Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- UDP(DNS) 1####.114.114.114:53
- TCP(HTTP/1.1) z12.tua####.com.####.com:80
- TCP(HTTP/1.1) na61-####.wagbr####.ali####.####.com:80
- TCP(HTTP/1.1) ada####.m.ta####.com:80
- TCP(HTTP/1.1) hk.wagbr####.non####.####.com:80
- TCP(HTTP/1.1) z2.tua####.com.####.cn:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) anal####.tua####.com:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(HTTP/1.1) ad####.m.ta####.com:80
- TCP(HTTP/1.1) 1####.254.116.117:80
- TCP(HTTP/1.1) aexcep####.b####.qq.com:8011
- TCP(HTTP/1.1) aexcep####.b####.qq.com:8012
- TCP(HTTP/1.1) z11.tua####.com.####.com:80
- TCP(HTTP/1.1) reso####.msg.xi####.net:80
- TCP(HTTP/1.1) sh.wagbr####.aliyun####.com:80
- TCP(HTTP/1.1) 1####.185.144.108:80
- TCP(HTTP/1.1) 2####.243.236.22:80
- TCP(HTTP/1.1) t####.qq.com:14000
- TCP(HTTP/1.1) ope####.m.ta####.com:80
- TCP(TLS/1.0) nbsdk-b####.al####.com:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) hotfix####.aliy####.com:443
- TCP(TLS/1.0) regi####.xm####.xi####.com:443
- TCP 4####.62.94.2:443
- TCP t####.qq.com:8080
- TCP 47.74.1####.157:5222
- TCP maa####.chinane####.com:6666
- TCP t####.qq.com:80
- TCP t####.qq.com:14000
DNS requests:
- a####.b####.qq.com
- a####.man.aliy####.com
- acs4bai####.m.ta####.com
- ad####.m.ta####.com
- ada####.m.ta####.com
- aexcep####.b####.qq.com
- amap####.cn-hang####.oss####.####.com
- anal####.tua####.com
- and####.b####.qq.com
- hotfix####.aliy####.com
- i0.tua####.com
- m####.m.zh####.com
- m.api.zh####.com
- m.k####.com
- maa####.chinane####.com
- nbsdk-b####.al####.com
- out.zh####.com
- p####.m.zh####.com
- pi####.qq.com
- regi####.xm####.xi####.com
- res####.a####.com
- reso####.msg.xi####.net
- t####.qq.com
- th5.m.zh####.com
- u1.tua####.com
- wb.110.ta####.com
- y####.al####.com
- z####.zh####.com
- z11.tua####.com
- z12.tua####.com
- z2.tua####.com
- z3.tua####.com
- z8.tua####.com
HTTP GET requests:
- ad####.m.ta####.com/rest/gc2?ak=####&av=####&c=####&d=####&sv=####&t=###...
- anal####.tua####.com/app/cart/item/count
- anal####.tua####.com/app/detail/comment/list?productId=####&page=####&pe...
- anal####.tua####.com/app_record/monitor.gif?logData=####
- anal####.tua####.com/bgl_v2.gif?deals=####
- anal####.tua####.com/cn/f/brand_and_deal/status
- anal####.tua####.com/cn/f/deal/status
- anal####.tua####.com/cn/zhe800_n_api/muying/baby_info
- anal####.tua####.com/cns/push/query_download_by_pin.jsonp
- anal####.tua####.com/config/switch/shopdetail?platform=####&version=####
- anal####.tua####.com/config/switch?keys=####&platform=####&trackid=####&...
- anal####.tua####.com/deals/count/today/v1?user_type=####&user_role=####&...
- anal####.tua####.com/deals/muying/filter/v1
- anal####.tua####.com/feedback/unreadcounts
- anal####.tua####.com/gateway/app/detail/benefit/v2?productId=####&paid=#...
- anal####.tua####.com/gateway/app/detail/comment?productId=####
- anal####.tua####.com/gateway/app/detail/graph?productId=####
- anal####.tua####.com/gateway/app/detail/inspection?productId=####
- anal####.tua####.com/gateway/app/detail/operation?productId=####&userRol...
- anal####.tua####.com/gateway/app/detail/pricebanner?productId=####&paid=...
- anal####.tua####.com/gateway/app/detail/product/v2?productId=####&paid=#...
- anal####.tua####.com/gateway/app/detail/promise/v2?productId=####
- anal####.tua####.com/gateway/app/detail/promotion?productId=####&paid=####
- anal####.tua####.com/gateway/app/detail/shop?productId=####
- anal####.tua####.com/gateway/app/detail/status?productId=####
- anal####.tua####.com/gateway/mapi/personal?user_type=####&user_role=####...
- anal####.tua####.com/h5new/real/homemodule?area=####&model=####&paid=###...
- anal####.tua####.com/homepromotion/suspension/v2?user_type=####&user_rol...
- anal####.tua####.com/imagev2/trade/563x750.38534db5a99ad112dbcaed31a6914...
- anal####.tua####.com/imagev2/trade/563x750.aeaf37ca7af41b43c4f4f05e87c10...
- anal####.tua####.com/imagev2/trade/750x1000.181f0955bda62eb59f5882aecfa7...
- anal####.tua####.com/imagev2/trade/750x1000.35ae7467e35847fc9eaa6e75f6bb...
