Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.SmsSpy.135.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) devs-####.du####.com:80
- TCP(HTTP/1.1) m.mpl.du####.com:80
- TCP(HTTP/1.1) a####.hia####.com:80
- TCP(HTTP/1.1) api-s####.mob.com:80
- TCP(TLS/1.0) bj####.j####.cn:443
- TCP(TLS/1.0) errne####.u####.com.####.com:443
- TCP(TLS/1.0) u####.u####.com:443
- TCP(TLS/1.0) aip.baid####.com:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) sdk.yol####.hk:443
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) ce3e####.j####.cn:443
- TCP(TLS/1.0) new-####.u####.com:443
- TCP(TLS/1.0) api.map.b####.com:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) co####.j####.cn:443
- TCP(TLS/1.0) sy.c####.cn:443
- TCP(TLS/1.0) iot.sino####.com:443
- TCP(TLS/1.0) msh####.b####.com:443
- TCP(TLS/1.0) tbsreco####.i####.qq.com:443
- TCP(TLS/1.2) 1####.251.211.238:443
- TCP(TLS/1.2) 64.2####.163.95:443
- TCP(TLS/1.2) 1####.250.200.3:443
- TCP(TLS/1.2) 1####.177.14.106:443
- TCP(TLS/1.2) 1####.194.220.95:443
- TCP 1####.9.178.8:7001
- TCP schedul####.yo####.com:443
- TCP 27.44.2####.55:21005
- UDP easytom####.com:19000
DNS requests:
- a####.du####.com
- a####.du####.com
- a####.hia####.com
- a####.hia####.com
- aip.baid####.com
- and####.a####.go####.com
- and####.google####.com
- ap####.du####.com
- ap####.du####.com
- ap####.hia####.com
- ap####.hia####.com
- ap####.yk####.com
- api-s####.mob.com
- api.map.b####.com
- bj####.j####.cn
- ce3e####.j####.cn
- co####.j####.cn
- devs-####.du####.com
- devs-####.hia####.com
- easytom####.com
- errne####.u####.com
- f####.gst####.com
- gmscomp####.google####.com
- i####.me
- iot.sino####.com
- m####.hia####.com
- m.mpl.du####.com
- msh####.b####.com
- o####.youza####.com
- s####.cn.ron####.com
- s.j####.cn
- sdk.yol####.hk
- sis-####.j####.cn
- sis.j####.io
- smartop####.jig####.cn
- sy.c####.cn
- tbsreco####.i####.qq.com
- u####.u####.com
- ut####.u####.com
- www.google####.com
HTTP GET requests:
- a####.hia####.com/dm?appkey=####
- a####.hia####.com/privacy/policy/authorization/status?networktype=####&i...
- a####.hia####.com/v6/gcf?networktype=####&ts=####&isAgreePp=####&v6=####...
- msh####.b####.com:443/p/1/rs/250/985050722/1730933611/f895d3623944ecba3a...
HTTP POST requests:
- aip.baid####.com:443/public/2.0/license/face-api/app/querydevicelicense
- api-s####.mob.com/conf5
- api-s####.mob.com/conn
- api-s####.mob.com/snsconf
- api.map.b####.com:443/sdkcs/verify
- ce3e####.j####.cn:443/cz/b85fd4e568833e92
- co####.j####.cn:443/v1/status
- devs-####.du####.com/getDuidBlacklist
- errne####.u####.com.####.com:443/apm_cc
- iot.sino####.com:443/api/sino-deviceaccess/sdk/authentication
- m.mpl.du####.com/tcp/config/init
- msh####.b####.com:443/c/11/z/250/985050722/1730933610/417c128cf89236d994...
- msh####.b####.com:443/f/2/jc/250/985050722/1730933610/417c128cf89236d994...
- msh####.b####.com:443/p/1/auh/250/985050001/1730933603/9a4883bdf22c889d5...
- msh####.b####.com:443/p/1/r/250/985050722/1730933612/a7b17d9be769fdfffd6...
- msh####.b####.com:443/s/3/gd/250/985050722/1730933609/1b223ca0af1c03ac71...
- msh####.b####.com:443/s/5/aio/250/985050722/1730933605/ee8d365d687c7f7b6...
