Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Triada.410.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) acc####.thefunn####.com:8100
- TCP(HTTP/1.1) www.nyt####.com:80
- TCP(HTTP/1.1) r####.android####.info:80
- TCP(TLS/1.0) digice####.rubicon####.com.####.net:443
- TCP(TLS/1.0) 2####.58.212.174:443
- TCP(TLS/1.0) ci####.nyt####.com:443
- TCP(TLS/1.0) wild####.m####.net.####.net:443
- TCP(TLS/1.0) acco####.go####.com:443
- TCP(TLS/1.0) p####.adsafep####.com:443
- TCP(TLS/1.0) p####.rubicon####.com:443
- TCP(TLS/1.0) meter####.gtm.nyt####.com:443
- TCP(TLS/1.0) con####.face####.net:443
- TCP(TLS/1.0) qsear####.akam####.net.####.net:443
- TCP(TLS/1.0) u####.o####.net:443
- TCP(TLS/1.0) sb.scoreca####.com.####.net:443
- TCP(TLS/1.0) wild####.cdn.optimi####.####.net:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) tpc.googles####.com:443
- TCP(TLS/1.0) l####.optimi####.com:443
- TCP(TLS/1.0) cdn.optimi####.com.####.net:443
- TCP(TLS/1.0) f####.wac.1####.####.net:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) st####.ads-twi####.com:443
- TCP(TLS/1.0) samizda####.gtm.nyt####.com:443
- TCP(TLS/1.0) p2.ke####.co:443
- TCP(TLS/1.0) cdn.optimi####.com:443
- TCP(TLS/1.0) et.nyt####.com:443
- TCP(TLS/1.0) ad.doublec####.net:443
- TCP(TLS/1.0) plat####.twi####.com:443
- TCP(TLS/1.0) js####.casalem####.com.####.net:443
- TCP(TLS/1.0) dc8xl0n####.cloudf####.net:443
- TCP(TLS/1.0) a.nyt####.com:443
- TCP(TLS/1.0) cm.g.doublec####.net:443
- TCP(TLS/1.0) pag####.googles####.com:443
- TCP(TLS/1.0) t####.rubicon####.com:443
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) www.googlet####.com:443
- TCP(TLS/1.0) bs.eyebla####.ak####.net:443
- TCP(TLS/1.0) c.amazon-####.com:443
- TCP(TLS/1.0) g.geo####.com:443
- TCP(TLS/1.0) eus.rubicon####.com.####.net:443
- TCP(TLS/1.0) securep####.g.doublec####.net:443
- TCP(TLS/1.0) www.nyt####.com:443
DNS requests:
- a.nyt####.com
- a1.n####.com
- a301311####.cdn.optimi####.com
- acc####.thefunn####.com
- acco####.go####.com
- ad.doublec####.net
- bs.serving####.com
- c####.optimi####.com
- c.amazon-####.com
- cdn.optimi####.com
- ci####.nyt####.com
- cm.g.doublec####.net
- con####.face####.net
- contex####.m####.net
- cs.m####.net
- dc8xl0n####.cloudf####.net
- et.nyt####.com
- eus.rubicon####.com
- f####.f####.net
- f####.gst####.com
- ib.a####.com
- js####.ind####.com
- l####.optimi####.com
- loading####.mids####.info
- meter####.nyt####.com
- mo####.nyt####.com
- p####.adsafep####.com
- p####.rubicon####.com
- p2.ke####.co
- pag####.googles####.com
- plat####.twi####.com
- qsear####.akam####.net
- r####.android####.info
- samizda####.nyt####.com
- sb.scoreca####.com
- secure-####.rubicon####.com
- securep####.g.doublec####.net
- ssl.gst####.com
- st####.ads-twi####.com
- stat####.nyt.com
- t####.rubicon####.com
- tpc.googles####.com
- u####.o####.net
- www.go####.com
- www.googlet####.com
- www.googlet####.com
- www.gst####.com
- www.nyt####.com
HTTP GET requests:
- www.nyt####.com/
HTTP POST requests:
- acc####.thefunn####.com:8100/Update/dystat
- acc####.thefunn####.com:8100/Update/packageLogByType
- acc####.thefunn####.com:8100/Update/packageManageUpdate
- r####.android####.info/api/dystat
Modified file system:
Creates the following files:
- /data/data/####/12864742
- /data/data/####/classes.dex
- /data/data/####/com.readygo.empty_preferences.xml
- /data/data/####/config.xml
- /data/data/####/error
- /data/data/####/errorold
- /data/data/####/libnativeUtil.so
- /data/data/####/log.xml
- /data/data/####/module_cache.xml
- /data/data/####/runtime
- /data/data/####/source.zip
- /data/media/####/pureSdk
Miscellaneous:
Loads the following dynamic libraries:
- nativeUtil
Uses the following algorithms to encrypt data:
- DES
Uses the following algorithms to decrypt data:
- DES
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Adds tasks to the system scheduler.
