Adware.Gexin.7246

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Accesses the ITelephony private interface.

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) aexcep####.b####.qq.com:8011
TCP(HTTP/1.1) scs.opensp####.cn:80
TCP(HTTP/1.1) aexcep####.b####.qq.com:8012
TCP(HTTP/1.1) s29.9####.cn:80
TCP(HTTP/1.1) and####.b####.qq.com:80
TCP(HTTP/1.1) pi####.qq.com:80
TCP(TLS/1.0) 1####.217.17.46:443
TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
TCP(TLS/1.0) s29.9####.cn:443
TCP(TLS/1.0) res####.bx####.com:443
TCP(TLS/1.0) ti####.bx####.com:443

DNS requests:

a####.b####.qq.com
aexcep####.b####.qq.com
and####.b####.qq.com
bxd.9####.cn
d####.opensp####.cn
log.u####.com
pi####.qq.com
plb####.u####.com
res####.bx####.com
s28.9####.cn
s29.9####.cn
scs.opensp####.cn
ti####.bx####.com
u####.u####.com

HTTP GET requests:

s29.9####.cn/attach/product/05/86/05863f6fb67168d9e50a6c42d7b993e1_L.jpg
s29.9####.cn/attach/product/91/e8/91e844893bff7dbef634aa0016bbb74e_L.jpg
s29.9####.cn/attach/product/f7/75/f775c9d672e65755a6fedc2213040985_L.jpg
s29.9####.cn/attach/product/ff/1b/ff1b2992228a1f215b7e33e9353bb130_L.jpg
s29.9####.cn/attach/wenwen/23/08/230890d5849f1079fc70559db4b1bc2b_IMGINF...

HTTP POST requests:

aexcep####.b####.qq.com:8011/rqd/async
aexcep####.b####.qq.com:8012/rqd/async
and####.b####.qq.com/rqd/async
pi####.qq.com/mstat/report/?index=####
scs.opensp####.cn/scs?cmd=####&logver=####&size=####

File system changes:

Creates the following files:

