Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) pub-####.qin####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) img.newairc####.com:80
- TCP(HTTP/1.1) h####.opensp####.cn:80
- TCP(HTTP/1.1) a.appj####.com:80
- TCP(HTTP/1.1) oss.newairc####.com:80
- TCP(HTTP/1.1) h5.newairc####.com:80
- TCP(HTTP/1.1) d####.opensp####.cn:80
- TCP(TLS/1.0) oss.newairc####.com:443
- TCP(TLS/1.0) s####.ml####.cc:443
- TCP(TLS/1.0) h5.newairc####.com:443
- TCP c####.g####.ig####.com:5225
- TCP sdk.o####.t####.####.com:5224
DNS requests:
- 7j####.c####.z0.####.com
- a####.u####.com
- a.appj####.com
- c####.g####.ig####.com
- c-h####.g####.com
- d####.opensp####.cn
- h####.opensp####.cn
- h5.newairc####.com
- img.newairc####.com
- l####.tbs.qq.com
- oss.newairc####.com
- pub-####.qin####.com
- s####.ml####.cc
- sdk.c####.ig####.com
- sdk.o####.i####.####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
HTTP GET requests:
- h####.opensp####.cn/launchconfig?t=####&p=dXl1b####
- h5.newairc####.com/api/getArticleAdv?sid=####&cid=####
- h5.newairc####.com/api/getArticleStat?sid=####&aid=####
- h5.newairc####.com/api/getComments?sid=####&rootID=####&sourceType=####&...
- img.newairc####.com/dzy/pic/201804/08/affaed4c-7caa-4616-b35e-cabad7d2d3...
- oss.newairc####.com/dzy/article/201811/05/c5063875.json
- oss.newairc####.com/dzy/pic/201702/23/0c094cba-cfc4-4b04-8016-844d3deffb...
- oss.newairc####.com/dzy/pic/201702/23/0e33ca54-898b-4e8c-823a-3ef3c0830d...
- oss.newairc####.com/dzy/pic/201702/23/32921ae2-9b98-4292-9008-b8e1b3bc1f...
- oss.newairc####.com/dzy/pic/201702/23/3506fd42-79d2-4ad6-af9f-9fc00d041f...
- oss.newairc####.com/dzy/pic/201702/23/45abeecd-78e4-4dc2-ace2-33b78eef6e...
- oss.newairc####.com/dzy/pic/201702/23/5d0da10a-e48f-42bd-9b33-1a85d545fb...
- oss.newairc####.com/dzy/pic/201702/23/65fbcca9-960c-49f5-ba7d-f3072e49c2...
- oss.newairc####.com/dzy/pic/201702/23/81164d24-6ca4-4918-87f2-388c74c7ce...
- oss.newairc####.com/dzy/pic/201702/23/d35eeefe-a66b-4233-9782-577e736e64...
- oss.newairc####.com/dzy/pic/201703/07/826479b8-abc1-4a7a-b370-cc4f58b6ce...
- oss.newairc####.com/dzy/pic/201703/07/98918918-d16f-4686-ba23-6d666c953e...
- oss.newairc####.com/dzy/pic/201703/07/ee965e5c-98ec-4945-9ff8-48cc172aa4...
- oss.newairc####.com/dzy/pic/201703/20/062eb310-ea99-4a8b-a5e9-52e10c5904...
- oss.newairc####.com/dzy/pic/201703/20/0fbae30d-b83e-4f02-9ced-9b1aa8bf44...
- oss.newairc####.com/dzy/pic/201703/20/148f66c5-7725-47e0-af57-2692457160...
- oss.newairc####.com/dzy/pic/201703/20/1c6224cd-12b7-41b6-bb67-1ad23de4b8...
- oss.newairc####.com/dzy/pic/201703/20/da1eb3a1-1693-4c9e-9ff6-9d7cf247cd...
- oss.newairc####.com/dzy/pic/201703/20/f6f778c2-f5c0-448f-9353-b120939073...
- oss.newairc####.com/dzy/pic/201704/10/9a348b3d-78c6-4dc5-9b8c-3b9c225a9c...
- oss.newairc####.com/dzy/pic/201704/13/75d0727e-473f-4ca7-bb8e-35cf6d4572...
- oss.newairc####.com/dzy/pic/201704/13/c234712e-7589-4562-95b6-fa54e0dce7...
- oss.newairc####.com/dzy/pic/201704/13/f329dcca-5bfe-4443-98a0-e41e697c39...
- oss.newairc####.com/dzy/pic/201706/18/647907a8-cafe-4a8a-be52-50e0c74827...
- oss.newairc####.com/dzy/pic/201802/05/1c8954ee-859a-4521-862b-6fe602b751...
