Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) amdc####.m.ta####.com:80
- TCP(HTTP/1.1) n####.k####.cn:80
- TCP(HTTP/1.1) log.k####.cn:80
- TCP(HTTP/1.1) beacon####.aliy####.com:80
- TCP(HTTP/1.1) jx.k####.cn.####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) v####.k####.cn:80
- TCP(HTTP/1.1) norma-e####.m####.com:80
- TCP(TLS/1.0) adt.cp####.net:443
- TCP(TLS/1.0) adash####.man.aliy####.com:443
- TCP(TLS/1.0) c####.x####.com:443
- TCP(TLS/1.0) msg.umengc####.com:443
- TCP(TLS/1.0) ap####.uc.cn:443
- TCP(TLS/1.0) 2####.107.1.97:443
- TCP(TLS/1.0) sdk.verific####.jig####.cn:443
- TCP(TLS/1.0) ali-s####.j####.cn:443
- TCP(TLS/1.0) 64.2####.164.101:443
- TCP(TLS/1.0) safebro####.google####.com:443
- TCP(TLS/1.0) t####.j####.cn:443
- TCP(TLS/1.0) md####.google####.com:443
- TCP(TLS/1.0) bj####.j####.cn:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) n####.k####.cn:443
- TCP(TLS/1.0) 74.1####.205.95:443
- TCP(TLS/1.0) al####.u####.com:443
- TCP(TLS/1.2) 74.1####.205.95:443
- TCP(TLS/1.2) 1####.251.1.139:443
- TCP(TLS/1.2) 74.1####.131.95:443
- TCP(TLS/1.2) 64.2####.163.94:443
- TCP zb-cent####.m.ta####.com:443
- TCP 43.2####.88.91:7006
- UDP easytom####.com:19000
- TCP zb-cent####.m.ta####.com:80
DNS requests:
- a####.man.aliy####.com
- adt.cp####.net
- ali-s####.j####.cn
- amdc####.m.ta####.com
- and####.google####.com
- ap####.uc.cn
- beacon####.aliy####.com
- bj####.j####.cn
- c####.x####.com
- co####.cmpass####.com
- easytom####.com
- i####.me
- instant####.google####.com
- jx.k####.cn
- l####.cmpass####.com
- l####.tbs.qq.com
- log.k####.cn
- m####.go####.com
- m####.k####.cn
- m####.k####.cn
- md####.google####.com
- mobi####.k####.cn
- msg.umengc####.com
- n####.k####.cn
- norma-e####.m####.com
- o####.e.189.cn
- one####.cmpass####.com
- openc####.wos####.cn
- s.j####.cn
- safebro####.google####.com
- sdk.verific####.jig####.cn
- sis.j####.io
- t####.j####.cn
- tin####.k####.cn
- u####.u####.com
- umen####.m.ta####.com
- umengj####.m.ta####.com
- v####.k####.cn
- wap.cmpass####.com
- we####.k####.cn
- www.cmpass####.com
- www.gst####.com
HTTP GET requests:
- jx.k####.cn.####.com/KuwoLive/GetAppPhoneConfigNew?type=####&src=####
- n####.k####.cn/MobileAdServer/GetMobileAd.do?isNew=####&ver=####&appuid=...
- n####.k####.cn/MobileAdServer/getIsHideAd.do?ver=####&src=####&appuid=##...
- n####.k####.cn/mobi.s?f=####&q=Wdti8####
- n####.k####.cn/mobi.s?f=####&q=ec2Hz####
- n####.k####.cn/tingshu?ver=####&appuid=####&cid=####&android_id=####&src...
- n####.k####.cn:443/v2/api/product/redDot/show?pageType=####&loginUid=###...
- norma-e####.m####.com/android/exchange/getpublickey.do
- v####.k####.cn/regsvr.auth?1####&XwgED1QLD0JLUlEOXglZRU0DXAkNSQZERAEEDlt...
- v####.k####.cn/vip/v2/sysinfo?op=####&platform=####&isShowNewPayConfig=#...
HTTP POST requests:
- adash####.man.aliy####.com:443/man/api?ak=####&s=####
- adt.cp####.net:443/16a968e3/1
- adt.cp####.net:443/7bf8ff3d/1
- al####.u####.com:443/unify_logs
- al####.u####.com:443/zcfg
- ali-s####.j####.cn:443/v3/report
- amdc####.m.ta####.com/amdc/mobileDispatch?appkey=####&deviceId=####&plat...
