Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.RemoteCode.358.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) x####.x####.top:80
- TCP(HTTP/1.1) cdn.k####.com.####.net:80
- TCP(HTTP/1.1) v.l####.cn:80
- TCP(HTTP/1.1) c8w2ov7####.aliy####.click:80
- TCP(HTTP/1.1) v.r####.cn:80
- TCP(HTTP/1.1) 1####.78.170.208:8802
- TCP(HTTP/1.1) www.d####.com:80
- TCP(HTTP/1.1) survey-####.com:80
- TCP(HTTP/1.1) 1####.220.133.60:6868
- TCP(HTTP/1.1) 1####.23.247.140:8888
- TCP(HTTP/1.1) 1####.77.181.150:8888
- TCP(HTTP/1.1) op.ys####.cn:80
- TCP(HTTP/1.1) 39.1####.226.196:8801
- TCP(HTTP/1.1) na61-####.wagbr####.ali####.####.com:80
- TCP(HTTP/1.1) hx####.h####.tv:80
- TCP(HTTP/1.1) 1####.78.170.208:8801
- TCP(HTTP/1.1) 1####.40.102.153:8808
- TCP(HTTP/1.1) 1####.77.181.150:7777
- TCP(TLS/1.0) cos.accele####.myqc####.com:443
- TCP(TLS/1.0) i####.doub####.com.####.cn:443
- TCP(TLS/1.0) and####.b####.qq.com:443
- TCP(TLS/1.0) rr6---s####.g####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) a.w.bili####.com:443
- TCP(TLS/1.0) 1####.250.74.35:443
- TCP(TLS/1.0) rr9---s####.g####.com:443
- TCP(TLS/1.0) www.4####.org:443
- TCP(TLS/1.0) g####.com:443
- TCP(TLS/1.0) jiekou-####.cos.ap-chon####.####.com:443
- TCP(TLS/1.0) h.t####.qq.com:443
- TCP(TLS/1.0) 2####.58.211.14:443
- TCP(TLS/1.0) se####.v####.i####.com:443
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.2) 1####.250.74.35:443
- TCP(TLS/1.2) 1####.250.74.68:443
- TCP(TLS/1.2) 2####.58.211.14:443
- TCP(TLS/1.2) gmscomp####.google####.com:443
- TCP(TLS/1.2) 2####.58.207.227:443
- TCP(TLS/1.2) 1####.250.74.46:443
- TCP 2####.h####.com:443
- TCP as####.hei####.tv:443
- TCP jih####.com:443
- TCP aserver####.m.ta####.com:443
- TCP app.wh####.cn:443
- TCP www.fr####.run:443
- TCP pbac####.v####.qq.com:443
- TCP d.dcm####.top:443
- TCP www.cf####.com:443
- TCP c####.mod####.cc:443
- TCP mobi####.bz.m####.com:443
- TCP 1####.25.167.56:9998
- TCP p####.cc:443
- TCP ocr.w####.link:443
- TCP www.tuxia####.com:443
- TCP n####.v####.qq.####.net:443
- TCP api.9ce####.com.####.net:443
- TCP img1-do####.b0.a####.com:443
- TCP i####.doub####.com:443
- TCP i####.doub####.com.####.com:443
- TCP api.web.36####.com:443
- UDP 2####.255.255.250:1900
- TCP for####.do####.com:443
- TCP d####.oss-cn-####.byt####.store:443
- TCP sa####.tv:443
- TCP w####.gyf.lol:443
- TCP api.so.36####.com:443
- TCP a.w.bili####.com:443
- TCP y.g####.cn.####.net:443
- TCP vip.w####.cn:5200
- TCP www.q####.com:443
- TCP l####.me:443
- TCP fs-im-k####.qini####.com:443
- TCP suba####.vip:443
DNS requests:
- 2####.cn
- 2####.h####.com
- and####.b####.qq.com
- and####.google####.com
- api.9ce####.com
- api.bili####.com
- api.pull####.com
- api.so.36####.com
- api.web.36####.com
- app.wh####.cn
- app.yiy####.top
- apply-1####.cos.accele####.####.com
- as####.hei####.tv
- buyaoza####.com
- c####.mod####.cc
- c8w2ov7####.aliy####.click
- cdn.daxingu####.cn
- cdn.k####.com
- d####.oss-cn-####.byt####.store
- d.dcm####.top
- fs-im-####.7moor####.com
- g####.com
- gmscomp####.google####.com
- h.t####.qq.com
- hx####.h####.tv
- i####.doub####.com
