Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.300.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) bbq.aa####.cn:80
- TCP(TLS/1.0) md####.google####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.2) 2####.58.214.14:443
- TCP(TLS/1.2) 1####.250.179.195:443
- UDP md####.google####.com:443
DNS requests:
- and####.google####.com
- bbq.aa####.cn
- md####.google####.com
HTTP POST requests:
- bbq.aa####.cn/classes.dex
File system changes:
Creates the following files:
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex
- /data/dalvik-cache/####/system@framework@am.jar@classes.dex.flo...leted)
- /data/data/####/.cl
- /data/data/####/.jg.ic
- /data/data/####/1.png
- /data/data/####/2.png
- /data/data/####/3.png
- /data/data/####/4.png
- /data/data/####/5.png
- /data/data/####/6.png
- /data/data/####/7.png
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/a.html
- /data/data/####/auto.js.png
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.oat
- /data/data/####/com.jayhaw.jsqqhongzha.app_preferences.xml
- /data/data/####/learn.js
- /data/data/####/libjiagu.so
- /data/data/####/logo.png
- /data/data/####/main.js
- /data/data/####/metrics_guid
- /data/data/####/proc_auxv
- /data/data/####/project.json
- /data/data/####/startFire.js
- /data/data/####/ui.js
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/log -p d -t su /dev/com.android.settings/.socket3527
- /system/bin/log -p d -t su /dev/com.android.settings/.socket3724
- /system/bin/log -p d -t su 10065 /system/bin/sh executing 0 /system/bin/sh using binary /system/bin/sh : sh
- /system/bin/log -p d -t su connecting client 3509
- /system/bin/log -p d -t su connecting client 3703
- /system/bin/log -p d -t su daemon: stderr using PTY
- /system/bin/log -p d -t su daemon: stdin using PTY
- /system/bin/log -p d -t su daemon: stdout using PTY
- /system/bin/log -p d -t su remote args: 1
- /system/bin/log -p d -t su remote pid: 3509
- /system/bin/log -p d -t su remote pid: 3703
- /system/bin/log -p d -t su remote pts_slave: /dev/pts/1
- /system/bin/log -p d -t su remote req pid: 3498
- /system/bin/log -p d -t su remote req pid: 3689
- /system/bin/log -p d -t su remote uid: 10065
- /system/bin/log -p d -t su sending code
- /system/bin/log -p d -t su starting daemon client 10065 10065
- /system/bin/log -p d -t su su invoked.
- /system/bin/log -p d -t su waiting for child exit
- /system/bin/log -p d -t su waiting for user
- /system/bin/log -p e -t su sqlite3 open /data/user_de/0/com.android.settings/databases/su.sqlite failure: 14
- /system/bin/sh -
- getprop ro.cm.device
- getprop ro.product.device
- sh
- su
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Uses elevated priveleges.
Uses special library to hide executable bytecode.
Gets information about network.
Displays its own windows over windows of other apps.
Intercepts notifications.
Requests the system alert window permission.
