Android.Triada.4494

Added to the Dr.Web virus database: 2019-12-06

Technical information

Malicious functions:
Executes code of the following detected threats:
  • Android.Triada.483.origin
Network activity:
Connects to:
  • UDP(DNS) <Google DNS>
  • TCP(HTTP/1.1) de.gtp.xy####.com:8844
  • TCP(HTTP/1.1) cdn.info####.me:80
  • TCP(HTTP/1.1) gd.a.s####.com:80
  • TCP(HTTP/1.1) s####.jom####.com:80
  • TCP(HTTP/1.1) ff.s####.com:8080
  • TCP(HTTP/1.1) p####.api.adoc####.com:80
  • TCP(HTTP/1.1) wap.e####.cn:80
  • TCP(HTTP/1.1) d####.c####.l####.####.com:80
  • TCP(HTTP/1.1) p.rqco####.com:8806
  • TCP(HTTP/1.1) ad.yf####.com:8088
  • TCP(HTTP/1.1) s####.al####.com:80
  • TCP(HTTP/1.1) 1####.75.92.94:80
  • TCP(HTTP/1.1) i####.u####.cn:80
  • TCP(HTTP/1.1) 1####.75.90.218:80
  • TCP(HTTP/1.1) a####.caiji####.com:80
  • TCP(HTTP/1.1) u####.a####.top:80
  • TCP(HTTP/1.1) api.liyan####.com:808
  • TCP(HTTP/1.1) a.bjsd####.com:80
  • TCP(HTTP/1.1) a####.w####.com:80
  • TCP(HTTP/1.1) f####.caiji####.com:80
  • TCP(HTTP/1.1) j####.g####.vip:80
  • TCP(HTTP/1.1) 47.1####.59.53:900
  • TCP(HTTP/1.1) ad.qia####.com:80
  • TCP(HTTP/1.1) ad.smudge####.com:8986
  • TCP(HTTP/1.1) pco####.ta####.com:80
  • TCP(HTTP/1.1) m.xiaoshu####.cn:80
  • TCP(HTTP/1.1) www.78####.cc:80
  • TCP(HTTP/1.1) bag.sdk.a####.####.com:80
  • TCP(HTTP/1.1) wap.xb####.com:80
  • TCP(HTTP/1.1) 614.a####.top:80
  • TCP(HTTP/1.1) yq####.jn####.ltd:80
  • TCP(HTTP/1.1) c####.z####.net:80
  • TCP(HTTP/1.1) yun.b####.com:80
  • TCP(HTTP/1.1) php.sho####.com:80
  • TCP(HTTP/1.1) pg####.d2####.com:10273
  • TCP(HTTP/1.1) api.yunco####.com:80
  • TCP(HTTP/1.1) ad.w####.com:80
  • TCP(HTTP/1.1) wap.78####.cc:80
  • TCP(HTTP/1.1) 1713464####.cn-hang####.fc.####.com:80
  • TCP(HTTP/1.1) u50.gt####.cn:8700
  • TCP(HTTP/1.1) gm.mm####.com:80
  • TCP(HTTP/1.1) 47.1####.185.46:80
  • TCP(HTTP/1.1) api.lubang####.com:80
  • TCP(HTTP/1.1) log.sho####.com:80
  • TCP(HTTP/1.1) a.78####.cc:80
  • TCP(HTTP/1.1) z.c####.com:80
  • TCP(HTTP/1.1) api####.tiantia####.com:80
  • TCP(HTTP/1.1) pt.kg####.cn.####.com:80
  • TCP(HTTP/1.1) co####.ssp.adoc####.com:80
  • TCP(HTTP/1.1) t####.a####.top:80
  • TCP(HTTP/1.1) cpd.ohyeah####.com:80
  • TCP(HTTP/1.1) down####.baiyuns####.com:80
  • TCP(HTTP/1.1) api.s####.xin:80
  • TCP(HTTP/1.1) v.sho####.com:80
  • TCP(HTTP/1.1) s.ip####.com:8071
  • TCP(HTTP/1.1) api.adoc####.com:80
  • TCP(HTTP/1.1) r.ip####.com:8071
  • TCP(HTTP/1.1) s2.z####.cn:80
  • TCP(HTTP/1.1) log.gtp.xy####.com:80
  • TCP(HTTP/1.1) vvv.focusd####.cn:80
  • TCP(HTTP/1.1) 61.1####.215.228:80
  • TCP(HTTP/1.1) tt####.vni####.com:20147
  • TCP(HTTP/1.1) d####.wos####.com:80
  • TCP(HTTP/1.1) c.c####.com:80
  • TCP(HTTP/1.1) api.gug####.com:8935
  • TCP(HTTP/1.1) p####.caiji####.com:80
  • TCP(HTTP/1.1) dl.u####.cn:8880
  • TCP(HTTP/1.1) i.ip####.com:8071
  • TCP(HTTP/1.1) 47.1####.211.73:80
  • TCP(HTTP/1.1) app.a####.top:80
  • TCP(HTTP/1.1) e4####.0r####.com:10293
  • TCP(HTTP/1.1) h.w####.com:80
  • UDP(NTP) 2.and####.p####.####.org:123
  • TCP(SSL/3.0) p####.ou####.com:4433
  • TCP(TLS/1.0) av1.x####.com:443
  • TCP(TLS/1.0) 614.a####.top:443
  • TCP(TLS/1.0) mvo.jh####.xyz:443
  • TCP(TLS/1.0) mvo.y####.xyz:443
  • TCP(TLS/1.0) pt.kg####.cn.####.com:443
  • TCP(TLS/1.0) a####.d####.com:443
  • TCP(TLS/1.0) www.google-####.com:443
  • TCP(TLS/1.0) log.mm####.com:443
  • TCP(TLS/1.0) et2.wagbr####.adverti####.####.com:443
  • TCP(TLS/1.0) gd.a.s####.com:443
  • TCP(TLS/1.0) p####.ou####.com:4433
  • TCP(TLS/1.0) www.j####.com:443
  • TCP(TLS/1.0) c.fw####.com:8888
  • TCP(TLS/1.0) api.g####.vip:443
  • TCP(TLS/1.0) m####.0511####.com:443
  • TCP(TLS/1.0) c####.x####.com.####.com:443
  • TCP(TLS/1.0) vz.yun####.com.####.com:443
  • TCP(TLS/1.0) cd.j####.cn:443
  • TCP(TLS/1.0) s####.d####.com:443
  • TCP(TLS/1.0) na61-####.wagbr####.ali####.####.com:443
  • TCP(TLS/1.0) st3.wagbr####.adverti####.####.com:443
  • TCP(TLS/1.0) c.c####.com:443
  • TCP(TLS/1.0) hm.b####.com:443
  • TCP(TLS/1.0) s####.al####.com:443
  • TCP(TLS/1.0) sdk.a####.uu####.com:443
  • TCP(TLS/1.0) up.clsc####.com:443
  • TCP(TLS/1.0) i####.d####.com:443
  • TCP(TLS/1.0) api.info####.me:443
  • TCP(TLS/1.0) m.6####.cn:443
  • TCP(TLS/1.0) ad1.azh####.com:9190
  • TCP(TLS/1.0) g.al####.com:443
DNS requests:
  • 2.and####.p####.####.org
  • 4s####.8c####.com
  • 614.a####.top
  • a####.caiji####.com
  • a####.d####.com
  • a####.m.sm.cn
  • a####.w####.com
  • a.78####.cc
  • a.bjsd####.com
  • ad.qia####.com
  • ad.smudge####.com
  • ad.w####.com
  • ad.yf####.com
  • ad1.azh####.com
  • ad3.azh####.com
  • api####.tiantia####.com
  • api.adoc####.com
  • api.free####.xin
  • api.g####.vip
  • api.gug####.com
  • api.info####.me
  • api.liyan####.com
  • api.lubang####.com
  • api.s####.b####.com
  • api.s####.xin
  • api.yunco####.com
  • app.a####.top
  • av1.x####.com
  • bag.sdk.a####.####.com
  • c####.mm####.com
  • c####.s####.com
  • c####.x####.com
  • c####.z####.net
  • c.c####.com
  • c.fw####.com
  • cd.j####.cn
  • cdn.info####.me
  • co####.ssp.adoc####.com
  • cpd.ohyeah####.com
  • d####.wos####.com
  • d####.yo####.com
  • d.sho####.com
  • d1.sho####.com
  • de.gtp.xy####.com
  • dl.u####.cn
  • down####.baiyuns####.com
  • e4####.0r####.com
  • f####.caiji####.com
  • f.qia####.com
  • ff.s####.com
  • fou####.ta####.com
  • g.al####.com
  • h####.c####.com
  • h.w####.com
  • hm.b####.com
  • i####.d####.com
  • i####.u####.cn
  • i.ip####.com
  • j####.g####.vip
  • k####.caiji####.com