/data/data/####/.imprint
/data/data/####/01fa2882f0240a8a5eaede4759bfc6994461fb449bb10a9....0.tmp
/data/data/####/1320c8748eb0f9b762807688487f063f5e077b3946babe5....0.tmp
/data/data/####/1c53d8b31d7bc8b8f4e8edb9f36bf6a975b517bbb35d2ff...7376.0
/data/data/####/20190103102186.v1.crash
/data/data/####/201901031022124.v1.crash
/data/data/####/201901031022262.v1.crash
/data/data/####/201901031022293.v1.crash
/data/data/####/201901031022355.v1.crash
/data/data/####/201901031022374.v1.crash
/data/data/####/201901031022526.v1.crash
/data/data/####/201901031022593.v1.crash
/data/data/####/201901031022607.v1.crash
/data/data/####/201901031022668.v1.crash
/data/data/####/201901031022966.v1.crash
/data/data/####/201901031022992.v1.crash
/data/data/####/2548a9798c991637e29a82fff17ceaa1fc8fe1e2d7cfcc9....0.tmp
/data/data/####/350cf766d7e855eec78ae792ce038ff35a734b1cc606256....0.tmp
/data/data/####/4646532cc192ef3aa89c646e2a85566f0db633dffb9f1c4....0.tmp
/data/data/####/4b47ce8b1899b315673cf76e1d15183169b4c71fff6aa5b....0.tmp
/data/data/####/6ce19de0548ff24aec68163874502d0d533afd388ae8def....0.tmp
/data/data/####/ApplicationCache.db-journal
/data/data/####/ApplicationCache.db-journal (deleted)
/data/data/####/QALConfigStore.dat
/data/data/####/TLS_DEVICE_INFO.xml
/data/data/####/WLOGIN_DEVICE_INFO.xml
/data/data/####/a==7.5.3&&6.2.5_1546510916606_envelope.log
/data/data/####/bugly_db_legu-journal
/data/data/####/com.iflytek.id.xml
/data/data/####/com.iflytek.msc.xml
/data/data/####/com.jiuyang.baoxian.mid.world.ro.xml
/data/data/####/com.jiuyang.baoxian_preferences.xml
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTExNzcy;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTI3MjMz;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTIwNzA0;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTM3OTYx;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTQ1NzUw;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTU0NTQ3;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTU3MTY4;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTUwNDgw;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTY0MTg0;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTY5NDE5;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTYwMzk2;
/data/data/####/dW1weF9pbnRlcm5hbF8xNTQ2NTEwOTc2MDI4;
/data/data/####/dW1weF9zaGFyZV8xNTQ2NTEwOTE1MjMz;
/data/data/####/dW1weF9zaGFyZV8xNTQ2NTEwOTE1NjAw;
/data/data/####/data_0
/data/data/####/data_1
/data/data/####/data_2
/data/data/####/data_3
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/i==1.2.0&&6.2.5_1546510911856_envelope.log
/data/data/####/i==1.2.0&&6.2.5_1546510920810_envelope.log
/data/data/####/i==1.2.0&&6.2.5_1546510927321_envelope.log
/data/data/####/i==1.2.0&&6.2.5_1546510938050_envelope.log
/data/data/####/i==1.2.0&&6.2.5_1546510945836_envelope.log
/data/data/####/iflytek_state_com.jiuyang.baoxian.xml
/data/data/####/imei
/data/data/####/index
/data/data/####/info.xml
/data/data/####/insure.db-journal
/data/data/####/journal.tmp
/data/data/####/libnfix.so
/data/data/####/libshella-2.9.1.1.so
/data/data/####/libufix.so
/data/data/####/local_crash_lock
/data/data/####/mix.dex
/data/data/####/multidex.version.xml
/data/data/####/native_record_lock
/data/data/####/pri_tencent_analysis.db_com.jiuyang.baoxian-journal
/data/data/####/pri_tencent_analysis.db_com.jiuyang.baoxian;QAL...ournal
/data/data/####/report_v5.msgstore-journal
/data/data/####/security_info
/data/data/####/share.db-journal
/data/data/####/tencent_analysis.db_com.jiuyang.baoxian-journal
/data/data/####/tencent_analysis.db_com.jiuyang.baoxian;QALSERVICE-journal
/data/data/####/tls_device.dat
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/um_pri.xml
/data/data/####/umdat.xml
/data/data/####/umeng_common_config.xml
/data/data/####/umeng_common_location.xml
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/umeng_socialize.xml
/data/data/####/webview.db-journal
/data/data/####/webviewCookiesChromium.db-journal
/data/data/####/webviewCookiesChromium.db-journal (deleted)
/data/data/####/wlogin_device.dat
/data/media/####/.a.dat
/data/media/####/.adfwe.dat
/data/media/####/.cca.dat
/data/media/####/.umm.dat
/data/media/####/app.19.01.03.10.log
/data/media/####/iflyworkdir_test
/data/media/####/imsdk_20190103.log
/data/media/####/sdk.19.01.03.10.log
/data/media/####/sysid.dat

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
/system/bin/sh -c getprop ro.aa.romver
/system/bin/sh -c getprop ro.board.platform
/system/bin/sh -c getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.build.rom.id
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.version.emui
/system/bin/sh -c getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.lenovo.series
/system/bin/sh -c getprop ro.lewa.version
/system/bin/sh -c getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.vivo.os.build.display.id
/system/bin/sh -c type su
chmod 700 <Package Folder>/tx_shell/libnfix.so
chmod 700 <Package Folder>/tx_shell/libshella-2.9.1.1.so
chmod 700 <Package Folder>/tx_shell/libufix.so
getprop ro.aa.romver
getprop ro.board.platform
getprop ro.build.fingerprint
getprop ro.build.nubia.rom.name
getprop ro.build.rom.id
getprop ro.build.tyd.kbstyle_version
getprop ro.build.version.emui
getprop ro.build.version.opporom
getprop ro.gn.gnromvernumber
getprop ro.lenovo.series
getprop ro.lewa.version
getprop ro.meizu.product.model
getprop ro.miui.ui.version.name
getprop ro.vivo.os.build.display.id
getprop ro.yunos.version
logcat -c
logcat -d -v threadtime
logcat -d -v time
ls /sys/class/thermal

Loads the following dynamic libraries:

Bugly
MtaNativeCrash_v2
_imcore_jni_gyp
libnfix
libshella-2.9.1.1
libufix
libwtcrypto
msc
nfix
qalcodecwrapper
qalmsfboot
ufix

Uses the following algorithms to encrypt data:

AES
AES-CBC-PKCS7Padding
AES-GCM-NoPadding
RSA-ECB-PKCS1Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS7Padding
AES-GCM-NoPadding

Uses special library to hide executable bytecode.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Displays its own windows over windows of other apps.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial