Adware.Gexin.8670

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Accesses the ITelephony private interface.

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) 1####.29.29.29:80
TCP(HTTP/1.1) loc.map.b####.com:80
TCP(HTTP/1.1) sdk.o####.p####.####.com:80
TCP(TLS/1.0) api.map.b####.com:443
TCP(TLS/1.0) c####.api.auto####.####.cn:443
TCP(TLS/1.0) c####.aut####.cn.####.com:443
TCP(TLS/1.0) new####.aut####.ca####.com:443
TCP(TLS/1.0) wz.auto####.com.cn:443
TCP(TLS/1.0) wzcarp####.auto####.com.cn:443
TCP(TLS/1.0) sdc-####.pi####.com:12743
TCP(TLS/1.0) al.auto####.com.cn:443
TCP c####.g####.ig####.com:5224
TCP sdk.o####.t####.####.com:5224

DNS requests:

a####.u####.com
al.auto####.com.cn
api.map.b####.com
c####.api.auto####.####.cn
c####.aut####.cn
c####.g####.ig####.com
c.sz.gt.####.com
loc.map.b####.com
sdc-####.pi####.com
sdk.c####.ig####.com
sdk.o####.p####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.net
wz.auto####.com.cn
wz0.aut####.cn
wzcarp####.auto####.com.cn
x.aut####.cn

HTTP POST requests:

a####.u####.com/app_logs
loc.map.b####.com/offline_loc
loc.map.b####.com/sdk.php
sdk.o####.p####.####.com/api.php?format=####&t=####

File system changes:

Creates the following files:

/data/data/####/-573769116
/data/data/####/.imprint
/data/data/####/.jg.ic
/data/data/####/.log.lock
/data/data/####/.log.ls
/data/data/####/1550343611902.apk
/data/data/####/1550343611902.dex
/data/data/####/1550343611972.apk
/data/data/####/1550343611972.dex
/data/data/####/1550343612854.apk
/data/data/####/1550343612854.dex
/data/data/####/1550343613026.apk
/data/data/####/1550343613026.dex
/data/data/####/600573751
/data/data/####/UMS_Online_Setting.xml
/data/data/####/UMS_Session_ID.xml
/data/data/####/UMS_Session_ID_Save_Time.xml
/data/data/####/WzTimeStamp.xml
/data/data/####/adpv-journal
/data/data/####/authStatus_com.autohome.mycar.xml
/data/data/####/cc.db
/data/data/####/cc.db-journal
/data/data/####/city.db
/data/data/####/city.db-journal
/data/data/####/data_0
/data/data/####/data_1
/data/data/####/data_2
/data/data/####/data_3
/data/data/####/dealerprice.xml
/data/data/####/dealerprice.xml.bak
/data/data/####/dns.db-journal
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/f_000001
/data/data/####/f_000002
/data/data/####/f_000003
/data/data/####/f_000004
/data/data/####/f_000005
/data/data/####/f_000006
/data/data/####/f_000007
/data/data/####/f_000008
/data/data/####/f_000009
/data/data/####/f_00000a
/data/data/####/f_00000b
/data/data/####/f_00000c
/data/data/####/f_00000d
/data/data/####/f_00000e
/data/data/####/f_00000f
/data/data/####/f_000010
/data/data/####/f_000011
/data/data/####/f_000012
/data/data/####/f_000013
/data/data/####/f_000014
/data/data/####/firll.dat
/data/data/####/getxinPrefs.xml
/data/data/####/index
/data/data/####/init.pid
/data/data/####/init_c1.pid
/data/data/####/libcuid.so
/data/data/####/libjiagu.so
/data/data/####/mycar.db-journal
/data/data/####/mycar.xml
/data/data/####/mycar.xml.bak (deleted)
/data/data/####/news.xml
/data/data/####/ofl.config
/data/data/####/ofl_location.db
/data/data/####/ofl_location.db-journal
/data/data/####/ofl_statistics.db
/data/data/####/ofl_statistics.db-journal
/data/data/####/plugin.installedlist
/data/data/####/push.pid
/data/data/####/pushsdk.db-journal
/data/data/####/run.pid
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/data/####/webview.db-journal
/data/data/####/webviewCookiesChromium.db-journal
/data/data/####/zeusplugin_installinfo
/data/media/####/.cuid
/data/media/####/.cuid2
/data/media/####/.nomedia
/data/media/####/1dfv17pkqqedlijj4gztv62pj0.tmp
/data/media/####/1i8ofb7xqk99phbs42cv3uhh40.tmp
/data/media/####/1irj3n60ey0mhm0t3myd7ixav0.tmp
/data/media/####/23jw850kcwvbmrmo6zxppipoz0.tmp
/data/media/####/37doz35dv051km79mdmsyin9o0.tmp
/data/media/####/3otmsyhdmulmp0ittyw8yk0bx0.tmp
/data/media/####/3xzlaaypoiv10ogkz55ex7kgl0.tmp
/data/media/####/41asw7s9h4hj73oqrotapb08z0.tmp
/data/media/####/4yhsm1e1o3gulpoqakp42673c0.tmp
/data/media/####/62d8151k0ujvc3f09k6wickht0.tmp
/data/media/####/6f2z7mzd4v33a9y3zqshfvwrh0.tmp
/data/media/####/6tbp5vxxyd3tj2mehsif8rpjn0.tmp
/data/media/####/7121ucbtbtjosqt5t33oa1i0r0.tmp
/data/media/####/7bgn6ej6gfbmrysl060io3fr10.tmp
/data/media/####/7dammzrw8l8pni3mvalf048dp0.tmp
/data/media/####/7g5rjwm1d9c1n3hf704zfil1c0.tmp
/data/media/####/7jrm0xfre0btfge9twjtzso4h0.tmp
/data/media/####/app.db
/data/media/####/com.autohome.mycar.db
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/conlts.dat
/data/media/####/hnfji9y0g5zlkw04616ash3a0.tmp
/data/media/####/journal.tmp
/data/media/####/ller.dat
/data/media/####/ls.db
/data/media/####/ls.db-journal
/data/media/####/q3oxcgllyr5knd7b4ctwuz7x0.tmp
/data/media/####/test.0
/data/media/####/yoh.dat
/data/media/####/yol.dat
/data/media/####/yom.dat

Miscellaneous:

Executes the following shell scripts:

chmod 755 <Package Folder>/.jiagu/libjiagu.so
getprop wifi.interface
sh

Loads the following dynamic libraries:

BaiduMapSDK_base_v3_7_3
getuiext2
libjiagu
locSDK6a
wzk

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
DES-ECB-PKCS5Padding
DESede
RSA-NONE-OAEPWithSHA1AndMGF1Padding
desede-CBC-PKCS7Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
DES-ECB-PKCS5Padding

Uses special library to hide executable bytecode.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Gets information about running apps.

Adds tasks to the system scheduler.

Displays its own windows over windows of other apps.

Technologies

Terminology

Training and education

Myths

Technical information

Curing recommendations

Free trial