  • kou####.a####.top
  • l####.m.sm.cn
  • lg.ca####.com
  • log.gtp.xy####.com
  • log.mm####.com
  • log.sho####.com
  • m####.0511####.com
  • m.6####.cn
  • m.xiaoshu####.cn
  • mao.r####.cn
  • moo.r####.cn
  • mvo.jh####.xyz
  • mvo.y####.xyz
  • p####.api.adoc####.com
  • p####.caiji####.com
  • p####.ou####.com
  • p####.zhanz####.b####.com
  • p.rqco####.com
  • pco####.c####.com
  • pco####.sm.cn
  • pg####.d2####.com
  • php.sho####.com
  • pt.kg####.cn
  • pv.s####.com
  • r.ip####.com
  • res####.a####.top
  • s####.al####.com
  • s####.d####.com
  • s####.m.sm.cn
  • s.ip####.com
  • s2.z####.cn
  • s22.c####.com
  • s96.c####.com
  • sdk.a####.uu####.com
  • t####.a####.top
  • tt####.vni####.com
  • u####.a####.top
  • u50.gt####.cn
  • up.clsc####.com
  • v.sho####.com
  • vvv.focusd####.cn
  • vz.yun####.com
  • wap.78####.cc
  • wap.e####.cn
  • wap.inpetus####.com
  • wap.xb####.com
  • www.78####.cc
  • www.google-####.com
  • www.j####.com
  • www.na####.cn
  • wz.78####.cc
  • y####.m.sm.cn
  • yq####.jn####.ltd
  • yun.b####.com
  • z1.c####.com
  • z12.c####.com
  • z2.c####.com
  • z3.c####.com
  • z6.c####.com
  • z9.c####.com
HTTP GET requests:
  • 1713464####.cn-hang####.fc.####.com/lg/?lg="0E"55si"55"4F"55hsobuXtcl"55...
  • 1713464####.cn-hang####.fc.####.com/lg/?lg="0E"55si"55"4F"55khfcbu"55"5D...
  • 61.1####.215.228/filter_control_614.json
  • 614.a####.top/controlup614.json
  • 614.a####.top/sdk11.png
  • 614.a####.top/sdk12.png
  • 614.a####.top/sdk13_4.png
  • 614.a####.top/sdk15.png
  • 614.a####.top/sdk17.png
  • 614.a####.top/sdk18.png
  • 614.a####.top/sdk2.png
  • 614.a####.top/sdk23_1.png
  • 614.a####.top/sdk3.png
  • 614.a####.top/sdk5_2.png
  • 614.a####.top/sdk7.png
  • 614.a####.top/sdk9.png
  • a####.caiji####.com/a/asdf?cnl=####&vv=####&vv2=####&aid=####&sid=####&d...
  • a####.caiji####.com/u1/uuuu?cnl=####&vv=####&imei=####&imsi=####&mac=###...
  • a.78####.cc/index/upapp/app_datas?upapp_id=####&imei=####&channel_id=####
  • ad.w####.com/Error.aspx?aspxerrorpath=####
  • api.adoc####.com/ssp/mgm/task?taskId=####&ip=####
  • api.adoc####.com/titan/monitor/device_info
  • app.a####.top/app614.json
  • c####.z####.net/v.js?m/ZHKKhhdNtR1UM64ttorWuLYwOWdWvTCDmHsjq4Yfw=####
  • c.c####.com/core.php?web_id=####&t=####
  • c.c####.com/z_stat.php?id=####
  • cdn.info####.me/files/6c45a613bd2246430bc352de8bd5a2dd
  • cdn.info####.me/files/7669a18a4777d89d77d88a2c45deead1
  • co####.ssp.adoc####.com/api/v2/SDKCommonConfig?channelCode=####&version=...
  • co####.ssp.adoc####.com/api/v2/mgmConfig?channelCode=####&version=####
  • co####.ssp.adoc####.com/api/v2/mgmWebviewRatioConfig?channelCode=####&ve...
  • cpd.ohyeah####.com/APKData/GetList?APILevel=18&AndroidId=c159657daa50349...