- i####.doub####.com
- i####.doub####.com
- i####.doub####.com
- im####.67c####.com
- ip.ta####.com
- jiekou-####.cos.ap-chon####.####.com
- jih####.com
- ky####.top
- l####.me
- m####.do####.com
- m.fenggo####.com
- mobi####.bz.m####.com
- n####.v####.qq.com
- ocr.w####.link
- op.ys####.cn
- p####.cc
- p####.google####.com
- pbac####.v####.qq.com
- rr6---s####.g####.com
- rr9---s####.g####.com
- sa####.tv
- se####.v####.i####.com
- se####.y####.com
- suba####.vip
- survey-####.com
- t####.byted####.com
- u.shyt####.com
- v.l####.cn
- v.r####.cn
- vcover-####.p####.q####.cn
- vip.w####.cn
- w####.gyf.lol
- www.4####.org
- www.cf####.com
- www.d####.com
- www.fr####.run
- www.q####.com
- www.tuxia####.com
- x####.x####.top
- y.g####.cn
HTTP GET requests:
- cdn.k####.com.####.net/update/sdk/task_164.jar
- cos.accele####.myqc####.com:443/cksp.json
- g####.com:443/zishi001/zishiruanjian/raw/master/spider.jar
- g####.com:443/zishi001/zishiruanjian/raw/master/xiaosa5.jar
- g####.com:443/zishi001/zokzishi/raw/master/js/4K影视.json
- g####.com:443/zishi001/zokzishi/raw/master/js/来看点播.json
- g####.com:443/zishi001/zokzishi/raw/master/js/流光影视.json
- g####.com:443/zishi001/zokzishi/raw/master/js/爱上电影.json
- g####.com:443/zishi001/zokzishi/raw/master/js/素白白.js
- g####.com:443/zishi001/zokzishi/raw/master/js/追剧弹幕.js
- g####.com:443/zishi001/zokzishi/raw/master/lib/drpy_libs/drpy4.min.js
- g####.com:443/zishi001/zokzishi/raw/master/lib/drpy_libs/gbk.js
- g####.com:443/zishi001/zokzishi/raw/master/lib/drpy_libs/jsencrypt.js
- g####.com:443/zishi001/zokzishi/raw/master/lib/drpy_libs/node-rsa.js
- g####.com:443/zishi001/zokzishi/raw/master/lib/drpy_libs/pako.min.js
- g####.com:443/zishi001/zokzishi/raw/master/lib/drpy_libs/模板.js
- g####.com:443/zishi001/zokzishi/raw/master/lib/fgys.json
- g####.com:443/zishi001/zokzishi/raw/master/lib/兔小贝.json
- g####.com:443/zishi001/zokzishi/raw/master/lib/星芽短剧.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/drpy2.min.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/gbk.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/jinja.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/jsencrypt.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/json5.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/node-rsa.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/pako.min.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/优酷弹幕.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/哔哩直播.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/奇趣影视.json
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/小熊弹幕.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/模板.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/爱奇艺弹幕.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/百忙无果.js
- g####.com:443/zishi001/zokzishi/raw/master/xs/js/腾讯弹幕.js
- hx####.h####.tv/api/search/s5?k=####&srefer=####&type=####&page=####
- jiekou-####.cos.ap-chon####.####.com:443/1.txt
- na61-####.wagbr####.ali####.####.com/service/getIpInfo.php?ip=####
- se####.v####.i####.com:443/o?if=####&key=####&pageNum=####&pos=####&page...
