Technical information
Malicious functions:
Downloads the following detected threats from the Internet:
- Android.RemoteCode.8274
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 1####.57.17.27:80
- TCP(HTTP/1.1) g3.l####.com:80
- TCP(HTTP/1.1) api.cdn.nexta####.com:80
- TCP(HTTP/1.1) 1####.57.155.33:80
- TCP(HTTP/1.1) 1####.56.226.115:7001
- TCP(HTTP/1.1) 1####.57.217.238:80
- TCP(HTTP/1.1) cdn.nexta####.com:80
- TCP(HTTP/1.1) 4####.94.13.7:80
- TCP(HTTP/1.1) app.api.uli####.net:80
- TCP(HTTP/1.1) 39.1####.224.153:80
- TCP(TLS/1.0) 64.2####.163.94:443
- TCP(TLS/1.0) u####.u####.com:443
- TCP(TLS/1.0) rr2---s####.g####.com:443
- TCP(TLS/1.0) new-####.u####.com:443
- TCP(TLS/1.0) worldti####.org:443
- TCP(TLS/1.0) a####.u####.com.####.com:443
- TCP(TLS/1.0) and####.b####.qq.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) 59.82.1####.219:443
- TCP(TLS/1.0) www.a.sh####.com:443
- TCP(TLS/1.0) bea####.gcp.g####.com:443
- TCP(TLS/1.0) bea####.g####.com:443
- TCP(TLS/1.0) gmscomp####.google####.com:443
- TCP(TLS/1.0) 1####.250.150.138:443
- TCP(TLS/1.2) gmscomp####.google####.com:443
- TCP(TLS/1.2) 64.2####.163.94:443
- TCP(TLS/1.2) 64.2####.164.101:443
- UDP tm4.binst####.live:3923
- UDP bea####.gcp.g####.com:443
- UDP tm3.binst####.live:13
- UDP bea####.g####.com:443
- UDP 1####.250.150.138:443
- UDP as2.binst####.live:13
- UDP as2.binst####.live:3923
- UDP p####.google####.com:443
- UDP 2####.255.255.250:1900
- UDP as1.binst####.live:3924
DNS requests:
- a####.u####.com
- amdc####.m.u####.com
- and####.b####.qq.com
- api.cdn.nexta####.com
- app.api.uli####.net
- as1.binst####.live
- as2.binst####.live
- as3.binst####.live
- as4.binst####.live
- bea####.g####.com
- bea####.gcp.g####.com
- cdn.m####.uli####.net
- cdn.nexta####.com
- g3.l####.com
- gmscomp####.google####.com
- p####.google####.com
- rr2---s####.g####.com
- tm1.binst####.live
- tm2.binst####.live
- tm3.binst####.live
- tm4.binst####.live
- u####.u####.com
- umen####.m.ta####.com
- ut####.u####.com
- worldti####.org
- www.b####.com
HTTP GET requests:
- api.cdn.nexta####.com/api/live/v1/pindaos?s_t=####&s_m=####
- app.api.uli####.net/v4/api/sys/diable
- cdn.nexta####.com/app/config/live/app_conf_global.json
- cdn.nexta####.com/app/config/live/source_parse_track_conf.json
- cdn.nexta####.com/app/config/live/splayer_d_c.txt
- cdn.nexta####.com/app/config/live/wdc_mapping.gz
- cdn.nexta####.com/app/config/playback/config_support_ts.json
- cdn.nexta####.com/app/config/third/jar/hdp_0429.jar
- cdn.nexta####.com/app/config/upgrade/xingkong/apk_upgrade_config_v2.json...
- cdn.nexta####.com/app/uploads/2024-04-26/7249dc4d-0b74-41b7-bc08-61febe1...
- cdn.nexta####.com/app/uploads/2024-06-17/f316e378-e082-4fe1-8895-0afa085...
- cdn.nexta####.com/app/uploads/2024-07-22/045ba20f-aaf9-4df7-8c54-bf8f781...
- cdn.nexta####.com/app/uploads/2024-07-25/f0a19871-109d-45d7-a6b2-0de9f1e...
- cdn.nexta####.com/app/uploads/2024-08-07/02387d76-e2e3-4223-b2a0-35b5c4f...
- g3.l####.com/r?format=####
- www.a.sh####.com:443/
HTTP HEAD requests:
- cdn.nexta####.com/app/uploads/2024-07-22/045ba20f-aaf9-4df7-8c54-bf8f781...
