Adware.Gexin.990

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) m.d####.mob.com:80
TCP(HTTP/1.1) d####.d####.mob.com:80
TCP(HTTP/1.1) a####.exc.mob.com:80
TCP(HTTP/1.1) and####.b####.qq.com:80
TCP(HTTP/1.1) sni.c####.q####.####.net:80
TCP(HTTP/1.1) api.s####.mob.com:80
TCP(HTTP/1.1) c-h####.g####.com:80
TCP(HTTP/1.1) sdk.o####.p####.####.com:80
TCP(HTTP/1.1) 2####.107.1.1:80
TCP(HTTP/1.1) sh.wagbr####.aliyun####.com:80
TCP(TLS/1.0) ja####.rjs.com.####.com:443
TCP c####.g####.ig####.com:5226
TCP sdk.o####.t####.####.com:5224

DNS requests:

7j####.c####.z0.####.com
a####.exc.mob.com
a####.man.aliy####.com
a####.u####.com
and####.b####.qq.com
api.s####.mob.com
c####.g####.ig####.com
c-h####.g####.com
d####.d####.mob.com
im####.rjs.com
ja####.rjs.com
m.d####.mob.com
sdk.c####.ig####.com
sdk.o####.p####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.net

HTTP GET requests:

m.d####.mob.com/cconf?appkey=####&plat=####&apppkg=####&appver=####&netw...
sni.c####.q####.####.net/config/hz-hzv3.conf
sni.c####.q####.####.net/tdata_MkX219
sni.c####.q####.####.net/tdata_iGj879

HTTP POST requests:

a####.exc.mob.com/errconf
a####.u####.com/app_logs
and####.b####.qq.com/rqd/async?aid=####
api.s####.mob.com/conf5
api.s####.mob.com/conn
c-h####.g####.com/api.php?format=####&t=####
d####.d####.mob.com/dinfo
sdk.o####.p####.####.com/api.php?format=####&t=####
sh.wagbr####.aliyun####.com/man/api?ak=####&s=####

Modified file system:

Creates the following files:

/data/data/####/.imprint
/data/data/####/.jg.ic
/data/data/####/.lock
/data/data/####/.mrecord
/data/data/####/.mrlock
/data/data/####/.statistics
/data/data/####/1002
/data/data/####/1004
/data/data/####/Alvin2.xml
/data/data/####/BUGLY_COMMON_VALUES.xml
/data/data/####/ContextData.xml
/data/data/####/ThrowalbeLog.db-journal
/data/data/####/area.db
/data/data/####/bugly_db_-journal
/data/data/####/cc.db
/data/data/####/cc.db-journal
/data/data/####/com.rjs.rongjinsuo.anrdoid.xml
/data/data/####/com.rongjinsuo.android.BETA_VALUES.xml
/data/data/####/com.rongjinsuo.android_preferences.xml
/data/data/####/crashrecord.xml
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/gdaemon_20161017
/data/data/####/getui_sp.xml
/data/data/####/init.pid
/data/data/####/init_c1.pid
/data/data/####/journal.tmp
/data/data/####/libjiagu1078570848.so
/data/data/####/local_crash_lock
/data/data/####/mob_sdk_exception_1.xml
/data/data/####/multidex.version.xml
/data/data/####/native_record_lock
/data/data/####/push.pid
/data/data/####/pushext.db-journal
/data/data/####/pushg.db-journal
/data/data/####/pushsdk.db-journal
/data/data/####/run.pid
/data/data/####/security_info
/data/data/####/share_sdk_1.xml
/data/data/####/tdata_MkX219
/data/data/####/tdata_MkX219.jar
/data/data/####/tdata_iGj879
/data/data/####/tdata_iGj879.jar
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/media/####/.ccLock
/data/media/####/.ccc
/data/media/####/.dk
/data/media/####/.duid
/data/media/####/.globalLock
/data/media/####/1b9ed5bc772bf08df02870c22d96623bd15c4b25a7226b....0.tmp
/data/media/####/23e092c7eb022f47ccab1f89a3d0f1dd50d58a71e3c319....0.tmp
/data/media/####/30445d7e20a3aff7cf811638ea0b6a361e3797207adc1d....0.tmp
/data/media/####/3c6b1ba94da0c2d18da8ac68f52877b831265fedc321fb....0.tmp
/data/media/####/457e769e58c4cd4bdb93a04da038951e74e7521ad90f49....0.tmp
/data/media/####/50d56a0840fb913bf66b92d00d6d9e0e8849d8ef573f66...c844.0
/data/media/####/55961aba5350ded21881cca45d3f242f540f2fce780938....0.tmp
/data/media/####/5692906a7ac78a174b6cc1990a5c6a4b3e796a96a7f2e0....0.tmp
/data/media/####/741ea0e854fa11c717fe58a4527ce7c80252ae112fdcef....0.tmp
/data/media/####/92ff7fe468a235d16e2fc7a720582e51025d0122e7bf44....0.tmp
/data/media/####/Alvin2.xml
/data/media/####/ContextData.xml
/data/media/####/a231a6435826af877faa4d5665ee752dfd3d8b2ce55413....0.tmp
/data/media/####/app.db
/data/media/####/com.getui.sdk.deviceId.db
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/com.rongjinsuo.android.bin
/data/media/####/com.rongjinsuo.android.db
/data/media/####/dd085023c3f63522f48b1214a65fc5db288aa3d7e08ccd....0.tmp
/data/media/####/jiaxin_log_2018-08-08.log
/data/media/####/journal.tmp
/data/media/####/tdata_MkX219
/data/media/####/tdata_iGj879
/data/media/####/test.log

Miscellaneous:

Executes next shell scripts:

/system/bin/sh -c getprop
/system/bin/sh -c type su
<Package Folder>/files/gdaemon_20161017 0 <Package>/com.rjs.rongjinsuo.android.service.pushService.RjsPushService 25250 300 0
chmod 700 <Package Folder>/files/gdaemon_20161017
chmod 755 <Package Folder>/.jiagu/libjiagu1078570848.so
getprop

Loads the following dynamic libraries:

Bugly
getuiext2
libjiagu1078570848
neh
pl_droidsonroids_gif

Uses the following algorithms to encrypt data:

AES
AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
AES-ECB-PKCS7Padding
AES-GCM-NoPadding
RSA-ECB-PKCS1Padding
RSA-NONE-OAEPWithSHA1AndMGF1Padding

Uses the following algorithms to decrypt data:

AES
AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
AES-GCM-NoPadding

Uses special library to hide executable bytecode.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial