Adware.Gexin.4861

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Accesses the ITelephony private interface.

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) c-h####.g####.com:80
TCP(HTTP/1.1) pub-####.qin####.com:80
TCP(HTTP/1.1) m.d####.mob.com:80
TCP(HTTP/1.1) sh.wagbr####.aliyun####.com:80
TCP(HTTP/1.1) a####.exc.mob.com:80
TCP(HTTP/1.1) t####.c####.q####.####.com:80
TCP(HTTP/1.1) im####.jcpe####.com:80
TCP(HTTP/1.1) and####.b####.qq.com:80
TCP(HTTP/1.1) app.jcpe####.com:80
TCP(HTTP/1.1) cgi.con####.qq.com:80
TCP(HTTP/1.1) a####.b####.qq.com:8011
TCP(HTTP/1.1) api.d####.jcpe####.com:80
TCP(HTTP/1.1) sdk.o####.p####.####.com:80
TCP(TLS/1.0) api.w####.com:443
TCP(TLS/1.0) and####.cli####.go####.com:443
TCP c####.g####.ig####.com:5225
TCP sdk.o####.t####.####.com:5224

DNS requests:

7j####.c####.z0.####.com
a####.b####.qq.com
a####.exc.mob.com
a####.man.aliy####.com
and####.b####.qq.com
and####.cli####.go####.com
api.d####.jcpe####.com
api.w####.com
app.jcpe####.com
c####.g####.ig####.com
c-h####.g####.com
cgi.con####.qq.com
im####.jcpe####.com
m.d####.mob.com
pub-####.qin####.com
sdk.c####.ig####.com
sdk.o####.p####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.net

HTTP GET requests:

api.d####.jcpe####.com/live/course.aspx?func=####&class_id=####&uid=####
api.d####.jcpe####.com/live/course_list?day=####&num=####&word_id=####
api.d####.jcpe####.com/live/course_list?day=####&sort=####&num=####&days...
app.jcpe####.com/app_client_api_v2/app_ad?type=####
app.jcpe####.com/faultCode/versionCode.aspx?app_type=####
cgi.con####.qq.com/qqconnectopen/openapi/policy_conf?sdkv=####&appid=###...
im####.jcpe####.com/upload/class/20180806111756513.jpg
im####.jcpe####.com/upload/class/20181009175505807.jpg
im####.jcpe####.com/upload/class/20181022142653629.jpg
im####.jcpe####.com/upload/topics/images/20180810102308834.jpg
im####.jcpe####.com/upload/topics/images/20180903190127495.jpg
im####.jcpe####.com/upload/topics/images/20181012181614130.jpg
m.d####.mob.com/v3/cconf?appkey=####&plat=####&apppkg=####&appver=####&n...
pub-####.qin####.com/tdata_EDT356
t####.c####.q####.####.com/config/hz-hzv3.conf
t####.c####.q####.####.com/tdata_MkX219
t####.c####.q####.####.com/tdata_iGj879

HTTP POST requests:

a####.b####.qq.com:8011/rqd/async
a####.exc.mob.com/errconf
and####.b####.qq.com/rqd/async
c-h####.g####.com/api.php?format=####&t=####
sdk.o####.p####.####.com/api.php?format=####&t=####
sh.wagbr####.aliyun####.com/man/api?ak=####&s=####

File system changes:

Creates the following files:

/data/data/####/.jg.ic
/data/data/####/.lock
/data/data/####/015cb5c4aef1f4fea987f62221af483545ea35a0d2f246d....0.tmp
/data/data/####/0e8125952cf364a934f7620e07a508fcd1fee9cb54a54d1....0.tmp
/data/data/####/33cd5af28028448e51bef6f1b87368d81ff63412f257a7f....0.tmp
/data/data/####/39fcb83d98b0894ccfa28193af25f77ccd4974d63b7c6f7....0.tmp
/data/data/####/3b6cb3264369f78eedd133c2e2e43745d75e94da8bd0ab4....0.tmp
/data/data/####/65a11e2ebb88176fba1d7bd85b32ab2c5287b705a56198a....0.tmp
/data/data/####/6fcd5221934730465a4aa21ff2a915bfc2413f14c11b29e....0.tmp
/data/data/####/7426c4bc2b224a12f136a67e6787ae98e883d300e68f8ba....0.tmp
/data/data/####/7490d4d0a17af7739904e7e129e6f7dbb1eae2e4d84ef41....0.tmp
/data/data/####/776e0844f23c25ae56046b70a889a90e92653ab94984ca2....0.tmp
/data/data/####/898a62635ee9b38e5e216b208c973169f0a6eb0c24bfce8....0.tmp
/data/data/####/Alvin2.xml
/data/data/####/ContextData.xml
/data/data/####/__Baidu_Stat_SDK_SendRem.xml
/data/data/####/__local_ap_info_cache.json
/data/data/####/__local_last_session.json
/data/data/####/__local_stat_cache.json
/data/data/####/__send_data_1542078978420
/data/data/####/a741b7d38813a70b16380f2cdd65f574575ea3d482bafc4....0.tmp
/data/data/####/aad892ec6453f5af74a79e797f361781912eddb4b6a3c21....0.tmp
/data/data/####/baidu_mtj_sdk_record.xml
/data/data/####/bugly_db_-journal
/data/data/####/c0fbe18a002fa851cd222da70fc83a4107938d0d7b445bc....0.tmp
/data/data/####/c435b09f6325e873d3e3522ac6bd99645eb25520971880d....0.tmp
/data/data/####/c915d226235be12ae0944532d45edeea53a9cc3c98e86a6....0.tmp
/data/data/####/cdb20f92cdcc8f954f13901c41b4c89abece0e497fe822c....0.tmp
/data/data/####/com.tencent.open.config.json.1106487909
/data/data/####/config.xml
/data/data/####/dc11c2df738903b422f1ff12505124b281daa4673abae00....0.tmp
/data/data/####/dfca519deb44
/data/data/####/e96741d80707dc2b44f9814e8cc0d397a80a4b559b6eb6e....0.tmp
/data/data/####/fe7861caf550fd9d8c3c923fbe30fae3cc984b8e55d8cba....0.tmp
/data/data/####/gdaemon_20161017
/data/data/####/getui_sp.xml
/data/data/####/global_version.xml
/data/data/####/gx_sp.xml
/data/data/####/httpdns_config_cache.xml
/data/data/####/init.pid
/data/data/####/init_c1.pid
/data/data/####/journal.tmp
/data/data/####/libcuid.so
/data/data/####/libjiagu.so
/data/data/####/local_crash_lock
/data/data/####/mob_commons_1
/data/data/####/mob_sdk_exception_1
/data/data/####/multidex.version.xml
/data/data/####/push.pid
/data/data/####/pushext.db-journal
/data/data/####/pushg.db-journal
/data/data/####/pushsdk.db-journal
/data/data/####/run.pid
/data/data/####/security_info
/data/data/####/tdata_MkX219
/data/data/####/tdata_MkX219.jar
/data/data/####/tdata_iGj879
/data/data/####/tdata_iGj879.jar
/data/data/####/webview.db-journal
/data/data/####/weibo_sdk_aid1
/data/media/####/-261428641
/data/media/####/.confd
/data/media/####/.confd-journal
/data/media/####/.cuid
/data/media/####/.cuid2
/data/media/####/.dic_lock
/data/media/####/.duid
/data/media/####/.globalLock
/data/media/####/.nomedia
/data/media/####/.nulplt
/data/media/####/.pkg_lock
/data/media/####/.rcTag
/data/media/####/.rc_lock
/data/media/####/.timestamp
/data/media/####/Alvin2.xml
/data/media/####/ContextData.xml
/data/media/####/app.db
/data/media/####/com.getui.sdk.deviceId.db
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/com.jicheng.daodao.bin
/data/media/####/com.jicheng.daodao.db
/data/media/####/tdata_MkX219
/data/media/####/tdata_iGj879
/data/media/####/test.log

Miscellaneous:

Executes the following shell scripts:

/system/bin/sh -c getprop androVM.vbox_dpi
/system/bin/sh -c getprop gsm.sim.state
/system/bin/sh -c getprop gsm.sim.state2
/system/bin/sh -c getprop qemu.sf.fake_camera
/system/bin/sh -c getprop ro.board.platform
/system/bin/sh -c getprop ro.debuggable
/system/bin/sh -c getprop ro.genymotion.version
/system/bin/sh -c getprop ro.secure
/system/bin/sh -c type su
<Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.service.DemoPushService 24755 300 0
cat /sys/class/net/wlan0/address
chmod 700 <Package Folder>/files/gdaemon_20161017
chmod 755 <Package Folder>/.jiagu/libjiagu.so
getprop androVM.vbox_dpi
getprop gsm.sim.state
getprop gsm.sim.state2
getprop qemu.sf.fake_camera
getprop ro.board.platform
getprop ro.build.display.id
getprop ro.build.version.emui
getprop ro.build.version.opporom
getprop ro.debuggable
getprop ro.genymotion.version
getprop ro.miui.ui.version.name
getprop ro.secure
getprop ro.smartisan.version
getprop ro.vivo.os.version
mount
sh
sh <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.service.DemoPushService 24755 300 0

Loads the following dynamic libraries:

Bugly
crash_analysis
getuiext2
libjiagu
neh
polyvLiveModule
polyvModule
weibosdkcore

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-ECB-PKCS5Padding
AES-GCM-NoPadding
RSA-ECB-PKCS1Padding
RSA-NONE-OAEPWithSHA1AndMGF1Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding
AES-ECB-NoPadding
AES-GCM-NoPadding

Uses special library to hide executable bytecode.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about APN settings.

Gets information about installed apps.

Gets information about running apps.

Adds tasks to the system scheduler.

Displays its own windows over windows of other apps.

Технологии

Термины

Обучение и просвещение

Мифы

Technical information

Рекомендации по лечению

Демо бесплатно на 14 дней