Report #1710

Binary
ABI: ELFOSABI_SYSV
Size: 333.46KB
Type: ET_DYN
trid: 100.0% ELF Executable and Linkable format
type: ELF
Wordsize: 32
Architecture: x86
Hashes
md5: 38f32c0b60644aefdf5e8df76e798ed2
sha1: 3b555e5dab1dd054d3d1b29c9d60bba025271d73
crc32: 0x79384afe
sha224: ebbdbec2d667a5b201da30e0ed571b060c012a16f38df26bc4c45ee0
sha256: 28e816985b8924512ba19241fccd6cc4e1b98c49a491962b3d6ac042a36ed418
sha384: 5b0eaf0439f42e5326b2d710a9ad3325b3722fc564914c65df9f4e508285323d0e4c576788f6fd9a6bed641c32da6abe
sha512: 59c3848abb1b3b3b0c4e388baeefabe7b39a41b18f777860848c41716ef10ae457df21c8d0a80527dd9d0198b5212b500f7eb50c4e648cf379d1ec0e71d4ffe1
ssdeep: 6144:3u21oJI9eumV5Ba4Pl7wWqXy2Z4suDfCQHPvoeEJ0bXJQIz4lSpVi0zBh:ebJI9ezBFWWqPgfCQvAJE1z8Q
Community
Google: False
HashLib: False
YARA
Matches: maldoc_getEIP_method_1, domain, url, contentis_base64, android_meterpreter, ldpreload, is__elf, MD5_Constants, Big_Numbers1
Suspicious: True

Dwarf
List: (empty)
Number: 0
Files
Sys: (empty)
Home: (empty)
Proc: /proc/%d/stat, /proc/%d/cmdline, /proc/meminfo, Could not open /proc/meminfo, Could not read /proc/meminfo, /proc/%d/stat, /proc/%d/cmdline
Password: (empty)
Suspicious: True
Flags
Flags: 0
Packer
List: None
Packed: False
Network
IPs: (empty)
URLs: liblandlord.so, http://api.koiok.info/v4/index.php, ro.build.display.id, ro.product.name, ro.build.id, ar.com.eudaimonia.JAVAACTIVITY, http://s.joymedia.mobi/?c=201&o=193229&q=, libcorkscrew.so, libunwind.so, .data.rel.ro
Mails: (empty)
Suspicious: True
Strings
List
Floating-point: (empty)
Symbols
List: (empty)
Number: 0
Reason: Stripped
Suspicious: True
Version
Version: EV_CURRENT
Foremost
Matches: 214.zip, 42 KB, 513.zip, 16 KB
Suspicious: True
Sections
List: (unnamed), .note.gnu.build-id, .dynsym, .dynstr, .hash, .gnu.version, .gnu.version_d, .gnu.version_r, .rel.dyn, .rel.plt, .plt, .text, .rodata, .eh_frame, .eh_frame_hdr, .fini_array, .data.rel.ro, .init_array, .dynamic, .got, .got.plt, .data, .bss, .comment, .note.gnu.gold-version, .shstrtab
Number: 26
Suspicious: False
Segments
Number: 8
Suspicious: False
Compilers
List: GCC: (GNU) 4.9.x 20150123 (prerelease), GCC: (GNU) 4.9.x 20150123 (prerelease)
Identified: 2
Suspicious: True
Functions
List
Present: True
Anti-Debug
Ptrace: False
Anti-disasm: False
Entry Point
Address: 0x0
Suspicious: False
Embedded ELF
List: 279556
Identified: 1
Program Header
Size: 32
Number: 8
Offset: 52
Section Header
Size: 40
Number: 26
Offset: 340428
AVclass
zadmo: 1
VirusTotal
md5: 38f32c0b60644aefdf5e8df76e798ed2
sha1: 3b555e5dab1dd054d3d1b29c9d60bba025271d73
SCANS (DETECTION RATE = 6.78%)

| Engine | Update | Version | Detected | Result |
|---|---|---|---|---|
| AVG | 20170807 | 8.0.1489.320 | False | |
| CMC | 20170805 | 1.1.0.977 | False | |
| MAX | 20170807 | 2017.6.26.1 | False | |
| Bkav | 20170807 | 1.3.0.9282 | False | |
| K7GW | 20170807 | 10.20.24212 | False | |
| ALYac | 20170807 | 1.1.1.2 | False | |
| Avast | 20170807 | 8.0.1489.320 | False | |
| Avira | 20170807 | 8.3.3.4 | False | |
| Baidu | 20170807 | 1.0.0.2 | False | |
| Cyren | 20170807 | 5.4.30.7 | False | |
| DrWeb | 20170807 | 7.0.28.2020 | False | |
| GData | 20170807 | A:25.13734B:25.10170 | False | |
| Panda | 20170807 | 4.6.4.2 | False | |
| VBA32 | 20170803 | 3.12.26.4 | False | |
| VIPRE | 20170807 | 60118 | False | |
| Zoner | 20170807 | 1.0 | False | |
| AVware | 20170807 | 1.5.0.42 | False | |
| ClamAV | 20170807 | 0.99.2.0 | False | |
| Comodo | 20170807 | 27566 | False | |
| F-Prot | 20170807 | 4.7.1.166 | False | |
| Ikarus | 20170807 | 0.1.5.2 | False | |
| McAfee | 20170807 | 6.0.6.653 | False | |
| Rising | 20170807 | 25.0.0.1 | False | |
| Sophos | 20170807 | 4.98.0 | False | |
| Yandex | 20170801 | 5.5.1.3 | False | |
| Zillya | 20170806 | 2.0.0.3355 | False | |
| Arcabit | 20170807 | 1.0.0.817 | False | |
| Tencent | 20170807 | 1.0.0.1 | False | |
| ViRobot | 20170807 | 2014.3.20.0 | False | |
| Webroot | 20170807 | 1.0.0.207 | False | |
| Ad-Aware | 20170807 | 3.0.3.1010 | False | |
| AegisLab | 20170807 | 4.2 | False | |
| Emsisoft | 20170807 | 4.0.1.883 | False | |
| F-Secure | 20170807 | 11.0.19100.45 | False | |
| Fortinet | 20170807 | 5.4.247.0 | False | |
| Jiangmin | 20170807 | 16.0.100 | False | |
| Kingsoft | 20170807 | 2013.8.14.323 | False | |
| Symantec | 20170807 | 1.4.0.0 | False | |
| nProtect | 20170807 | 2017-08-07.02 | False | |
| AhnLab-V3 | 20170807 | 3.9.2.18278 | False | |
| Antiy-AVL | 20170807 | 3.0.0.1 | True | GrayWare[AdWare]/Android.Zadmo.g |
| Kaspersky | 20170807 | 15.0.1.13 | True | not-a-virus:HEUR:AdWare.AndroidOS.Zadmo.g |
| Microsoft | 20170807 | 1.1.14003.0 | False | |
| Qihoo-360 | 20170807 | 1.0.0.1120 | True | Win32/Virus.Adware.867 |
| TheHacker | 20170806 | 6.8.0.5.1813 | False | |
| ZoneAlarm | 20170807 | 1.0 | True | not-a-virus:HEUR:AdWare.AndroidOS.Zadmo.g |
| ESET-NOD32 | 20170807 | 15873 | False | |
| TrendMicro | 20170807 | 9.862.0.1074 | False | |
| WhiteArmor | 20170731 | (not reported) | False | |
| BitDefender | 20170807 | 7.2 | False | |
| K7AntiVirus | 20170807 | 10.20.24214 | False | |
| Malwarebytes | 20170807 | 2.1.1.1115 | False | |
| TotalDefense | 20170807 | 37.1.62.1 | False | |
| CAT-QuickHeal | 20170807 | 14.00 | False | |
| NANO-Antivirus | 20170807 | 1.0.94.18103 | False | |
| MicroWorld-eScan | 20170807 | 12.0.250.0 | False | |
| SUPERAntiSpyware | 20170807 | 5.6.0.1032 | False | |
| McAfee-GW-Edition | 20170807 | v2015 | False | |
| TrendMicro-HouseCall | 20170807 | 9.950.0.1006 | False | |

total: 59
sha256: 28e816985b8924512ba19241fccd6cc4e1b98c49a491962b3d6ac042a36ed418
scan_id: 28e816985b8924512ba19241fccd6cc4e1b98c49a491962b3d6ac042a36ed418-1502107238
resource: 38f32c0b60644aefdf5e8df76e798ed2
positives: 4
scan_date: 2017-08-07 12:00:38
verbose_msg: Scan finished, information embedded
response_code: 1
Binary
RF
confidence: 68.86%
suspicious: True
MLP
confidence: 69.60%
suspicious: True
SVM
confidence: 75.00%
suspicious: True