Adware.Gexin.6999

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Accesses the ITelephony private interface.

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(TLS/1.0) av1.x####.com:443
TCP(TLS/1.0) and####.cli####.go####.com:443

DNS requests:

7f5e492####.bug####.com
and####.cli####.go####.com
av1.x####.com
i.t####.com

File system changes:

Creates the following files:

/data/data/####/1545645185292_2296
/data/data/####/1545645185329_2296
/data/data/####/1545645185372_2296
/data/data/####/1545645186115_2347
/data/data/####/1545645186162_2347
/data/data/####/1545645186982_2397
/data/data/####/1545645187062_2397
/data/data/####/1545645188608_2457
/data/data/####/1545645188708_2457
/data/data/####/1545645189548_2509
/data/data/####/1545645189615_2509
/data/data/####/1545645190458_2560
/data/data/####/1545645194186_2621
/data/data/####/1545645195144_2670
/data/data/####/1545645196042_2719
/data/data/####/1545645198234_2778
/data/data/####/1545645199154_2827
/data/data/####/1545645200075_2876
/data/data/####/1545645202466_2937
/data/data/####/1545645203420_2986
/data/data/####/1545645204386_3035
/data/data/####/1545645207229_3094
/data/data/####/1545645210861_3141
/data/data/####/1545645212322_3190
/data/data/####/1545645216541_3249
/data/data/####/1545645217437_3298
/data/data/####/1545645218383_3347
/data/data/####/1545645222136_3406
/data/data/####/1545645223080_3455
/data/data/####/1545645224181_3504
/data/data/####/1545645226379_3563
/data/data/####/1545645227386_3612
/data/data/####/1545645228324_3660
/data/data/####/1545645231836_3721
/data/data/####/1545645232862_3770
/data/data/####/1545645233887_3819
/data/data/####/1545645236113_3878
/data/data/####/1545645237097_3927
/data/data/####/1545645238149_3975
/data/data/####/1545645239842_4034
/data/data/####/1545645240846_4082
/data/data/####/1545645241907_4131
/data/data/####/1545645243785_4188
/data/data/####/1545645244810_4235
/data/data/####/1545645245742_4282
/data/data/####/MultiDex.lock
/data/data/####/TD_app_pefercen_profile.xml
/data/data/####/TDpref_longtime.xml
/data/data/####/TDpref_longtime0.xml
/data/data/####/journal.tmp
/data/data/####/libjiagu-917064677.so
/data/data/####/multidex.version.xml
/data/data/####/tdid.xml
/data/media/####/.nomedia
/data/media/####/.tcookieid
/drw/cmds/10043.3190.cf81b390-572f-389f-9107-037c4a2047f5.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.0c25b1aa-87...9.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.0c25b1aa-87...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.40520bc1-9f...4.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.40520bc1-9f...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.436af643-04...a.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.436af643-04...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.44acbb22-fd...a.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.44acbb22-fd...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.5ce12e9f-d1...6.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.5ce12e9f-d1...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.7eec8e37-a8...9.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.7eec8e37-a8...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.9fa5dadb-3e...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.9fa5dadb-3e...f.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.a24393f7-3c...4.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.a24393f7-3c...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.ad42746f-5c...3.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.ad42746f-5c...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.afe5b71d-81...5.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.afe5b71d-81...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.b21d3d57-39...c.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.b21d3d57-39...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.bba323c5-c1...6.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.bba323c5-c1...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.c9f257da-68...0.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.c9f257da-68...ck.txt
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.dc4caacb-57...4.dump
/drw/crypto/10043.3190.decrypt.DES-CBC-PKCS5Padding.dc4caacb-57...ck.txt

Miscellaneous:

Executes the following shell scripts:

getprop
logcat -v time -t 500 2296
logcat -v time -t 500 2347
logcat -v time -t 500 2397
logcat -v time -t 500 2457
logcat -v time -t 500 2509
logcat -v time -t 500 2560
logcat -v time -t 500 2621
logcat -v time -t 500 2670
logcat -v time -t 500 2719
logcat -v time -t 500 2778
logcat -v time -t 500 2827
logcat -v time -t 500 2876
logcat -v time -t 500 2937
logcat -v time -t 500 2986
logcat -v time -t 500 3035
logcat -v time -t 500 3094
logcat -v time -t 500 3141
logcat -v time -t 500 3190
logcat -v time -t 500 3249
logcat -v time -t 500 3298
logcat -v time -t 500 3347
logcat -v time -t 500 3406
logcat -v time -t 500 3455
logcat -v time -t 500 3504
logcat -v time -t 500 3563
logcat -v time -t 500 3612
logcat -v time -t 500 3660
logcat -v time -t 500 3721
logcat -v time -t 500 3770
logcat -v time -t 500 3819
logcat -v time -t 500 3878
logcat -v time -t 500 3927
logcat -v time -t 500 3975
logcat -v time -t 500 4034
logcat -v time -t 500 4082
logcat -v time -t 500 4131
logcat -v time -t 500 4188
logcat -v time -t 500 4235
logcat -v time -t 500 4282

Loads the following dynamic libraries:

Bugtags
LanSongffmpeg
libjiagu-917064677

Uses the following algorithms to encrypt data:

DES-CBC-PKCS5Padding

Uses the following algorithms to decrypt data:

DES-CBC-PKCS5Padding

Uses special library to hide executable bytecode.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial