Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Locker.1274.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) www.yehangx####.com:80
- TCP(HTTP/1.1) q1.q####.cn:80
- UDP(NTP) 2.and####.p####.####.org:123
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) rr1---s####.g####.com:443
- TCP(TLS/1.0) www.google####.com:443
- TCP(TLS/1.2) 1####.251.39.99:443
- UDP www.google####.com:443
- UDP p####.google####.com:443
DNS requests:
- 2.and####.p####.####.org
- and####.a####.go####.com
- and####.google####.com
- m####.go####.com
- p####.google####.com
- q1.q####.cn
- rr1---s####.g####.com
- www.google####.com
- www.yehangx####.com
HTTP GET requests:
- q1.q####.cn/g?b=####&nk=####&s=####
- www.yehangx####.com/api/game/dayindex.php
- www.yehangx####.com/api/game/houtai/api/qdgl.php
- www.yehangx####.com/api/game/houtai/api/update.php
- www.yehangx####.com/api/game/houtai/api/zc.php?user=####&name=####&pass=...
- www.yehangx####.com/api/game/img/yikmresource/fcpic/1000a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/1001a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/2581a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/3177.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/3179.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/3181.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/4711a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/4712.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/4713.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/gd/2254a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/gd/2259a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/sj/436a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/sj/437a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/sj/910a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/ydbs/1544a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/ydbs/1810a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/ydbs/2114a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/ydbs/255a.png
- www.yehangx####.com/api/game/img/yikmresource/fcpic/ydbs/577a.png
- www.yehangx####.com/api/game/index.php?page=####
File system changes:
Creates the following files:
- /data/data/####/030dabeb335c95f033bd96a0a0e9b239.0.tmp
- /data/data/####/030dabeb335c95f033bd96a0a0e9b239.1
- /data/data/####/030dabeb335c95f033bd96a0a0e9b239.1.tmp
- /data/data/####/0fee021bf43d1b3294e1fd7bb35a23dd.0.tmp
- /data/data/####/0fee021bf43d1b3294e1fd7bb35a23dd.1
- /data/data/####/0fee021bf43d1b3294e1fd7bb35a23dd.1.tmp
- /data/data/####/169c86513f908bf7bc0f4514bcfa842e.0.tmp
- /data/data/####/169c86513f908bf7bc0f4514bcfa842e.1
- /data/data/####/169c86513f908bf7bc0f4514bcfa842e.1.tmp
- /data/data/####/2c9606c29e11c2d51f826d8df42a5b90.0.tmp
- /data/data/####/2c9606c29e11c2d51f826d8df42a5b90.1.tmp
- /data/data/####/374b5b199f5fa2f0816c2ae9590da25d.0.tmp
- /data/data/####/374b5b199f5fa2f0816c2ae9590da25d.1
- /data/data/####/374b5b199f5fa2f0816c2ae9590da25d.1.tmp
- /data/data/####/38b02b532578970c2e75c6b9709a198b.0.tmp
- /data/data/####/38b02b532578970c2e75c6b9709a198b.1
- /data/data/####/38b02b532578970c2e75c6b9709a198b.1.tmp
- /data/data/####/4f22917fbde1cbed21ff322626e80db8.0.tmp
- /data/data/####/4f22917fbde1cbed21ff322626e80db8.1
- /data/data/####/5d40e949ec7c3549def42d8087028a7b.0.tmp
- /data/data/####/5d40e949ec7c3549def42d8087028a7b.1
- /data/data/####/6305e0efb0ff70c224fb62784a5faade.0.tmp
- /data/data/####/6305e0efb0ff70c224fb62784a5faade.1.tmp
- /data/data/####/766a8ecbaf9d2f73ecda49cf603b90b5.0.tmp
- /data/data/####/766a8ecbaf9d2f73ecda49cf603b90b5.1
- /data/data/####/77e3dfc15279ec94564277628b62e9e7.0.tmp
- /data/data/####/77e3dfc15279ec94564277628b62e9e7.1
- /data/data/####/77e3dfc15279ec94564277628b62e9e7.1.tmp
- /data/data/####/786c09c361e96c84024f976f2ad0a5f8.0.tmp
- /data/data/####/786c09c361e96c84024f976f2ad0a5f8.1.tmp
- /data/data/####/a47309579a91d37658e4121ab00e42ce.0.tmp
- /data/data/####/a47309579a91d37658e4121ab00e42ce.1
- /data/data/####/a47309579a91d37658e4121ab00e42ce.1.tmp
- /data/data/####/b0e788e4710297f4236731b52fc962b2.0.tmp
- /data/data/####/b0e788e4710297f4236731b52fc962b2.1
- /data/data/####/b0e788e4710297f4236731b52fc962b2.1.tmp
- /data/data/####/b152fdb489b07f3fd82b0aad3e79f524.0.tmp
- /data/data/####/b152fdb489b07f3fd82b0aad3e79f524.1.tmp
- /data/data/####/cdecbcb1dcede9254197e1e72e65ee2a.0.tmp
- /data/data/####/cdecbcb1dcede9254197e1e72e65ee2a.1
- /data/data/####/cdecbcb1dcede9254197e1e72e65ee2a.1.tmp
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.oat
- /data/data/####/classes1.dex
- /data/data/####/classes1.dex.flock (deleted)
- /data/data/####/d148fcb11047dd81231178688f2a73f4.0.tmp
- /data/data/####/d148fcb11047dd81231178688f2a73f4.1
- /data/data/####/df4370d7104741e5bb091cef781a1005.0
- /data/data/####/df4370d7104741e5bb091cef781a1005.1
- /data/data/####/f719918e5c8595a2eecf7bc1079a45d9.0.tmp
- /data/data/####/f719918e5c8595a2eecf7bc1079a45d9.1
- /data/data/####/f719918e5c8595a2eecf7bc1079a45d9.1.tmp
- /data/data/####/f799051017e6cc646f2823b5658e4049.0.tmp
- /data/data/####/f799051017e6cc646f2823b5658e4049.1
- /data/data/####/f799051017e6cc646f2823b5658e4049.1.tmp
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/libjiagu.so
- /data/data/####/proc_auxv
- /data/media/####/class
- /data/media/####/user
- /data/misc/####/primary.prof
Miscellaneous:
Loads the following dynamic libraries:
- libjiagu
- libluajava
- libygsiyu
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Displays its own windows over windows of other apps.
