Android.Locker.8051

Malicious functions:

Executes code of the following detected threats:

Network activity:

Connects to:

UDP(DNS) 8####.8.4.4:53
TCP(TLS/1.0) p####.google####.com:443
TCP(TLS/1.0) www.google####.com:443
TCP(TLS/1.0) 1####.217.168.202:443
TCP(TLS/1.0) safebro####.google####.com:443
TCP(TLS/1.2) 1####.217.168.202:443
TCP(TLS/1.2) 1####.250.179.195:443
TCP(TLS/1.2) 1####.250.179.142:443

DNS requests:

File system changes:

Creates the following files:

Miscellaneous:

Executes the following shell scripts:

/system/bin/dex2oat --instruction-set=x86 --dex-file=<Package Folder>/.jiagu/classes.dex --dex-file=<Package Folder>/.jiagu/classes.dex:classes2.dex --oat-file=<Package Folder>/.jiagu/classes.oat --inline-depth-limit=0 --compiler-filter=speed
/system/bin/log -p d -t su /dev/com.android.settings/.socket3470
/system/bin/log -p d -t su /dev/com.android.settings/.socket3549
/system/bin/log -p d -t su 10065 /system/bin/app_process32 executing 0 /system/bin/sh using binary /system/bin/sh : sh
/system/bin/log -p d -t su child exited
/system/bin/log -p d -t su client exited 0
/system/bin/log -p d -t su connecting client 3457
/system/bin/log -p d -t su connecting client 3535
/system/bin/log -p d -t su remote args: 1
/system/bin/log -p d -t su remote pid: 3457
/system/bin/log -p d -t su remote pid: 3535
/system/bin/log -p d -t su remote pts_slave:
/system/bin/log -p d -t su remote req pid: 3423
/system/bin/log -p d -t su remote req pid: 3500
/system/bin/log -p d -t su remote uid: 10065
/system/bin/log -p d -t su sending code
/system/bin/log -p d -t su starting daemon client 10065 10065
/system/bin/log -p d -t su su invoked.
/system/bin/log -p d -t su waiting for child exit
/system/bin/log -p d -t su waiting for user
/system/bin/log -p e -t su sqlite3 open /data/user_de/0/com.android.settings/databases/su.sqlite failure: 14
sh
su