- ap####.uc.cn:443/collect?chk=####&vno=####&uuid=####&app=####&enc=####
- beacon####.aliy####.com/beacon/fetch/config/byappkey
- bj####.j####.cn:443/v2/appawake/status
- c####.x####.com:443/configcloud/rest/sdk/match
- l####.tbs.qq.com/ajax?c=####&k=####
- log.k####.cn/music.yl
- msg.umengc####.com:443/alias
- norma-e####.m####.com/push/android/external/add.do
- sdk.verific####.jig####.cn:443/config/ver/v4/android
- t####.j####.cn:443/
File system changes:
Creates the following files:
- /data/anr/traces.txt
- /data/data/####/.cl
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/.jgck
- /data/data/####/002a4ee4-c4e5-4439-9177-ba2e71b95318
- /data/data/####/1641373896583_3657
- /data/data/####/1641373928756_3657
- /data/data/####/1641373933936_3657
- /data/data/####/1641373934021_3657
- /data/data/####/1641373934255_3657
- /data/data/####/1641373936924_3657
- /data/data/####/2a564b5c-4184-4075-bcee-ec78fe5bbe29
- /data/data/####/3282747652.apk
- /data/data/####/3b05dd8e-5651-40f3-a1e9-736106bd520a
- /data/data/####/777ff370-0e7b-4851-ae4d-7dca14e8e31b
- /data/data/####/ACCS_BINDdefault.xml
- /data/data/####/ACCS_SDK.xml
- /data/data/####/ACCS_SDK_CHANNEL.xml
- /data/data/####/AGOO_BIND.xml
- /data/data/####/Agoo_AppStore.xml
- /data/data/####/Alvin2.xml
- /data/data/####/AppInfo.xml
- /data/data/####/Archimedes_p1
- /data/data/####/Archimedes_p2
- /data/data/####/Archimedes_p3
- /data/data/####/Archimedes_p4
- /data/data/####/Archimedes_p5
- /data/data/####/ContextData.xml
- /data/data/####/ECIVRES1UHSGNIT0OWUK0NC.anr
- /data/data/####/ECIVRES1UHSGNIT0OWUK0NC.anrpid
- /data/data/####/ECIVRES1UHSGNIT0OWUK0NC.ss
- /data/data/####/ECIVRESHSUP1UHSGNIT0OWUK0NC.st
- /data/data/####/IpInfos.xml
- /data/data/####/LENNAHC1UHSGNIT0OWUK0NC.anr
- /data/data/####/LENNAHC1UHSGNIT0OWUK0NC.anrpid
- /data/data/####/LENNAHC1UHSGNIT0OWUK0NC.st
- /data/data/####/MessageStore.db-journal
- /data/data/####/PrefsFile.xml
- /data/data/####/Push_Page_Config.xml
- /data/data/####/Push_Page_Config.xml.bak (deleted)
- /data/data/####/StrategyConfig
- /data/data/####/TD_app_pefercen_profile.xml
- /data/data/####/TD_app_pefercen_profile.xml.bak
- /data/data/####/TDpref_cloudcontrol2.xml
- /data/data/####/TDpref_longtime.xml
- /data/data/####/TDpref_longtime1.xml
- /data/data/####/TDpref_shorttime.xml
- /data/data/####/TDpref_shorttime1.xml
- /data/data/####/UHSGNIT0OWUK0NC.bati
- /data/data/####/UHSGNIT0OWUK0NC.end
- /data/data/####/UHSGNIT0OWUK0NC.hdr
- /data/data/####/UHSGNIT0OWUK0NC.meminfo
- /data/data/####/UHSGNIT0OWUK0NC.pid
- /data/data/####/UHSGNIT0OWUK0NC.ps
- /data/data/####/UHSGNIT0OWUK0NC.st
- /data/data/####/UHSGNIT0OWUK0NC.start
- /data/data/####/UHSGNIT0OWUK0NC.status
- /data/data/####/UHSGNIT0OWUK0NC.sts
- /data/data/####/UHSGNIT0OWUK0NC.time
- /data/data/####/UHSGNIT0OWUK0NC.uptime
- /data/data/####/UM_PROBE_DATA.xml
- /data/data/####/VERIFY_SP.xml
- /data/data/####/a1560f4a7eb443fea623c274d046cdf2
- /data/data/####/accs.db
- /data/data/####/accs.db-journal
- /data/data/####/agoo.pid
- /data/data/####/b9adcdbb7c0f45028f10bc22b21bfb10
- /data/data/####/bwc.catch
- /data/data/####/cdt.wa
- /data/data/####/channel_umeng_common_config.xml
- /data/data/####/classes.dex
- /data/data/####/classes.dex.flock (deleted)
- /data/data/####/classes.dex;classes2.dex
- /data/data/####/classes.dex;classes3.dex
- /data/data/####/classes.dex;classes4.dex
- /data/data/####/classes.dex;classes5.dex
- /data/data/####/classes.dex;classes6.dex
- /data/data/####/classes.oat
