Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) cai####.163.com:80
- TCP(HTTP/1.1) m####.58.com:80
- TCP(HTTP/1.1) n####.v####.qq.####.net:80
- TCP(HTTP/1.1) aserver####.m.ta####.com:80
- TCP(HTTP/1.1) a####.jd.com:80
- TCP(HTTP/1.1) st####.fin####.s####.####.cn:80
- TCP(HTTP/1.1) sso.l####.com:80
- TCP(HTTP/1.1) s.u####.360.cn:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) s.m####.so.com:80
- TCP(HTTP/1.1) 1####.232.126.37:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) tr####.ti####.cn:80
- TCP(HTTP/1.1) wap.s####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) c####.me####.com:80
- TCP(HTTP/1.1) a####.b####.com:80
- TCP(HTTP/1.1) c####.c####.net:80
- TCP(HTTP/1.1) e.s####.com:80
- TCP(HTTP/1.1) we####.wisecha####.com:80
- TCP(HTTP/1.1) sni.c####.q####.####.net:80
- TCP(HTTP/1.1) 1####.11.53.98:80
- TCP(HTTP/1.1) 360f####.me####.com:80
- TCP(HTTP/1.1) w1.im.b####.####.cn:80
- TCP(HTTP/1.1) www.p####.com:80
- TCP(HTTP/1.1) www.h####.net:80
- TCP(HTTP/1.1) tin####.t####.b####.com:80
- TCP(HTTP/1.1) gs.a.s####.com:80
- TCP(TLS/1.0) l####.s####.com.cn:443
- TCP(TLS/1.0) cm.fas####.net:443
- TCP(TLS/1.0) w####.jd.com:443
- TCP(TLS/1.0) 3m.me####.com:443
- TCP(TLS/1.0) n####.v####.qq.####.net:443
- TCP(TLS/1.0) cm.pos.b####.com:443
- TCP(TLS/1.0) c.o####.163.com:443
- TCP(TLS/1.0) cc.xtg####.com:443
- TCP(TLS/1.0) ald.ta####.com:443
- TCP(TLS/1.0) j####.jd.com:443
- TCP(TLS/1.0) m####.dmp.360.cn:443
- TCP(TLS/1.0) a####.wagbr####.t####.####.com:443
- TCP(TLS/1.0) cm.g.doublec####.net:443
- TCP(TLS/1.0) agent-p####.xu####.com:443
- TCP(TLS/1.0) api.map.b####.com:443
- TCP(TLS/1.0) pass####.i####.com:443
- TCP(TLS/1.0) s####.wagbr####.ta####.com:443
- TCP(TLS/1.0) tag.b####.com:443
- TCP(TLS/1.0) cdn.boo####.com.####.com:443
- TCP(TLS/1.0) cm.vam####.com:443
- TCP(TLS/1.0) aserver####.m.ta####.com:443
- TCP(TLS/1.0) c####.c####.net:443
- TCP c####.g####.ig####.com:5225
- TCP sdk.o####.t####.####.com:5224
DNS requests:
- 360f####.me####.com
- 3m.me####.com
- 7j####.c####.z0.####.com
- a####.b####.com
- a####.jd.com
- agent-p####.xu####.com
- ald.ta####.com
- api.map.b####.com
- c####.c####.net
- c####.g####.ig####.com
- c####.me####.com
- c-h####.g####.com
- c.o####.163.com
- cai####.163.com
- cc.xtg####.com
- cdn.boo####.com
- cm.fas####.net
- cm.g.doublec####.net
- cm.miao####.atm.####.com
- cm.pos.b####.com
- cm.qt####.com
- cm.vam####.com
- cms.t####.com
- con####.b####.s####.####.cn
- e.s####.com
- hm.b####.com
- j####.jd.com
- l####.s####.com.cn
- m####.58.com
- m####.dmp.360.cn
- mt####.go####.com
- my.tv.s####.com
- n####.v####.qq.com
- pass####.58.com
- pass####.i####.com
- pay.y####.com
- pub-####.qin####.com
- s####.fin####.s####.####.cn
- s.m####.so.com
- s.ta####.com
- s.u####.360.cn
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- sso.l####.com
- tag.b####.com
- tin####.t####.b####.com
- tr####.ti####.cn
- vip.y####.com
- w1.im.b####.####.cn
- wap.s####.com
- we####.wisecha####.com
- wq####.jd.com
- www.h####.net
- www.p####.com
HTTP GET requests:
- 360f####.me####.com/85025.js
- 360f####.me####.com/mv.html
- 360f####.me####.com/s.gif?lts=####&et=####&ck=####&adb=####&cl=####&ds=#...