- anal####.tua####.com/j/wireless/rest/bubble/list?point=####
- anal####.tua####.com/jxh5/js_dtz?ver=####
- anal####.tua####.com/list/deals/v2?image_type=####&tab=####&url_name=###...
- anal####.tua####.com/list/deals/v2?parent_tag=####&url_name=####&tab=###...
- anal####.tua####.com/mobilelog/activelog/v2/activeinfo.gif?data=####
- anal####.tua####.com/mobilelog/applog/mobilelog.gif?key=####&header=####...
- anal####.tua####.com/mobilelog/normal/report.gif?header=####&data=####
- anal####.tua####.com/ms/zhe800h5/ntfiles/dotmenu.json
- anal####.tua####.com/native/jump?mId=####&pub_page_from=####&pos_value=#...
- anal####.tua####.com/operation/abtest/pageconfig/v1
- anal####.tua####.com/operation/banner/v1?cityid=####&show_location=####&...
- anal####.tua####.com/operation/click/v2/getmobileinit?ip=####&bssid=####
- anal####.tua####.com/operation/notipopupinterval
- anal####.tua####.com/operation/startinfo/v1?cityid=####&image_model=####...
- anal####.tua####.com/operation/userinfo/v1
- anal####.tua####.com/push/deviceinfo?sdk=####&token=####&brand=####&mode...
- anal####.tua####.com/push/sdkconfig?brand=####&model=####
- anal####.tua####.com/search/recommend/v1?user_type=####&user_role=####&s...
- anal####.tua####.com/socialshare/content?share_type=####
- anal####.tua####.com/tao800/clientcontrol/android/1/client.json
- anal####.tua####.com/tao800/commonbanner.json?ad_type=####&image_model=#...
- anal####.tua####.com/tao800/hotbanner.json?pagetype=####&platform=####&c...
- ope####.m.ta####.com/gw-open/mtop.taobao.tbk.sdk.config/1.0/?data=####
- reso####.msg.xi####.net/gslb/?ver=4.0&type=wap&conpt=dvidpodv >>4>>4>>4...
- z11.tua####.com.####.com/bi/sca/android_043300_tao800.json?time=####
- z11.tua####.com.####.com/imagev2/wxyy/128x50.68a798fc32a7b99dab3db916f85...
- z11.tua####.com.####.com/imagev2/wxyy/150x150.9ffacd92111314a6f62d98da54...
- z11.tua####.com.####.com/imagev2/wxyy/256x100.04b244561307ef919dc8febc4d...
- z11.tua####.com.####.com/imagev2/wxyy/256x100.289e362b50205bfdbccd0e3f86...
- z11.tua####.com.####.com/imagev2/wxyy/256x100.68527724143d7f576ce6fa7816...
- z11.tua####.com.####.com/imagev2/wxyy/256x100.a6010f28ca136bed664578a5f7...
- z12.tua####.com.####.com/imagev2/cpc/750x750.26cfd4603e9884aefafcbe17ae7...
- z12.tua####.com.####.com/imagev2/cpc/800x800.0c0d2f48adce1dc7cf2903cd748...
- z12.tua####.com.####.com/imagev2/cpc/800x800.a79925185f299128e2ea9931c46...
- z12.tua####.com.####.com/imagev2/cpc/800x800.c16ee0e1a14991dfbe8d92ce860...
- z12.tua####.com.####.com/imagev2/cpc/800x800.d9040d106e701ca2dc6d742ad2b...
- z12.tua####.com.####.com/imagev2/cpc/990x990.c6cbf6310a145850de89c32a069...
- z12.tua####.com.####.com/imagev2/customerservice/50x52.45f54e4b5356d75a0...
- z12.tua####.com.####.com/imagev2/site/50x50.4de2ab18bb2706121390beaf0b04...
- z12.tua####.com.####.com/imagev2/site/50x50.700e22ae31f8868ae6c687443938...
- z12.tua####.com.####.com/imagev2/trade/400x400.1891ea23ac4ba2540c9280779...
- z12.tua####.com.####.com/imagev2/trade/400x400.6fa511350c3c361834bc6e1e8...
- z12.tua####.com.####.com/imagev2/trade/400x400.b38055a24ef5742fdccd0a95f...
- z12.tua####.com.####.com/imagev2/trade/400x400.e5e1dd59ffbdcff152c0727b9...
- z12.tua####.com.####.com/imagev2/trade/400x400.fbe0434865003f55760afe878...
- z12.tua####.com.####.com/imagev2/trade/563x750.aeaf37ca7af41b43c4f4f05e8...
- z12.tua####.com.####.com/imagev2/trade/700x700.31769439b7ebe33a740ef36a0...
- z12.tua####.com.####.com/imagev2/trade/700x700.a2d791c7cf494b1b3d45b8293...
- z12.tua####.com.####.com/imagev2/trade/750x1000.181f0955bda62eb59f5882ae...
- z12.tua####.com.####.com/imagev2/trade/750x1000.35ae7467e35847fc9eaa6e75...
- z12.tua####.com.####.com/imagev2/trade/750x750.1538959e0356117d152fd7d42...
- z12.tua####.com.####.com/imagev2/trade/800x488.194bfee772dbd29daba01725f...
- z12.tua####.com.####.com/imagev2/trade/800x561.f1180be0ea996f69918302a35...
- z12.tua####.com.####.com/imagev2/trade/800x576.2084e624f578d994ef540ef05...
- z12.tua####.com.####.com/imagev2/trade/800x760.82ccdbd92cda0ebebc0fe25dc...
- z12.tua####.com.####.com/imagev2/trade/800x800.091dff2cdc73e03dfa16c77af...
- z12.tua####.com.####.com/imagev2/trade/800x800.18827267b0f01e34ec617b75c...
- z12.tua####.com.####.com/imagev2/trade/800x800.1d3bb6404312e2bc6d670c453...
- z12.tua####.com.####.com/imagev2/trade/800x800.269d7554c7d74dce6eda2d49e...
- z12.tua####.com.####.com/imagev2/trade/800x800.27945611bb3c46d9e6d6cd6c9...
- z12.tua####.com.####.com/imagev2/trade/800x800.2eb3ce70d744767530c78e490...
- z12.tua####.com.####.com/imagev2/trade/800x800.2f30a4a329b300cbedbbf05eb...
- z12.tua####.com.####.com/imagev2/trade/800x800.358714e8d611d93e11565a83d...
- z12.tua####.com.####.com/imagev2/trade/800x800.3644bd5111bda4568a8f2c8a7...
- z12.tua####.com.####.com/imagev2/trade/800x800.3bf52d2b68e7b8aae84b86d89...
- z12.tua####.com.####.com/imagev2/trade/800x800.48db37024efddc55a678c4ff7...
- z12.tua####.com.####.com/imagev2/trade/800x800.55320f9d292377e6a5f74266b...
- z12.tua####.com.####.com/imagev2/trade/800x800.5f1b0f2a3455572f14e2e3f9c...
- z12.tua####.com.####.com/imagev2/trade/800x800.747a17c8eefa48606a1d2802f...
- z12.tua####.com.####.com/imagev2/trade/800x800.80041ba2f3abee33791518666...
- z12.tua####.com.####.com/imagev2/trade/800x800.895d66f72273c5ad21f859b72...
- z12.tua####.com.####.com/imagev2/trade/800x800.90cab01d8a1b9779266bc0b06...
- z12.tua####.com.####.com/imagev2/trade/800x800.95a56a027fed7751d27f59028...
- z12.tua####.com.####.com/imagev2/trade/800x800.9a3ea76b06fd2f5129dbd49d3...
- z12.tua####.com.####.com/imagev2/trade/800x800.9b562df2e61d1f0c875edce2f...
- z12.tua####.com.####.com/imagev2/trade/800x800.9c54539f6054253a5c0676309...
- z12.tua####.com.####.com/imagev2/trade/800x800.9e736e0b4a7e1992b7932551e...
- z12.tua####.com.####.com/imagev2/trade/800x800.a204ad3537f51bed063cc6cbc...
- z12.tua####.com.####.com/imagev2/trade/800x800.a4cdbaad7871bb24fd92d123c...
- z12.tua####.com.####.com/imagev2/trade/800x800.b1d11d8d78ad3c5198cbe8b06...
- z12.tua####.com.####.com/imagev2/trade/800x800.b9971fbdfdf1630c9ff030db1...
- z12.tua####.com.####.com/imagev2/trade/800x800.c2336ee8dcbf29615c5fae948...
- z12.tua####.com.####.com/imagev2/trade/800x800.cbadfeadfa47f52a043074bfb...
- z12.tua####.com.####.com/imagev2/trade/800x800.cfbc8148bfa33170af80f1a6e...
- z12.tua####.com.####.com/imagev2/trade/800x800.d0754fc7305800e32c6f04c85...
- z12.tua####.com.####.com/imagev2/trade/800x800.d61a6ab95f46ae07bfe082c5b...
- z12.tua####.com.####.com/imagev2/trade/800x800.e73153e6a82ab3486f1f2bcae...
- z12.tua####.com.####.com/imagev2/trade/800x800.f0bd5d9be020f6f3fb6e801fa...
- z12.tua####.com.####.com/imagev2/trade/800x800.f7fb8fd731558184e524d2cbf...
- z12.tua####.com.####.com/imagev2/trade/800x800.f8b7df9c247674cf31d535d6c...
- z12.tua####.com.####.com/imagev2/trade/800x807.b52cb741a8c7174cf5b96c0b8...
- z12.tua####.com.####.com/imagev2/trade/800x808.f58c61e27cade86456ab97fb7...
- z12.tua####.com.####.com/imagev2/trade/800x820.8b4f96805265e8d157b5bf9c0...
- z12.tua####.com.####.com/imagev2/trade/800x826.0ee80c9f3d96fa5673d98ba57...
- z12.tua####.com.####.com/imagev2/trade/800x832.6f6eeca16d91bc9c5327d3cb4...
- z12.tua####.com.####.com/imagev2/trade/800x838.c681f40d4d179acafb31483d5...
- z12.tua####.com.####.com/imagev2/trade/800x854.a526ff2bdc4c2c8822c838c13...
- z12.tua####.com.####.com/imagev2/trade/800x872.6a96dfae65b216cc192d5c0ac...
- z12.tua####.com.####.com/imagev2/trade/800x946.596701bd41ae6bf1bb04369ac...
- z12.tua####.com.####.com/imagev2/trade/800x946.b0d12d23490da093729b073db...
- z12.tua####.com.####.com/imagev2/trade/800x949.a6ebc98b37e31c1b53957f866...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.3455a7ea7a46db29cc03c8de35...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.3d20982eb2f4e8ed873268e8d2...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.5cae34f688346b579a49f9b7e1...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.6ae6b911b8ba4cf0e87d72d0b5...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.937c2d60408120faae09801679...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.a568816d3fc22f07cd5047bd2c...
- z12.tua####.com.####.com/imagev2/wxyy/111x110.ce958e9f3862da9df91ccce6fd...
- z12.tua####.com.####.com/imagev2/wxyy/128x50.ac6b89b6be9ff265ef72be041ed...
- z12.tua####.com.####.com/imagev2/wxyy/187x188.4a1e3e291628606b4e008e522a...
- z12.tua####.com.####.com/imagev2/wxyy/187x188.ff7f87ef4e475b6dcf9a7ff4d8...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.198246dcfade247fe049970cdc...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.1d1c03e186c8db7fc1eee46e4e...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.85f98c40d2b35a3df457651d02...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.908a85ca240e2e41c3f3d6e864...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.d764e7f440ec1174c50b418780...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.da59ffb95e4688f5cd4edb30c9...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.ee4c4243380464a5fadd906d21...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.f82676732b3c006e590acda36e...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.353b044c62d39bef9b2420ae29...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.7fa7b849c014872029013efe22...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.c43774258c99a18a1bae010f07...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.f891a0da297fd4cd46920b08e2...
- z12.tua####.com.####.com/imagev2/wxyy/36x36.372f76f8f4b46ab3b0732dd106c9...
- z12.tua####.com.####.com/imagev2/wxyy/375x188.a3e8a65544343923e4860e90c7...
- z12.tua####.com.####.com/imagev2/wxyy/375x376.564e0808a0102c21c97ba40d82...
- z12.tua####.com.####.com/imagev2/wxyy/48x48.707c6bd97b2195259103277912dc...
- z12.tua####.com.####.com/imagev2/wxyy/48x48.f238fdf8c0f634f1b12cd8200c31...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.1c04611016ca3e301bc6900c67ec...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.5193d7e2c180c415a2936c76e023...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.5614f8d3e6129edd8ca723cfae1f...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.69d98c0d4e2d0d4fb9af3361dbe9...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.ba128a8b54c77998187ea9ec2a9a...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.d6fe72234e66b205789eef55ff0a...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.df784ed38b2abda57a53df0f56f3...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.fbe63bfe8783ba6f6da3c9d11861...
- z12.tua####.com.####.com/imagev2/wxyy/50x51.47a396dea2c5d4a8ec4cc78644b9...
- z12.tua####.com.####.com/imagev2/wxyy/640x86.214f6ae0ed3c34c470a5a99fce9...
- z12.tua####.com.####.com/imagev2/wxyy/750x200.3dda67b2f3e254fcaa1e07f094...
- z12.tua####.com.####.com/imagev2/wxyy/750x220.a053a58cdf00e0073ddf178b79...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.18fa2c3b70aa1402975fe97be3...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.a77c737d9252a06d0f2d8a5db5...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.d1e96d4c4829c65ac2960a4b50...
- z12.tua####.com.####.com/imagev2/wxyy/800x320.499d54e5dec9e462e3dba6e6e8...
- z12.tua####.com.####.com/imagev2/wxyy/800x320.aa356ccfbca9a39d4744deea37...
- z12.tua####.com.####.com/imagev2/zhaoshang/600x600.c8db0364b83eda0b60559...
- z12.tua####.com.####.com/imagev2/zhaoshang/800x800.cfd5cc9fe3f05372fdd38...
- z2.tua####.com.####.cn/imagev2/trade/800x800.2171c1710f82cf2456ed0fbe749...
- z2.tua####.com.####.cn/imagev2/trade/800x800.7b84ed2c86ce33b7ba8c9c4021a...
- z2.tua####.com.####.cn/imagev2/trade/800x800.a0b4aebcc41d74efd10654bb44d...
HTTP POST requests:
- ada####.m.ta####.com/rest/sur?ak=####&av=####&c=####&v=####&s=####&d=###...
- aexcep####.b####.qq.com:8011/rqd/async
- aexcep####.b####.qq.com:8012/rqd/async
- and####.b####.qq.com/rqd/async
- hk.wagbr####.non####.####.com/saveWb.json
- na61-####.wagbr####.ali####.####.com/api/update.do
- pi####.qq.com/mstat/report/?index=####
- sh.wagbr####.aliyun####.com/man/api?ak=####&s=####
- t####.qq.com:14000/203.205.146.122:14000/
File system changes:
Creates the following files:
- /data/data/####/-1120630569-225863295
- /data/data/####/-1152783000-438457497
- /data/data/####/-40032426599101216
- /data/data/####/-40032426599101218
- /data/data/####/-5605657971044170427
- /data/data/####/-LfHCi4PL3qxZN_cJMg1Oz7NKqY.189435316.tmp
- /data/data/####/-lcGop2GYiIqljjmF2QDyAhTero.-2093463606.tmp
- /data/data/####/-xewIfMsPft0LwyLZVpi_iniPrs.638701753.tmp
- /data/data/####/.com.tuan800.tao800;pushservice.xg.stat..xml
- /data/data/####/.tpns.service.xml.xml
- /data/data/####/.tpns.settings.xml.xml
- /data/data/####/.tpush_mta.xml
- /data/data/####/0-kLma2JzLOp8EGbvK1FNGspgKo.537471937.tmp
- /data/data/####/0BrHiwmNKKHbGW5-ZCyaXXJ5geg.-73215163.tmp
- /data/data/####/0a231bd8575dcf72.txt
- /data/data/####/0zefTeOB2rdJ5T_ZnoJj2WssIlA.-102271259.tmp
- /data/data/####/16644611465456787
- /data/data/####/1d77ea041509fe06.lock
- /data/data/####/1hr6qKjtVItJlIioz37YnbmE6_c.43675104.tmp
- /data/data/####/1ozOiAr4MR98CtuWoc_UwD00BCU.-1971672773.tmp
- /data/data/####/2042642465-2037934476
- /data/data/####/21c22f492aba3de8.lock
- /data/data/####/25-7c24eKiWPsd_SK7yEoVaYB1Q.1401504123.tmp
- /data/data/####/3zZZWPMN36odz9LPWQN9xZi9GbI.922380432.tmp
- /data/data/####/460124876-1970022865
- /data/data/####/5cwxlspkHwtPPjsdlF12AQ6PUPg.1151553928.tmp
- /data/data/####/5iFhtAk4_3ud6HYtRUmQgdUOhb8.-1294584990.tmp
- /data/data/####/62RJceZywW1FUl4iM0oZp8_4e6A.-1253022614.tmp
- /data/data/####/6GdLQAeG4DsN6DBPkXBq0FzDz80.-1053665132.tmp
- /data/data/####/6JQh9B8-IicO_Khj2Drpg9kwdsk.-211456163.tmp
- /data/data/####/8524030111125605478
- /data/data/####/85dDu1ZpU5qSa8x9rFHo5HglaVg.1024800647.tmp
- /data/data/####/89ClAEeA6OYInTEx-wue1N9lty8.1583870876.tmp
- /data/data/####/8FPFVNJRZ8HMbsfmZeEorsaDueA.346832474.tmp
- /data/data/####/8ef9c457b3bbb403.lock
- /data/data/####/930a31b34bd52c08.lock
- /data/data/####/9Je0OUso-weqW7cvFAseRZ2r7KY.692599992.tmp
- /data/data/####/A03Kr3-R-Z-UWr-pC1vGEn6IMqg.-65097652.tmp
- /data/data/####/AL3iD3OgmK5UZRDCRjpIM2FwHXE.-632813399.tmp
- /data/data/####/AlibcLinkPartner.xml
- /data/data/####/Alvin2.xml
- /data/data/####/AzCG31BmN73FIQD4XMQEA5wvAQA.505583061.tmp
- /data/data/####/BUi5HkybUGkfZfSzJLys69tFiSU.-619255527.tmp
- /data/data/####/CF3KYVKwkMCU3_GDdnPUkCO3ewA.1553797363.tmp
- /data/data/####/CYN4OgP7jNrweazznjYSvfXIKsA.-86674881.tmp
- /data/data/####/Caf38HxqdZrHzIh0yFhYNkbaqns.-294844146.tmp
- /data/data/####/CdFLqO2bKAq86DZzQLwDTLp6ntY.-1648366894.tmp
- /data/data/####/ContextData.xml
- /data/data/####/CvnF3ND9AFL-cQtXKSiuSp9f-Bo.-1056663901.tmp
- /data/data/####/D209yOCR-ZXydcNKuTAVPyquzHA.-1482452688.tmp
- /data/data/####/DEbAkndIDu6o9zUTARxYiiHbZFs.1331559455.tmp
- /data/data/####/EBOONeA71tXe2fd50-68ImT_o7c.1668127073.tmp
- /data/data/####/EHRJoDXfkgkPJ0qc6lYyOk46AVg.17583739.tmp
- /data/data/####/EWwgEuEaDOS0WiiSjU91o9mccSE.967388593.tmp
- /data/data/####/FDRqX1fPJLLRC014B8SPT1dsL64.-1075151460.tmp
- /data/data/####/FiwtbC5foqlr2Dnz5_O4EUQimXg.2107336587.tmp
- /data/data/####/G6riB1jmaSS-MN--AjlpnIjzXJo.274778752.tmp
- /data/data/####/Gifud8puMFt5wq-Yivx2sB4ft4k.1997320786.tmp
- /data/data/####/IP7jq2mFqyd8xbAdeUH9LjJ5ipk.-2058199071.tmp
- /data/data/####/JX93yqnLO0DkY8nv2XHQAwPt4n0.1381708515.tmp