- oss.newairc####.com/dzy/pic/201802/05/42f9081e-df08-45f2-82fe-c3c4fd2ee6...
- oss.newairc####.com/dzy/pic/201802/05/8ca4b826-ed0a-4387-a0d2-48ac256aa7...
- oss.newairc####.com/dzy/pic/201809/11/db5030a0-69e7-4ac9-b051-20eece3118...
- oss.newairc####.com/dzy/pic/201811/05/07ddc321-56ce-4714-ac4c-462a600ee2...
- oss.newairc####.com/dzy/pic/201811/05/af59b9c3-5008-403a-84a5-9faff18bd2...
- oss.newairc####.com/dzy/pic/201811/05/f0da1e68-58d9-48d8-8939-a19e7249c6...
- pub-####.qin####.com/tdata_EDT356
- t####.c####.q####.####.com/config/hz-hzv3.conf
- t####.c####.q####.####.com/tdata_SzD730
- t####.c####.q####.####.com/tdata_ZCi456
HTTP POST requests:
- a####.u####.com/app_logs
- a.appj####.com/ad-service/ad/mark
- c-h####.g####.com/api.php?format=####&t=####
- d####.opensp####.cn/index.php/clientrequest/clientcollect/isCollect
- h5.newairc####.com/api/event
- l####.tbs.qq.com/ajax?c=####&k=####
- sdk.o####.p####.####.com/api.php?format=####&t=####
File system changes:
Creates the following files:
- /data/data/####/-124252062
- /data/data/####/-1312716470
- /data/data/####/-1383014913
- /data/data/####/-1383014914
- /data/data/####/-1383014915
- /data/data/####/-1383909508
- /data/data/####/-1383909509
- /data/data/####/-1383909512
- /data/data/####/-1383911251
- /data/data/####/-1383940320
- /data/data/####/-1383940321
- /data/data/####/-1383940322
- /data/data/####/-1383940323
- /data/data/####/-1383940324
- /data/data/####/-1383940325
- /data/data/####/-1383940326
- /data/data/####/-1383940327
- /data/data/####/-1383940328
- /data/data/####/-1383940329
- /data/data/####/-1383940352
- /data/data/####/-1383940353
- /data/data/####/-1383940354
- /data/data/####/-1383940355
- /data/data/####/-217311483
- /data/data/####/-417488228
- /data/data/####/-578210025
- /data/data/####/-93232255
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/1084282501
- /data/data/####/1389023919
- /data/data/####/1526646622
- /data/data/####/1623003206
- /data/data/####/1654023013
- /data/data/####/1673818992
- /data/data/####/1685042820
- /data/data/####/1695857311
- /data/data/####/1716062627
- /data/data/####/1747082434
- /data/data/####/1778102241
- /data/data/####/1809122048
- /data/data/####/1840141855
- /data/data/####/1871161662
- /data/data/####/1902181469
- /data/data/####/2014236780
- /data/data/####/2078847054
- /data/data/####/225271840
- /data/data/####/256291647
- /data/data/####/287311454
- /data/data/####/386967948
- /data/data/####/492175042
- /data/data/####/5063875_article.js
- /data/data/####/722582569
- /data/data/####/816488224
- /data/data/####/847508031
- /data/data/####/878527838
- /data/data/####/909547645
- /data/data/####/FZLTXHK-GBK_YS.ttf
- /data/data/####/abd9e1acdd31
- /data/data/####/amazeui.min.css
- /data/data/####/amazeui.min.js
- /data/data/####/angular1.4.6.min.js
- /data/data/####/article.js
- /data/data/####/base.css
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/columnId.xml
- /data/data/####/com.iflytek.id.xml
- /data/data/####/com.iflytek.msc.xml
- /data/data/####/core_info
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/db_founder0-journal
- /data/data/####/debug.conf
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/file__0.localstorage-journal
- /data/data/####/fontawesome-webfont.ttf
- /data/data/####/gdaemon_20161017
- /data/data/####/great_button.png
- /data/data/####/great_cancel_button.png
- /data/data/####/gx_sp.xml
- /data/data/####/helpMsg.xml
- /data/data/####/icon-images.png
- /data/data/####/icon_audio_play.png
- /data/data/####/icon_file.png
- /data/data/####/icon_file_down.png
- /data/data/####/icon_meta_voice.png
- /data/data/####/icon_praise.png
- /data/data/####/icon_praiseStar.png
- /data/data/####/icon_selector_normal.png
- /data/data/####/icon_selector_press.png
- /data/data/####/icon_wbo.png
- /data/data/####/icon_wx.png
