Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) rq####.sp####.mig.####.net:80
- TCP(HTTP/1.1) log####.ku####.cn:80
- TCP(HTTP/1.1) l####.cc:80
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) dai.shu####.cn:443
- TCP(TLS/1.0) s####.ml####.cc:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.0) 3d####.a####.shu####.cn:443
- TCP(TLS/1.0) 3d####.d####.shu####.cn:443
- TCP(TLS/1.0) dualsta####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) 2####.58.214.10:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) dcc.shu####.cn:443
- TCP(TLS/1.0) digital####.google####.com:443
- TCP(TLS/1.0) md####.google####.com:443
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.0) 1####.217.19.202:443
- TCP(TLS/1.0) daa.shu####.cn:443
- TCP(TLS/1.2) 1####.217.168.238:443
- TCP(TLS/1.2) 2####.58.214.10:443
- TCP(TLS/1.2) 1####.217.19.195:443
DNS requests:
- 3d####.a####.shu####.cn
- 3d####.d####.shu####.cn
- 60.162.95.####.arpa
- and####.b####.qq.com
- and####.cli####.go####.com
- android####.go####.com
- daa.shu####.cn
- dai.shu####.cn
- dcc.shu####.cn
- digital####.google####.com
- down####.shu####.cn
- down####.shu####.cn.####.8
- instant####.google####.com
- l####.cc
- log####.ku####.cn
- m####.go####.com
- md####.google####.com
- mo####.shu####.cn
- p####.google####.com
- plb####.u####.com
- res####.a####.com
- s####.ml####.cc
- tel####.shu####.cn
- u####.u####.com
- un####.shu####.cn
HTTP POST requests:
- l####.cc/i/sdk/install
- log####.ku####.cn/collect/event/v3
- rq####.sp####.mig.####.net/rqd/async?aid=####
File system changes:
Creates the following files:
- /data/data/####/.cl
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/1004
- /data/data/####/A3AEECD8.dex
- /data/data/####/A3AEECD8.dex.flock (deleted)
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/LKME_Server_Request_Queue.xml
- /data/data/####/Reader.xml
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/WLNOVEL_preference.xml
- /data/data/####/WLNOVEL_preference.xml.bak
- /data/data/####/alsn20170807.db
- /data/data/####/alsn20170807.db-journal
- /data/data/####/analyticsdata.xml
- /data/data/####/bugly_db_-journal
- /data/data/####/c0586a10777146560765a69231d89beb.xml
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/cn.weli.analytics.b.xml
- /data/data/####/cn.weli.novel-journal
- /data/data/####/cn.weli.novel_dna.xml
- /data/data/####/cn.weli.novel_prefs.xml
- /data/data/####/cn.weli.novel_prefs.xml.bak
- /data/data/####/cn.weli.novel_prefs.xml.bak (deleted)
- /data/data/####/crashrecord.xml
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTkyNTAwNzI4NzUz;
- /data/data/####/dW1weF9pbnRlcm5hbF8xNTkyNTAwNzM1Nzc1;
- /data/data/####/du.lock
- /data/data/####/e2aea0d4a4fb1b90ba01bdac2fc4a2c0.0
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/i==1.2.0&&1.7.0_1592500728804_envelope.log
- /data/data/####/i==1.2.0&&1.7.0_1592500735725_envelope.log
- /data/data/####/info.xml
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/k.store
- /data/data/####/libjiagu.so
- /data/data/####/linkedme_referral_shared_pref.xml
- /data/data/####/linkedme_referral_shared_pref.xml.bak
- /data/data/####/local_crash_lock
- /data/data/####/logdb.db
- /data/data/####/logdb.db-journal
- /data/data/####/native_record_lock
- /data/data/####/persistent_data.xml
- /data/data/####/persistent_data.xml.bak
- /data/data/####/pref.xml
- /data/data/####/proc_auxv
- /data/data/####/security_info
- /data/data/####/suishen_ad_pramas.xml
- /data/data/####/suishen_ad_pramas.xml.bak
- /data/data/####/t==8.1.6&&1.7.0_1592500730361_envelope.log
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak (deleted)
- /data/data/####/umeng_it.cache
- /data/data/####/update.xml
