Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.907
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) slot####.e####.com.####.net:80
- TCP(SSL/3.0) g.geo####.com:443
- TCP(TLS/1.0) c####.lb.wac.####.net:443
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) p####.e####.com:443
- TCP(TLS/1.0) securep####.g.doublec####.net:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) showads####.pubm####.com:443
- TCP(TLS/1.0) ebay####.o####.net:443
- TCP(TLS/1.0) tpc.googles####.com:443
- TCP(TLS/1.0) www.go####.nl:443
- TCP(TLS/1.0) 1####.177.119.113:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) usllpic####.d.aa.####.net:443
- TCP(TLS/1.0) r####.e####.com:443
- TCP(TLS/1.0) as####.casalem####.com.####.net:443
- TCP(TLS/1.0) ocs####.e####.com:443
- TCP(TLS/1.0) adser####.go####.nl:443
- TCP(TLS/1.0) s####.e####.com:443
- TCP(TLS/1.0) slot1####.e####.com.####.net:443
- TCP(TLS/1.0) adser####.go####.com:443
- TCP(TLS/1.0) si####.e####.com:443
- TCP(TLS/1.0) pag####.googles####.com:443
- TCP(TLS/1.0) optimiz####.rubicon####.net.####.net:443
- TCP(TLS/1.0) i####.slot####.e####.####.net:443
- TCP(TLS/1.0) src.eba####.com:443
- TCP(TLS/1.0) g.geo####.com:443
- TCP(TLS/1.0) slot####.e####.com.####.net:443
- TCP(TLS/1.0) gha.e####.com:443
DNS requests:
- adser####.go####.com
- adser####.go####.nl
- adserve####.ad####.adverti####.com
- as####.casalem####.com
- ebay####.o####.net
- fast####.rubicon####.com
- gha.e####.com
- i.eba####.com
- ir.ebayst####.com
- ocs####.e####.com
- p####.e####.com
- pag####.googles####.com
- r####.e####.com
- s####.e####.com
- se####.a####.com
- secu####.ebayst####.com
- securep####.g.doublec####.net
- sho####.pubm####.com
- si####.e####.com
- src.eba####.com
- ssl.gst####.com
- tpc.googles####.com
- usllpic####.d.aa.####.net
- www.e####.com
- www.go####.com
- www.go####.nl
- www.googlet####.com
- www.gst####.com
HTTP GET requests:
- slot####.e####.com.####.net/
Modified file system:
Creates the following files:
- /data/data/####/.edata
- /data/data/####/classes.dex
- /data/data/####/classes.dex (deleted)
- /data/data/####/classes.dve
- /data/data/####/classes.jar
- /data/data/####/com.SecShell.tmp2263
- /data/data/####/com.SecShell.tmp2289
- /data/data/####/com.SecShell.tmp2315
- /data/data/####/com.SecShell.tmp2425
- /data/data/####/com.SecShell.tmp2460
- /data/data/####/com.SecShell.tmp2486
- /data/data/####/com.SecShell.tmp2520
- /data/data/####/com.SecShell.tmp2546
- /data/data/####/com.SecShell.tmp2572
- /data/data/####/com.SecShell.tmp2616
- /data/data/####/com.SecShell.tmp2642
- /data/data/####/com.SecShell.tmp2668
- /data/data/####/com.SecShell.tmp2754
- /data/data/####/com.SecShell.tmp2778
Miscellaneous:
Loads the following dynamic libraries:
- SecShell
Uses special library to hide executable bytecode.
