Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
- Android.RemoteCode.127.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) sdk-ope####.g####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) q####.c####.l####.####.com:80
- TCP(HTTP/1.1) c####.t####.cn:80
- TCP(TLS/1.0) hd.a####.com:443
- TCP(TLS/1.0) cdn.t####.cn:443
- TCP(TLS/1.0) ap####.moretic####.com:443
- TCP(TLS/1.0) i####.t####.cn:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) c####.t####.cn:443
- TCP(TLS/1.0) adt.x####.com:443
- TCP sdk.o####.t####.####.com:5224
- TCP cm-1####.ig####.com:5224
DNS requests:
- 7j####.c####.z0.####.com
- a####.u####.com
- adt.x####.com
- amap####.cn-hang####.oss####.####.com
- ap####.moretic####.com
- app.moretic####.com
- c####.t####.cn
- c-h####.g####.com
- cdn.t####.cn
- cm-1####.ig####.com
- i####.t####.cn
- i####.t####.cn
- i####.t####.cn
- i.t####.com
- res####.a####.com
- sdk-ope####.g####.com
- sdk.c####.ig####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- www.t####.cn
HTTP GET requests:
- c####.t####.cn/config/Android.conf
- c####.t####.cn/config/Android.conf?project=####&token=####
- q####.c####.l####.####.com/config/hz-hzv6.conf
HTTP POST requests:
- a####.u####.com/app_logs
- c-h####.g####.com/api.php?format=####&t=####
- sdk-ope####.g####.com/api.php?format=####&t=####
File system changes:
Creates the following files:
- /data/data/####/-121594284-1587103188
- /data/data/####/-1371959333-676584419
- /data/data/####/-1861133908-1586413285
- /data/data/####/-25179321201700289
- /data/data/####/-5624518291073067058
- /data/data/####/-757492299-1178962703
- /data/data/####/-757492299-1178962820
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/0rlF84oyuVfc5Lf5qb8_58kv2Sw.-1497460758.tmp
- /data/data/####/1201977905-801464961
- /data/data/####/13Q-IBXsZrPf-3_uE6kVg-eeWWw.-2076352761.tmp
- /data/data/####/1535570840-1477038608
- /data/data/####/1535570840-2085412415
- /data/data/####/1566342404694_2159
- /data/data/####/1566342404728_2159
- /data/data/####/1566342404786_2159
- /data/data/####/1566342405127_2159
- /data/data/####/1566342408588_2242
- /data/data/####/1566342408642_2242
- /data/data/####/1967631068-1055993548
- /data/data/####/1967631068-1664367357
- /data/data/####/1s9AJ-GaAVhyVvt_JX4no-IEBvc.2105052196.tmp
- /data/data/####/3B2dE4XsgxHoICoUYMsWCEKceSM.1974846270.tmp
- /data/data/####/3Wiy6zNQmAcOvEPamVeSM443AhE.637368132.tmp
- /data/data/####/54110151881709.0
- /data/data/####/5wbBKr93-mut4O8ZEcmq_0aAnwA.-1332723067.tmp
- /data/data/####/71140769747937.0
- /data/data/####/AXi8xB9YCnXQ66TtUX37jMPcbAY.2024425786.tmp
- /data/data/####/AlruIC8vVuw66kdjPeZ46TJm09Q.609572021.tmp
- /data/data/####/CKSdPJ-C3tswRFqNnIb4UkqzVxo.-502175451.tmp
- /data/data/####/CookiePrefsFile.xml
- /data/data/####/CookiePrefsFile.xml (deleted)
- /data/data/####/Ius6xJGPBUCuWfsXyMTIh60Nxp8.1101653873.tmp
- /data/data/####/JlrCnKXK0lvlpOkx2vQVQoxgCFg.2133571964.tmp
- /data/data/####/NMWDefaultNoticeSp.xml
- /data/data/####/TD_app_pefercen_profile.xml
- /data/data/####/TDpref_longtime.xml
- /data/data/####/TDpref_longtime1.xml
- /data/data/####/TDpref_shorttime.xml
- /data/data/####/TDpref_shorttime1.xml
- /data/data/####/VvvAtVdxd55rN9beZkEebsiskt4.646510171.tmp
- /data/data/####/WS3yNRuSpw4zx74Zdh_eiFB57QY.-111944897.tmp
- /data/data/####/YQJyHmieZ2xSE50YyRIM-IIwVa8.999667702.tmp
- /data/data/####/ZjaVPJwYW58dHQEufJ0RmYN5PzM.1814872215.tmp
- /data/data/####/aDexkr-jJP1uKFXEwea_1TYNihk.1514352512.tmp
- /data/data/####/all_m4b1sG2xEocuKZetmaTAVgY.-1943186055.tmp
- /data/data/####/android_rn_1_0_0.zip
- /data/data/####/c0aM2iM42Ky0GcEoGZgxvlTWu4k.cnt
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/com.juqitech.niumowang-journal
- /data/data/####/com.juqitech.niumowang_preferences.xml
- /data/data/####/com.sensorsdata.analytics.android.sdk.SensorsDataAPI.xml
- /data/data/####/dGaVGawRyunK5_tDDz11wY1QW3w.700254247.tmp
- /data/data/####/dafile.db
- /data/data/####/dafile.db-journal
- /data/data/####/dso_deps
- /data/data/####/dso_lock
- /data/data/####/dso_manifest
- /data/data/####/dso_state
- /data/data/####/eFf7G1LUUtqeBlslzH7he8Zx7gY.2028908217.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/getui_sp.xml
- /data/data/####/hAEwNd0QY6ngYsDhc1zP-2qPXDc.-1908951077.tmp
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/htg97wVLEITzvnZC66ncf6rnbmw.2144984464.tmp
- /data/data/####/index.jsbundle
- /data/data/####/index.jsbundle.meta
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/kCg4wBJCwrmpmdlg63TqzqgcOAk.-2023986707.tmp
- /data/data/####/libjiagu-1290856949.so
- /data/data/####/location.json
- /data/data/####/logdb.db
- /data/data/####/logdb.db-journal
- /data/data/####/ly_WCnpUkqr1_lixE5vUvOdy2Zs.2107989450.tmp
- /data/data/####/multidex.version.xml
- /data/data/####/niuniu.xml
- /data/data/####/nmw-site.xml
- /data/data/####/nmwdb-journal
- /data/data/####/oJrOrSbscPYtiEOV0k_VODoOVT4.-277582739.tmp
- /data/data/####/pref.xml
- /data/data/####/push.pid
- /data/data/####/pushsdk.db-journal
- /data/data/####/qlKmtLDKuZfpWOfNjimm2fPpezw.2118472848.tmp
- /data/data/####/resources_images_comment_comment_action.png
- /data/data/####/resources_images_comment_comment_empty_icon.png
- /data/data/####/resources_images_comment_comment_icon_default.png
- /data/data/####/resources_images_comment_comment_image_default.png
- /data/data/####/resources_images_comment_comment_navi_share.png
- /data/data/####/resources_images_comment_comment_praise_normal.png
- /data/data/####/resources_images_comment_comment_praise_selected.png
- /data/data/####/resources_images_comment_comment_prefer.png
- /data/data/####/resources_images_comment_comment_share.png
- /data/data/####/resources_images_comment_comment_show_shadow.png
- /data/data/####/resources_images_show_pgc_vip.png
- /data/data/####/resources_images_show_show_discount_bg.png
- /data/data/####/resources_images_show_show_list_ad.png
- /data/data/####/resources_images_starter_back.png
- /data/data/####/resources_images_starter_back_w.png
- /data/data/####/resources_images_starter_close_sm.png
- /data/data/####/resources_images_starter_default_poster.png
- /data/data/####/resources_images_starter_disclosure.png
- /data/data/####/resources_images_starter_star_0.png
- /data/data/####/resources_images_starter_star_1.png
- /data/data/####/resources_images_starter_star_2.png
- /data/data/####/resources_images_starter_warning.png
- /data/data/####/resources_images_user_award_point_bg.png
- /data/data/####/resources_images_user_award_point_empty.png
- /data/data/####/resources_images_user_award_point_expire_triangle.png
- /data/data/####/resources_images_user_award_point_guide_indicator.png
- /data/data/####/resources_images_user_award_point_icon.png
- /data/data/####/run.pid
- /data/data/####/sensorsdata.xml
- /data/data/####/svH_mWx7UFskalCc13yZZixKj6A.-1079077093.tmp
- /data/data/####/tdid.xml
- /data/data/####/tempfile
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/vPrjcA7V7ZCSY6qWjwcTW4Fc3qY.-2081473233.tmp
- /data/data/####/yWl4BGZUSJ0JdEw5hKyBrbwd_1Y.493702819.tmp
- /data/data/####/zXs1dMqrVWC0VqDVIno13-SMWvY.1557657354.tmp
- /data/media/####/.tcookieid
- /data/media/####/alsn.db
- /data/media/####/alsn.db-journal
- /data/media/####/app.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.juqitech.niumowang.bin
- /data/media/####/com.juqitech.niumowang.db
Miscellaneous:
Executes the following shell scripts:
- chmod 755 <Package Folder>/.jiagu/libjiagu-1290856949.so
- getprop
Loads the following dynamic libraries:
- getuiext2
- gifimage
- imagepipeline
- libjiagu-1290856949
- securitylib
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- DES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- DES-CBC-PKCS5Padding
Accesses the ITelephony private interface.
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
Manages Wi-Fi connectivity.