  • d####.c####.l####.####.com/TTT021_018.y
  • d####.c####.l####.####.com/api.jar
  • d####.c####.l####.####.com/lijian.jar
  • d####.wos####.com/upload/csaa.jsp?a=####&b=####&c=####&d=####&e=####&f=#...
  • dl.u####.cn:8880/201908/2QI9R1566987709.jar?ver=####&md5=####
  • down####.baiyuns####.com/cy.js
  • down####.baiyuns####.com/jquery.min.js
  • f####.caiji####.com/v1/cc/mobile?brand=####&model=####&andid=####&andv=#...
  • ff.s####.com:8080/ttad/api/jv5/ipkYjXUqPXLbo2wJuiygGA==/c159657daa503498...
  • gd.a.s####.com/cityjson
  • gd.a.s####.com/cityjson?ie=####
  • gm.mm####.com/9.gif?abc=####&rnd=####
  • i####.u####.cn/10936021319605157604.jpg?id=####&from=####
  • i####.u####.cn/11224045805727790193.jpg?id=####&from=####
  • i####.u####.cn/13182047689384202598.jpg?id=####&from=####
  • i####.u####.cn/13261172953709138387.jpg?id=####&from=####
  • i####.u####.cn/14082037559419740436.jpg?id=####&from=####
  • i####.u####.cn/15328086582881015104.jpg?id=####&from=####
  • i####.u####.cn/17964173102595831123.jpg?id=####&from=####
  • i####.u####.cn/2068781571663704705.jpg?id=####&from=####
  • i####.u####.cn/2184730116121943462.jpg?id=####&from=####
  • i####.u####.cn/4372961763312761706.jpg?id=####&from=####
  • i####.u####.cn/4885641118192167215.jpg?id=####&from=####
  • i####.u####.cn/6513782944573935428.jpg?id=####&from=####
  • i####.u####.cn/6663407442113016156.jpg?id=####&from=####
  • i####.u####.cn/7249373329243366857.jpg?id=####&from=####
  • i####.u####.cn/7461991887356462693.jpg?id=####&from=####
  • j####.g####.vip/ggx.js
  • j####.g####.vip/xb.js
  • j####.g####.vip/xs240.js
  • m.xiaoshu####.cn/mbook_images/header-back.gif
  • m.xiaoshu####.cn/mbook_images/header-backhome.gif
  • m.xiaoshu####.cn/mbook_js/common.js
  • m.xiaoshu####.cn/mbook_js/index.js
  • m.xiaoshu####.cn/mbook_js/read.js
  • m.xiaoshu####.cn/mbook_js/yuedu.js
  • m.xiaoshu####.cn/mbook_js/zepto.min.js
  • m.xiaoshu####.cn/mbxs240/17747/67_1.html
  • m.xiaoshu####.cn/mbxs240/2589/916_1.html
  • p####.api.adoc####.com/ip
  • p.rqco####.com:8806/c/1575377083829
  • pco####.ta####.com/app.gif?&cna=####
  • pt.kg####.cn.####.com/sc/animate.min.css
  • pt.kg####.cn.####.com/smSearchS2.min.js
  • pt.kg####.cn.####.com/yy/chclose.png
  • s####.al####.com/L1/272/6837/static/wap/img/uc-32.png
  • s####.al####.com/L1/272/6837/static/wap/img/uc.png
  • s####.jom####.com/push.js
  • s####.jom####.com/s.gif?r=####&l=####
  • s2.z####.cn/ims?kt=####&at=####&key=aHR####&sign=yx####&tv=####&x####
  • t####.a####.top/channl_haoqi1.png
  • t####.a####.top/e/20191108171457b_600017_v61.enc
  • t####.a####.top/kouling.json
  • t####.a####.top/req.json
  • u####.a####.top/614.html
  • u50.gt####.cn:8700/adloader/Json/Advert?pid=####&callback=####&platform=...
  • u50.gt####.cn:8700/adloader/Json/Link?pid=####&aid=####&ce=####&callback...
  • vvv.focusd####.cn/ad/v1/log.action?action=v_initial&package=<Package>&ch...
  • wap.78####.cc/api/cn/1
  • wap.e####.cn/c.php?s=Jnpvb####&p=aj0wJ####&srccpv=####
  • wap.xb####.com/mbook_images/header-back.gif
  • wap.xb####.com/mbook_images/header-backhome.gif
  • wap.xb####.com/mbook_js/common.js
  • wap.xb####.com/mbook_js/index.js
  • wap.xb####.com/mbook_js/read.js
  • wap.xb####.com/mbook_js/yuedu.js
  • wap.xb####.com/mbook_js/zepto.min.js
  • wap.xb####.com/mbquanben_17740/201_1.html
  • wap.xb####.com/mbquanben_9627/173_1.html
  • www.78####.cc/index/backend/pro_count?event_id=####&channel_id=####&proj...
  • www.78####.cc/index/limit/getLimit?channel=####&project=####
  • www.78####.cc/index/project/project_status?action=####
  • yq####.jn####.ltd/sy/fdvdar
  • yq####.jn####.ltd/zz/401jkmhjhwy.zip
  • yun.b####.com/pw/636a6d6f62.jpg
  • yun.b####.com/pw/666f72627974.jpg
  • yun.b####.com/pw/765f73646b.jpg
  • yun.b####.com/tz/6173.jpg
  • yun.b####.com/xtz/1579072131.ico
  • z.c####.com/stat.htm?id=####&cnzz_eid=####
  • z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
HTTP POST requests:
  • a####.w####.com/rest/pt
  • a.bjsd####.com/index.php?r=####
  • ad.qia####.com//api/2io82K
  • ad.qia####.com//api/8VbeIo
  • ad.qia####.com//api/Ddgv3VE
  • ad.qia####.com//api/Mny1OOW3
  • ad.qia####.com//api/QTnLukEdO1
  • ad.qia####.com//api/SEEzevU1
  • ad.qia####.com//api/SJoGF44Q
  • ad.qia####.com//api/SVFUp6
  • ad.qia####.com//api/voEYG7
  • ad.smudge####.com:8986/api/5/detail?businessId=####&token=####&timestamp...
  • ad.w####.com/api.htm?pid=####
  • ad.yf####.com:8088/ad/tk?aid=####&time=####
  • api####.tiantia####.com/ads
  • api.gug####.com:8935/
  • api.liyan####.com:808/get/api
  • api.lubang####.com/domain.php
  • api.lubang####.com/srp.php
  • api.s####.xin/log/if0
  • api.s####.xin/log/p02
  • api.yunco####.com/service/rest
  • bag.sdk.a####.####.com/v1/bag/monitor
  • d####.wos####.com/upload/event2.jsp
  • d####.wos####.com/upload/event9.jsp
  • d####.wos####.com/upload/longheartbeat.jsp
  • d####.wos####.com/upload/shortheartbeat.jsp
  • de.gtp.xy####.com:8844/Device/info/
  • de.gtp.xy####.com:8844/favicon.ico
  • de.gtp.xy####.com:8844/i?ts=####
  • e4####.0r####.com:10293/widlth/
  • h.w####.com/api/Gu5wT0Z
  • i.ip####.com:8071/5/1510864978/1
  • i.ip####.com:8071/5/1510864978/2
  • log.gtp.xy####.com/sdk
  • log.sho####.com/index.php?r=####
  • log.sho####.com/index.php?r=####&uid=####&tm=####&model=####&density=###...