- /data/data/####/cn.jiguang.common.xml
- /data/data/####/cn.jiguang.jverify_v4.xml
- /data/data/####/cn.jiguang.sdk.address.xml
- /data/data/####/cn.jiguang.sdk.report.xml
- /data/data/####/cn.jiguang.sdk.user.profile.xml
- /data/data/####/cn.jiguang.verifysdk.sms.xml
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/cn.kuwo.tingshu_preferences.xml
- /data/data/####/cn.kuwo.tingshu_preferences.xml.bak
- /data/data/####/cn.kuwo.tingshu_preferences.xml.bak (deleted)
- /data/data/####/com.x.y.1.xml
- /data/data/####/com.x.y.2.xml
- /data/data/####/com_alibaba_aliyun_crash_defend_sdk_info
- /data/data/####/com_alibaba_aliyun_crash_defend_sdk_info_
- /data/data/####/com_alibaba_aliyun_crash_defend_sdk_info_cn.kuw...ervice
- /data/data/####/com_alibaba_aliyun_crash_defend_sdk_info_cn.kuw...hannel
- /data/data/####/core_info
- /data/data/####/cr.wa
- /data/data/####/crash_dump.log
- /data/data/####/delayed_transmission_flag_new.xml
- /data/data/####/deviceinfo.xml
- /data/data/####/dt.wa
- /data/data/####/ecf98ada-cebd-4009-bc76-543e0caea4cc
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/flow.xml
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/httpdns_config_cache.xml
- /data/data/####/httpdns_config_enable.xml
- /data/data/####/i==1.2.0&&9.0.6.0_1641373866391_envelope.log
- /data/data/####/info.xml
- /data/data/####/iv
- /data/data/####/kw_tingshu.db-journal
- /data/data/####/kwplayer.db-journal
- /data/data/####/kwshow.db-journal (deleted)
- /data/data/####/libjiagu.so
- /data/data/####/libweexjsb.so
- /data/data/####/message_accs_db
- /data/data/####/message_accs_db-journal
- /data/data/####/mipush_country_code
- /data/data/####/mipush_country_code.lock
- /data/data/####/mipush_region
- /data/data/####/mipush_region.lock
- /data/data/####/mz_push_preference.xml
- /data/data/####/proc_auxv
- /data/data/####/push_stat_cache.json
- /data/data/####/pushservice_umeng_common_config.xml
- /data/data/####/pv.wa
- /data/data/####/rl.catch
- /data/data/####/salt
- /data/data/####/service_umeng_common_config.xml
- /data/data/####/ssoconfigs.xml
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tdid.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/um_session_id.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_common_location.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_message_state.xml
- /data/data/####/umeng_sp_oaid.xml
- /data/data/####/umeng_sp_zdata.xml
- /data/data/####/umeng_zcfg_flag
- /data/data/####/umeng_zero_cache.db
- /data/data/####/umeng_zero_cache.db-journal
- /data/data/####/unique
- /data/data/####/ver
- /data/data/####/weex_default_settings.xml
- /data/data/####/z==1.2.0&&9.0.6.0_1641373858004_envelope.log
- /data/misc/####/primary.prof
- /data/user_de/####/move_to_de_records.xml
Miscellaneous:
Executes the following shell scripts:
- /data/app/<Package>-1/lib/arm//libweexjsb.so 124 163 1 /data/user/0/<Package>/app_crash/crash_dump.log
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- getprop
- getprop ro.product.cpu.abi
- grep 4010
- ls /
- ls /sys/class/thermal
- ps
- sh
- sh -c type su
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- RC4-ECB-NoPadding
- RSA-ECB-NoPadding
- RSA-ECB-OAEPWithSHA-256AndMGF1Padding
- RSA-ECB-OAEPWithSHA256AndMGF1Padding
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Accesses the ITelephony private interface.
Uses special library to hide executable bytecode.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
Requests the system alert window permission.