- /data/data/####/wlnovle.db-journal
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/.00000000000/A3AEECD8.dex --oat-fd=35 --oat-location=/data/user/0/<Package>/.11111111111/A3AEECD8.dex --compiler-filter=speed
- date
- getprop
- grep u0_a65
- id
- ip link
- ls /
- ls /sys/class/thermal
- mkdir -p <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/
- netstat -apn
- ping -c 3 -w 10 mobile.shuzilm.cn
- ping -c 3 -w 10 telecom.shuzilm.cn
- ping -c 3 -w 10 unicom.shuzilm.cn
- ps
- service call iphonesubinfo 1
- sh -c echo 0brezpSGcJ5Xr89hSkpnbPpf00XFLms6 > <SD-Card>/../../../../../..<SD-Card>/Android/ZHVzY2Lk
- sh -c echo N0d8I1Rjg3NEQyRDMyRTg0OTFGQzk5NDVGMUU4MEZBNTUwYnJlenBTR2NKNVhyODloU2twbmJQcGYwMFhGTG1zNg== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/.ZHVzY2Lk
- sh -c echo NUEzOTkxNUVFRkYyMkYzRTVGODhCMDBFMDE3OEI3MkVZMzAwVw== > <SD-Card>/../../../../../..<SD-Card>/.n_d
- sh -c echo NUEzOTkxNUVFRkYyMkYzRTVGODhCMDBFMDE3OEI3MkVZMzAwVw== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/n_d
- sh -c echo NkM3NjVBRkE3MTk5MUQ5NTVGNjc4QzZGMjg2NzgyNjExVE5P > <SD-Card>/../../../../../..<SD-Card>/.n_c
- sh -c echo NkM3NjVBRkE3MTk5MUQ5NTVGNjc4QzZGMjg2NzgyNjExVE5P > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/n_c
- sh -c echo QTQ1NDE4MDAxMEUyNjdDQUVEOEE0NjgzREMwRUIwQTEyMDE5MDgwMTAwMDE= > <SD-Card>/../../../../../..<SD-Card>/..ccvid
- sh -c echo QTQ1NDE4MDAxMEUyNjdDQUVEOEE0NjgzREMwRUIwQTEyMDE5MDgwMTAwMDE= > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/.ccvid
- sh -c echo QjU4NUVFQTBCMEQ3MkI1Mzg5QjM5ODQ1MzQ1NUNFMDMzQzdBQjU6ODg2Qzc4OjI3RERDMw== > <SD-Card>/../../../../../..<SD-Card>/._system.dat
- sh -c echo QjU4NUVFQTBCMEQ3MkI1Mzg5QjM5ODQ1MzQ1NUNFMDMzQzdBQjU6ODg2Qzc4OjI3RERDMw== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_system.dat
- sh -c echo QjcyOEVEM0JFODkyQzNGNEE1NjI0OTE0QTQ2QTVEMzgwS0JM > <SD-Card>/../../../../../..<SD-Card>/.n_b
- sh -c echo QjcyOEVEM0JFODkyQzNGNEE1NjI0OTE0QTQ2QTVEMzgwS0JM > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/n_b
- sh -c echo QzZCODhDMEU5QkVDRkZCMENFRjlDMEI3QzQ4M0MwMjdENTAyNDc6NjA5ODU4OjRFQzgwMg== > <SD-Card>/../../../../../..<SD-Card>/._android.dat
- sh -c echo QzZCODhDMEU5QkVDRkZCMENFRjlDMEI3QzQ4M0MwMjdENTAyNDc6NjA5ODU4OjRFQzgwMg== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_android.dat
- sh -c echo RDBCNTk5QjlGNDU2MkI4NTU3MUE3Qzk0NzRCMzE2NjN5QWdTdXM0c3pzQ1RqbWFmOThUc0Q1YWd1M25vRzBvdDNVdlhkT1RVM2pVa3d3L1UyakdqTGZtVFdIb0hzeFNBUGJKVG1GaS80bHBJZEk3aUdXc3hob0tkdnRScm5EbmM0SEFMOEhjNnA2VWJxUG1TamY4Y2xmWHAwak1vOVlNaHpBOUVkcU9mSkcyeEFOcVlnMWlDRXVFYmFvY3dIb0JPVk9wMWFaTStydlVzYk5ja0lnbnY4VmQycVpQbWVWVzE= > <SD-Card>/../../../../../..<SD-Card>/..ccdid
- sh -c echo RDBCNTk5QjlGNDU2MkI4NTU3MUE3Qzk0NzRCMzE2NjN5QWdTdXM0c3pzQ1RqbWFmOThUc0Q1YWd1M25vRzBvdDNVdlhkT1RVM2pVa3d3L1UyakdqTGZtVFdIb0hzeFNBUGJKVG1GaS80bHBJZEk3aUdXc3hob0tkdnRScm5EbmM0SEFMOEhjNnA2VWJxUG1TamY4Y2xmWHAwak1vOVlNaHpBOUVkcU9mSkcyeEFOcVlnMWlDRXVFYmFvY3dIb0JPVk9wMWFaTStydlVzYk5ja0lnbnY4VmQycVpQbWVWVzE= > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/.ccdid
- sh -c echo RUNFNUJDQ0JCNDZERjgzNDBBNzY2NTVCOTk4QTdBQjJSSUoxSzY= > <SD-Card>/../../../../../..<SD-Card>/.n_a
- sh -c echo RUNFNUJDQ0JCNDZERjgzNDBBNzY2NTVCOTk4QTdBQjJSSUoxSzY= > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/n_a
- sh -c ps | grep u0_a65
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-GCM-NoPadding
- DESede
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-GCM-NoPadding
- desede-CBC-NoPadding
Accesses the ITelephony private interface.
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about active device administrators.
Gets information about installed apps.
Displays its own windows over windows of other apps.