  • p####.caiji####.com/klv2/sdkkl/mobile
  • p.rqco####.com:8806/p/1575377085440
  • p.rqco####.com:8806/t/1575377089255
  • p.rqco####.com:8806/t/1575377089524
  • p.rqco####.com:8806/t/1575377090205
  • p.rqco####.com:8806/t/1575377090608
  • p.rqco####.com:8806/t/1575377091352
  • p.rqco####.com:8806/t/1575377092194
  • p.rqco####.com:8806/t/1575377094637
  • p.rqco####.com:8806/t/1575377094938
  • p.rqco####.com:8806/t/1575377096720
  • p.rqco####.com:8806/t/1575377096961
  • p.rqco####.com:8806/t/1575377098219
  • p.rqco####.com:8806/t/1575377098520
  • p.rqco####.com:8806/t/1575377099193
  • p.rqco####.com:8806/t/1575377099446
  • p.rqco####.com:8806/t/1575377100145
  • p.rqco####.com:8806/t/1575377100416
  • p.rqco####.com:8806/t/1575377101652
  • p.rqco####.com:8806/t/1575377101919
  • p.rqco####.com:8806/t/1575377103437
  • p.rqco####.com:8806/t/1575377103682
  • p.rqco####.com:8806/t/1575377104428
  • p.rqco####.com:8806/t/1575377106556
  • p.rqco####.com:8806/t/1575377107227
  • p.rqco####.com:8806/t/1575377107517
  • p.rqco####.com:8806/t/1575377108408
  • p.rqco####.com:8806/t/1575377108673
  • p.rqco####.com:8806/t/1575377110607
  • p.rqco####.com:8806/t/1575377110853
  • p.rqco####.com:8806/t/1575377111963
  • p.rqco####.com:8806/t/1575377112205
  • pg####.d2####.com:10273/dvjnzt/
  • pg####.d2####.com:10273/rnggno/
  • pg####.d2####.com:10273/tzvntp/
  • php.sho####.com/index.php?r=####
  • r.ip####.com:8071/5/163832107/2
  • s.ip####.com:8071/5/3562354862/1
  • tt####.vni####.com:20147/dijc1v/
  • v.sho####.com/index.php?r=####
  • www.78####.cc/index/backend/pro_data
File system changes:
Creates the following files:
  • /data/data/####/.3WN9
  • /data/data/####/.5TE4.xml
  • /data/data/####/.6173.apk
  • /data/data/####/.636a6d6f62.apk
  • /data/data/####/.666f72627974.apk
  • /data/data/####/.765f73646b.apk
  • /data/data/####/.J1_v.xml
  • /data/data/####/.__mob_ad_data.xml
  • /data/data/####/.ef0b4ddacc046d054f437ba0af966623
  • /data/data/####/.fKSra
  • /data/data/####/.fKSra.zip
  • /data/data/####/.xml
  • /data/data/####/0000210291
  • /data/data/####/1575377108172_2216
  • /data/data/####/1575377108349_2216
  • /data/data/####/1575377108384_2216
  • /data/data/####/1575377108483_2216
  • /data/data/####/1575377108549_2216
  • /data/data/####/1575377109025_2216
  • /data/data/####/1575377111470_2216
  • /data/data/####/1635348753.jar
  • /data/data/####/1s.jar
  • /data/data/####/2a02b077baa09b3b178b64e03536627e.xml
  • /data/data/####/44367F39739CCD6BBF960E91E7DB78B2.xml
  • /data/data/####/4B8DB6B83129A65A2EF4DCFC1393C3B0.xml
  • /data/data/####/6901029832
  • /data/data/####/6c45a613bd2246430bc352de8bd5a2dd
  • /data/data/####/8EAD111D030291821E19A80E344C340A.xml
  • /data/data/####/9618302918.xml
  • /data/data/####/ApplicationCache.db-journal
  • /data/data/####/Archimedes_p1
  • /data/data/####/Archimedes_p2
  • /data/data/####/Archimedes_p3
  • /data/data/####/Archimedes_p4
  • /data/data/####/Archimedes_p5
  • /data/data/####/IM.xml
  • /data/data/####/TD_app_pefercen_profile.xml
  • /data/data/####/TDpref_cloudcontrol1.xml
  • /data/data/####/TDpref_longtime.xml
  • /data/data/####/TDpref_longtime0.xml
  • /data/data/####/UlNTUExDT1VOVExZU1RPUkUA.xml
  • /data/data/####/WSsTRq.data-journal
  • /data/data/####/XkdjsIx132mMskey1.xml
  • /data/data/####/XkdjsIx132mMtasks.xml
  • /data/data/####/Y2pzbW9ib25zcA.xml
  • /data/data/####/_p.xml
  • /data/data/####/_sh.xml
  • /data/data/####/adcfg.xml
  • /data/data/####/ahq_spu_ti.xml
  • /data/data/####/al_lcom.qlz.ulg.xml
  • /data/data/####/api.jar
