Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.337.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 1####.177.14.94:80
- TCP(TLS/1.0) rr18---####.g####.com:443
- TCP(TLS/1.0) rr2---s####.g####.com:443
- TCP(TLS/1.0) and####.b####.qq.com:443
- TCP(TLS/1.0) md####.google####.com:443
- TCP(TLS/1.0) h.t####.qq.com:443
- TCP(TLS/1.0) 1####.177.14.94:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) adsd####.d####.pro:443
- TCP(TLS/1.0) er####.u####.com.####.com:443
- TCP(TLS/1.0) pla####.google####.com:443
- TCP(TLS/1.2) md####.google####.com:443
- TCP(TLS/1.2) 1####.177.14.99:443
- TCP(TLS/1.2) 1####.177.14.94:443
- UDP md####.google####.com:443
DNS requests:
- adsd####.d####.pro
- and####.a####.go####.com
- and####.b####.qq.com
- er####.u####.com
- h.t####.qq.com
- m####.go####.com
- md####.google####.com
- p####.google####.com
- pla####.google####.com
- rr18---####.g####.com
- rr2---s####.g####.com
- rr9---s####.g####.com
HTTP GET requests:
- adsd####.d####.pro:443/getConfigNew3?userName=####&version=####
HTTP POST requests:
- and####.b####.qq.com:443/rqd/async?aid=####
- er####.u####.com.####.com:443/api/crashsdk/logcollect?chk=####&vno=####&...
- er####.u####.com.####.com:443/apm_cc
- er####.u####.com.####.com:443/upload
- h.t####.qq.com:443/kv
File system changes:
Creates the following files:
- /data/data/####/.jg.ac
- /data/data/####/1002
- /data/data/####/1004
- /data/data/####/655b54cd58a9eb5b0a0d59fa_1.4.5_33a89524_SM-T555...log.gz
- /data/data/####/A3AEECD8.dex
- /data/data/####/A3AEECD8.dex.flock (deleted)
- /data/data/####/BUGLY_COMMON_VALUES.xml
- /data/data/####/PPALITU2RETTULF0ELPMAXE0MOC.ctj
- /data/data/####/PPALITU2RETTULF0ELPMAXE0MOC.st
- /data/data/####/Y29uZmlnXzY1NWI1NGNkNThhOWViNWIwYTBkNTlmYQ.sp
- /data/data/####/Y29uZmlnXzY1NWI1NGNkNThhOWViNWIwYTBkNTlmYQ.sp.bak
- /data/data/####/app_themes.xml
- /data/data/####/bugly_db_-journal
- /data/data/####/bytes
- /data/data/####/cdt.wa
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/classes.dex;classes5.dex
- /data/data/####/com.example.flutter_utilapp.BETA_VALUES.xml
- /data/data/####/cr.wa
- /data/data/####/crashrecord.xml
- /data/data/####/dt.wa
- /data/data/####/efs_launch.xml
- /data/data/####/efs_launch.xml.bak
- /data/data/####/efsid
- /data/data/####/efsid3417
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/fds (deleted)
- /data/data/####/jgobfppppp (deleted)
- /data/data/####/libjiagu_64.so
- /data/data/####/local_crash_lock
- /data/data/####/native_record_lock
- /data/data/####/native_record_lock (deleted)
- /data/data/####/paconfig.sp
- /data/data/####/paconfig.sp.bak
- /data/data/####/proc_auxv
- /data/data/####/sendlock
- /data/data/####/sp_replace_flag.sp
- /data/data/####/sp_replace_flag.sp.bak
- /data/data/####/ssp_config.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_config.xml.bak
- /data/data/####/umeng_general_config.xml
- /data/data/####/unique
- /data/data/####/update.xml
- /data/data/####/update_lc
- /data/data/####/ver
- /data/data/####/wa_gzip_1_1_3613_1799_1706985374112
- /data/data/####/wa_gzip_1_1_3613_9379_1706985323054
- /data/data/####/wa_none_1_1_3613_279_1706985314107
- /data/data/####/z==1.2.0&&1.4.5_1706985305314_emNmZw==;.log
- /data/media/####/crash-2024-02-03-21-35-24-1706985324432.log
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/sh -c getprop
- getprop
- logcat -d -b events -b main -v threadtime -t 1500
- logcat -d -v threadtime
- ls -l /system/bin/su
- sh -c type su
Loads the following dynamic libraries:
- libA3AEECD8
- libBugly-ext
- libcrashsdk
- libjiagu_64
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Accesses the ITelephony private interface.
Gets information about network.