- new-####.u####.com:443/api/postZdata/v4
- sdk.yol####.hk:443//open_api/sdk/init
- sy.c####.cn:443/flash/thin/accountInit/v3
- tbsreco####.i####.qq.com:443/getconfig
- u####.u####.com:443/unify_logs
- u####.u####.com:443/zcfg
File system changes:
Creates the following files:
- /data/data/####/.cl_lock
- /data/data/####/.dex2oatlock
- /data/data/####/.dh
- /data/data/####/.dh-journal
- /data/data/####/.dhlock
- /data/data/####/.dk
- /data/data/####/.duid
- /data/data/####/.gcf_lock
- /data/data/####/.imprint
- /data/data/####/.mp_lockcn_sharesdk_weibodb_QQ_2
- /data/data/####/.mp_lockcn_sharesdk_weibodb_SinaWeibo_1
- /data/data/####/.mp_lockcn_sharesdk_weibodb_WechatMoments_1
- /data/data/####/.mp_lockcn_sharesdk_weibodb_Wechat_1
- /data/data/####/.mp_lockgu_0
- /data/data/####/.mp_lockmob_commons_1
- /data/data/####/.mp_lockmob_dh_1
- /data/data/####/.mp_lockshare_sdk_1
- /data/data/####/.mrecord
- /data/data/####/.mrecord (deleted)
- /data/data/####/.mrlock
- /data/data/####/.statistics
- /data/data/####/.updateIV.dat
- /data/data/####/.updateIV.dat_0
- /data/data/####/.updateIV.dat_1
- /data/data/####/.updateIV.dat_2
- /data/data/####/.updateIV.dat_3
- /data/data/####/.updateIV.dat_4
- /data/data/####/.updateIV.dat_5
- /data/data/####/0000000lllll_0.dex
- /data/data/####/0000000lllll_1.dex
- /data/data/####/0000000lllll_2.dex
- /data/data/####/0000000lllll_3.dex
- /data/data/####/0000000lllll_4.dex
- /data/data/####/0000000lllll_5.dex
- /data/data/####/000O00ll111l_0.dex
- /data/data/####/000O00ll111l_1.dex
- /data/data/####/000O00ll111l_2.dex
- /data/data/####/000O00ll111l_3.dex
- /data/data/####/000O00ll111l_4.dex
- /data/data/####/000O00ll111l_5.dex
- /data/data/####/00O000ll111l_0.dex
- /data/data/####/00O000ll111l_0.dex (deleted)
- /data/data/####/00O000ll111l_0.dex.flock
- /data/data/####/00O000ll111l_0.dex.flock (deleted)
- /data/data/####/00O000ll111l_1.dex
- /data/data/####/00O000ll111l_1.dex (deleted)
- /data/data/####/00O000ll111l_1.dex.flock
- /data/data/####/00O000ll111l_1.dex.flock (deleted)
- /data/data/####/00O000ll111l_2.dex
- /data/data/####/00O000ll111l_2.dex (deleted)
- /data/data/####/00O000ll111l_2.dex.flock
- /data/data/####/00O000ll111l_2.dex.flock (deleted)
- /data/data/####/00O000ll111l_3.dex
- /data/data/####/00O000ll111l_3.dex (deleted)
- /data/data/####/00O000ll111l_3.dex.flock
- /data/data/####/00O000ll111l_3.dex.flock (deleted)
- /data/data/####/00O000ll111l_4.dex
- /data/data/####/00O000ll111l_4.dex (deleted)
- /data/data/####/00O000ll111l_4.dex.flock
- /data/data/####/00O000ll111l_4.dex.flock (deleted)
- /data/data/####/00O000ll111l_5.dex
- /data/data/####/00O000ll111l_5.dex (deleted)
- /data/data/####/00O000ll111l_5.dex.flock
- /data/data/####/00O000ll111l_5.dex.flock (deleted)
- /data/data/####/0OO00l111l1l
- /data/data/####/0OO00l111l1l.lock
- /data/data/####/4e67af2f-6b0a-4630-bff6-70412edf13b1
- /data/data/####/5a9d5767-3207-437f-90b6-f82f7e10c2fd
- /data/data/####/8745a257-c109-439a-836f-2c67a2e75cd9
- /data/data/####/COUNTLY_STORE.xml
- /data/data/####/FwLog.xml