- survey-####.com/
HTTP POST requests:
- and####.b####.qq.com:443/rqd/async?aid=####
- c8w2ov7####.aliy####.click/api.php/getappapi.index/searchList
- h.t####.qq.com:443/kv
- op.ys####.cn/v2/home/search
- v.l####.cn//v2/home/search
- v.l####.cn/v2/home/search
- v.r####.cn/v2/home/search
- www.d####.com//search.php
- x####.x####.top/api.php/getappapi.index/searchList
File system changes:
Creates the following files:
- /data/data/####/.hptc_kache_uawei.himovceie
- /data/data/####/0006b746aa229079a43bef818a01afbd2dfb94d11803997...2eb0.0
- /data/data/####/0d649b0f63545408affe34a4e06bbd34930333fd4afb50d...6f73.0
- /data/data/####/0f82beb369f802eb737ca80551080875f275778e8898cce...cf70.0
- /data/data/####/1004
- /data/data/####/1373037256.dex
- /data/data/####/1373037256.dex.flock (deleted)
- /data/data/####/1373037256.jar
- /data/data/####/1373037256.jar.ab04210df573be1507691bc5b569031f
- /data/data/####/14cb00547c205bc0c0dc2e098945ee6794d4906f360cd8f...leted)
- /data/data/####/1fa29cd6dff4110403cb5e144f0fac5a6adf13614258444...c952.0
- /data/data/####/2063315211.dex
- /data/data/####/2063315211.dex.flock (deleted)
- /data/data/####/2063315211.jar
- /data/data/####/2063315211.jar.temp
- /data/data/####/22a118af39025d3ebc7a887e4181728e84fb96f1a377c6c...2d04.0
- /data/data/####/28a4c38ec63acc89cda546161d0bb524211cbae5737db83...94e7.0
- /data/data/####/2a8d9d5796e9d48a0acb34a33ae5df5f08f555e24b31936...0133.0
- /data/data/####/2aca54ded94815b1981f515a6d7267a35d194e9f3c6ab03...8536.0
- /data/data/####/2bd86dcc7d1f0301ad7ba4e70a6716a41b366e90d1b2792....0.tmp
- /data/data/####/2d8b3a974771a653f6cc2ee5d88dc341
- /data/data/####/348d6ce2545d5d97569e5a96a6ba191d4d1a8cc00b8fd64...6a1e.0
- /data/data/####/36ed2cb50eec39d53e600773181e8636d67d5921795c62a...4288.0
- /data/data/####/3b7371c07eefca10f31786447962b669
- /data/data/####/3ca81f89424b52770f6ad1eb72d0531724cba5732fe37a9...1c63.0
- /data/data/####/49715fc775b00d13c00af19ca3472163c1506eeb89a7cf4....0.tmp
- /data/data/####/4d051606707d60b757430e6f0e3cc653891040ac6503f63...6521.0
- /data/data/####/57feeb3679fdcf8d88cefbde2960ef08525302f9bd3cf56...165d.0
- /data/data/####/58a7486e0cf310b758db45980f0ade4d27e5c013085c5a6....0.tmp
- /data/data/####/58a7486e0cf310b758db45980f0ade4d27e5c013085c5a6...3ef9.0
- /data/data/####/58c3dcb1dde4c18cdb110b4c9bb834b730c25116811c5eb....0.tmp
- /data/data/####/5994c3f911c910736a2935f33f68c4f399efe1c191e5ae8...f209.0
- /data/data/####/5a69c434d35a91f24f9506ace260a58179864381767a542...f294.0
- /data/data/####/5f876a9952bc91ad67bc7305c8068c2bfb69fba9b26c025...18b8.0
- /data/data/####/600b2e34cba98918b96a49ec133d97b76b6b1b2cd653818...59c6.0
- /data/data/####/687236fc46dec880bcb6cba350c72403ec0894f2bc8024e....0.tmp
- /data/data/####/687236fc46dec880bcb6cba350c72403ec0894f2bc8024e...905c.0
- /data/data/####/6976390c2ece006187f2437545ba3cb6eb1693b1e460363...7b68.0
- /data/data/####/6a1ddbbf584eaaad758ce58efb08c1fe665dd56c4bb25c8...4413.0
- /data/data/####/6ac65c7ef31eef825909499dee1cb78270309317a7b62f2...b374.0
- /data/data/####/6aca77ae3646f4746357b867aedd74ecd56cfb26396eb8d...7ba0.0
