Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) q####.c####.l####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) sdk-ope####.g####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) a####.pin-####.com:80
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) 1####.217.20.106:443
- TCP(TLS/1.0) and####.cli####.go####.com:443
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) 1####.217.168.238:443
- TCP(TLS/1.0) p####.google####.com:443
- TCP(TLS/1.2) p####.google####.com:443
- TCP sdk.o####.t####.####.com:5224
- TCP cm-1####.ig####.com:5224
DNS requests:
- 7j####.c####.z0.####.com
- a####.pin-####.com
- and####.cli####.go####.com
- and####.google####.com
- c-h####.g####.com
- cm-1####.ig####.com
- f####.gst####.com
- instant####.google####.com
- p####.google####.com
- pub-####.qin####.com
- sdk-ope####.g####.com
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
HTTP GET requests:
- a####.pin-####.com/rider/mobileApp/newVersion?data=####
- q####.c####.l####.####.com/config/hz-hzv6.conf
- q####.c####.l####.####.com/tdata_EDT369
- q####.c####.l####.####.com/tdata_MkX219
- q####.c####.l####.####.com/tdata_RTc910
- q####.c####.l####.####.com/tdata_XeE960
- q####.c####.l####.####.com/tdata_mtl581
- sdk.o####.p####.####.com/api/addr.htm
HTTP POST requests:
- c-h####.g####.com/api.php?format=####&t=####
- sdk-ope####.g####.com/api.php?format=####&t=####
- sdk.o####.p####.####.com/api.php?format=####&t=####&d=####&k=####
File system changes:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/078ca2b4
- /data/data/####/1feceb76fa2f
- /data/data/####/PrefsFile.xml
- /data/data/####/classes.dex
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/f9b78866
- /data/data/####/getui_sp.xml
- /data/data/####/gkt-journal
- /data/data/####/gx_sp.xml
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/libjiagu.so
- /data/data/####/proc_auxv
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushk.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/tdata_MkX219
- /data/data/####/tdata_MkX219.dex.flock (deleted)
- /data/data/####/tdata_MkX219.jar
- /data/data/####/tdata_RTc910
- /data/data/####/tdata_RTc910.dex
- /data/data/####/tdata_RTc910.dex.flock (deleted)
- /data/data/####/tdata_RTc910.jar
- /data/data/####/tdata_XeE960
- /data/data/####/tdata_XeE960.dex.flock (deleted)
- /data/data/####/tdata_XeE960.jar
- /data/data/####/tdata_mtl581
- /data/data/####/tdata_mtl581.dex
- /data/data/####/tdata_mtl581.dex.flock (deleted)
- /data/data/####/tdata_mtl581.jar
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- /system/bin/cat /proc/cpuinfo
- /system/bin/dex2oat --instruction-set=x86 --dex-file=<Package Folder>/.jiagu/classes.dex --dex-file=<Package Folder>/.jiagu/classes.dex:classes2.dex --oat-file=<Package Folder>/.jiagu/classes.oat --inline-depth-limit=0 --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/tdata_MkX219.jar --oat-fd=42 --oat-location=/data/user/0/<Package>/files/tdata_MkX219.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/tdata_RTc910.jar --oat-fd=49 --oat-location=/data/user/0/<Package>/files/tdata_RTc910.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/tdata_XeE960.jar --oat-fd=51 --oat-location=/data/user/0/<Package>/files/tdata_XeE960.dex --compiler-filter=speed
- /system/bin/dex2oat --runtime-arg -classpath --runtime-arg & --instruction-set=x86 --instruction-set-features=smp,ssse3,sse4.1,sse4.2,-avx,-avx2,-lock_add,popcnt --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --dex-file=/data/user/0/<Package>/files/tdata_mtl581.jar --oat-fd=49 --oat-location=/data/user/0/<Package>/files/tdata_mtl581.dex --compiler-filter=speed
- cat /proc/uid_stat/10065/tcp_rcv
- cat /proc/uid_stat/10065/tcp_snd
- cat /sys/class/net/wlan0/address
- mount
- sh
Uses the following algorithms to encrypt data:
- AES-CFB-NoPadding
- AES-ECB-PKCS5Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Uses the following algorithms to decrypt data:
- AES-ECB-PKCS5Padding
Uses special library to hide executable bytecode.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Displays its own windows over windows of other apps.
