Выполняет следующие команды оболочки (shell); среди них — запуск фоновых процессов через app_process32 (флаг --daemon), чтение MAC-адреса Wi-Fi-адаптера (/sys/class/net/wlan0/address) и определение производителя и вендорской прошивки устройства через getprop:
- /system/bin/sh
- app_process32 / c.j.a.f.h 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 --application --nice-name=other --daemon
- app_process32 / c.j.a.f.h 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 --application --nice-name=clean --daemon
- app_process32 / c.j.a.f.h 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 --application --nice-name=assist --daemon
- cat /sys/class/net/wlan0/address
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.letv.release.version
- getprop ro.miui.ui.version.name
- getprop ro.product.system.manufacturer
- getprop ro.smartisan.version
- getprop ro.vivo.os.build.display.id
- getprop ro.vivo.os.version
- sh
Загружает динамические библиотеки:
- libjiagu
- libkwad-fb
- libkwad-j2v8
- libkwad-yoga
- libleoric
- libnets
- libsgcore
Использует следующие алгоритмы для шифрования данных (в том числе режим ECB, который не скрывает повторяющиеся блоки открытого текста):
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7PADDING
- RSA-ECB-PKCS1Padding
Осуществляет доступ к скрытому (недокументированному, non-SDK) системному интерфейсу ITelephony.
Использует библиотеку-упаковщик (протектор) для скрытия исполняемого байт-кода; вероятно, это libjiagu из списка загружаемых библиотек выше.
Получает информацию о местоположении.
Получает информацию о телефоне (номер, IMEI и т. д.).
Отрисовывает собственные окна поверх других приложений.
Запрашивает разрешение на отображение системных уведомлений.