  • /data/data/####/app.com.lhyy.dadishus.xml
  • /data/data/####/app.manager-journal
  • /data/data/####/app_com_lhyy_dadishus.txt
  • /data/data/####/atai.jar
  • /data/data/####/bfb0e63a6c4e352158be3df98d18dae5.xml
  • /data/data/####/c3BjanNjZmdzd3Q.xml
  • /data/data/####/config.service.xml
  • /data/data/####/countIp.xml
  • /data/data/####/data.zip
  • /data/data/####/data_0
  • /data/data/####/data_1
  • /data/data/####/data_2
  • /data/data/####/data_3
  • /data/data/####/ddfsfwo.data-journal
  • /data/data/####/download.info
  • /data/data/####/download.tmp
  • /data/data/####/dwBYC.data-journal
  • /data/data/####/dwssedjb.data-journal
  • /data/data/####/dwwesGGb.data-journal
  • /data/data/####/dwwsdws.data-journal
  • /data/data/####/f_000001
  • /data/data/####/f_000002
  • /data/data/####/f_000003
  • /data/data/####/f_000004
  • /data/data/####/f_000005
  • /data/data/####/f_000006
  • /data/data/####/f_000007
  • /data/data/####/f_000008
  • /data/data/####/f_000009
  • /data/data/####/f_00000a
  • /data/data/####/f_00000b
  • /data/data/####/f_00000c
  • /data/data/####/f_00000d
  • /data/data/####/f_00000e
  • /data/data/####/f_00000f
  • /data/data/####/f_000010
  • /data/data/####/f_000011
  • /data/data/####/f_000012
  • /data/data/####/f_000013
  • /data/data/####/f_000014
  • /data/data/####/f_000015
  • /data/data/####/f_000016
  • /data/data/####/f_000017
  • /data/data/####/f_000018
  • /data/data/####/f_000019
  • /data/data/####/f_00001a
  • /data/data/####/f_00001b
  • /data/data/####/f_00001c
  • /data/data/####/f_00001d
  • /data/data/####/f_00001e
  • /data/data/####/f_00001f
  • /data/data/####/f_000020
  • /data/data/####/f_000021
  • /data/data/####/f_000022
  • /data/data/####/f_000023
  • /data/data/####/f_000024
  • /data/data/####/f_000025
  • /data/data/####/f_000026
  • /data/data/####/f_000027
  • /data/data/####/fwaqsdf.xml
  • /data/data/####/fwsaefrf.data-journal
  • /data/data/####/gameid
  • /data/data/####/gameid.zip
  • /data/data/####/globalParamFile.xml
  • /data/data/####/hhq_spu_ti.xml
  • /data/data/####/hxdata.xml
  • /data/data/####/im.database.ad-journal
  • /data/data/####/index
  • /data/data/####/iv
  • /data/data/####/journal.tmp
  • /data/data/####/libpuuqlu.so
  • /data/data/####/libpuuqlu.so-32
  • /data/data/####/libpuuqlu.so-64
  • /data/data/####/lijian.jar
  • /data/data/####/m1.jar
  • /data/data/####/m6.jar
  • /data/data/####/m7.jar
  • /data/data/####/mkv.xml
  • /data/data/####/oMHea.xml
  • /data/data/####/oqoyet.png
  • /data/data/####/owsddza.xml
  • /data/data/####/owsddza.xml.bak (deleted)
  • /data/data/####/qweswws.data-journal
  • /data/data/####/qwevwwssww.xml
  • /data/data/####/qwevwwssww.xml.bak
  • /data/data/####/rq_file.xml
  • /data/data/####/sGFdwf.data-journal
  • /data/data/####/salt
  • /data/data/####/sdlpvvcn.jar
  • /data/data/####/sesvwta.xml
  • /data/data/####/sfwwWQsewq.data-journal
  • /data/data/####/startActivityOwn.xml
  • /data/data/####/sunn.jar
  • /data/data/####/sunn.tmp (deleted)
  • /data/data/####/sunn.x
  • /data/data/####/swWsewdQe.xml
  • /data/data/####/swWsewdQe.xml.bak
  • /data/data/####/swwkwsghf.data-journal
  • /data/data/####/t20191203.dat
  • /data/data/####/tdid.xml
  • /data/data/####/umeng_Cache11.jar
  • /data/data/####/umeng_Cache12.jar
  • /data/data/####/umeng_Cache13_4.jar
  • /data/data/####/umeng_Cache15.jar
  • /data/data/####/umeng_Cache17.jar
  • /data/data/####/umeng_Cache18.jar
  • /data/data/####/umeng_Cache2.jar
  • /data/data/####/umeng_Cache23_1.jar
  • /data/data/####/umeng_Cache3.jar
  • /data/data/####/umeng_Cache5_2.jar
