Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Banker.Mamont.199.origin
Sends data of incoming SMS to a remote host.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 1####.221.200.242:8080
- TCP(HTTP/1.1) 5.42.1####.214:80
- TCP(TLS/1.0) px.ad####.net:443
- TCP(TLS/1.0) t####.ru:443
- TCP(TLS/1.0) api.min####.ru:443
- TCP(TLS/1.0) www.fri####.ru:443
- TCP(TLS/1.0) ed####.me.g####.com:443
- TCP(TLS/1.0) mc.ya####.ru:443
- TCP(TLS/1.0) v####.com:443
- TCP(TLS/1.0) www.ar####.com:443
- TCP(TLS/1.0) k5####.ru:443
- TCP(TLS/1.0) pay.ya####.ru:443
- TCP(TLS/1.0) 8203d5f####.se####.net:443
- TCP(TLS/1.0) st####.turbota####.io:443
- TCP(TLS/1.0) clients####.google####.com:443
- TCP(TLS/1.0) st.to####.ru:443
- TCP(TLS/1.0) top-####.m####.ru:443
- TCP(TLS/1.0) t####.sol####.ru:443
- TCP(TLS/1.0) cdn.digine####.net:443
DNS requests:
- 8203d5f####.se####.net
- api.min####.ru
- cdn.digine####.net
- clients####.google####.com
- ed####.me.g####.com
- k5####.ru
- mc.ya####.ru
- pay.ya####.ru
- px.ad####.net
- st####.turbota####.io
- st.to####.ru
- t####.ru
- t####.sol####.ru
- top-####.m####.ru
- up####.google####.com
- v####.com
- wi####.fri####.ru
- www.ar####.com
- www.fri####.ru
HTTP GET requests:
- 5.42.1####.214/api/cfg/7cce590557bfd15669b98db6578d8fd6
- 5.42.1####.214/api/v2/cmd/swvnQflUl2ZtotOLtk6gBIpHc2gLwd55?key=####
HTTP POST requests:
- 1####.221.200.242:8080/log
- 1####.221.200.242:8080/ping
- 5.42.1####.214/api/v2/ping
- 5.42.1####.214/api/v2/register
File system changes:
Creates the following files:
- /app_webview/Default/####/000003.log
- /app_webview/Default/####/LOCK
- /app_webview/Default/####/LOG
- /app_webview/Default/####/MANIFEST-000001
- /app_webview/Default/Cookies
- /app_webview/Default/Web Data
- /app_webview/Default/Web Data-journal
- /app_webview/webview_data.lock
- /cache/WebView/####/50b14d52688f1d36_0
- /data/data/####/.org.chromium.Chromium.Rzig11
- /data/data/####/.org.chromium.Chromium.jD9BXn
- /data/data/####/000001.dbtmp
- /data/data/####/0708d7b9a6a288f3_0
- /data/data/####/15651b3c1592329a_0
- /data/data/####/174e9e74c34a8c7f_0
- /data/data/####/1807c189834472a4_0
- /data/data/####/18a71fdbbf987f42_0
- /data/data/####/1bc79277b30b3201_0
- /data/data/####/1d7c82d384ce5a83_0
- /data/data/####/1f20213af526ccff_0
- /data/data/####/2944ee8c86abdf08_0
- /data/data/####/35df4af587e1c3ce_0
- /data/data/####/3676a96bb6c1287d_0
- /data/data/####/36f958c70ea20a17_0
- /data/data/####/3963fc7418187a22_0
- /data/data/####/39a121ad0a7940d7_0
- /data/data/####/3e92a3f52abde7b4_0
- /data/data/####/3fb69f9d4a0df6f7_0
- /data/data/####/473efa6f8a241c87_0
- /data/data/####/48b45d259a3ea87f_0
- /data/data/####/546c15e30e47d4cc_0
- /data/data/####/551fb50bdb0b34f7_0
- /data/data/####/553368eedf658c54_0
- /data/data/####/554dbf90374560d2_0
- /data/data/####/59dc9f9ad9c1a38f_0
- /data/data/####/5be6ff3dd954b99e_0
- /data/data/####/640f61f6cb846dfc_0
- /data/data/####/646d4cbf61842b75_0
- /data/data/####/656145666e6f0764_0
- /data/data/####/67ed629b206e1e5d_0
- /data/data/####/68cb6aec7d43bda6_0
- /data/data/####/750c9ac410c87bbd_0
- /data/data/####/7b8eb31059c2edbc_0
- /data/data/####/7ee4d650090ce8cd_0
- /data/data/####/800c50bfeb63a515_0
- /data/data/####/9825e6c5a23e0ded_0
- /data/data/####/9a235d003dfffaf2_0
- /data/data/####/9b7b78dabd79edcf_0
- /data/data/####/CURRENT
- /data/data/####/Cookies-journal
- /data/data/####/MANIFEST-000001
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/a2d0834ace81d6ff_0
- /data/data/####/a9aca6ddf25003fa_0
- /data/data/####/ab42f43abfdbd0ed_0
- /data/data/####/ae60b5d476acb5bb_0
- /data/data/####/app_config.xml
- /data/data/####/b4ff88add07f5593_0
- /data/data/####/b847bf7145f62751_0
- /data/data/####/bbcee6e3b042777e_0
- /data/data/####/c0682a72b17a0153_0
- /data/data/####/c308047f01acccd4_0
- /data/data/####/c41ded537b7000d4_0
- /data/data/####/c51f582a38cd89db_0
- /data/data/####/c63542d80d615522_0
- /data/data/####/c954f13551517709_0
- /data/data/####/cccd0181747bde50_0
- /data/data/####/d03ccc19f06016b4_0
- /data/data/####/d157db4233b289fc_0
- /data/data/####/d257a76212f344a8_0
- /data/data/####/d32fddc0f992ffc8_0
- /data/data/####/d647b22be4d1f894_0
- /data/data/####/d9ef58bc3603c9f1_0
- /data/data/####/deab9b061d766625_0
- /data/data/####/device_prefs.xml
- /data/data/####/e5bb4647d94279c1_0
- /data/data/####/ec95c8bf3c5afb23_0
- /data/data/####/f50fb2bbf4e91783_0
- /data/data/####/font_unique_name_table.pb
- /data/data/####/geo_state.dat
- /data/data/####/index
- /data/data/####/jxVLG.jsa.cur.prof
- /data/data/####/jxVLG.jsa.tmp
- /data/data/####/jxVLG.vdex
- /data/data/####/settings.dat
- /data/data/####/temp-index
- /data/data/####/the-real-index
- /data/data/####/todelete_3d69ff196904abfa_0_1 (deleted)
- /data/data/####/todelete_5561b9236005bba3_0_1 (deleted)
- /data/data/####/variations_seed_new
- /data/data/####/variations_stamp
Miscellaneous:
Displays its own windows over windows of other apps.
Gets information about sent/received SMS.
Appears corrupted in a way typical for malicious files.