- /data/data/####/icon_wxcicle.png
- /data/data/####/ifly_launch_lib.xml
- /data/data/####/iflytek_state_com.founder.dezhouyun.xml
- /data/data/####/increment.db-journal
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/jquery.min2.2.0.js
- /data/data/####/js.combine.min.js
- /data/data/####/libjiagu.so
- /data/data/####/loading.png
- /data/data/####/mwsdk_analytics.db-journal
- /data/data/####/news_detail.html
- /data/data/####/persistent_data.xml
- /data/data/####/play.png
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/reader.db-journal
- /data/data/####/run.pid
- /data/data/####/sanjiaoxing.png
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tdata_SzD730
- /data/data/####/tdata_SzD730.jar
- /data/data/####/tdata_ZCi456
- /data/data/####/tdata_ZCi456.jar
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/video.png
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.nomedia
- /data/media/####/03c36602430844d4b83d05dff00612727cef7e6c66d4a4....0.tmp
- /data/media/####/05b165ca95d4ee81153921279571b3aa7de962d39642a8....0.tmp
- /data/media/####/06e20c157f428649d50ca38aa54afc8aeed6805c573d82....0.tmp
- /data/media/####/13a7a0efbea2133cde8d32ef4d9d8ebcadd7648bd5828a....0.tmp
- /data/media/####/1fec52f0eea5ef0032fb17a71e04bb860a1afcff3b886e....0.tmp
- /data/media/####/44a7228a4bc95c1321132d287d68cb1ff213bb0387f5cd....0.tmp
- /data/media/####/469222a2f14b25224415cc8e34eb6cd69272e7aa5dab18....0.tmp
- /data/media/####/654d8c1afb044db2fda058cd1b442a39c320300f5cc816....0.tmp
- /data/media/####/6803bc6c0c6afa6b36e0229a351ac02d1d0ab73d7b4bdb....0.tmp
- /data/media/####/6ae8fcb1d46989ad52ffa9d97db146eb1d7fcbf086195b....0.tmp
- /data/media/####/8d991bb98f7082795b460fb7f869c5388e38225bcd0771....0.tmp
- /data/media/####/923bedc5737f0f22b32fa56ba57844eef87b73506eb066....0.tmp
- /data/media/####/96b7b6e0b0db822d8ff10b3fa70137817da67fc04b52db....0.tmp
- /data/media/####/982bc412a4b129cc708a5a928fe9d07ea856a2b70752d2....0.tmp
- /data/media/####/98525587d64cad638aee9600b847c25ae5bfa1075f6100....0.tmp
- /data/media/####/99f5a8b311645523dd4ee84175f7280d404677b69e2b4b....0.tmp
- /data/media/####/9da8973b4755d8e40b5de9ae0e6b26706a6b5cac15b500....0.tmp
- /data/media/####/a455b1781a32624bac57a60069a4b9d9d0b098e3e2b373....0.tmp
- /data/media/####/a737948a81775ee4464ae40a3d2839e74166bbf7fde640....0.tmp
- /data/media/####/a88ca5199d7341258bd768fd66a42d7666317bccffd672....0.tmp
- /data/media/####/app.db
- /data/media/####/b5dca7fe479dbc569d347b614299026f4ab7acf9bb4b5c....0.tmp
- /data/media/####/c0a507d7b20fa8305baa5bf76937b97925eea5909a2d1d....0.tmp
- /data/media/####/c2d065205e0319e4f5ac51b04a46a3b58e69b40118118b....0.tmp
- /data/media/####/c639d52bfdf44b84d9b6e76b27353943defaa78789bf55....0.tmp
- /data/media/####/cdaf19c1d03fdcae41a71d6656543f4972d83658aa37dc....0.tmp
- /data/media/####/com.founder.dezhouyun.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/dae1aaafb78bfaf45c0157c5fb66ad1a1e23efb0250879....0.tmp
- /data/media/####/f57ea65215c1aa82f4770c89b96623de6f5d535e814148....0.tmp
- /data/media/####/f77e29c4a946894a9089224e690badddea2ab1837af2e0....0.tmp
- /data/media/####/ff993cd7fdc3d22bdbedc065e61da7895a40d82c7b1dc8....0.tmp
- /data/media/####/iflyworkdir_test
- /data/media/####/journal.tmp
- /data/media/####/localTemplate.zip
- /data/media/####/tdata_SzD730
- /data/media/####/tdata_ZCi456
- /data/media/####/test.log
Miscellaneous:
Executes the following shell scripts:
- <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 25169 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- getprop ro.product.cpu.abi
- mount
Loads the following dynamic libraries:
- getuiext2
- libjiagu
- msc
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS7Padding
- RSA-ECB-NoPadding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Gets information about running apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
