/user/0/<Package>/files/.honor0
- getprop
- sh
Loads the following dynamic libraries:
- libztvb321.2.2.2
- libztvb641.2.2.2
Uses the following algorithms to encrypt data:
- AES
- AES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