- /data/data/####/IpInfos.xml
- /data/data/####/Map_Privacy.xml
- /data/data/####/Push_Page_Config.xml
- /data/data/####/Statistics.xml
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/Y29uZmlnXzU2NzhmY2FlZTBmNTVhNDdmMTAwMjdmMw.sp
- /data/data/####/Y29uZmlnXzU2NzhmY2FlZTBmNTVhNDdmMTAwMjdmMw.sp.bak
- /data/data/####/ZzxCache.xml
- /data/data/####/_nohttp_cookies_db.db
- /data/data/####/_nohttp_cookies_db.db-journal
- /data/data/####/ad_auth.xml
- /data/data/####/app_LANCAREWEB-FACE-ANDROID_3
- /data/data/####/app_idl-license.face-android
- /data/data/####/bac.catch
- /data/data/####/bal.catch
- /data/data/####/ban.catch
- /data/data/####/bwc.catch
- /data/data/####/cn.jiguang.common.xml
- /data/data/####/cn.jiguang.common.xml.bak
- /data/data/####/cn.jiguang.joperate.jcore_config.xml
- /data/data/####/cn.jiguang.prefs.xml
- /data/data/####/cn.jiguang.sdk.address.xml
- /data/data/####/cn.jiguang.sdk.device.xml
- /data/data/####/cn.jiguang.sdk.reg_finger.profile.xml
- /data/data/####/cn.jiguang.sdk.user.profile.xml
- /data/data/####/cn.jiguang.union.ads.core.common.prefs.xml
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.android.user.profile.xml.bak
- /data/data/####/cn.jpush.config.xml
- /data/data/####/cn.jpush.config.xml.bak
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/cn.jpush.statistics.xml
- /data/data/####/cn_sharesdk_weibodb_QQ_2
- /data/data/####/cn_sharesdk_weibodb_SinaWeibo_1
- /data/data/####/cn_sharesdk_weibodb_WechatMoments_1
- /data/data/####/cn_sharesdk_weibodb_Wechat_1
- /data/data/####/com.china.lancareweb_preferences.xml
- /data/data/####/crs.catch
- /data/data/####/ct_account_api_sdk.xml
- /data/data/####/delayed_transmission_flag_new.xml
- /data/data/####/e2a3dfb1-d46c-414d-965b-23efd283643b
- /data/data/####/e6c7300c-bc44-4977-b959-ba9605a5697d
- /data/data/####/efs_launch.xml
- /data/data/####/efsid4020
- /data/data/####/elp_msg.db
- /data/data/####/elp_msg.db-journal
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/gu_0
- /data/data/####/i==1.2.0&&3.8.11.01_1730933596318_dW5pZnlfbG9ncw==;.log
- /data/data/####/internal_debug.xml
- /data/data/####/itconfig.sp
- /data/data/####/itconfig.sp.bak
- /data/data/####/lancare.xml
- /data/data/####/leroadcfg.xml
- /data/data/####/leroadcfg.xml.bak
- /data/data/####/leroadmshieldcfg.xml
- /data/data/####/libcuid_v3.so
- /data/data/####/libshellx-super.com.china.lancareweb.so
- /data/data/####/locale.config.xml
- /data/data/####/login_sdk_235.db
- /data/data/####/login_sdk_235.db-journal
- /data/data/####/map_pref.xml
- /data/data/####/metrics_guid
- /data/data/####/mmap_block
- /data/data/####/mob_commons_1
- /data/data/####/mob_dh_1
- /data/data/####/msfffppcfg.xml
- /data/data/####/msfffppcfg.xml.bak
- /data/data/####/msfffppcfg.xml.bak (deleted)
- /data/data/####/msgzpfc.xml
- /data/data/####/msgzpfc.xml.bak
- /data/data/####/msgzpfc.xml.bak (deleted)
- /data/data/####/msre.db-journal
- /data/data/####/msre_po_rt.xml
- /data/data/####/msre_po_rt.xml.bak
- /data/data/####/msvolcano.db-journal
- /data/data/####/netmt.catch.