- 360f####.me####.com/s.gif?lts=####&et=####&eid=####&ep=####&vid==lf####&...
- 360f####.me####.com/s.gif?lts=####&et=####&ep=####&url=####&si=####&su=#...
- 360f####.me####.com/s.gif?lts=####&et=####&si=####&ldt=####&vis=####&prv...
- a####.b####.com/libs/jquery/2.1.1/jquery.js
- a####.jd.com/index_new?app=####&action=####&callback=####&_=####
- aserver####.m.ta####.com/?c=####&a=####&callback=####&_=####
- aserver####.m.ta####.com/ajax/vip_preorder?&productid=####&amount=####&a...
- c####.c####.net/cart/mini_cart_ajax?is_ajax=####&callback=####&_=####
- c####.me####.com/b?type=####
- cai####.163.com/my/topCoupon.html?clientproto=####&callback=####&_=####
- e.s####.com/search/c.js?u=####&_=####
- gs.a.s####.com/user/connect/index_update.do?callback=####&_=####
- gs.a.s####.com/user/private/api/router.do?passport=####&token=####&ch=##...
- gs.a.s####.com/user/profile/basic_update.do?callback=####&_=####
- hm.b####.com/h.js?9bb92d0####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&ep=####&et=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=843&ep=1386,1386&e...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=843&ep=8215,8215&e...
- hm.b####.com/hm.gif?cc=0&ck=1&cl=16-bit&ds=600x800&vl=843&ep={"netAll":0...
- m####.58.com/webpart/userbasicinfo?r=####&vipcallback=####&callback=####...
- n####.v####.qq.####.net/x/api/quick_open?vid=####&callback=####&_=####
- n####.v####.qq.####.net/x/vip/api/common/?_m=####&callback=####&_=####
- s.m####.so.com/u/intfInfo?_=####&callback=####
- s.u####.360.cn/85025.js
- s.u####.360.cn/s.gif?lts=####&et=####&ck=####&adb=####&cl=####&ds=####&l...
- s.u####.360.cn/s.gif?lts=####&et=####&si=####&ldt=####&vis=####&prv=####...
- sni.c####.q####.####.net/config/hz-hzv3.conf
- sni.c####.q####.####.net/tdata_Soq141
- sni.c####.q####.####.net/tdata_vxj811
- sso.l####.com/open/checklogin?jsonp=leshi1&callback=so.letv.com/open/che...
- st####.fin####.s####.####.cn/portfolio/api/jsonp.php/readMystocks/Portfo...
- t####.c####.q####.####.com/tdata_EDT356
- tin####.t####.b####.com/v1/restserver/ting?method=####×tamp=####&pa...
- tr####.ti####.cn/interface/trip/planTos?destId=####&pageNo=####&pageSize...
- w1.im.b####.####.cn/subscribe?callback=####&_=####
- wap.s####.com/passport?op=####&_=####&callback=####
- we####.wisecha####.com/api/v3610/service-provision?type=####
- www.h####.net/
- www.h####.net/Casesview.asp?P_ID=####
- www.h####.net/Jscript/qq.js
- www.h####.net/Newsview.asp?newsId=####&classid=####
- www.h####.net/about.asp
- www.h####.net/bg.gif
- www.h####.net/css/default.css
- www.h####.net/images/a.png
- www.h####.net/images/ab.gif
- www.h####.net/images/ab1.gif
- www.h####.net/images/ab2.gif
- www.h####.net/images/about.jpg
- www.h####.net/images/arr2.gif
- www.h####.net/images/b1.gif
- www.h####.net/images/b2.gif
- www.h####.net/images/b3.gif
- www.h####.net/images/bg1.jpg
- www.h####.net/images/bg2.jpg
- www.h####.net/images/bg4.jpg
- www.h####.net/images/bg8.gif
- www.h####.net/images/bottom_split.gif
- www.h####.net/images/bs.gif
- www.h####.net/images/bt1.gif
- www.h####.net/images/bt1.jpg
- www.h####.net/images/bt2.jpg
- www.h####.net/images/bt21.jpg
- www.h####.net/images/bt3.jpg
- www.h####.net/images/bt5.jpg
- www.h####.net/images/case1.gif
- www.h####.net/images/case2.gif
- www.h####.net/images/cases.jpg
- www.h####.net/images/cbt1.gif
- www.h####.net/images/cp1.gif
- www.h####.net/images/cp2.gif
- www.h####.net/images/ct1.gif
- www.h####.net/images/ct2.gif
- www.h####.net/images/down1.gif
- www.h####.net/images/down2.gif
- www.h####.net/images/foot1.gif
- www.h####.net/images/foot2.gif
- www.h####.net/images/gg.jpg
- www.h####.net/images/home1.gif
- www.h####.net/images/home2.gif
