Adware.Gexin.20448

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) c-h####.g####.com:80
TCP(HTTP/1.1) sdk-ope####.g####.com:80
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) d####.opensp####.cn:80
TCP(HTTP/1.1) img.newairc####.com:80
TCP(HTTP/1.1) tinychi####.q####.com.####.com:80
TCP(HTTP/1.1) c.appj####.com:80
TCP(HTTP/1.1) cdn-sdk####.g####.com.####.com:80
TCP(HTTP/1.1) h####.opensp####.cn:80
TCP(HTTP/1.1) oss.newairc####.com:80
TCP(HTTP/1.1) sdk.o####.p####.####.com:80
TCP(HTTP/1.1) h5.newairc####.com:80
TCP(TLS/1.0) s####.ml####.cc:443
TCP(TLS/1.0) oss.newairc####.com:443
TCP sdk.o####.t####.####.com:5224
TCP cm-1####.g####.com:5227

DNS requests:

a####.u####.com
c-h####.g####.com
c.appj####.com
cdn-sdk####.g####.com
cm-1####.g####.com
d####.opensp####.cn
h####.opensp####.cn
h5.newairc####.com
img.newairc####.com
mt####.go####.com
oss.newairc####.com
s####.ml####.cc
sdk-ope####.g####.com
sdk.c####.g####.com
sdk.o####.p####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.net

HTTP GET requests:

cdn-sdk####.g####.com.####.com/tdata_CoH340
cdn-sdk####.g####.com.####.com/tdata_EDB102
cdn-sdk####.g####.com.####.com/tdata_ViN250
cdn-sdk####.g####.com.####.com/tdata_pKX830
h####.opensp####.cn/launchconfig?t=####&p=####
h5.newairc####.com/api/getArticles?sid=####&cid=####&lastFileID=####&row...
h5.newairc####.com/api/getColumns?sid=####&cid=####
h5.newairc####.com/api/getConfig?sid=####
img.newairc####.com/zggsb/pic/201705/26/1e79a285-3b60-4b23-9658-8869584a...
img.newairc####.com/zggsb/pic/201705/26/bf611727-f451-4583-bf15-36fba993...
img.newairc####.com/zggsb/pic/201705/26/ce89e1a3-05d7-4f92-b799-b4d2557f...
img.newairc####.com/zggsb/pic/201707/03/2b15e7af-6f1c-424b-9b39-f147ca61...
img.newairc####.com/zggsb/pic/201707/03/47398f1e-46dd-4246-bc3f-91c9c49c...
img.newairc####.com/zggsb/pic/201707/03/65ab6754-9172-4b4f-a86e-49727f5e...
img.newairc####.com/zggsb/pic/201707/03/b4ff7b15-42ca-4a50-b605-9cb61291...
img.newairc####.com/zggsb/pic/201707/12/1d9fa8cd-ee2f-4db2-b8e1-e1388508...
oss.newairc####.com/xy/att/201703/02/e8ca40f9-ae8c-4ec9-8ec0-d8a97e32243...
sdk.o####.p####.####.com/api/addr.htm
tinychi####.q####.com.####.com/config/hzv9.conf

HTTP POST requests:

a####.u####.com/app_logs
c-h####.g####.com/api.php?format=####&t=####
c.appj####.com/ad/splash/stats.html
d####.opensp####.cn/index.php/clientrequest/clientcollect/isCollect
sdk-ope####.g####.com/api.php?format=####&t=####&d=####&k=####
sdk.o####.p####.####.com/api.php?format=####&t=####

File system changes:

Creates the following files:

/data/data/####/-1312716470
/data/data/####/-1383877795
/data/data/####/-1383877797
/data/data/####/.imprint
/data/data/####/.jg.ic
/data/data/####/0744e9cd931ec74f63719f868114d70e024d9550415f201....0.tmp
/data/data/####/0950f4bd2ed588bf5df10ef91dc8b6d0f0324c55438cf78....0.tmp
/data/data/####/1389023919
/data/data/####/1695857311
/data/data/####/1935623587
/data/data/####/1997663201
/data/data/####/2014299341
/data/data/####/2014299342
/data/data/####/24f5b750341b
/data/data/####/26c35867ac238f1ae8c61c4f13cb6b03e28a7706cf34a6d....0.tmp
/data/data/####/2d7513058d456d02c799e55b02bb746694d88463048d212....0.tmp
/data/data/####/2dfd03507953d7fd665283ee9ff1d9c46dedaac396f98a4....0.tmp
/data/data/####/2e5d6a11a0e8148fc22c80532c66bb5526820421b85fbd9....0.tmp
/data/data/####/2f203b7b50c3979a9fb5ba06f9ba32ff1dbdfca1731a4dd....0.tmp
/data/data/####/34ce57395bada37a26f0f726a357593e17fcae0755373cf....0.tmp
/data/data/####/386967948
/data/data/####/3d10a272e31731c4202cd20dc9f634d46297cd5acecf8b5....0.tmp
/data/data/####/3fb6852442ce3d67d02187a0f466c806d5249dfc100d57f....0.tmp
/data/data/####/47ee198d3f6db23d25f38c9086fc7c6a505ba98e4394150....0.tmp
/data/data/####/47ee198d3f6db23d25f38c9086fc7c6a505ba98e4394150...0681.0
/data/data/####/492237603
/data/data/####/506614e90a2cb04d0e65c6e42417b48af023d689492bc3e....0.tmp
/data/data/####/5cc8fa899bfffb45c2a8b127d6721cd5487f98d7eb47d94....0.tmp
/data/data/####/633da523747cde669fa431c0c92feb878e26263e8c21838....0.tmp
/data/data/####/71bb76b76f0f9ccebd63b19010806fefc12433eb608ee40....0.tmp
/data/data/####/722645130
/data/data/####/781926f364cae29d7bc5e0c8a3cb0df639854a2397883ad....0.tmp
/data/data/####/8e008f4d8045b825c5408244b21841a9844a330a3eb7608....0.tmp
/data/data/####/8e0e62fe2c2355a0c80e3411302a1960147cd948cba0382....0.tmp
/data/data/####/9768b1e53e5def4b9d4c5022c9f20818c52bda00cb6d581....0.tmp
/data/data/####/9acebe51003030d3eacad7be956c060dee1fd61d0fd63a7....0.tmp
/data/data/####/9cfeb1f768fbf11380d81f3703b459102d1651855891b7b....0.tmp
/data/data/####/FZLTXHK-GBK_YS.ttf
/data/data/####/a48f4a9e8716d2548b05e5f150d75fed1aec89341bd0234....0.tmp
/data/data/####/a4cf7c98ea42e3bd13088d51b38c7b65031ae78dff50d25....0.tmp
/data/data/####/ac7bc8858511caa7a17909ce61ef4145f83b5fe8b5dcd72....0.tmp
/data/data/####/ad_show_time.xml
/data/data/####/amazeui.min.css
/data/data/####/amazeui.min.js
/data/data/####/angular1.4.6.min.js
/data/data/####/base.css
/data/data/####/bba68be75c142f7b6aa9c9624dc5b239d211d9531299d1c....0.tmp
/data/data/####/bbfbf8ff9c0589ff9157517b9402ff8bcdb36d54a58d911....0.tmp
/data/data/####/c834fed92dad8b7784811424da85747aaadfae4b2f0dd4c....0.tmp
/data/data/####/cc.db
/data/data/####/cc.db-journal
/data/data/####/columnId.xml
/data/data/####/com.iflytek.id.xml
/data/data/####/com.iflytek.msc.xml
/data/data/####/core_info
/data/data/####/d91231651e57dd557f5ef95cb2e8177b6194cd0ac9cc2cb....0.tmp
/data/data/####/db_founder0-journal
/data/data/####/ddb9a379e0dc7f5d917b345925926a5e4fa6d64fcb96efa....0.tmp
/data/data/####/ddcd6eb1eed954e815ab33c93a397ecf4faac9cacd58de4....0.tmp
/data/data/####/e8c9e664b901bf55bfa8e9d1e25e37a13136a8232cfeb2a....0.tmp
