Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.HiddenAds.2345
Removes app icon from the screen.
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) cdn-cre####.acq####.unity3d####.####.net:80
- TCP(HTTP/1.1) cdn-sto####.unit####.uni####.####.net:80
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) nginx-a####.unit####.uni####.com:443
- TCP(TLS/1.0) app-mea####.com:443
- TCP(TLS/1.0) unit####.edges####.net:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) publish####.unit####.uni####.com:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) au####.unit####.uni####.com:443
- TCP(TLS/1.0) 1####.194.222.102:443
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.2) 1####.194.222.94:443
- TCP(TLS/1.2) gmscomp####.google####.com:443
- UDP gmscomp####.google####.com:443
- UDP rr2---s####.g####.com:443
- UDP p####.google####.com:443
- UDP rr1---s####.g####.com:443
DNS requests:
- and####.a####.go####.com
- and####.google####.com
- app-mea####.com
- au####.unit####.uni####.com
- auc####.unit####.uni####.com
- cdn-cre####.acq####.unity3d####.com
- cdn-sto####.unit####.uni####.com
- co####.unit####.uni####.com
- gmscomp####.google####.com
- goandro####.xyz
- goandro####.xyz.8.####.8
- m####.go####.com
- p####.google####.com
- publish####.unit####.uni####.com
- rr1---s####.g####.com
- rr2---s####.g####.com
HTTP GET requests:
- cdn-cre####.acq####.unity3d####.####.net/assets/62a8796b54dd2959a27704a4...
- cdn-cre####.acq####.unity3d####.####.net/assets/62a8796bd42785c7926b9219...
- cdn-sto####.unit####.uni####.####.net/store-icons/9e93f525-0028-4385-a3f...
- publish####.unit####.uni####.com:443/games/3950963/configuration?deviceM...
- unit####.edges####.net:443/webview/3.1.0/cbef059efac71f41625508f70cf5429...
- unit####.edges####.net:443/webview/3.1.0/release/config.json?ts=####&sdk...
HTTP POST requests:
- au####.unit####.uni####.com:443/v1/category/experiment
- nginx-a####.unit####.uni####.com:443/v6/games/3950963/requests?idfi=####...
- publish####.unit####.uni####.com:443/privacy/3950963/state
File system changes:
Creates the following files:
- /data/data/####/.dex2oatlock
- /data/data/####/.updateIV.dat
- /data/data/####/0000000lllll_0.dex
- /data/data/####/000O00ll111l_0.dex
- /data/data/####/00O000ll111l_0.dex
- /data/data/####/00O000ll111l_0.dex (deleted)
- /data/data/####/00O000ll111l_0.dex.flock
- /data/data/####/00O000ll111l_0.dex.flock (deleted)
- /data/data/####/0OO00l111l1l
- /data/data/####/0OO00l111l1l.lock
- /data/data/####/App_Link.xml
- /data/data/####/HidStatus.xml
- /data/data/####/Token.xml
- /data/data/####/UnityAdsStorage-private-data.json
- /data/data/####/UnityAdsStorage-public-data.json
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/index
- /data/data/####/libshellx-super.2019.so
- /data/data/####/metrics_guid
- /data/data/####/o0oooOO0ooOo.dat
- /data/data/####/the-real-index
- /data/data/####/tosversion
- /data/data/####/unityads-installinfo.xml
- /data/data/####/xy.re.build.pdf.scanner.coaaaae.nperabo_preferences.xml
- /data/media/####/.nomedia
- /data/media/####/UnityAdsCache-260183fc51b3ec0148a5c92ac667be1a...4a.jpg
- /data/media/####/UnityAdsCache-415c20ca1313e68d65376c28075c6730...e3.png
- /data/media/####/UnityAdsCache-de5d3dd5e1f88cadb5b80b4494b0e26c...b.webm
- /data/media/####/UnityAdsTest.txt
- /data/media/####/UnityAdsWebApp.html
- /data/media/####/session.606
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- getprop ro.product.cpu.abi
- ls /data/local
Loads the following dynamic libraries:
- libshellx-super.2019
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Accesses the ITelephony private interface.
Uses special library to hide executable bytecode.
Gets information about network.
