Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.564.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) hd.a####.com:80
- TCP(TLS/1.0) schedul####.w####.com:443
DNS requests:
- ad####.m.ta####.com
- bcfeed####.ta####.com
- co####.w####.com
- cr####.w####.com
- dyn.w####.com
HTTP GET requests:
- hd.a####.com/proton/white-list.json
File system changes:
Creates the following files:
- /data/anr/traces.txt
- /data/data/####/0a231bd8575dcf72.txt
- /data/data/####/2CD91DE9A0F1D93BFFAEF848DEF79462
- /data/data/####/8ef9c457b3bbb403.lock
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/UTCommon.xml
- /data/data/####/app_preferences.xml
- /data/data/####/caimiapp_prefile.xml
- /data/data/####/com.caimi.creditcard_preferences.xml
- /data/data/####/cpugpuinfo
- /data/data/####/dianshi.host
- /data/data/####/finance_cache_preference.xml
- /data/data/####/getui_sp.xml
- /data/data/####/init_c1.pid
- /data/data/####/kuaidai.so-journal
- /data/data/####/libexec.so
- /data/data/####/libexecmain.so
- /data/data/####/libsgmainso-5.1.81.so.tmp
- /data/data/####/lock.lock
- /data/data/####/message.db-journal
- /data/data/####/multidex.version.xml
- /data/data/####/sdk.baa.app.xml
- /data/data/####/sdk.baa.user.xml
- /data/data/####/sdk.taobao.app.xml
- /data/data/####/sdk.taobao.user.xml
- /data/data/####/sensorsdata.xml
- /data/data/####/sharePreferencePatch.xml
- /data/data/####/sp.lock
- /data/data/####/swbridge
- /data/data/####/umeng_general_config.xml
- /data/data/####/ut.db
- /data/data/####/ut.db-journal
- /data/data/####/wax-resource.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromium.db-journal (deleted)
- /data/media/####/.nomedia
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
Miscellaneous:
Executes the following shell scripts:
- getprop ro.product.cpu.abi
- sh -c cat /proc/2164/wchan
- sh -c cat /proc/2210/wchan
- sh -c cat /proc/2335/wchan
- sh -c cat /proc/2414/wchan
- sh -c cat /proc/2457/wchan
- sh -c cat /proc/2569/wchan
- sh -c cat /proc/2619/wchan
- sh -c cat /proc/2662/wchan
- sh -c cat /proc/2784/wchan
- sh -c cat /proc/2827/wchan
- sh -c cat /proc/2916/wchan
- sh -c cat /proc/2967/wchan
- sh -c cat /proc/3090/wchan
- sh -c cat /proc/3133/wchan
- sh -c cat /proc/3278/wchan
- sh -c cat /proc/3320/wchan
- sh -c cat /proc/3434/wchan
- sh -c cat /proc/3474/wchan
- sh -c cat /proc/3586/wchan
- sh -c cat /proc/3627/wchan
Loads the following dynamic libraries:
- c++_shared
- getuiext2
- libexec
- libexecmain
- mmkv
- sgmainso-5.1
- ut_c_api
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