- www.h####.net/images/left_bt1.gif
- www.h####.net/images/line.gif
- www.h####.net/images/logo.gif
- www.h####.net/images/menu3.gif
- www.h####.net/images/more1.gif
- www.h####.net/images/nbt1.gif
- www.h####.net/images/net.jpg
- www.h####.net/images/news.jpg
- www.h####.net/images/news1.gif
- www.h####.net/images/news2.gif
- www.h####.net/images/online_arrow.jpg
- www.h####.net/images/online_botbg.jpg
- www.h####.net/images/public.css
- www.h####.net/images/qq.png
- www.h####.net/images/shipin.jpg
- www.h####.net/images/tel.gif
- www.h####.net/images/web/bg.jpg
- www.h####.net/images/web/bg8.gif
- www.h####.net/images/xbt1.gif
- www.h####.net/images/yx1.gif
- www.h####.net/images/yx2.gif
- www.h####.net/index.asp
- www.h####.net/net.asp
- www.h####.net/s.png
- www.h####.net/scripts/AC_RunActiveContent.js
- www.h####.net/scroll.asp
- www.h####.net/uppics/201181010361857845.jpg
- www.h####.net/uppics/201181010373245578.jpg
- www.h####.net/uppics/2011810103778224.jpg
- www.h####.net/uppics/201181010384773890.jpg
- www.h####.net/uppics/20118101043762702.jpg
- www.h####.net/uppics/201181010534469946.jpg
- www.h####.net/uppics/201181010594131259.jpg
- www.h####.net/uppics/20118101094465394.jpg
- www.h####.net/uppics/20118109385086126.jpg
- www.h####.net/uppics/20118109432949878.jpg
- www.h####.net/uppics/20118109451718920.jpg
- www.h####.net/uppics/20118109471047144.jpg
- www.h####.net/uppics/2011810947756252.jpg
- www.h####.net/uppics/20118109505567250.jpg
- www.h####.net/uppics/20118151613739635.bmp
- www.h####.net/uppics/2011815161910565.bmp
- www.h####.net/uppics/2011815162518277.bmp
- www.h####.net/uppics/2011830160359.jpg
- www.h####.net/uppics/20118914483989462.jpg
- www.h####.net/uppics/image/20180612/20180612134192869286.jpg
HTTP POST requests:
- c-h####.g####.com/api.php?format=####&t=####
- sdk.o####.p####.####.com/api.php?format=####&t=####
- www.p####.com/apiv1/sdkstat/install
- www.p####.com/apiv1/sdkstat/launch
Modified file system:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/MultiDex.lock
- /data/data/####/authStatus_com.huasu.dianxiang.xml
- /data/data/####/authStatus_com.huasu.dianxiang;pushservice.xml
- /data/data/####/c7f117289514
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/dingding_entreprise.xml
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/f_00001f
- /data/data/####/f_000020
- /data/data/####/f_000021
- /data/data/####/f_000022
- /data/data/####/f_000023
- /data/data/####/f_000024
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/gx_sp.xml
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/libjiagu-1457394834.so
- /data/data/####/multidex.version.xml
- /data/data/####/pgyersdk.xml
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/tdata_Soq141
- /data/data/####/tdata_Soq141.jar
- /data/data/####/tdata_vxj811
- /data/data/####/tdata_vxj811.jar
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.cuid
- /data/media/####/.nomedia
- /data/media/####/app.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.huasu.dianxiang.bin
- /data/media/####/com.huasu.dianxiang.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/journal.tmp
- /data/media/####/tdata_Soq141
- /data/media/####/tdata_vxj811
- /data/media/####/test.log
Miscellaneous:
Executes next shell scripts:
- <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.net.service.DemoPushService 24908 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu-1457394834.so
- mount
Loads the following dynamic libraries:
- BaiduMapSDK_base_v3_7_0
- getuiext2
- libjiagu-1457394834
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Uses special library to hide executable bytecode.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
