Technical information
Malicious functions:
Sends SMS messages:
- 12114000372329: i2mPNk1AOWWu6IO69LttHIXkg==
Network activity:
Connecting to:
- h####.####.com
- ali####.####.com
- w####.####.com
- z####.####.com
- beijin####.####.com
- s####.####.com
- 1####.####.151:8080
- so####.com
- p####.####.com
- 4####.####.232:8081
- ut####.cn
- 4####.####.157:9321
- 1####.####.67:8080
- 1####.####.167
- 1####.####.167:9321
- ut####.cn:8080
- a####.####.com
- g####.####.com
- 1####.####.67
- c####.####.net
- c####.####.com
- e####.####.com
- a####.####.cn
HTTP GET requests:
- w####.####.com/adx.php?c=####
- s####.####.com/style/css/main.css
- c####.####.net/pixel?google_nid=####&google_cm=####&google_tc=####
- ali####.####.com/tfscom/T1iIp8FaVhXXXqupbX.js
- h####.####.com/public.js
- c####.####.com/9.gif?abc=####&rnd=####
- beijin####.####.com/apks/load.bat
- h####.####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&ep=####&et=####&ja=####&ln=####&lo=####<=####&nv=####&rnd=####&si=####&st=####&v=####&lv=####
- p####.####.com/hckm?di=####&dri=####&dis=####&dai=####&ps=####&dcb=####&dtm=####&dvi=####&dci=####&dpt=####&tsr=####&tpr=####&ti=####&ari=####&dbv=###...
- ali####.####.com/tkapi/plugin.js?_t=####
- h####.####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&et=####&ja=####&ln=####&lo=####<=####&nv=####&rnd=####&si=####&st=####&v=####&lv=####&tt=####
- c####.####.com/cpro/exp/closead/img/bg_rb.png
- c####.####.com/cpro/ui/noexpire/img/4.0.0/pc_ads_bear.1x.png
- c####.####.com/cn.html?1####
- c####.####.com/cpro/ui/noexpire/img/4.0.0/pc_ads.1x.png
- z####.####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&showp=####&t=####&h=####&rnd=####
- p####.####.com/hckm?rdid=####&dc=####&di=####&dri=####&dis=####&dai=####&ps=####&dcb=####&dtm=####&dvi=####&dci=####&dpt=####&tsr=####&tpr=####&ti=###...
- ali####.####.com/tps/i3/T1.lJGFlVcXXa6Q3bb-9-18.gif
- c####.####.com/gpixel?google_gid=####&google_cver=####
- a####.####.cn/bao/uploaded/i1/TB13ETsNpXXXXcIXVXXXXXXXXXX_!!0-item_pic.jpg_160x160.jpg
- e####.####.com/hmt/icon/21.gif
- c####.####.com/cpro/ui/noexpire/js/4.0.0/adClosefeedbackUpgrade.min.js
- a####.####.com/libs/jquery/2.1.4/jquery.min.js
- a####.####.cn/tps/i2/T1m09PXsFiXXbTThPr-7-7.gif
- so####.com/mobile
- c####.####.com/cpro/exp/closead/img/bd_logo.png
- g####.####.com/display?rd=####&pid=####&pgid=####&rf=####&et=####&ttype=####&v=####&cm=####&ck=####&cw=####&ct=####&wt=####&ti=####&tl=####&st=####&cb...
- a####.####.cn/tkapi.js
- c####.####.com/cpro/ui/noexpire/js/3.1.6/cpro.js
- ali####.####.com/tkapi/mclick.js?_t=####
- h####.####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&et=####&ja=####&ln=####&lo=####&nv=####&rnd=####&si=####&st=####&v=####&lv=####&tt=####
- a####.####.cn/bao/uploaded/i4/22754018/TB2aVvhXSFjpuFjSszhXXaBuVXa_!!22754018.jpg_160x160.jpg
- s####.####.com/style/css/bootstrap.min.css
- a####.####.cn/bao/uploaded/i1/TB1WgdlOpXXXXauXXXXXXXXXXXX_!!0-item_pic.jpg_160x160.jpg
- c####.####.net/pixel?google_nid=####&googl####
- s####.####.com/core.php?web_id=####&t=####
- s####.####.com/style/images/logo.gif
- s####.####.com/z_stat.php?id=####&web_id=####
- h####.####.com/h.js?0474b4d####
- s####.####.com/core.php?web_id=1000363052&t=z?c=####
- c####.####.com/cpro/ui/c.js
- g####.####.com/load?rf=####&dr=####&pid=####&pgid=####&ak=####&ttype=####&scr=####&lan=####&ciid=####&csid=####&curl=####&ckeywords=####&cb=####
HTTP POST requests:
- 4####.####.157:9321/abs/init
- 4####.####.232:8081/logic/absloginfo?imei=####&imsi=####&message=####
- so####.com/mobiles
- ut####.cn/excalibur/avalon/sdk/queryResult.aspx
- 1####.####.67:8080//BusiService/@intf@/i2001
- 1####.####.167/abs/fee
- 1####.####.67//BusiService/@intf@/i0002
- 1####.####.67//BusiService/@intf@/i0001
- ut####.cn:8080/excalibur/avalon/sdk/init.aspx
- 1####.####.151:8080/astrolinkSDK/info/getUpUrlInfo
- ut####.cn/excalibur/avalon/sdk/pay.aspx
- 1####.####.167:9321/abs/fee
Modified file system:
Creates the following files:
- /data/data/####/app_dex/utopay.jar
- /data/data/####/app_dex/utopay_icon.gif
- /data/data/####/databases/utopay.db-journal
- /data/data/####/shared_prefs/setting.xml
- /data/data/####/databases/d_aosd56dg
- /data/data/####/cache/webviewCacheChromium/data_3
- /data/data/####/cache/webviewCacheChromium/data_2
- /data/data/####/cache/webviewCacheChromium/data_1
- /data/data/####/cache/webviewCacheChromium/data_0
- /data/data/####/databases/webviewCookiesChromium.db-journal
- /data/data/####/shared_prefs/1154|account_file.xml
- /data/data/####/files/sdk.jar
- /sdcard/Download/AST_DOWN/version.bin
- /data/data/####/shared_prefs/abs.xml
- /sdcard/Download/AST_DOWN/load.bat
- /data/data/####/shared_prefs/####_preferences.xml
- /data/data/####/shared_prefs/STORE_MAIN.xml
- /data/data/####/databases/webview.db-journal
- /data/data/####/cache/webviewCacheChromium/f_000001
- /data/data/####/app_dex/utopay_close.png
- /data/data/####/cache/webviewCacheChromium/f_000003
- /data/data/####/cache/webviewCacheChromium/f_000002
- /data/data/####/cache/webviewCacheChromium/f_000005
- /data/data/####/cache/webviewCacheChromium/f_000004
- /data/data/####/cache/webviewCacheChromium/f_000007
- /data/data/####/cache/webviewCacheChromium/f_000006
- /data/data/####/shared_prefs/####_preferences.xml.bak
- /data/data/####/shared_prefs/sp_haoapp.xml
- /data/data/####/shared_prefs/abs.xml.bak
- /data/data/####/cache/webviewCacheChromium/index
- /data/data/####/databases/d_aosd56dg-journal
Miscellaneous:
Executes next shell scripts:
- getprop apps.customerservice.device
Contains functionality to send SMS messages automatically.
