Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.DownLoader.676.origin
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 386.disp####.spcd####.com:80
- TCP(HTTP/1.1) 1####.29.183.230:9613
DNS requests:
- www.san####.com
HTTP GET requests:
- 386.disp####.spcd####.com/ap/medet8.dat
Modified file system:
Creates the following files:
- <Package Folder>/.cache/secData.dex
- <Package Folder>/.cache/secData.dve
- <Package Folder>/.cache/secData.jar
- <Package Folder>/com.secneo.tmp
- <Package Folder>/daemon.t.tmp
- <Package Folder>/files/####/btmp
- <Package Folder>/files/####/tk
- <Package Folder>/files/####/tmd
- <Package Folder>/files/####/tv.jar
- <Package Folder>/files/####/tver
- <Package Folder>/shared_prefs/mm.xml
Miscellaneous:
Executes next shell scripts:
- <Package Folder>/daemon -p <Package>/daemon -r am startservice --user 0 -n <Package>/com.amb.uk.main.DmService -e key daemon -i 2027
- chmod 777 <Package Folder>/daemon
Loads the following dynamic libraries:
- SecShell
Uses special library to hide executable bytecode.
Gains access to telephone information (number, imei, etc.).
