Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) wx.q####.cn:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) api.icaipia####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) p####.icaipia####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) idv####.qini####.com:80
- TCP(TLS/1.0) api.icaipia####.com:443
- TCP(TLS/1.0) ti####.c####.l####.####.com:443
- TCP(TLS/1.0) ada####.m.ta####.com:443
- TCP(TLS/1.0) u.zhug####.com:443
- TCP(TLS/1.0) sh.wagbr####.ta####.com:443
- TCP sdk.o####.t####.####.com:5224
- TCP c####.g####.ig####.com:5225
DNS requests:
- 7j####.c####.z0.####.com
- 7x####.c####.z0.####.com
- a####.man.aliy####.com
- a####.u####.com
- ada####.ut.ta####.com
- adas####.ut.ta####.com
- api.icaipia####.com
- c####.g####.ig####.com
- c-h####.g####.com
- odqcj####.bkt.clo####.com
- oozxj####.bkt.clo####.com
- op079####.bkt.clo####.com
- p####.icaipia####.com
- p.wangca####.com
- p.zhangko####.cn
- s0.icaipia####.com
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- u.zhug####.com
- wx.q####.cn
HTTP GET requests:
- api.icaipia####.com/api/v1/c/p?p=####
- api.icaipia####.com/api/v5/server/timestamp
- api.icaipia####.com/api/v6/lotterynums/list/shuangseqiu/-1
- idv####.qini####.com/FA816D9504AC4266BECDA547BEEC0F70.jpg?imageVi####
- idv####.qini####.com/hongqiududan.png?imageVi####
- idv####.qini####.com/hongqiusandan.png?imageVi####
- idv####.qini####.com/hongqiusha3.png?imageVi####
- idv####.qini####.com/hongqiusha6.png?imageVi####
- idv####.qini####.com/hongqiushuangdan.png?imageVi####
- idv####.qini####.com/lanqiuding3.png?imageVi####
- idv####.qini####.com/lanqiuding5.png?imageVi####
- idv####.qini####.com/lanqiusha5ma.png?imageVi####
- idv####.qini####.com/week.png
- t####.c####.q####.####.com/avatar/170624/fc6007d21309e5329c960d98421437b...
- t####.c####.q####.####.com/fu9.jpg?imageVi####
- t####.c####.q####.####.com/recommend/master/171023132946/376.jpg?imageVi...
- t####.c####.q####.####.com/recommend/master/171023132946/589.jpg?imageVi...
- t####.c####.q####.####.com/tdata_JNg986
- t####.c####.q####.####.com/tdata_MkX219
- t####.c####.q####.####.com/tdata_nxn539
- t####.c####.q####.####.com/tdata_zzW503
- t####.c####.q####.####.com/user/views20.jpg?imageVi####
- t####.c####.q####.####.com/user/views519.jpg?imageVi####
- t####.c####.q####.####.com/usericon_default.png?imageVi####
- ti####.c####.l####.####.com/20170129/5a869b9fd693b317c5b46b781e35bb21.jp...
- ti####.c####.l####.####.com/20190109/A478E6D651F1E8B6C943819C80283BF9.jp...
- ti####.c####.l####.####.com/20190221/A3630993F762AFA154D97F47DF4705D2.jp...
- ti####.c####.l####.####.com/avatar/181231/305ee7d2af6f3325b28013a63775bd...
- ti####.c####.l####.####.com/avatar/190114/de64406bc3e0b8e2c23b8f80971e85...
- ti####.c####.l####.####.com/avatar/190201/fa3eadc7421608e947772040d12f09...
- ti####.c####.l####.####.com/avatar/190220/09b5d287bb373297a253749a682786...
- ti####.c####.l####.####.com/avatar/190221/a6828594c5707f6a2aef1de5fd2cb1...
- ti####.c####.l####.####.com/avatar/190225/f96f75c05e0e7267264b1fb133a0ea...
- ti####.c####.l####.####.com/avatar/190227/da5b44ac185811638b437630f90930...
- ti####.c####.l####.####.com/avatar/190228/0926b21cfe83556ae5693d5c866c61...
- ti####.c####.l####.####.com/chengji68.jpg?imageVi####
- ti####.c####.l####.####.com/config/hz-hzv3.conf
- ti####.c####.l####.####.com/usericon_default.jpg?imageVi####
- wx.q####.cn/mmopen/XAic7xzDWLIFdRiaicmQk1LZJYCWemsjHMDrMdJvZ9D1dBH8SSc2h...
HTTP POST requests:
- a####.u####.com/app_logs
- api.icaipia####.com/api/v5/server/activate
- c-h####.g####.com/api.php?format=####&t=####
- p####.icaipia####.com/push/v1/online
- sdk.o####.p####.####.com/api.php?format=####&t=####
File system changes:
Creates the following files:
- /data/data/####/-1163121005650934794
- /data/data/####/-11788933491545824674
- /data/data/####/-1234185188-1324679244
- /data/data/####/-1255261132-749543626
- /data/data/####/-14932529442085446822
- /data/data/####/-149325294475075523
- /data/data/####/-1748768375876593193
- /data/data/####/-1748768820-1306384069
- /data/data/####/-1789398712-1582959583
- /data/data/####/-179068707780875142
- /data/data/####/-179068707780875142 (deleted)
- /data/data/####/-1827242012-679838644
- /data/data/####/-19096045061170456815
- /data/data/####/-1996074536-1054192401
- /data/data/####/-1996074536-1143965102
- /data/data/####/-365225614-939825238
- /data/data/####/-5572054021776360141
- /data/data/####/-570228506934770950
- /data/data/####/-719432389838425267
- /data/data/####/-738392485-480254817
- /data/data/####/-818456764-127771439
- /data/data/####/-8745641591123412855
- /data/data/####/-9161834431908097335
- /data/data/####/-946725179-1922929943
- /data/data/####/-9467251791465399785
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/00bae3f549604326053fd0e6184c8d43abd240439ecf611....0.tmp
- /data/data/####/013e1e8a1eabfe399a754e2466c857dc3a8ff0ba0ad9da8....0.tmp
- /data/data/####/0de09b776490b71e4678d9e4f4e573069a967bc8ceaa33b....0.tmp
- /data/data/####/110287571-31143495
- /data/data/####/1149057739-500392752
- /data/data/####/1149057739871414546
- /data/data/####/1187710116-978887029
- /data/data/####/1193811515-1732750922
- /data/data/####/1261066022-2121649853
- /data/data/####/12616309581873189709
- /data/data/####/137506132-1857851435
- /data/data/####/137506132839374769
- /data/data/####/15823922321483301102
- /data/data/####/1971478726-1326267591
- /data/data/####/1bb69f896ebe4bcf12214bee203cbd3e8e9672799d24581....0.tmp
- /data/data/####/1cdf836877205af96e9efb632c4393be4d047e356deb88a....0.tmp
- /data/data/####/2108512515623526630
- /data/data/####/21090119561046727059
- /data/data/####/2111876672710598081
- /data/data/####/2567439931927667514
- /data/data/####/2666f2a34f9c65ab1dfe93894620f0fd285a069bf75f863....0.tmp
- /data/data/####/28d2e11df3b79faac589f9984ca61ea6568eaba60ce0ac9....0.tmp
- /data/data/####/2c34206cae5c06dd3e915f6266534d6c1f58af47d4cd873....0.tmp
- /data/data/####/2d3275abcea5767104d98f915575a127d301f490ca743b7....0.tmp
- /data/data/####/3243b1fd0dc54a74f4b78c93a31de435b8ea8b174bce163....0.tmp
- /data/data/####/3328a56ce7936cd85924a592adf60b6ee679c3555a8ad70....0.tmp
- /data/data/####/3389219052078653508
- /data/data/####/345610831-872360466
- /data/data/####/357ad18533139052892d41b2cd9a83db6047ff1785048d3....0.tmp
- /data/data/####/3e5539a944bc0824ca572bf75b8d75e78c6c0c8d8669ec4....0.tmp
- /data/data/####/412ac5ae113379f7967b390af458fdaef0eb0da61dd9b48....0.tmp
- /data/data/####/472f17bb33464b068e7d1995e087b993e1edda601eb3dba....0.tmp
- /data/data/####/479b6433a8eaf5c9c21f8efb5d418e2f96017397ff53742....0.tmp
- /data/data/####/47a419f5b4a5f0205691256769ff616c4a382cd2468ed6c....0.tmp
- /data/data/####/5045b542eb96b2b1001ebb1b0fd09d1e0917ac1f91a9fe1....0.tmp
- /data/data/####/50d357250f637b55bc2c2866d70649e8918de39246d4d05....0.tmp
- /data/data/####/6bf637b2e4ab0755714542d43e6790d80760b1650a1e1bd....0.tmp
- /data/data/####/70186b02d8e1ad39d84192c52d64b27778b592851a0aa58....0.tmp
- /data/data/####/7571afc2570e17c59ccc74e18328dee4741f3c3876d8e35....0.tmp
- /data/data/####/8189759841908097335
- /data/data/####/846455311-1106656140
- /data/data/####/939469246623526630
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/UTCommon.xml
- /data/data/####/__cfg_lk_1312
- /data/data/####/a90c11dcef1af89fa3e5fcdee795a1c54b0ca29ff7aca03....0.tmp
- /data/data/####/ac32a18c9a4db6c5a371bcf219696ef7d4dac70ce4a9fe6....0.tmp
- /data/data/####/ap.Lock
- /data/data/####/b5e847c143781a1dbcc80c3263d08309b2779d83c3cfa27....0.tmp
- /data/data/####/c575b4c712f2fbcd659db3916451dba25031f82f01fdff1....0.tmp
- /data/data/####/cache.xml
- /data/data/####/cache_int.xml
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cd43e00c527c8c5adc57cc09cc51e45c8f1b4af3450cd8c....0.tmp
- /data/data/####/cf113d592e3c88fb49c99e94c6c5ad405a9ed6a74eb38f4....0.tmp
- /data/data/####/com.mango.kaijiang_preferences.xml
- /data/data/####/com.mango.kaijiangb0347782b15e4c6b9e1ddfd01ef71edc.xml
- /data/data/####/db_recentpreview.db
- /data/data/####/db_recentpreview.db-journal
- /data/data/####/df3cfceb6c4c99a629e5f4a31106ec2e7e180632236ef8b....0.tmp
- /data/data/####/efd9ad6b86906267301e0e217dffc2bb181f8f31c1fe47e....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f126bf7f048d5c072a64b4ae5a33a917ac067111ccab1e0....0.tmp
- /data/data/####/f7b77ec5402e1e240d303bd5ca6993716c525ef2a6fc697....0.tmp
- /data/data/####/fb216e7f998d6d45c72841577ff55d6bd77cb35a810d113....0.tmp
- /data/data/####/fb651fc5a6cf176fd7fd4eac6d2a5fd858761d0b720da87....0.tmp
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/gkt-journal
- /data/data/####/gx_sp.xml
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/jg_so_upgrade_setting.xml
- /data/data/####/journal.tmp
- /data/data/####/libjiagu.so
- /data/data/####/multidex.version.xml
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushk.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/tdata_JNg986
- /data/data/####/tdata_JNg986.jar
- /data/data/####/tdata_MkX219
- /data/data/####/tdata_MkX219.jar
- /data/data/####/tdata_nxn539
- /data/data/####/tdata_nxn539.jar
- /data/data/####/tdata_zzW503
- /data/data/####/tdata_zzW503.jar
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/ut.db
- /data/data/####/ut.db-journal
- /data/data/####/webview.db-journal
- /data/data/####/zhuge
- /data/data/####/zhuge-journal
- /data/media/####/5w6a5bk3eykck8r02cds4v6tt
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/app.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.mango.kaijiang.bin
- /data/media/####/com.mango.kaijiang.db
- /data/media/####/gkt-journal
- /data/media/####/gktper
- /data/media/####/tdata_JNg986
- /data/media/####/tdata_MkX219
- /data/media/####/tdata_nxn539
- /data/media/####/tdata_zzW503
- /data/media/####/test.log
Miscellaneous:
Executes the following shell scripts:
- <Package Folder>/files/gdaemon_20161017 0 <Package>/com.mango.push.processor.CustomerPushService 24771 300 0
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/com.mango.push.processor.CustomerPushService 24771 300 0
Loads the following dynamic libraries:
- getuiext2
- libjiagu
- ut_c_api
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- DES
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Gets information about running apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.