- /data/data/####/Kdl64QjnXK_v5mf6Q0C-vvn4SmI.-1203178568.tmp
- /data/data/####/Lwp_ChwNoekAPVK6oda-BxtskE8.88523415.tmp
- /data/data/####/MeObca6ofHqSLgVfDO702_tenkE.-1278911204.tmp
- /data/data/####/MultiDex.lock
- /data/data/####/N4zxReXanByQNmTfjg7juW0hxF4.-117955501.tmp
- /data/data/####/N9y9MLtKu02GHNuWRyVD02jGZ_w.1931753063.tmp
- /data/data/####/PJp8vccAwkPasb073vezFv1tKX4.-173305210.tmp
- /data/data/####/PrZ3wMCWKQcpSEpuKyAwFqdaFMU.-922078126.tmp
- /data/data/####/Qj8BQQ9kz0H0qB3jpA6MnyR6o1s.880322870.tmp
- /data/data/####/Ql1K4t-jxPisdommj8nRUSp9lac.1468756008.tmp
- /data/data/####/QppROp3H0QBmi9Ct-8nLtCIPRNg.1608561436.tmp
- /data/data/####/R0IUMIc3XAQkp91Qy66jQxUVUtM.1990302929.tmp
- /data/data/####/S5Hty8lnvVwmqkBRG9LgLm4sGc4.-1330182423.tmp
- /data/data/####/S8_99Cvpl-nT7VrxlBP_vshmjqU.-1359320131.tmp
- /data/data/####/SGMANAGER_DATA2.tmp
- /data/data/####/SN5qcUbx9ANbZNG36AvFcLpzClo.1057997789.tmp
- /data/data/####/ScvSXvrfPHV9UlzVyhbieUBQVxo.-288310999.tmp
- /data/data/####/TJvD9DHwyA-i77XDtOc4CtcpG40.986708980.tmp
- /data/data/####/TtM7vyVvNEJd_w5NagqqwBQYVDY.-1683859551.tmp
- /data/data/####/UTCommon.xml
- /data/data/####/UUKGakhmpVQ86RUE9hJ3a1AvGzs.1862305953.tmp
- /data/data/####/Udusj6P_6ElSpXSjGluUNEAjbFY.724654515.tmp
- /data/data/####/UvTSmLhLEsLx7iUHain66O579ow.1349055113.tmp
- /data/data/####/VYBbU-ifNc_sg4fllXKhZYA3YIk.-368012779.tmp
- /data/data/####/VfQzJsy8T5K92Q9C8vLLA2Xtcd8.-1729793173.tmp
- /data/data/####/Vst47TFgi2Fdm_WhWKxahoxeidk.-676156493.tmp
- /data/data/####/WSU91JUzbhn2i3pRQCeytUSnO8w.-1469942597.tmp
- /data/data/####/WmOfD0GMfeD-9cfwqSpjrBZ0Fq4.266193719.tmp
- /data/data/####/XMPushServiceConfig.xml
- /data/data/####/X_MbX4lSlLhhlEnjbTs473EBQQU.955529724.tmp
- /data/data/####/YUdc2t7kxHkl0Rp5g3X6XCunJtw.-540126775.tmp
- /data/data/####/YlUF_xQ_oALzrn6MCp7wtPcJnCE.-493602803.tmp
- /data/data/####/YzdlvzSx5Nle0wwxymKJ6k11VBY.-1238860590.tmp
- /data/data/####/ZBNo-5fgrPJfoEJR2ViJpp1Aauk.-246503284.tmp
- /data/data/####/ZRMGUeaBQF5IKY8G5aL5icWnqr4.-473200393.tmp
- /data/data/####/ZapQkhlzZqJwhNZSfABLurkqkKc.-1094294197.tmp
- /data/data/####/Zksz1-SWVbg7Hv1jKWi1xFjfi_Y.-838486477.tmp
- /data/data/####/_mvfCdTSgeUkuzICqrQATeOa11o.-1459952366.tmp
- /data/data/####/aliTradeConfigSP.xml
- /data/data/####/ap.Lock
- /data/data/####/auth_sdk_device.xml
- /data/data/####/bQ0ARa749YBpzCYppvAJvgrcrN4.-1706704037.tmp
- /data/data/####/bugly_db_legu-journal
- /data/data/####/cFomPA154mN-g9S7sP0lhf9dXG8.-365619483.tmp
- /data/data/####/cSSNBpeYhz3d-7fmhIFxn5iLwg0.-554318849.tmp
- /data/data/####/cT1B0tAaP-QEzrR4xD-v4qdYJ8g.-1685580733.tmp
- /data/data/####/cb9chI18RSjtEiX23rWhCcL0suk.1461184543.tmp
- /data/data/####/com.tuan800.tao800.userCenter.xml
- /data/data/####/com.tuan800.tao800;pushservice
- /data/data/####/com.tuan800.tao800SWITCH_SP.xml
- /data/data/####/com.tuan800.tao800_h5urlsp.xml
- /data/data/####/com.tuan800.tao800_homeheader.xml
- /data/data/####/com.tuan800.tao800_jump_to_h5_url.xml
- /data/data/####/com.tuan800.tao800_limit_buy.xml
- /data/data/####/com.tuan800.tao800_npi.xml
- /data/data/####/com.tuan800.tao800_order.xml
- /data/data/####/com.tuan800.tao800_preferences.xml
- /data/data/####/com.tuan800.tao800_preferences.xml.bak
- /data/data/####/com.tuan800.tao800_preferences.xml.bak (deleted)
- /data/data/####/com.tuan800.tao800_share_info.xml
- /data/data/####/com.tuan800.tao800_sign.xml
- /data/data/####/com.tuan800.tao800_user_center.xml
- /data/data/####/com.tuan800.tao800collected_brand.xml
- /data/data/####/com.tuan800.tao800static_file_click_model.xml
- /data/data/####/com.tuan800.tao800static_file_exp.xml
- /data/data/####/com.tuan800.tao800static_file_mobilelog.xml
- /data/data/####/com.tuan800.tao800static_file_model.xml
- /data/data/####/com.tuan800.tao800static_file_outclick.xml
- /data/data/####/com.tuan800.tao800static_file_page.xml
- /data/data/####/com.tuan800.tao800static_file_pageclick.xml
- /data/data/####/com.tuan800.tao800static_file_setkey_value.xml
- /data/data/####/com.tuan800.tao800static_file_share.xml
- /data/data/####/com.tuan800.tao800static_file_static.xml
- /data/data/####/dSvjek6QkXU14uzpUwm1RXyzWsk.12647586.tmp
- /data/data/####/dZAwB67REvb3K4-1O3Ay9L3DHJk.-787059906.tmp
- /data/data/####/deCJi9gfuj1xYClJ8afVa_n88wc.-1655103296.tmp
- /data/data/####/device_id.xml
- /data/data/####/dynamicamapfile.db
- /data/data/####/dynamicamapfile.db-journal
- /data/data/####/emJ9qf9YCeHC2Gh8TYu0LTtt2O8.1935568332.tmp
- /data/data/####/event_com.tuan800.tao800.log
- /data/data/####/geofencing.db
- /data/data/####/geofencing.db-journal
- /data/data/####/grJXJWdd2W5mxw0369MZmWG5Pvc.1294402964.tmp
- /data/data/####/gu2jWj1W1IMc3vmx-YSmxsaML7I.1281109503.tmp
- /data/data/####/h374rdGGw6cuJlqbOx1XwVOIbM8.1641310428.tmp
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/ieFzNdta_U9KOlOJKk5Fx89oGmI.-90085890.tmp
- /data/data/####/jCRZR8LwkCYYQbM65vqRvEyKprU.-497426227.tmp
- /data/data/####/jRBHrSAumMdDHH6aV9_GlgE4Ycc.449384928.tmp
- /data/data/####/jSDGL8uygAKYvE3Oce94ToE36es.-525996698.tmp
- /data/data/####/jykwdhjTAMo-6kpJWRbRHYSUDFw.-151619134.tmp
- /data/data/####/kOQZvemlZpdcPU883HrUK5YfG2Q.-829074221.tmp
- /data/data/####/lPG0umMrqJfH1mw0KfefzmuGCno.812212327.tmp
- /data/data/####/lT5XPRKQAY3NjHQ5KF3u-4GQVvw.-1909295233.tmp
- /data/data/####/libnfix.so
- /data/data/####/libsgmainso-5.1.81.so.tmp
- /data/data/####/libsgsecuritybodyso-5.1.25.so.tmp
- /data/data/####/libshella-2.10.7.1.so
- /data/data/####/libufix.so
- /data/data/####/local_crash_lock
- /data/data/####/lock.lock
- /data/data/####/lock.tmp
- /data/data/####/luuR0EjvE3BPZutD7R9k6NOrsWM.-1021111421.tmp
- /data/data/####/mDXdqDcn7uqEMiKxNzg8cee6Zdk.-190333288.tmp
- /data/data/####/matosdk_preference.xml
- /data/data/####/mipush.xml
- /data/data/####/mipush_account.xml
- /data/data/####/mipush_extra.xml
- /data/data/####/mipush_region
- /data/data/####/mipush_region.lock
- /data/data/####/mix.dex
- /data/data/####/multidex.version.xml
- /data/data/####/nImoMDroCRsLKkYOIcAUnAqFY_8.204928336.tmp
- /data/data/####/native_record_lock
- /data/data/####/nbrzLeCODmScwXOTOcTJFagWGTY.-1845128517.tmp
- /data/data/####/o35P0P9ICllWk_WbhTOYJ4eeEgQ.78088984.tmp
- /data/data/####/oFAtd7v4LZme9l15M9gR74RiZqs.669886430.tmp
- /data/data/####/ooNnvN-uENa4J9yYMq4HkYELvjQ.-1554384452.tmp
- /data/data/####/pBUk7foo2tktbrApVieeXhuFl74.150461783.tmp
- /data/data/####/pQuwvQJxyD4b4Ev4aTJWCzvaauQ.1328558566.tmp
- /data/data/####/pZ6Vr365Wrprpy4C4YsdqGrRhC0.562569597.tmp
- /data/data/####/ppa4JT3jZB1eZ52dd4E9tw7ziLA.-263652224.tmp
- /data/data/####/pref.xml
- /data/data/####/q79PYNBPJjQb8lxgLihsnA4Jmq8.-897766475.tmp
- /data/data/####/qHfzXW1SeqS_c2rzYHrq43cDvsQ.1230423587.tmp
- /data/data/####/qJ23NrtBfcBd2d4gyGrbYaKB3As.1240962623.tmp
- /data/data/####/rxrtG9ZSkfI-awFK0_JxE9v_ndA.319348648.tmp
- /data/data/####/security_info
- /data/data/####/sp.lock
- /data/data/####/sp_sophix.xml
- /data/data/####/tFwsApt5hQZ6D4NQErOJvLwiXfE.1419983252.tmp
- /data/data/####/tG_iJt-0jtxrZWa6HQxDD9ug15k.1236561390.tmp
- /data/data/####/tPuiWW5pHmn6kwQs7lZwU1bt2G4.-793145845.tmp
- /data/data/####/tao800.db-journal
- /data/data/####/tempfile
- /data/data/####/timestamp
- /data/data/####/tiny_data.data
- /data/data/####/tiny_data.lock
- /data/data/####/tpush.shareprefs.xml
- /data/data/####/ttj0xyE2n1QXyzNFhNSvW_Kf6Ts.-1237746997.tmp
- /data/data/####/ut.db
- /data/data/####/ut.db-journal
- /data/data/####/uzojjomrabCdqsKS0Hg1SY8klSQ.-93755262.tmp
- /data/data/####/vGVwo4QYVKh56DCHNTiwJcVsDac.-353079815.tmp
- /data/data/####/vv1LVERvcfNhVbyKnGYFfqdWfqo.-1991239245.tmp
- /data/data/####/wWqCIOF9Wecrbi5AXxy2SBbfT8M.-2085239355.tmp
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/data/####/webviewCookiesChromium.db-journal (deleted)
- /data/data/####/webviewCookiesChromiumPrivate.db-journal
- /data/data/####/wi5kq1HH2ch0lTDFH54snZoIEKQ.604942390.tmp
- /data/data/####/wozKcim6jAZi7ApCvNGNn3vCRKU.-837625706.tmp
- /data/data/####/wspx
- /data/data/####/xg_message.db
- /data/data/####/xg_message.db-journal
- /data/data/####/z3ovEv8zduo3bGJVmmaxg70PTi0.735541477.tmp
- /data/data/####/zHTOOH9kmfHg2GdUeAsorGiMSOw.1159534830.tmp
- /data/data/####/zfYmSaB7iQDPiAAGExBr6OR128I.1884262515.tmp
- /data/data/####/zt0A1EKNEa-Gk3lfFIHDG2HzGMc.1242900756.tmp
- /data/media/####/.nomedia
- /data/media/####/1jr65m4qb6xv4redv1bmluj2c
- /data/media/####/1t6n8aaxesr0s494jniu1s8oi
- /data/media/####/1x4v67b3y2gs4501m0yawk0ul
- /data/media/####/42b3goe37jr22dz5cnjxlphhg
- /data/media/####/44sue9aleeoulk4i4uwm3rg3z
- /data/media/####/5gzmjcoqdnedwc3o1pyax1dky
- /data/media/####/636nz9dcje0zuytvdq16puq2n
- /data/media/####/6c709c11d2d46a7b
- /data/media/####/6rdvkzlpmeyl0zxyn39n8je0o
- /data/media/####/7i0ltkqanvjja7tqtrhbycndy
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/android_043300_tao800.json
- /data/media/####/d6bzkjyt771vpmlpeoh94xk6
- /data/media/####/dd7893586a493dc3
- /data/media/####/hid.dat
Miscellaneous:
Executes the following shell scripts:
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- <Package Folder>/lib/libxguardian.so <Package>,2100252513;<Package>,2100252513; 55438 203.205.128.130 [{"idx":0,"ts":%d,"et":2000,"si":0,"ui":"<IMEI>","ky":"Axg%lu","mid":"e3f471e708c2045edf9c6fe5debeafa309668ddc","ev":{"ov":"18","sr":"600*752","md":"<System Property>","lg":"en","sv":"3.12","mf":"unknown","apn":"%s"}}] 0 18
- <Package Folder>/lib/libxguardian.so <Package>,2100252513;<Package>,2100252513; 55501 203.205.128.130 [{"idx":0,"ts":%d,"et":2000,"si":0,"ui":"<IMEI>","ky":"Axg%lu","mid":"e3f471e708c2045edf9c6fe5debeafa309668ddc","ev":{"ov":"18","sr":"600*752","md":"<System Property>","lg":"en","sv":"3.12","mf":"unknown","apn":"%s"}}] 0 18
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.10.7.1.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
- sh <Package Folder>/lib/libxguardian.so <Package>,2100252513;<Package>,2100252513; 55501 203.205.128.130 [{ idx :0, ts :%d, et :2000, si :0, ui : <IMEI> , ky : Axg%lu , mid : e3f471e708c2045edf9c6fe5debeafa309668ddc , ev :{ ov : 18 , sr : 600*752 , md : <System Property> , lg : en , sv : 3.12 , mf : unknown , apn : %s }}] 0 18
Loads the following dynamic libraries:
- Bugly
- com.maa
- fb_jpegturbo
- gifimage
- imagepipeline
- libnfix
- libshella-2.10.7.1
- libufix
- nfix
- pl_droidsonroids_gif
- sgmainso-5.1
- sgsecuritybodyso-5.1
- sqlcipher
- tpnsSecurity
- ufix
- ut_c_api
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CFB8-NoPadding
- AES-GCM-NoPadding
- RSA-ECB-PKCS1PADDING
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CFB8-NoPadding
- AES-GCM-NoPadding
- DES-ECB-PKCS5Padding
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about APN settings.
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
Manages Wi-Fi connectivity.
