Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.BankBot.Medusa.2.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) sonsson####.top:443
- TCP(HTTP/1.1) cac-####.digi####.com.####.net:80
- TCP(TLS/1.0) up####.wikim####.org:443
- TCP(TLS/1.0) c####.cloudf####.com:443
- TCP(TLS/1.0) cf-m####.l####.com.tr:443
- TCP(TLS/1.0) www.leq####.fr.####.net:443
- TCP(TLS/1.0) encrypt####.gst####.com:443
- TCP(TLS/1.0) sonsson####.top:443
- TCP(TLS/1.0) f####.google####.com:443
- TCP(TLS/1.0) ga####.f####.edu.tr:443
- TCP(TLS/1.0) cdn.tailwin####.com:443
- TCP(TLS/1.0) t####.me:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) i.hizlir####.com:443
- TCP(TLS/1.0) f####.habe####.com:443
- UDP f####.gst####.com:443
- UDP c####.cloudf####.com:443
- TCP t####.me:443
DNS requests:
- c####.cloudf####.com
- cac####.geot####.com
- cdn.tailwin####.com
- encrypt####.gst####.com
- f####.google####.com
- f####.gst####.com
- f####.habe####.com
- ga####.f####.edu.tr
- i.hizlir####.com
- med####.l####.com.tr
- sonsson####.top
- t####.me
- up####.wikim####.org
- www.leq####.fr
HTTP GET requests:
- cac-####.digi####.com.####.net/GeoTrustTLSRSACAG1.crt
- sonsson####.top:443/sk
File system changes:
Creates the following files:
- /app_webview/Default/####/000003.log
- /app_webview/Default/####/LOCK
- /app_webview/Default/####/LOG
- /app_webview/Default/####/MANIFEST-000001
- /app_webview/Default/Cookies
- /app_webview/Default/Web Data
- /app_webview/Default/Web Data-journal
- /app_webview/variations_seed_new
- /app_webview/webview_data.lock
- /data/data/####/.org.chromium.Chromium.BTMYua
- /data/data/####/.org.chromium.Chromium.JJAW0e (deleted)
- /data/data/####/000001.dbtmp
- /data/data/####/086a6aec9f082cca_0
- /data/data/####/1336a341e31cce29_0
- /data/data/####/3fd21818eb714ca5_0
- /data/data/####/52eeca6f4145f80f_0
- /data/data/####/6f033a623ebf4aa3_0
- /data/data/####/701c3d5a151be83f_0
- /data/data/####/7181d17b42086ecb_0
- /data/data/####/88d74504829c7916_0
- /data/data/####/BrowserMetrics-spare.pma
- /data/data/####/Cookies-journal
- /data/data/####/MANIFEST-000001
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/aa6e8867ea7183e9_0
- /data/data/####/b67dfe691449636c_0
- /data/data/####/b767c47d25d0b603_0
- /data/data/####/com.kaguvceqxxaokbtm.jsonwxxzfgwffkobe.xml
- /data/data/####/eae3b35e4f4fc58f_0
- /data/data/####/eb93046d955148ef_0
- /data/data/####/f23b591b1cf46e9f_0
- /data/data/####/f6ebafd557e1683d_0
- /data/data/####/fe319de484f8e59d_0
- /data/data/####/font_unique_name_table.pb
- /data/data/####/index
- /data/data/####/settings.dat
- /data/data/####/temp-index
- /data/data/####/the-real-index
- /data/data/####/variations_seed_new
- /data/data/####/variations_stamp
- /data/data/####/wy.json
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/su
Uses elevated priveleges.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Displays its own windows over windows of other apps.
Appears corrupted in a way typical for malicious files.
Attempts to detect sandbox environment.
Contains hidden alternative main activities.
