Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.SmsSend.1914.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- 1####.####.140
- 1####.####.gold
- 4####.####.net
- a####.####.com
- b####.com
- c####.####.com
- c####.####.net
- esma####.####.org
- gl####.####.com
- gl####.####.com:9090
- koolm####.info
- m####.####.com
- p####.####.com
- trac####.####.com
- u####.com
- u####.com:7079
- u####.com:8083
- v####.####.com
HTTP GET requests:
- 1####.####.140/ma/z.php?c=####&n=####&subid=####&siteid=####
- 1####.####.gold/click/8xQA3Fw9xd?pubid=####
- 1####.####.gold/click/dDJunajhw2GsOMjhR?affid=####&pubid=####&c2=####&pi...
- 1####.####.gold/main/d.php?s=1&link=http://vq7n5.2587879.com/?s2=####&s3...
- 4####.####.net/data/cache-cmp5/9d85ea0571dd8543688ccf280b9d967b.js
- 4####.####.net/data/cache-cmp5/ff5c2c5c9dca71dd75b0ab10c2a3078f.css
- 4####.####.net/media/b3f71e99f120522d9928544f5873718e5440.jpg
- 4####.####.net/media/d874e862d07577115bd5ae5a10c39e085441.png
- 4####.####.net/thumb/media/384/60/488c90f4f880464ab002e5001642507c1966.jpg
- a####.####.com/api/front/coregs/1c66cdaad7f0ae678c553a483f6dab3d/get
- a####.####.com/fd/ls/l?IG=####&CID=####&TYPE=####&DATA=####
- a####.####.com/offer/h25tcljrg2yt2/?s1=####&s2=####&affid=####
- a####.####.com/t/lj3d155538jgywkhp1yvArrqnnb247dl/?s1=####&s2=####
- b####.com/?r=####
- b####.com/AS/Suggestions?pt=####&mkt=####&qry=####&cp=####&css=####&cvid...
- b####.com/ImageResolution.aspx?w=####&h=####&hash=####&r=####
- b####.com/Passport.aspx?popup=####
- b####.com/az/hprichbg/rb/MausoleumLovcen_ROW12562397577_320x240.jpg
- b####.com/fd/ls/l?IG=####&CID=####&Type=####&DATA=####&P=####&DA=####
- b####.com/fd/s/a/sbbtn.png
- b####.com/hpmob?r=####&IG=####&IID=####
- b####.com/notifications/render?bnptrigger={"PartnerId":"HomePage","IID":...
- b####.com/rms/AutoSug/cj,nj/48de7247/3afd2d12.js?bu=####
- b####.com/rms/BingCore.Bundle/cj,nj/0b5cf849/1a2f5baa.js?bu=####
- b####.com/rms/Framework/cj,nj/f0fe13d0/9101d3f2.js?bu=####
- b####.com/rms/MobileSiteBase/cc,nc/8d0342e9/e3492d89.css?bu=####
- b####.com/rms/rms answers Homepage Mobile$MobileHeaderSprite2x/ic/7cc161...
- b####.com/rms/rms answers Identity Mobile$HamburgerMenu/cj,nj/3c429dc0/f...
- b####.com/rms/rms answers Identity Mobile$MobileSnrWindowsLiveConnectBoo...
- b####.com/rms/rms answers Shared BingCore$Animation/cj,nj/c9ce19fd/92e3c...
- b####.com/rms/rms answers Shared BingCore$fadeAnimation/cj,nj/8c497c38/f...
- b####.com/rms/rms serp Homepage$bgLogoBingTeal/ic/23b397af/f2e8bbe3.png
- c####.####.com/?a=####&c=####&E=cFXPq####&s1=####&s2=####
- c####.####.com/?a=####&c=####&E=cFXPq####&s1=####&s2=####&ckmguid=####
- c####.####.net/iclk/redirect.php?id=####&trafficsourceid=####&trackid=##...
- esma####.####.org/aff_c?offer_id=####&aff_id=####&url_id=####&ref_id=###...
- esma####.####.org/aff_r?offer_id=1009&aff_id=1044&redirect_pass=1&url=ht...
- esma####.####.org/aff_r?offer_id=1009&aff_id=1044&url=https://eat.emmaso...
- gl####.####.com/click?pid=####&offer_id=####&sub1=####&sub2=####&pid=####
- gl####.####.com:9090/app?IsOnlyCp=####&phone=####&offerid=####&affid=###...
- koolm####.info/r/a834ab54-8717-11e7-a70e-114507c6f07f/0/
- koolm####.info/r/a834ab54-8717-11e7-a70e-114507c6f07f/1/
- m####.####.com/c/69c5e7f9210e673c?tid=####&trafficsource_id=####&token2=...
- p####.####.com/red/?a=####&ba=####&code=####&pubid=####
- trac####.####.com/c96db875-0744-4d63-bef5-9cea8843e046?var3=####&Subid=#...
- u####.com/ru/findbutton0718.js
- u####.com/ru/processurl0718.js
- u####.com/ru/simulationClickYes0718.js
- v####.####.com/?s2=####&s3=####
HTTP POST requests:
- a####.####.com/api/session/start?s1=####&s2=####&affid=####
- a####.####.com/api/track
- b####.com/fd/ls/lsp.aspx
- b####.com/fd/ls/lsp.aspx?
- u####.com:7079/jsdk/sd.action?b=####&ca=####&ica=####&re=####
- u####.com:8083/jsdk/sd.action?b=####
Modified file system:
Creates the following files:
- <Package Folder>/app_jgu/u.a.n.201708221610.rm
- <Package Folder>/app_jgu/x.apk
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/index
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/com.hyjt.app.android.india.preferrence.xml
- <Package Folder>/shared_prefs/com.hyjt.app.android.india.preferrence.xml.bak
- <Package Folder>/shared_prefs/tip.xml
- <SD-Card>/SexVideo/20170804.txt
- <SD-Card>/commonsdk/findbutton0718.js
- <SD-Card>/commonsdk/processurl0718.js
- <SD-Card>/commonsdk/simulationClickYes0718.js
Miscellaneous:
Loads the following dynamic libraries:
- v8js
Uses the following algorithms to decrypt data:
- desede-CBC-PKCS5Padding
Gains access to telephone information (number, imei, etc.).
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