/data/data/####/ea5a6183f2109a3e07be01aabbcf85349888cc746719e45....0.tmp
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/fontawesome-webfont.ttf
/data/data/####/gdaemon_20161017
/data/data/####/getui_sp.xml
/data/data/####/great_button.png
/data/data/####/great_cancel_button.png
/data/data/####/gx_sp.xml
/data/data/####/helpMsg.xml
/data/data/####/icon-images.png
/data/data/####/icon_audio_play.png
/data/data/####/icon_file.png
/data/data/####/icon_file_down.png
/data/data/####/icon_meta_voice.png
/data/data/####/icon_selector_normal.png
/data/data/####/icon_selector_press.png
/data/data/####/ifly_launch_lib.xml
/data/data/####/iflytek_state_com.founder.zggsb.xml
/data/data/####/init.pid
/data/data/####/init_c1.pid
/data/data/####/jg_app_update_settings_random.xml
/data/data/####/journal.tmp
/data/data/####/jquery.min2.2.0.js
/data/data/####/js.combine.min.js
/data/data/####/libjiagu.so
/data/data/####/loading.png
/data/data/####/multidex.version.xml
/data/data/####/mwsdk_analytics.db-journal
/data/data/####/news_detail.html
/data/data/####/persistent_data.xml
/data/data/####/play.png
/data/data/####/push.pid
/data/data/####/pushext.db-journal
/data/data/####/pushg.db-journal
/data/data/####/pushk.db-journal
/data/data/####/pushsdk.db-journal
/data/data/####/reader.db-journal
/data/data/####/run.pid
/data/data/####/sanjiaoxing.png
/data/data/####/tbs_download_config.xml
/data/data/####/tbscoreinstall.txt
/data/data/####/tbslock.txt
/data/data/####/tdata_CoH340
/data/data/####/tdata_CoH340.jar
/data/data/####/tdata_ViN250
/data/data/####/tdata_ViN250.jar
/data/data/####/tdata_pKX830
/data/data/####/tdata_pKX830.jar
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/video.png
/data/media/####/.nomedia
/data/media/####/app.db
/data/media/####/com.founder.zggsb.bin
/data/media/####/com.founder.zggsb.db
/data/media/####/com.getui.sdk.deviceId.db
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/iflyworkdir_test
/data/media/####/journal.tmp
/data/media/####/localTemplate.zip
/data/media/####/tdata_CoH340
/data/media/####/tdata_ViN250
/data/media/####/tdata_pKX830
/data/media/####/test.log

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /proc/cpuinfo
<Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.push.GeTuiPushService 24707 300 0
cat /sys/class/net/wlan0/address
chmod 700 <Package Folder>/files/gdaemon_20161017
chmod 755 <Package Folder>/.jiagu/libjiagu.so
getprop ro.product.cpu.abi
mount
sh
sh <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.push.GeTuiPushService 24707 300 0

Loads the following dynamic libraries:

getuiext2
libjiagu
msc

Uses the following algorithms to encrypt data:

AES-CBC-PKCS7Padding
AES-CFB-NoPadding
RSA
RSA-NONE-OAEPWithSHA1AndMGF1Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS7Padding
AES-ECB-PKCS5Padding

Accesses the ITelephony private interface.

Uses special library to hide executable bytecode.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Gets information about running apps.

Adds tasks to the system scheduler.

Displays its own windows over windows of other apps.

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical information

Curing recommendations

Free trial