Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) i####.app.h####.cn:80
- TCP(HTTP/1.1) s####.tc.qq.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) img.c####.com.cn:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) img.zh####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) app.c####.h####.cn:80
- TCP(HTTP/1.1) mo####.zh####.com:80
- TCP(HTTP/1.1) wea####.api.h####.cn:80
- TCP(HTTP/1.1) wxjs####.hoge####.com:80
- TCP(HTTP/1.1) sni.c####.q####.####.net:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) s####.c####.hoge####.com:80
- TCP(HTTP/1.1) versi####.api.h####.cn:80
- TCP(SSL/3.0) 7064f63####.bug####.com:443
- TCP(TLS/1.0) api.w####.com:443
- TCP(TLS/1.0) api.map.b####.com:443
- TCP(TLS/1.0) 7064f63####.bug####.com:443
- TCP c####.g####.ig####.com:5227
- TCP sdk.o####.t####.####.com:5224
DNS requests:
- 7064f63####.bug####.com
- 7j####.c####.z0.####.com
- a####.u####.com
- api.map.b####.com
- api.w####.com
- app.c####.h####.cn
- c####.g####.ig####.com
- c-h####.g####.com
- feed####.u####.com
- i####.app.h####.cn
- img.c####.com.cn
- img.zh####.com
- l####.tbs.qq.com
- loc.map.b####.com
- mm.u.h####.cn
- mo####.zh####.com
- r####.wx.qq.com
- s####.c####.hoge####.com
- s####.zh####.com
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- versi####.api.h####.cn
- wea####.api.h####.cn
- wxjs####.hoge####.com
HTTP GET requests:
- app.c####.h####.cn/data/packinfo/165/android/4.0.0/config.zip
- i####.app.h####.cn/?appid=####&appkey=####&device_token=####&_member_id=...
- img.c####.com.cn/nf/yongpai/upload/null/image/2018/07/19/0c4b25a2-92e0-4...
- img.c####.com.cn/nf/yongpai/upload/null/image/2018/07/19/4eefa821-f74d-4...
- img.c####.com.cn/nf/yongpai/upload/null/image/2018/07/19/f4f191a9-374f-4...
- img.c####.com.cn/nf/yongpai/upload/shenyan/image/2018/07/19/cfdb0472-503...
- img.c####.com.cn/nf/yongpai/upload/shenyan/image/2018/07/22/0dc5e717-cc6...
- img.c####.com.cn/nf/yongpai/upload/zhangying/image/2018/07/20/19eb0c11-b...
- img.c####.com.cn/nf/yongpai/upload/zhangying/image/2018/07/20/1f564cde-b...
- img.c####.com.cn/nf/yongpai/upload/zhangying/image/2018/07/20/50684a29-6...
- img.zh####.com/8d2eef7bc5c2368e65ba68a4131f956e.png
- img.zh####.com/?_hgOutLink=####&id=####
- img.zh####.com/material/adv/img/600x800/2018/07/017e351d92a444157a191392...
- img.zh####.com/material/news/img/2017/12/707c89e68d0b1ae55531e9d19e13d4c...
- img.zh####.com/material/news/img/2018/03/20180304192904skOX.jpg
- img.zh####.com/material/news/img/2018/03/201803042104260V8S.jpg
- img.zh####.com/material/news/img/2018/03/20180308182320xs7S.jpg
- img.zh####.com/material/news/img/2018/07/20180720074216tkyZ.png?Z####
- img.zh####.com/material/news/img/2018/07/20180720201430r8U3.jpg?A####
- img.zh####.com/material/news/img/2018/07/20180721105703MIP.jpg
- img.zh####.com/material/news/img/2018/07/20180722124726UCpL.jpg?y####
- img.zh####.com/material/news/img/2018/07/57c9668613b249305cc75f655e0dab4...
- img.zh####.com/material/news/img/2018/07/6d9fc2cf394d35a648beb7fc202a498...
- img.zh####.com/material/news/img/2018/07/6ec6e77025667a8e390cb47953ae351...
- img.zh####.com/material/news/img/2018/07/7cc93a5693cc79aed4cb2c11959c75e...
- img.zh####.com/material/news/img/2018/07/b786a6390f3684d56bf40b1ee9a57c1...
- img.zh####.com/material/news/img/2018/07/d11d95cdaa899cdb04a4624d7d75307...
- img.zh####.com/material/news/img/2018/07/dde5a8279e6eb06f6c316f3e43029c4...
- img.zh####.com/material/news/img/2018/07/fc98dd9433ef5ab1e9db7be1c521e13...
- img.zh####.com/material/news/img/351x320/2018/07/20180719153828BjYp.jpg
- img.zh####.com/views//res/css/common/swipebox.css
- img.zh####.com/views//res/css/video/video.css
- img.zh####.com/views//res/images/icons.png
- img.zh####.com/views//res/js/common/jquery.min.js
- img.zh####.com/views//res/js/common/jquery.swipebox.js
- img.zh####.com/views/res/css/common/common.css
- img.zh####.com/views/res/css/common/idangerous.swiper.css
- img.zh####.com/views/res/css/common/reset.css
- img.zh####.com/views/res/css/news/news.css
- img.zh####.com/views/res/images/common/click_btn.png
- img.zh####.com/views/res/images/common/menu.png
- img.zh####.com/views/res/images/qq.png
- img.zh####.com/views/res/images/sina.png
- img.zh####.com/views/res/images/weixin.png
- img.zh####.com/views/res/js/common/ajaxload_new.js
- img.zh####.com/views/res/js/common/idangerous.swiper.2.6.1.min.js
- img.zh####.com/views/res/js/common/jquery-ui.min.js
- img.zh####.com/views/res/js/common/jquery.min.js
- img.zh####.com/views/res/js/common/tuji_app.js
- mo####.zh####.com/zhenhai/ad.php?appid=####&appkey=####&device_token=###...