HTTP POST requests:
- a####.u####.com.####.com:443/v3/a/audid/req
- and####.b####.qq.com:443/rqd/async?aid=####
- new-####.u####.com:443/anti/postZdata
- u####.u####.com:443/unify_logs
- u####.u####.com:443/zcfg
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/1004
- /data/data/####/4373794a74c99b2299b7d2795cfde79f.0.tmp
- /data/data/####/4373794a74c99b2299b7d2795cfde79f.1
- /data/data/####/4373794a74c99b2299b7d2795cfde79f.1.tmp
- /data/data/####/51734d668e1dfd268d4d990f5432b1ec.0.tmp
- /data/data/####/51734d668e1dfd268d4d990f5432b1ec.1.tmp (deleted)
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml.bak
- /data/data/####/AD_REC_PLAY_DATA.xml
- /data/data/####/AD_REC_PLAY_DATA.xml.bak
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Agoo_AppStore.xml.bak
- /data/data/####/BUGLY_COMMON_VALUES.xml
- /data/data/####/CONFIG_orther.xml
- /data/data/####/CONFIG_orther.xml.bak
- /data/data/####/FAVORITE.xml
- /data/data/####/LIVE_CONFIG.xml
- /data/data/####/PERMANENT_DATA.xml
- /data/data/####/PLAY.xml
- /data/data/####/Sb_Cn.xml
- /data/data/####/Splayer_config.xml
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/a69dd77043e6f50628ec3f704da86156.0.tmp
- /data/data/####/a69dd77043e6f50628ec3f704da86156.1
- /data/data/####/a69dd77043e6f50628ec3f704da86156.1.tmp
- /data/data/####/accs.db-journal
- /data/data/####/advertisement.xml
- /data/data/####/api.prefs.xml
- /data/data/####/api.prefs.xml.bak
- /data/data/####/api.prefs.xml.bak (deleted)
- /data/data/####/b78355431fbe71f8bd51f9fb04924c8f.0.tmp
- /data/data/####/b78355431fbe71f8bd51f9fb04924c8f.1
- /data/data/####/bd035c39874eb6c38c6452c24a79b265.0.tmp
- /data/data/####/bd035c39874eb6c38c6452c24a79b265.1
- /data/data/####/bd035c39874eb6c38c6452c24a79b265.1.tmp
- /data/data/####/bugly_db_-journal
- /data/data/####/bugly_last_us_up_tm
- /data/data/####/c87cb1b81d66b8204506dde15ee7b83a.0.tmp
- /data/data/####/c87cb1b81d66b8204506dde15ee7b83a.1.tmp
- /data/data/####/crashrecord.xml
- /data/data/####/cuuid.xml
- /data/data/####/delayed_transmission_flag_new.xml
- /data/data/####/e1cc8c6871005a516df566368bf0b6c0.0
- /data/data/####/e1cc8c6871005a516df566368bf0b6c0.1
- /data/data/####/eb07bb29e1ba8b19087b4e4037396ec1.0.tmp
- /data/data/####/eb07bb29e1ba8b19087b4e4037396ec1.1
- /data/data/####/eb07bb29e1ba8b19087b4e4037396ec1.1.tmp
- /data/data/####/event_db
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f8fdb5d40c8dad1ea52e74cd6ee7eb60.0.tmp
- /data/data/####/f8fdb5d40c8dad1ea52e74cd6ee7eb60.1
- /data/data/####/f8fdb5d40c8dad1ea52e74cd6ee7eb60.1.tmp
- /data/data/####/hdl_0429.jar
- /data/data/####/i==1.2.0&&1.0.122_1727359549409_dW5pZnlfbG9ncw==;.log
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/kk.xml
- /data/data/####/kk.xml.bak (deleted)
- /data/data/####/kklive_cjzm_2.xml
- /data/data/####/libvaci_tvcore.so
- /data/data/####/local_crash_lock
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/native_record_lock
- /data/data/####/player.tmp
- /data/data/####/proc_auxv
- /data/data/####/risk_user_info.xml
- /data/data/####/settings.prefs.xml
- /data/data/####/spider_prefs.xml
- /data/data/####/spider_prefs.xml.bak
- /data/data/####/t==9.5.2&&1.0.122_1727359546543_dW5pZnlfbG9ncw==;.log
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_policy_grant.xml
- /data/data/####/um_push_ut.xml
- /data/data/####/um_session_id.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_policy_result_flag
- /data/data/####/umeng_push.xml
- /data/data/####/umeng_push.xml.bak
- /data/data/####/umeng_sp_oaid.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/umzid_general_config.xml
- /data/data/####/vaci_epg.dex
- /data/data/####/vaci_epg.dex.flock (deleted)
- /data/data/####/vaci_epg.tmp
- /data/data/####/vaci_plugin.dex
- /data/data/####/vaci_plugin.dex.flock (deleted)
- /data/data/####/vaci_plugin.tmp
- /data/data/####/vaci_plugin_config.xml
- /data/data/####/vaci_pp.dex
- /data/data/####/vaci_pp.dex.flock (deleted)
- /data/data/####/vaci_pp.tmp
- /data/data/####/wdc_mapping.txt
- /data/data/####/z==1.2.0&&1.0.122_1727359540317_emNmZw==;.log
- /data/media/####/conf.dat
- /data/media/####/uuid.data
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_max_freq
- /system/bin/sh -c getprop
- getprop
- getprop ro.product.brand
- getprop ro.product.model
- getprop ro.system.build.id
- ls /
- ls /sys/class/thermal
Loads the following dynamic libraries:
- libBugly_Native
- libmmkv
- libplayer
- libtnet-3.1.14
- libumeng-spy
- libvaci_tvcore
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS7Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Accesses the ITelephony private interface.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Displays its own windows over windows of other apps.