- /data/data/####/o0oooOO0ooOo.dat
- /data/data/####/old_app_active_cache.l
- /data/data/####/old_report_cache.l
- /data/data/####/old_report_cache.l (deleted)
- /data/data/####/paconfig.sp
- /data/data/####/paconfig.sp.bak
- /data/data/####/placeholder_00001730933591935001.dirty.xcrash
- /data/data/####/placeholder_00001730933591941002.clean.xcrash
- /data/data/####/placeholder_00001730933591941003.dirty.xcrash
- /data/data/####/placeholder_00001730933592002004.clean.xcrash
- /data/data/####/placeholder_00001730933592024005.dirty.xcrash
- /data/data/####/placeholder_00001730933592037006.clean.xcrash
- /data/data/####/prefs.lock
- /data/data/####/proc_auxv
- /data/data/####/qn_sdk_config.xml
- /data/data/####/r_key_info
- /data/data/####/rlogs.db-journal (deleted)
- /data/data/####/sai.xml
- /data/data/####/sdk.txt
- /data/data/####/sec_gd_config_mshield.xml
- /data/data/####/sec_gd_config_mshield.xml.bak
- /data/data/####/secure_rc_encryption_info.xml
- /data/data/####/secure_rc_encryption_info.xml.bak
- /data/data/####/sendlock
- /data/data/####/shanyan_share_data.xml
- /data/data/####/shanyan_share_data.xml.bak
- /data/data/####/share_sdk_1
- /data/data/####/sino_minute_sdk_sp.xml
- /data/data/####/sp_replace_flag.sp
- /data/data/####/sp_replace_flag.sp.bak
- /data/data/####/ssoconfigs.xml
- /data/data/####/ssoconfigs.xml.bak
- /data/data/####/t==9.5.2&&3.8.11.01_1730933591712_dW5pZnlfbG9ncw==;.log
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_emergence.xml
- /data/data/####/tbs_preloadx5_check_cfg_file.xml
- /data/data/####/tbs_pv_config
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tosversion
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/uifa.xml
- /data/data/####/um_policy_grant.xml
- /data/data/####/um_session_id.xml
- /data/data/####/um_umcrash.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_policy_result_flag
- /data/data/####/umeng_sp_oaid.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/umzid_general_config.xml
- /data/data/####/umzid_general_config.xml.bak
- /data/data/####/unique
- /data/data/####/ver
- /data/data/####/z==1.2.0&&3.8.11.01_1730933587466_emNmZw==;.log
- /data/media/####/.g_b_d_v
- /data/media/####/.g_m_b_s
- /data/media/####/.gdidv
- /data/media/####/.icosc
- /data/media/####/.p
- /data/media/####/.x_b_d
- /data/media/####/VComMediaSDK_20241107015308.log
- /data/media/####/___Probe__.vb (deleted)
- /data/media/####/tbslog.txt
- /data/misc/####/primary.prof
- /data/user_de/####/move_to_de_records.xml
- /data/user_de/####/push_client_self_info.xml
Miscellaneous:
Executes the following shell scripts:
- /system/bin/netcfg
- app_process /system/bin com.android.commands.pm.Pm list package
- cat /proc/4020/mounts
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.build.version.security_patch
- getprop ro.miui.ui.version.name
- getprop ro.product.cpu.abi
- getprop ro.smartisan.version
- getprop ro.vivo.os.version
- ls -l /system/bin/su
- ls /
- ls /data/local
- ls /sys/class/thermal
- pm list package
- ps
- sh -c type su
Loads the following dynamic libraries:
- libBaiduMapSDK_base_v7_5_5
- libRongIMLib
- libbd_unifylicense
- libbdface_sdk
- libcrashsdk
- libgnustl_shared
- librongcloud_xcrash
- librtslog
- libshellx-super.com.china.lancareweb
- libsqlite
- libtiny_magic
- libumeng-spy
- libvcom_mediasdk
- libylpacker
- libyolanda_calc
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- AES-ECB-PKCS7Padding
- DES
- DES-CBC-PKCS5Padding
- RC4
- RSA-ECB-PKCS1Padding
- RSA-None-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-NoPadding
- AES-ECB-PKCS7Padding
- DES
- RSA-ECB-PKCS1Padding
Accesses the ITelephony private interface.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
Requests the system alert window permission.
