Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.BankBot.Ermac.6.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) it####.live:80
- TCP(TLS/1.0) content####.google####.com:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) acco####.go####.com:443
- TCP(TLS/1.0) up####.google####.com:443
- TCP(TLS/1.0) p####.go####.com:443
- TCP(TLS/1.0) clients####.google####.com:443
- UDP f####.gst####.com:443
- UDP acco####.go####.com:443
DNS requests:
- acco####.go####.com
- acco####.you####.com
- as####.pro
- clients####.google####.com
- content####.google####.com
- ed####.me.g####.com
- f####.gst####.com
- it####.live
- md####.live
- nd####.live
- os####.pro
- p####.go####.com
- up####.google####.com
- www.go####.com
- www.gst####.com
HTTP GET requests:
- it####.live/socket.io/?EIO=####&transport=####
- it####.live/socket.io/?EIO=####&transport=####&sid=####
HTTP POST requests:
- it####.live/php/1clfrm4305mv.php/
- it####.live/php/23uoz4wl9rsy0v4.php/
- it####.live/php/2aff8xg1y56y81kf.php/
- it####.live/php/4.php/
- it####.live/php/51v.php/
- it####.live/php/5nmrmwrs05tqgibd4i.php/
- it####.live/php/7gh434cp6jc.php/
- it####.live/php/8gqx.php/
- it####.live/php/a59othzugt8wm8kmg8a.php/
- it####.live/php/cfs7v16mtz22nz9.php/
- it####.live/php/cp5z1ogns8y9.php/
- it####.live/php/epwvgk3jvt4.php/
- it####.live/php/hseaegfiyncpb.php/
- it####.live/php/jj6kwpu.php/
- it####.live/php/jkbb.php/
- it####.live/php/ktaurfbth0.php/
- it####.live/php/psleimqs.php/
- it####.live/php/r6m.php/
- it####.live/php/rh7q9jy.php/
- it####.live/php/wjs.php/
- it####.live/php/xmysv40e7pj.php/
- it####.live/socket.io/?EIO=####&transport=####&sid=####
File system changes:
Creates the following files:
- /com.figafevuludo.xuzeju/app_webview/####/000003.log
- /com.figafevuludo.xuzeju/app_webview/####/Cookies
- /com.figafevuludo.xuzeju/app_webview/####/LOCK
- /com.figafevuludo.xuzeju/app_webview/####/LOG
- /com.figafevuludo.xuzeju/app_webview/####/MANIFEST-000001
- /com.figafevuludo.xuzeju/app_webview/####/QuotaManager
- /com.figafevuludo.xuzeju/app_webview/####/QuotaManager-journal
- /com.figafevuludo.xuzeju/app_webview/####/Web Data
- /com.figafevuludo.xuzeju/app_webview/####/Web Data-journal
- /com.figafevuludo.xuzeju/app_webview/webview_data.lock
- /com.figafevuludo.xuzeju/no_backup/androidx.work.workdb
- /com.figafevuludo.xuzeju/no_backup/androidx.work.workdb-shm
- /com.figafevuludo.xuzeju/no_backup/androidx.work.workdb-wal
- /data/misc/####/primary.prof
- /data/user/####/.org.chromium.Chromium.gM5ff7
- /data/user/####/000001.dbtmp
- /data/user/####/000003.log
- /data/user/####/0d7f1ee473196046_0
- /data/user/####/13582f8e23cf46e1_0
- /data/user/####/24f0b56bdc8cd981_0
- /data/user/####/2e7dc864f37f61d3_0
- /data/user/####/2f0ebd3ae83f48d0_0
- /data/user/####/33166b95042feb2d_0
- /data/user/####/361b2ba9deefcfc3_0
- /data/user/####/4391ef6ee98ee22e_0
- /data/user/####/46b55d69bb184906_0
- /data/user/####/4e00b64957da07ac_0
- /data/user/####/55f5a6eec70da359_0
- /data/user/####/567f7f391d66e06d_0
- /data/user/####/5f6d4b8478741812_0
- /data/user/####/6728a17b31e012b3_0
- /data/user/####/6b4dd7985971b702_0
- /data/user/####/75413d2a2357e22d_0
- /data/user/####/7d2c65bb57332ecc_0
- /data/user/####/812604a56aad1486_0
- /data/user/####/8e10f629c9990b58_0
- /data/user/####/BrowserMetrics-spare.pma.tmp
- /data/user/####/CNCf.json
- /data/user/####/CNCf.json.cur.prof
- /data/user/####/Cookies-journal
- /data/user/####/LOCK
- /data/user/####/LOG
- /data/user/####/MANIFEST-000001
- /data/user/####/WebViewChromiumPrefs.xml
- /data/user/####/a408e927ff953e3b_0
- /data/user/####/androidx.work.workdb-journal (deleted)
- /data/user/####/androidx.work.workdb-wal
- /data/user/####/b045d56485b19300_0
- /data/user/####/ded1e93f1ddabb5b_0
- /data/user/####/ee7b88df1d82f814_0
- /data/user/####/ef2b74344eff5275_0
- /data/user/####/f536d18bbc6028a2_0
- /data/user/####/ff04e77d123e8c06_0
- /data/user/####/font_unique_name_table.pb
- /data/user/####/index
- /data/user/####/pref_store
- /data/user/####/settings.dat
- /data/user/####/settings.xml
- /data/user/####/settings.xml.bak
- /data/user/####/temp-index
- /data/user/####/the-real-index
- /data/user/####/todelete_34bdd850f3c460ef_0_1 (deleted)
- /data/user/####/todelete_35b0ad36bfdf45b3_0_1 (deleted)
- /data/user/####/todelete_7e5271d65b027836_0_1 (deleted)
- /data/user/####/todelete_896ff2318c3ed038_0_1 (deleted)
- /data/user/####/todelete_c802dee663c2a7b8_0_1 (deleted)
- /data/user/####/todelete_ead9e48e1d6c6a56_0_1 (deleted)
- /data/user/####/todelete_f2347facc1e193e7_0_1 (deleted)
- /data/user/####/variations_seed_new
- /data/user/####/variations_stamp
Miscellaneous:
Executes the following shell scripts:
- /system/bin/su
Uses elevated priveleges.
Displays its own windows over windows of other apps.
Intercepts notifications.
Requests the system alert window permission.
Appears corrupted in a way typical for malicious files.
Attempts to detect sandbox environment.
