Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.1.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) 18t####.qin####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) gm.mm####.com:80
- TCP(HTTP/1.1) mzst####.com.edg####.net:80
- TCP(HTTP/1.1) g####.18t####.com:80
- TCP(HTTP/1.1) rpc.api.18t####.com:80
- TCP(HTTP/1.1) i####.mzst####.com.####.net:80
- TCP(TLS/1.0) s####.j####.cn:443
- TCP 1####.202.151.13:7005
- UDP s.j####.cn:19000
DNS requests:
- 18t####.qin####.com
- a1.mzst####.com
- a2.mzst####.com
- a3.mzst####.com
- a4.mzst####.com
- a5.mzst####.com
- api.18t####.com
- box.18t####.com
- c####.mm####.com
- c.c####.com
- g####.18t####.com
- h####.c####.com
- hm.b####.com
- is2.mzst####.com
- qn.18t####.com
- rpc.api.18t####.com
- s####.j####.cn
- s.j####.cn
- s11.c####.com
HTTP GET requests:
- 18t####.qin####.com/tq/Images/18touch.png
- c.c####.com/core.php?web_id=####&t=####
- c.c####.com/stat.php?id=####&web_id=####
- g####.18t####.com/?c=####&a=####&pkg=####&os=####&dk=####&ak=####
- g####.18t####.com/api2_2/category226?orderby=####>ype=####&type=####&p...
- g####.18t####.com/api2_2/game228/index/id/10318221?dk=####&ak=####
- g####.18t####.com/public/images/gametype_icon/celue.png
- g####.18t####.com/public/images/gametype_icon/dongzuo.png
- g####.18t####.com/public/images/gametype_icon/ertong.png
- g####.18t####.com/public/images/gametype_icon/jiemi.png
- g####.18t####.com/public/images/gametype_icon/jingying.png
- g####.18t####.com/public/images/gametype_icon/juese.png
- g####.18t####.com/public/images/gametype_icon/kapai.png
- g####.18t####.com/public/images/gametype_icon/minjie.png
- g####.18t####.com/public/images/gametype_icon/qipai.png
- g####.18t####.com/public/images/gametype_icon/saiche.png
- g####.18t####.com/public/images/gametype_icon/sheji.png
- g####.18t####.com/public/images/gametype_icon/tiyu.png
- g####.18t####.com/public/images/gametype_icon/xiaochu.png
- g####.18t####.com/public/images/gametype_icon/xiuxian.png
- g####.18t####.com/public/images/gametype_icon/yangcheng.png
- g####.18t####.com/public/images/gametype_icon/yinyue.png
- gm.mm####.com/9.gif?abc=####&rnd=####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&ep=####&et=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- hm.b####.com/hm.js?6b0d092####
- i####.mzst####.com.####.net/image/thumb/Purple127/v4/f2/4f/d2/f24fd2b0-7...
- mzst####.com.edg####.net/jp/r30/Purple20/v4/98/d5/7f/98d57f7b-67a1-8bbf-...
- mzst####.com.edg####.net/jp/r30/Purple69/v4/86/a0/48/86a0480b-9d94-c7df-...
- mzst####.com.edg####.net/us/r30/Purple2/v4/59/6d/de/596dde1a-998a-34c7-9...
- mzst####.com.edg####.net/us/r30/Purple3/v4/75/fe/c8/75fec819-5760-041e-9...
- mzst####.com.edg####.net/us/r30/Purple30/v4/1c/16/29/1c162957-7610-4586-...
- mzst####.com.edg####.net/us/r30/Purple30/v4/5b/c6/02/5bc6022f-9368-cc7a-...
- mzst####.com.edg####.net/us/r30/Purple30/v4/9c/36/e9/9c36e9a0-9192-0a67-...
- mzst####.com.edg####.net/us/r30/Purple30/v4/e6/6b/09/e66b0940-2602-068d-...
- mzst####.com.edg####.net/us/r30/Purple49/v4/71/4a/9f/714a9f78-2f35-2351-...
- mzst####.com.edg####.net/us/r30/Purple49/v4/d3/ad/3a/d3ad3ae0-f317-a5d9-...
- mzst####.com.edg####.net/us/r30/Purple5/v4/64/0e/2a/640e2a09-af03-d61b-2...
- mzst####.com.edg####.net/us/r30/Purple5/v4/e3/1e/c9/e31ec9e0-3031-3fb1-a...
- mzst####.com.edg####.net/us/r30/Purple60/v4/ba/9b/9f/ba9b9fb4-e4af-77f1-...
- mzst####.com.edg####.net/us/r30/Purple62/v4/fd/f0/65/fdf0656b-947b-bfc3-...
- mzst####.com.edg####.net/us/r30/Purple69/v4/1d/14/0a/1d140aed-91b1-a351-...
- rpc.api.18t####.com/api2_2/Choice250?dk=####&ak=####
- rpc.api.18t####.com/api2_2/game/type
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2016-05-24/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2016-06-02/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2016-08-10/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2016-08-16/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2016-09-22/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2016-10-24/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2017-06-23/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2017-11-20/5...
- t####.c####.q####.####.com/magicbox_images/upload/game_icon/2017-12-07/5...
- t####.c####.q####.####.com/magicbox_images/upload/res_icon/2015-03-09/54...
- t####.c####.q####.####.com/magicbox_images/upload/res_icon/2015-05-18/55...
- t####.c####.q####.####.com/magicbox_images/upload/res_icon/2015-05-22/55...
- t####.c####.q####.####.com/magicbox_images/upload/res_icon/2015-07-02/55...
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
HTTP POST requests:
- rpc.api.18t####.com/tasks/new_abdata?dk=####&ak=####
- rpc.api.18t####.com/tasks/new_bounty?dk=####&ak=####
Modified file system:
Creates the following files:
- /data/data/####/.jg.ic
- /data/data/####/.old_file_converted
- /data/data/####/JPushSA_Config.xml
- /data/data/####/TypeListIcon.txt
- /data/data/####/appPackageNames
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/com.touch18.player_preferences.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/filedownloader.db-journal
- /data/data/####/index
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_local_notification.db
- /data/data/####/jpush_local_notification.db-journal
- /data/data/####/jpush_stat_cache.json
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_statistics.db
- /data/data/####/jpush_statistics.db-journal
- /data/data/####/libjiagu.so
- /data/data/####/mobclick_agent_cached_com.touch18.player252
- /data/data/####/openudid_prefs.xml
- /data/data/####/tasksmanager.db
- /data/data/####/tasksmanager.db-journal
- /data/data/####/topicList_0100.txt
- /data/data/####/topicList_0101.txt
- /data/data/####/umeng_general_config.xml
- /data/data/####/wanju_getHomeGameData.txt
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.nomedia
- /data/media/####/.push_deviceid
- /data/media/####/11w2cyiv9ccvbk76t9jou3uuw
- /data/media/####/170x5q2fzxad2aumr94s8bzv7
- /data/media/####/1cejvrqnomwxgfoq3yalkk33w
- /data/media/####/1jvf24wfgzp2qc37tok9nx6s8
- /data/media/####/1o9g5zwffc30esqfc4r5356mo
- /data/media/####/1t74ja6gs8bykps399k2k7e4q
- /data/media/####/24bv4ty5q22ehscyaqlhewj1d
- /data/media/####/2dkxivbjsvv8hv7scz327vrh0
- /data/media/####/2gj98jifz860zp6g4f93pyz9x
- /data/media/####/2njnrd3mbky6alcwmrfzt8s4o
- /data/media/####/2yk95gxpdo4yyputcrn5iuwdo
- /data/media/####/3gmliul2zv88hfm2uk9g8mlpu
- /data/media/####/3qwuiiby4edqxn8hgh5hm0e1l
- /data/media/####/3rq5mxxpumanimtf93ia0m96w
- /data/media/####/3ylmxtkgqa5i02zhp9gu0xxix
- /data/media/####/43p4lxymtipujxdmixwq4l7zm
- /data/media/####/497wsgm4kvfcipuqgogi8bkii
- /data/media/####/4cwi00icm9mxjzx0106pjcxre
- /data/media/####/4dy710slfm0j098thi65sqdes
- /data/media/####/4gktdvohzqgs431atmr7xlh9g
- /data/media/####/4kcplb2naki9unedwturnyz9g
- /data/media/####/4uacrhifjmrzh18f4aklc03js
- /data/media/####/54em4jzf2sce6wlvbbf1avkgl
- /data/media/####/55pdho5phj7il65b5cnfa3ilb
- /data/media/####/56yqdujrqoigpr8b9373wp4jx
- /data/media/####/57ibfyciartf3mqgooha2s370
- /data/media/####/5czqigvqhcpajgjjst85nii8l
- /data/media/####/5ic7m3h7okqbp8gn0xxohkn41
- /data/media/####/5sv6kjuhncoux45i4n58e62d9
- /data/media/####/5x3ixdkf3k2ajmpv457nyup8e
- /data/media/####/64l4se51j1pfgccgtdkc0a0da
- /data/media/####/69prn4bntbzeh4bjk5647f9jn
- /data/media/####/6azi7jhchv1jy07rjvm12njzd
- /data/media/####/6eh3zpbqyfq7pjkt4rtecd2lj
- /data/media/####/6hy5jr0eizbimuj3955u7vge
- /data/media/####/6qfd16nvxstp0zde9g8uoeln8
- /data/media/####/6qsbv4njfm5w6endgku6tiyov
- /data/media/####/7ep0danshdo3ro9hea98lbgjx
- /data/media/####/89qa5v6wo3y0wru77b97x0ma
- /data/media/####/ceiiqhsf4bi5r6wixbzzv5ph
- /data/media/####/dk
- /data/media/####/l69wrvu8rnd3nnt56e2dwbc
- /data/media/####/ljikbzp8hi8sgbftyqfgsftk
- /data/media/####/mng4uni52api60a8wf5nh3ov
- /data/media/####/mtnq6nxohxn52hjzvui1phxr
- /data/media/####/phoneInfo.dat
- /data/media/####/vtze7pkqznd6g3yla3rk2uyj
- /data/media/####/ygnxw6mbps39y7qpuwvx3tpy
Miscellaneous:
Executes next shell scripts:
- chmod 755 <Package Folder>/files/libjiagu.so
Loads the following dynamic libraries:
- jpush216
- libjiagu
Uses special library to hide executable bytecode.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