- mo####.zh####.com/zhenhai/ad_news.php?appid=####&appkey=####&client_id_a...
- mo####.zh####.com/zhenhai/news.php?site_id=####&column_id=####&weight=##...
- mo####.zh####.com/zhenhai/news_recomend_column.php?site_id=####&id=####&...
- s####.tc.qq.com/open/js/jweixin-1.0.0.js
- sni.c####.q####.####.net/config/hz-hzv3.conf
- sni.c####.q####.####.net/tdata_MkX219
- sni.c####.q####.####.net/tdata_iGj879
- t####.c####.q####.####.com/mxu/2017/1221/6e/6e2cba56a8f390468cb90eef5146...
- versi####.api.h####.cn/?m=####&c=####&bundle_id=####&app_version=####&cl...
- wea####.api.h####.cn/?m=####&c=####&appid=####&appkey=####&client_id_and...
- wxjs####.hoge####.com/index.php?site_id=273&url=http://share.zhxwzx.com/...
HTTP POST requests:
- a####.u####.com/app_logs
- c-h####.g####.com/api.php?format=####&t=####
- l####.tbs.qq.com/ajax?c=####&k=####
- mo####.zh####.com/zhenhai/mobile_client.php?appid=####&appkey=####&devic...
- s####.c####.hoge####.com/app/ad_stat.php
- sdk.o####.p####.####.com/api.php?format=####&t=####
Modified file system:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/Alvin2.xml
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/ContextData.xml
- /data/data/####/WebViewSettings.xml
- /data/data/####/audio.xml
- /data/data/####/authStatus_com.aheading.news.zhenhairb.xml
- /data/data/####/authStatus_com.aheading.news.zhenhairb;pushservice.xml
- /data/data/####/authStatus_com.aheading.news.zhenhairb;remote.xml
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/core_info
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/debug.conf
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/firll.dat
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/gx_sp.xml
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/libcuid.so
- /data/data/####/libjiagu.so
- /data/data/####/multidex.version.xml
- /data/data/####/mxu.db-journal
- /data/data/####/ofl_location.db
- /data/data/####/ofl_location.db-journal
- /data/data/####/ofl_statistics.db
- /data/data/####/ofl_statistics.db-journal
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/setting.xml
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tdata_MkX219
- /data/data/####/tdata_MkX219.jar
- /data/data/####/tdata_iGj879
- /data/data/####/tdata_iGj879.jar
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_feedback_conversations.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/weibo_sdk_aid1
- /data/media/####/.cuid
- /data/media/####/.cuid2
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/app.db
- /data/media/####/c6d6789a3f55799bb9ccc613d661b572979ba8c30156d9....0.tmp
- /data/media/####/com.aheading.news.zhenhairb.bin
- /data/media/####/com.aheading.news.zhenhairb.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/config.zip
- /data/media/####/e0eed40d4fab4af05cdf8daf76258d31bcbbff7750fed9....0.tmp
- /data/media/####/journal.tmp
- /data/media/####/ller.dat
- /data/media/####/ls.db
- /data/media/####/ls.db-journal
- /data/media/####/main.json
- /data/media/####/module_aizhenhai.json
- /data/media/####/module_baoming.json
- /data/media/####/module_contribute.json
- /data/media/####/module_ershou.json
- /data/media/####/module_fw.json
- /data/media/####/module_guajiang.json
- /data/media/####/module_home.json
- /data/media/####/module_huzhu.json
- /data/media/####/module_ktv.json
- /data/media/####/module_ld.json
- /data/media/####/module_lsts.json
- /data/media/####/module_my.json
- /data/media/####/module_road.json
- /data/media/####/module_sb.json
- /data/media/####/module_search.json
- /data/media/####/module_shake.json
- /data/media/####/module_special.json
- /data/media/####/module_spot.json
- /data/media/####/module_sqbm.json
- /data/media/####/module_sqtp.json
- /data/media/####/module_telephone.json
- /data/media/####/module_tgb.json
- /data/media/####/module_tuji.json
- /data/media/####/module_vote.json
- /data/media/####/module_weather.json
- /data/media/####/module_xiangqin.json
- /data/media/####/module_zhenqing.json
- /data/media/####/module_zhuanpan.json
- /data/media/####/module_zxc.json
- /data/media/####/tdata_MkX219
- /data/media/####/tdata_iGj879
- /data/media/####/test.0
- /data/media/####/test.log
- /data/media/####/yoh.dat
- /data/media/####/yol.dat
- /data/media/####/yom.dat
Miscellaneous:
Executes next shell scripts:
- <Package Folder>/files/gdaemon_20161017 0 <Package>/com.hoge.android.factory.GeituiPushService 25674 300 0
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.product.cpu.abi
Loads the following dynamic libraries:
- BaiduMapSDK_base_v4_0_0
- Bugtags
- getuiext2
- libjiagu
- locSDK6a
- m2o_jni
- weibosdkcore
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- desede-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about APN settings.
Gains access to information about installed applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
