Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.613.origin
- Android.Triada.235.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) wap.n.sh####.com:80
- TCP(HTTP/1.1) box.jom####.com:80
- TCP(HTTP/1.1) supermo####.jom####.com:80
- TCP(HTTP/1.1) hpd.b####.com:80
- TCP(TLS/1.0) als.b####.com:443
- TCP(TLS/1.0) sv.bdst####.com.####.com:443
- TCP(TLS/1.0) sslb####.jom####.com:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) t####.jom####.com:443
- TCP(TLS/1.0) dow####.b####.com:443
- TCP(TLS/1.0) ssls####.jom####.com:443
- TCP(TLS/1.0) down####.b####.com:443
- TCP(TLS/1.0) h####.b####.com:443
- TCP(TLS/1.0) wap.n.sh####.com:443
- TCP(TLS/1.0) b.bdst####.com:443
- TCP(TLS/1.0) box.jom####.com:443
- TCP(TLS/1.0) mbdchu####.n.sh####.com:443
- TCP(TLS/1.0) hpd.b####.com:443
DNS requests:
- als.b####.com
- b.bdst####.com
- dow####.b####.com
- down####.b####.com
- e####.bdst####.com
- ext.b####.com
- f####.b####.com
- f10.b####.com
- f11.b####.com
- f12.b####.com
- g####.bdst####.com
- h####.b####.com
- h.hiph####.b####.com
- hm.b####.com
- hpd.b####.com
- m.b####.com
- mbd.b####.com
- mo.b####.com
- mt####.go####.com
- s.bdst####.com
- sm.b####.com
- ss0.b####.com
- ss1.b####.com
- ss2.b####.com
- ss3.b####.com
- sv.bdst####.com
- ti####.b####.com
HTTP GET requests:
- box.jom####.com/common/openjs/openBox.js?_v=####
- box.jom####.com/news/pic/item/342ac65c103853431c08c3a09913b07ecb808868.jpg
- hpd.b####.com/v.gif?ct=####&logFrom=####&cst=####&logInfo=####&logExtra=...
- hpd.b####.com/v.gif?ct=####&logFrom=####&tid=####&cst=####&logInfo=####&...
- hpd.b####.com/v.gif?logid=####&ssid=####&sid=####&from=####&pu=####&ct=#...
- hpd.b####.com/v.gif?tid=####&ct=####&cst=####&logFrom=####&logInfo=####&...
- supermo####.jom####.com/static/wiseindex/amd_modules/@searchfe/assert_3e...
- supermo####.jom####.com/static/wiseindex/amd_modules/@searchfe/promise_a...
- supermo####.jom####.com/static/wiseindex/amd_modules/@searchfe/underscor...
- supermo####.jom####.com/static/wiseindex/amd_modules/ralltiir_13df900.js
- supermo####.jom####.com/static/wiseindex/iconfont/iconfont_2681c2d.ttf
- supermo####.jom####.com/static/wiseindex/img/fetch_ing_8_0.png
- supermo####.jom####.com/static/wiseindex/js/lib/atomWrapper_6fc442d.js
- supermo####.jom####.com/static/wiseindex/js/lib/invoke/component/backgro...
- supermo####.jom####.com/static/wiseindex/js/lib/invoke/component/breath_...
- supermo####.jom####.com/static/wiseindex/js/lib/invoke/component/btmBann...
- supermo####.jom####.com/static/wiseindex/js/lib/invoke/component/fullscr...
- supermo####.jom####.com/static/wiseindex/js/lib/invoke/fnProvider_6015d1...
- supermo####.jom####.com/static/wiseindex/js/lib/invoke/invokeBox_12354c1...
- supermo####.jom####.com/static/wiseindex/js/lib/invoke/invokeSecr_13c5fe...
- supermo####.jom####.com/static/wiseindex/js/lib/invoke/log_8406fdd.js
- supermo####.jom####.com/static/wiseindex/js/lib/invoke/serverDataFactory...
- supermo####.jom####.com/static/wiseindex/js/lib/invoke/setInvokeCookie_b...
- supermo####.jom####.com/static/wiseindex/js/package/backflow_d744959.js
- supermo####.jom####.com/static/wiseindex/js/package/newsActivity_f3a3935...
- supermo####.jom####.com/static/wiseindex/js/package/superframe_5b7bdae.js
- supermo####.jom####.com/static/wiseindex/js/plugin/safariicon_6bd009a.js
- wap.n.sh####.com/
- wap.n.sh####.com/?action=####&ms=####&version=####&callback=####&r=####&...
- wap.n.sh####.com/se/static/img/iphone/logo.png
- wap.n.sh####.com/se/static/img/iphone/tab_loading__bg_logo.png
- wap.n.sh####.com/se/static/js/bundles/ala-util_c91ecd5.js
- wap.n.sh####.com/se/static/js/bundles/atom_44405ae.js
- wap.n.sh####.com/se/static/js/service/index_polymer_2957097.js
- wap.n.sh####.com/se/static/js/service/index_seloader_release.js?v=####
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/default_ic...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/dingdan_63...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/fankui_cc4...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/guanzhu_0e...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/hanbaobao_...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/pifu_eef38...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/shoucang_5...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/spritelist...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/pack_4bd4195.js
- wap.n.sh####.com/static/index/plus/public/icon_police.png
- wap.n.sh####.com/static/index/plus/public/tab_news.png
- wap.n.sh####.com/static/search/clear.png
- wap.n.sh####.com/static/tj.gif?time=####
- wap.n.sh####.com/sugrec?callback=####&type=####&prod=####&pic=####&from=...
- wap.n.sh####.com/tc?tcreq4log=####&r=####&logid=####&from=####&pu=####&c...
- wap.n.sh####.com/tcbox?service=####&action=####&ctv=####&cen=####&data={...
File system changes:
Creates the following files:
- /data/data/####/b46119a932d8bc345b653ca25f2e3fa4.apk
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/done
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/index
- /data/data/####/libcrypt_sign.so
- /data/data/####/onib_clz.jar
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
Miscellaneous:
Executes the following shell scripts:
- /system/bin/netcfg
Loads the following dynamic libraries:
- cvnljqeh
- kfcbdwle
Uses the following algorithms to decrypt data:
- DES
Displays its own windows over windows of other apps.
