Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Click.308.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) of.okyes####.com:80
- TCP(HTTP/1.1) f####.google####.com:80
- TCP(HTTP/1.1) overt####.com:80
- TCP(HTTP/1.1) r####.koapk####.com:80
- TCP(HTTP/1.1) csk####.com:80
- TCP(HTTP/1.1) t####.up####.com:80
- TCP(HTTP/1.1) s####.b####.com:80
- TCP(HTTP/1.1) f####.gst####.com:80
- TCP(HTTP/1.1) clic####.c0c.xyz:80
- TCP(HTTP/1.1) ps.okyes####.com:8802
- TCP(HTTP/1.1) www.adbocg####.com:8802
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) c.atandm####.com:443
- TCP(TLS/1.0) csk####.com:443
- TCP(TLS/1.0) smart-v####.com:443
- TCP(TLS/1.0) jsde####.a7####.flexbal####.net:443
- TCP(TLS/1.0) app.super####.io:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) c####.cloudf####.com:443
- TCP(TLS/1.0) ta####.offerst####.net:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) cac####.gas####.edge2be####.com:443
- TCP(TLS/1.0) adser####.go####.nl:443
- TCP(TLS/1.0) p####.v####.net:443
- TCP(TLS/1.0) adser####.go####.com:443
- TCP(TLS/1.0) f####.google####.com:443
- TCP(TLS/1.0) a####.google####.com:443
- TCP(TLS/1.0) p####.prizes4####.com:443
- TCP(TLS/1.0) www.go####.nl:443
- TCP(TLS/1.0) makedi####.xyz:443
- TCP(TLS/1.0) news-ju####.com:443
DNS requests:
- a####.google####.com
- ads.cons####.com
- adser####.go####.com
- adser####.go####.nl
- app.super####.io
- c####.cloudf####.com
- c.atandm####.com
- cdn.jsde####.net
- clic####.c0c.xyz
- cs-g####.com
- csk####.com
- f####.google####.com
- f####.gst####.com
- googl####.g.doublec####.net
- makedi####.xyz
- mt####.go####.com
- news-ju####.com
- of.okyes####.com
- overt####.com
- p####.prizes4####.com
- p####.v####.net
- ps.okyes####.com
- r####.koapk####.com
- s####.b####.com
- smart-v####.com
- ssl.gst####.com
- t####.up####.com
- ta####.offerst####.net
- www.adbocg####.com
- www.go####.com
- www.go####.nl
- www.gst####.com
HTTP GET requests:
- clic####.c0c.xyz/rest/ck/o/1291/2427509?click_id=####
- clic####.c0c.xyz/rest/ck/o/1291/2427509?click_id=####&mc=####
- csk####.com/?a=####&oc=####&c=####&m=####&s1=####&s2=####
- f####.google####.com/css?family=####
- f####.gst####.com/s/ubuntu/v14/4iCs6KVjbNBYlgoKfw7znU6AFw.ttf
- f####.gst####.com/s/ubuntu/v14/4iCv6KVjbNBYlgoCxCvjsGyIPYZvgw.ttf
- of.okyes####.com/redirect?uid=####&sourceid=####&clickid=####
- overt####.com/d/46801059bf4cd8312d4?sub=####&source=####
- overt####.com/d/46801059bf4cd8312d4?sub=####&source=####&code=####&_tdf=...
- overt####.com/gw?sub=a1a23a17-7608-4f1b-b1f1-3ede1e9801b8&source=1481210...
- s####.b####.com/redirect?s=####&at=####&rt=####&s2=####
- t####.up####.com/click?id=####&aff=####&ost=####&click=####
HTTP POST requests:
- ps.okyes####.com:8802/sub/cb
- r####.koapk####.com/pgm/rt/lg
- www.adbocg####.com:8802/sub/v2/of
File system changes:
Creates the following files:
- /data/data/####/20160121.xml
- /data/data/####/AD_ID_SPINFO.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/index
- /data/data/####/loa.xml
- /data/data/####/ocom_mdvbgr_biwlcme_1.dex
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
Miscellaneous:
Executes the following shell scripts:
- logcat -d -v time
Loads the following dynamic libraries:
- libcom_mdvbgr_biwlcme_2
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
Manages Wi-Fi connectivity.