  • /data/data/####/umeng_Cache7.jar
  • /data/data/####/umeng_Cache9.jar
  • /data/data/####/umengsCache2.jar
  • /data/data/####/url_ad.tmp
  • /data/data/####/wESUTYe.xml
  • /data/data/####/wWAys.xml
  • /data/data/####/webview.db-journal
  • /data/data/####/webviewCookiesChromium.db-journal
  • /data/data/####/wiwsf.xml
  • /data/data/####/wwswswewax.xml
  • /data/data/####/yd_config_c.xml
  • /data/data/####/ywsMJwa.xml
  • /data/media/####/.YiAds.log
  • /data/media/####/.YiAds_Net.log
  • /data/media/####/.ef0b4ddacc046d054f437ba0af966623
  • /data/media/####/.lju
  • /data/media/####/.nomedia
  • /data/media/####/.usdis
  • /data/media/####/1723D6044EA97DA846C4E3A2E2999116.jar
  • /data/media/####/1723D6044EA97DA846C4E3A2E2999116.temp
  • /data/media/####/226C6D0262EDF21275151A3830CCD201.temp
  • /data/media/####/2CBF9990016BBD260C31667F4FB2CC98.tmp
  • /data/media/####/450D657D2EB70472E0EBC07683E57633.tmp
  • /data/media/####/4F70D11BF61E642BB2EC3B7545875865
  • /data/media/####/57B8BE7C4D9F60A627970A20D229EBEE.tmp
  • /data/media/####/6067CD2BC58AF269E2045AB73920FC13
  • /data/media/####/818606432C88AD0167ECFB39728A9C07.tmp
  • /data/media/####/861A0A68877B96998B3DC6208017CB5C.tmp
  • /data/media/####/86CCDB2D39D6CBCD94C1949E3623DE92.tmp
  • /data/media/####/8878798FE288895E2E947308B0575F56.tmp
  • /data/media/####/ACC010D8007ED87989819D8F1E151E79.tmp
  • /data/media/####/B9198C64FC448596AF0D5207B261F503
  • /data/media/####/BCB8B8A202BEA82D25D7BBE55447CFC4.tmp
  • /data/media/####/C450F23D408B5ED35E68EE89732B1EB7.tmp
  • /data/media/####/D2A39DC19C580A53DD6CEC9175A160CA
  • /data/media/####/DAE9A2A64D8423ED017B19DDD4975AC8
  • /data/media/####/DE9DDF72E05EE773E69F6D20885DCA50.tmp
  • /data/media/####/_pn
  • /data/media/####/_shn
  • /data/media/####/app_com_lhyy_dadishus.txt
  • /data/media/####/c931aa6fabd0eb087ca8276298f24401.xml
  • /data/media/####/config
  • /data/media/####/date40003000700
  • /data/media/####/deviceId
  • /data/media/####/master
  • /data/media/####/master.lock
Miscellaneous:
Executes the following shell scripts:
  • /system/bin/cat /proc/cpuinfo
  • cat /proc/bus/input/devices
  • cat /proc/cpuinfo
  • cat /sys/class/net/wlan0/address
  • getprop
Loads the following dynamic libraries:
  • libpuuqlu
Uses the following algorithms to encrypt data:
  • AES
  • AES-CBC-PKCS5PADDING
  • AES-CBC-PKCS5Padding
  • AES-CBC-PKCS7Padding
  • AES-ECB-PKCS5Padding
  • DES
  • DES-CBC-PKCS5Padding
  • DES-ECB-PKCS5Padding
  • Des-ECB-NoPadding
  • RC4-ECB-NoPadding
  • RSA-None-PKCS1Padding
Uses the following algorithms to decrypt data:
  • AES
  • AES-CBC-NoPadding
  • AES-CBC-PKCS5Padding
  • AES-CBC-PKCS7Padding
  • AES-CFB-NoPadding
  • AES-ECB-PKCS5Padding
  • DES
  • DES-CBC-PKCS5Padding
  • DES-ECB-PKCS5Padding
  • Des-ECB-NoPadding
  • RSA-None-PKCS1Padding
Accesses the ITelephony private interface.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Gets information about running apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.

Curing recommendations

Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a ransom payment, or some other announcement prevents you from using the device normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and the specifications of the particular device, this can be done in various ways; consult the user guide shipped with the device or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android Light on the infected device, run a full system scan, and follow the steps recommended for neutralizing the detected threats;
    • Switch off the device and turn it on again as normal.