- /data/data/####/6b219deb5c2d6dd05cbd3c089d5ed2d8
- /data/data/####/7036d4e9fd3aae3351786becf0c3fc71e09c1e7ff4e5134....0.tmp
- /data/data/####/7036d4e9fd3aae3351786becf0c3fc71e09c1e7ff4e5134...403f.0
- /data/data/####/734907a59fb0e0355b506dcde0e2db148b65da24a5b0c4a...0bbe.0
- /data/data/####/7660e6385e25756c3eaec2a1afdd28f25397a715adfb93f...299b.0
- /data/data/####/7ce2c8e3ae028b86853b8fb6206a681e
- /data/data/####/7d20f09101a75ac75c2f2b1324bd8e6d5127325190a2310...ea85.0
- /data/data/####/7f5a7df14e44738a8aabd079688054f5dc392fdaeeff9f6...ba8c.0
- /data/data/####/839437687a441462b35c999012d47e31.dex
- /data/data/####/839437687a441462b35c999012d47e31.dex.flock (deleted)
- /data/data/####/839437687a441462b35c999012d47e31.jar
- /data/data/####/952f8593c00e78257b37a608ec2439549d0e6ae6535d3f3...8b2c.0
- /data/data/####/961e23451c6b56ee62eac28dcb80a55d84548bb2ba7f2a7...885a.0
- /data/data/####/981634fd3e86788e79a2afc382ad6c26afa3b15fae21639....0.tmp
- /data/data/####/981634fd3e86788e79a2afc382ad6c26afa3b15fae21639...2768.0
- /data/data/####/BUGLY_COMMON_VALUES.xml
- /data/data/####/LocalConfigSharePreference.xml
- /data/data/####/Utils.xml
- /data/data/####/a411bfac00e98c87b37858e0183f861826cc2fd2c24aa89...57bb.0
- /data/data/####/a9608fabaefe4d2e86623ddf403aecc105894100537f776...7631.0
- /data/data/####/ad59860421740037489176
- /data/data/####/ad59860421740037491947
- /data/data/####/ad59860421740037495283
- /data/data/####/ad59860421740037499028
- /data/data/####/ad_config.xml
- /data/data/####/ad_config.xml.bak
- /data/data/####/b0c42937a76ed76cf97977f83576184db3b3c1700f8f291...97e1.0
- /data/data/####/b27a225a4202a852076572db8a9abcc152326c21d9a5e5c....0.tmp
- /data/data/####/b350c0d36d7d7ec8e1f6e650e70ffe181e4e35a5f4a266b....0.tmp
- /data/data/####/b350c0d36d7d7ec8e1f6e650e70ffe181e4e35a5f4a266b...b8c2.0
- /data/data/####/b3a6571a133a40545a00c1106002ca502de7f27471a8514...7e4b.0
- /data/data/####/b9fb4ef6a9327512d8684a656cfae7022dd374c8f16d661...a18e.0
- /data/data/####/bugly_db_
- /data/data/####/bugly_db_-journal
- /data/data/####/bugly_last_us_up_tm
- /data/data/####/c5a4ad9719107d063b808bf609de385a72b67fc8fba5f0a....0.tmp
- /data/data/####/caa5610f3ba69cf3ad0d3a1958eda691.dex
- /data/data/####/caa5610f3ba69cf3ad0d3a1958eda691.dex.flock (deleted)
- /data/data/####/caa5610f3ba69cf3ad0d3a1958eda691.jar
- /data/data/####/ccabc51e3be72d1f42c9dd205cc41d23
- /data/data/####/ce069f53246b58141946a8701a3cd21a41d729628256e37...b71b.0
- /data/data/####/crashrecord.xml
- /data/data/####/crypto.KEY_256.xml
- /data/data/####/d8ff00970a34b9fdd3fa49b4cc10b815fffa3f5de4ad165....0.tmp
- /data/data/####/d8ff00970a34b9fdd3fa49b4cc10b815fffa3f5de4ad165...fcd0.0
- /data/data/####/daaaa27eab5fbc492993396dd5cd80c938a79ba53a37ee9...022f.0
- /data/data/####/dc9ae6e33748e39d3c00b4f3ff81622560eb3e2f2898aca...fc42.0
- /data/data/####/drpy2.min.js
- /data/data/####/drpy4.min.js
- /data/data/####/e9e492477ae97bccd9d0408a73b5e02e59161f055913ffe....0.tmp
- /data/data/####/e9e492477ae97bccd9d0408a73b5e02e59161f055913ffe...2ba0.0
- /data/data/####/ead6e4cd1e66c073b9d6d762cbb968ff884e0c1fcb42a43....0.tmp
- /data/data/####/ead6e4cd1e66c073b9d6d762cbb968ff884e0c1fcb42a43...b5fd.0
- /data/data/####/ed1da8479f5447dce81682978df5e8a24c4a33271088acf....0.tmp
- /data/data/####/ed1da8479f5447dce81682978df5e8a24c4a33271088acf...703f.0
- /data/data/####/edd8f38079183120490c1ab622b871bd86fd7da2d00e461...0db7.0
- /data/data/####/eeee8b44a88f4d074d90171d4df7a17c09e99e705b99355...9a2f.0
- /data/data/####/f01342bc15ccc03c38b43e536185e90c6860b167f11c61d....0.tmp
- /data/data/####/f0a12e438012700c47e8801aa5d8ecf1cd3f86b372cbea6...ae86.0
- /data/data/####/fbd08eeb21b866e80d453b7c292e340cfc1d4c1d0d83266....0.tmp
- /data/data/####/fbd08eeb21b866e80d453b7c292e340cfc1d4c1d0d83266...657a.0
- /data/data/####/fc0842ec87768d7ef3c66a34f559680f355f2b8311cc6ed....0.tmp
- /data/data/####/fc0842ec87768d7ef3c66a34f559680f355f2b8311cc6ed...1b38.0
- /data/data/####/gbk.js
- /data/data/####/hawk.kva
- /data/data/####/hawk.kvb
- /data/data/####/jinja.js
- /data/data/####/journal
- /data/data/####/jsencrypt.js
- /data/data/####/json5.js
- /data/data/####/libdecjni.so.tmpn5rbn6
- /data/data/####/libdecjni.v7.so
- /data/data/####/local_crash_lock
- /data/data/####/log10f152436391ea50b172b692d5da4a7d
- /data/data/####/log1f503db1cbe6dc5491fdb548e848f041
- /data/data/####/log549201851740037486634
- /data/data/####/log549201851740037501662
- /data/data/####/log549201851740037537467
- /data/data/####/log594d15d04c3433095a430656d9017897
- /data/data/####/log9f93d2b1382d4a8264f31c136988fd69
- /data/data/####/logcbf4ee182866d50bcd745d00b0f49491
- /data/data/####/logded626c99a51a3eb52d8421483377307
- /data/data/####/native_record_lock
- /data/data/####/native_record_lock (deleted)
- /data/data/####/node-rsa.js
- /data/data/####/okgo.db
- /data/data/####/okgo.db-journal
- /data/data/####/pako.min.js
- /data/data/####/plugin_file.name
- /data/data/####/proc_auxv
- /data/data/####/share_date.xml
- /data/data/####/share_date.xml.bak
- /data/data/####/spUtils.xml
- /data/data/####/tvbox.v3.db
- /data/data/####/tvbox.v3.db-journal
- /data/data/####/tvbox.v3.db.lck
- /data/data/####/模板.js
- /data/media/####/.config
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /proc/cpuinfo
- /system/bin/sh -c getprop
- cat /sys/class/net/eth0/address
- cat /sys/class/net/wlan0/address
- chmod 755 /data/user/0/<Package>/files/.kad
- chmod 777 /storage/emulated/0/TV/.config
- chmod 777 /storage/emulated/0/TVBox/.config
- getprop
- logcat -d -v threadtime
- sh
Loads the following dynamic libraries:
- libBugly_Native
- libconceal
- libdecjni.so
- libgit-platinum
- libijkffmpeg
- libijksdl
- libjp
- libmitv
- libplayer
- libquickjs-android-wrapper
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-ECB-PKCS5Padding
- RSA
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5PADDING
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-PKCS1Padding
- RSA-None-PKCS1Padding
Displays its own windows over windows of other apps.
Requests the system alert window permission.
Appears corrupted in a way typical for malicious files.
