Technical information
Malicious functions:
Executes code of the following detected threats:
- Tool.Rooter.40.origin
Network activity:
Connecting to:
- webse####.####.com
- p####.####.com
- c####.####.com
- j####.com
- i####.####.cn
- a####.####.com
HTTP GET requests:
- p####.####.com/t01eea77178473ec646.png
- p####.####.com/t016653b0454a228877.png
- p####.####.com/t01de6c0803a8dc610e.png
- c####.####.com/dex/container_165.dex
- j####.com/uploads/sc_logo.png
- i####.####.cn/iplookup/iplookup.php?format=####
HTTP POST requests:
- webse####.####.com/PackageService.asmx
- a####.####.com/container/global_config?cid=####&udid=####&cv=####
- webse####.####.com/GetJson.aspx
- a####.####.com/app_logs
Modified file system:
Creates the following files:
- /data/data/####/shared_prefs/####_preferences.xml
- /data/data/####/app_bangcleplugin/container.apk
- /data/data/####/shared_prefs/umeng_feedback_conversations.xml
- /data/data/####/app_data/container.pre_need_update_plugins
- /data/data/####/shared_prefs/device_id.xml.xml
- /data/data/####/files/busybox
- /data/data/####/shared_prefs/pre_apkol.xml
- /data/data/####/.cache/libsecexe.x86.so
- /sdcard/apkol/sc_logo.png
- /data/data/####/.cache/####
- /data/data/####/shared_prefs/umeng_general_config.xml
- /data/data/####/.md5
- /data/data/####/.cache/libsecmain.x86.so
- /data/data/####/files/.imprint
- /data/data/####/.cache/libsecpreload.x86.so
- /data/data/####/.sec_version
- /data/data/####/.cache/classes.dex
- /data/data/####/shared_prefs/####_preferences.xml.bak
- /data/data/####/.cache/####.art
- /sdcard/apkol/t016653b0454a228877.png
- /data/data/####/app_data/container.pre_global_config
- /data/data/####/.cache/classes.jar
- /data/data/####/databases/Uninstall-journal
- /data/data/####/databases/romlist
- /data/data/####/databases/Uninstall
- /data/data/####/shared_prefs/umeng_general_config.xml.bak
- /data/data/####/.cache/####.art.20
- /sdcard/apkol/t01de6c0803a8dc610e.png
- /data/data/####/databases/romlist-journal
- /sdcard/apkol/t01eea77178473ec646.png
Sets the 'executable' attribute to the following files:
- /data/data/####/.cache/####
- /data/data/####/files/busybox
Miscellaneous:
Executes next shell scripts:
- ls /sdcard
- chmod 755 /data/data/####/.cache/####
- /data/local/tmp/busybox df
- getprop ro.product.model
- cat /etc/vold.conf
- ls /emmc
- cat /etc/external_sd.fstab
- su
- chmod 755 /data/data/####/.cache/####.art.20
- getprop ro.product.cpu.abi
- cat /etc/internal_sd.fstab
- cat /etc/vold.fstab
- chmod 0777 /data/data/####/files/busybox
- /data/local/tmp/busybox df /sdcard
- cat /sys/class/net/usb0/address
- cat /proc/partitions
- chmod 755 /data/data/####/.cache/####.art
Uses elevated priveleges.
Uses special library to hide executable bytecode.
Contains functionality to send SMS messages automatically.
