Adware.Gexin.8658

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) ti####.c####.l####.####.com:80
TCP(HTTP/1.1) st####.b####.cn:80
TCP(HTTP/1.1) t####.c####.q####.####.com:80
TCP(HTTP/1.1) a.appj####.com:80
TCP(HTTP/1.1) c-h####.g####.com:80
TCP(HTTP/1.1) sdk.o####.p####.####.com:80
TCP(TLS/1.0) so####.b####.cn:443
TCP(TLS/1.0) 1####.217.168.238:443
TCP(TLS/1.0) api.b####.cn:443
TCP c####.g####.ig####.com:5225
TCP sdk.o####.t####.####.com:5224

DNS requests:

7j####.c####.z0.####.com
a.appj####.com
api.b####.cn
c####.g####.ig####.com
c####.g####.ig####.com
c-h####.g####.com
sdk.c####.ig####.com
sdk.o####.p####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.net
so####.b####.cn
st####.b####.cn

HTTP GET requests:

st####.b####.cn/Appversion/bevol-3.0.1-(mlxx).apk
t####.c####.q####.####.com/tdata_SzD730
t####.c####.q####.####.com/tdata_ZCi456
ti####.c####.l####.####.com/config/hz-hzv3.conf

HTTP POST requests:

a.appj####.com/ad-service/ad/mark
a.appj####.com/jiagu/check/upgrade
c-h####.g####.com/api.php?format=####&t=####
sdk.o####.p####.####.com/api.php?format=####&t=####

File system changes:

Creates the following files:

/data/data/####/.imei.txt
/data/data/####/.jg.ic
/data/data/####/.log.lock
/data/data/####/.log.ls
/data/data/####/H5D43A324.xml
/data/data/####/H5D43A324_download_dcloud.xml
/data/data/####/H5D43A324_storages.xml
/data/data/####/cc.db
/data/data/####/cc.db-journal
/data/data/####/clientid_igexin.xml
/data/data/####/data_0
/data/data/####/data_1
/data/data/####/data_2
/data/data/####/data_3
/data/data/####/f_000001
/data/data/####/f_000002
/data/data/####/f_000003
/data/data/####/f_000004
/data/data/####/gdaemon_20161017
/data/data/####/gx_sp.xml
/data/data/####/index
/data/data/####/init.pid
/data/data/####/init_c1.pid
/data/data/####/jg_app_update_settings_random.xml
/data/data/####/libjiagu.so
/data/data/####/mobclick_agent_cached_cn.bevol.p10028
/data/data/####/pdr.xml
/data/data/####/push.pid
/data/data/####/pushext.db-journal
/data/data/####/pushg.db-journal
/data/data/####/pushsdk.db-journal
/data/data/####/qihoo_jiagu_crash_report.xml
/data/data/####/run.pid
/data/data/####/tdata_SzD730
/data/data/####/tdata_SzD730.jar
/data/data/####/tdata_ZCi456
/data/data/####/tdata_ZCi456.jar
/data/data/####/umeng_general_config.xml
/data/data/####/webview.db-journal
/data/data/####/webviewCookiesChromium.db-journal
/data/data/####/webviewCookiesChromiumPrivate.db-journal
/data/media/####/.imei.txt
/data/media/####/07F9E32508947ADC768ACC4FEE70288F
/data/media/####/0D7343D68A470A4C8281887F3E6996A0
/data/media/####/12002699AB4108950D02678BD7EF9F88
/data/media/####/203E80549BD12D7E206CD94E87E9CBB5
/data/media/####/36CD161EA319B575CAE716B18598AFC6
/data/media/####/3C3F4E9D701EB434DE7409A31051BC8E
/data/media/####/4A68652AE5F0212A9A39D71799AFDD15
/data/media/####/5D1F04F12CFE3A56BD89515E0D7D6688
/data/media/####/AB2F3CBBD34DEDB8FFB8E5381DCA1FBF
/data/media/####/AE7F77735F8C5B23BF9BE6E48D6F0C6C
/data/media/####/B5CAF7B601958454CBFBE425E4BEB61C
/data/media/####/app.db
/data/media/####/bevol-3.0.1-(mlxx)(1).apk
/data/media/####/bevol-3.0.1-(mlxx).apk
/data/media/####/cn.bevol.p.db
/data/media/####/com.getui.sdk.deviceId.db
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/crash_1550260239143_2019-02-15-19-50-39.log
/data/media/####/dt271550260206047.download
/data/media/####/dt271550260222836.download
/data/media/####/file__0.localstorage
/data/media/####/file__0.localstorage-journal
/data/media/####/tdata_SzD730
/data/media/####/tdata_ZCi456
/data/media/####/test.log

Miscellaneous:

Executes the following shell scripts:

<Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 23949 300 0
chmod 700 <Package Folder>/files/gdaemon_20161017
chmod 755 <Package Folder>/.jiagu/libjiagu.so

Loads the following dynamic libraries:

getuiext2
libjiagu

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
RSA-NONE-OAEPWithSHA1AndMGF1Padding

Uses special library to hide executable bytecode.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Gets information about running apps.

Adds tasks to the system scheduler.

Displays its own windows over windows of other apps.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial