Adware.Gexin.2452

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) a####.u####.com:80
TCP(HTTP/1.1) c-h####.g####.com:80
TCP(HTTP/1.1) t####.c####.q####.####.com:80
TCP(HTTP/1.1) cn-hang####.oss####.aliyun####.com:80
TCP(HTTP/1.1) ti####.c####.l####.####.com:80
TCP(HTTP/1.1) sdk.o####.p####.####.com:80
TCP(TLS/1.0) ssl.gst####.com:443
TCP(TLS/1.0) www.go####.com:443
TCP(TLS/1.0) www.gst####.com:443
TCP(TLS/1.0) api.growi####.com:443
TCP(TLS/1.0) res####.a####.com:443
TCP(TLS/1.0) adser####.go####.com:443
TCP(TLS/1.0) www.go####.nl:443
TCP(TLS/1.0) t.growi####.com:443
TCP(TLS/1.0) eco####.me####.com.####.com:443
TCP c####.g####.ig####.com:5226
TCP sdk.o####.t####.####.com:5224

DNS requests:

7j####.c####.z0.####.com
a####.u####.com
adser####.go####.com
api.growi####.com
c####.g####.ig####.com
c-h####.g####.com
cn-hang####.oss####.aliyun####.com
eco####.me####.com
res####.a####.com
sdk.c####.ig####.com
sdk.o####.p####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.net
ssl.gst####.com
t.growi####.com
www.go####.com
www.go####.nl
www.gst####.com

HTTP GET requests:

cn-hang####.oss####.aliyun####.com/amap-api/comm/upload/CoordinateSoEnhe...
t####.c####.q####.####.com/tdata_YYn966
t####.c####.q####.####.com/tdata_eOt091
ti####.c####.l####.####.com/config/hz-hzv3.conf

HTTP POST requests:

a####.u####.com/app_logs
c-h####.g####.com/api.php?format=####&t=####
sdk.o####.p####.####.com/api.php?format=####&t=####

Modified file system:

Creates the following files:

/data/data/####/.imprint
/data/data/####/.jg.ic
/data/data/####/1d2b904cbeadfb72ed9546111a231c85.0
/data/data/####/3149823633160.0
/data/data/####/BQMMSDKVersion.xml
/data/data/####/Bqmm.db-journal
/data/data/####/BuglySdkInfos.xml
/data/data/####/Meiqia.xml
/data/data/####/MultiDex.lock
/data/data/####/bqmm_keyword_emojis.xml
/data/data/####/cc.db
/data/data/####/cc.db-journal
/data/data/####/church_login_info.xml
/data/data/####/com.gtan.church;pushservice.growing.db
/data/data/####/com.gtan.church;pushservice.growing.db-journal
/data/data/####/com.gtan.church_preferences.xml
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/gdaemon_20161017
/data/data/####/getui_sp.xml
/data/data/####/growing.db
/data/data/####/growing.db-journal
/data/data/####/growing_ecsid.xml
/data/data/####/growing_persist_data.xml
/data/data/####/growing_profile.xml
/data/data/####/gx_sp.xml
/data/data/####/hmdb
/data/data/####/hmdb-journal
/data/data/####/init.pid
/data/data/####/init_c1.pid
/data/data/####/journal
/data/data/####/journal.tmp
/data/data/####/k.store
/data/data/####/libjiagu-1550719694.so
/data/data/####/libwgs2gcj.so
/data/data/####/loctemp.so
/data/data/####/logdb.db
/data/data/####/logdb.db-journal
/data/data/####/login_auth.xml
/data/data/####/meiqia.db
/data/data/####/meiqia.db-journal
/data/data/####/multidex.version.xml
/data/data/####/otherData.xml
/data/data/####/package_downstate.xml
/data/data/####/pref.xml
/data/data/####/pref.xml.bak
/data/data/####/push.pid
/data/data/####/pushext.db-journal
/data/data/####/pushg.db-journal
/data/data/####/pushsdk.db-journal
/data/data/####/run.pid
/data/data/####/tdata_YYn966
/data/data/####/tdata_YYn966.jar
/data/data/####/tdata_eOt091
/data/data/####/tdata_eOt091.jar
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_it.cache
/data/media/####/.nomedia
/data/media/####/1536741594458.db
/data/media/####/alsn20170807.db
/data/media/####/alsn20170807.db-journal
/data/media/####/app.db
/data/media/####/com.getui.sdk.deviceId.db
/data/media/####/com.gtan.church.bin
/data/media/####/com.gtan.church.db
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/journal.tmp
/data/media/####/tdata_YYn966
/data/media/####/tdata_eOt091
/data/media/####/test.log

Miscellaneous:

Executes next shell scripts:

<Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.getui.GeTuiPushService 24474 300 0
chmod 700 <Package Folder>/files/gdaemon_20161017
chmod 755 <Package Folder>/.jiagu/libjiagu-1550719694.so
sh <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.getui.GeTuiPushService 24474 300 0

Loads the following dynamic libraries:

getuiext2
libjiagu-1550719694

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
RSA-ECB-PKCS1Padding
RSA-NONE-OAEPWithSHA1AndMGF1Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding

Uses special library to hide executable bytecode.

Gains access to geolocation.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical information

Recommandations pour le traitement

Free trial