Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) i####.c####.com:80
- TCP(HTTP/1.1) o.z####.zj.cn:80
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) norma-e####.m####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) c.c####.com:80
- TCP(HTTP/1.1) m.z####.zj.cn:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) z.c####.com:80
- TCP(HTTP/1.1) aexcep####.b####.qq.com:8011
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) aexcep####.b####.qq.com:8012
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) sso.z####.zj.cn:80
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) i.z####.zj.cn:80
- TCP(HTTP/1.1) www.webdiss####.com:80
- TCP(HTTP/1.1) qin####.com.www.####.com:80
- TCP(HTTP/1.1) rec####.gridsum####.com:80
- TCP(TLS/1.0) i.v####.cc.####.com:443
- TCP(TLS/1.0) j.v####.cc.####.com:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) v####.com:443
- TCP(TLS/1.0) 1####.217.17.78:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP c####.g####.ig####.com:5226
- TCP sdk.o####.t####.####.com:5224
DNS requests:
- 7j####.c####.z0.####.com
- a####.b####.qq.com
- a####.exc.mob.com
- aexcep####.b####.qq.com
- and####.b####.qq.com
- c####.g####.ig####.com
- c-h####.g####.com
- c.c####.com
- d.z####.zj.cn
- h####.c####.com
- hm.b####.com
- i####.c####.com
- i####.v####.cc
- i.v####.cc
- i.z####.zj.cn
- j.v####.cc
- l####.tbs.qq.com
- m.z####.zj.cn
- new.z####.zj.cn
- norma-e####.m####.com
- o.z####.zj.cn
- pub-####.qin####.com
- rec####.gridsum####.com
- res####.a####.com
- s65.c####.com
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- sso.z####.zj.cn
- v####.com
- www.webdiss####.com
HTTP GET requests:
- c.c####.com/core.php?web_id=####&show=####&t=####
- c.c####.com/stat.php?id=####&web_id=####&show=####
- i####.c####.com/img/pic1.gif
- i.z####.zj.cn/advert?app_id=####&signature=####×tamp=####&client_id...
- i.z####.zj.cn/app?sku=####&type=####&v=####&app_id=####&signature=####&t...
- i.z####.zj.cn/columns_new/10789?page=####&app_id=####&signature=####&tim...
- i.z####.zj.cn/columns_new/10792?page=####&app_id=####&signature=####&tim...
- i.z####.zj.cn/columns_new/10794?page=####&app_id=####&signature=####&tim...
- i.z####.zj.cn/columns_new/10814?page=####&app_id=####&signature=####&tim...
- i.z####.zj.cn/columns_new/10815?page=####&app_id=####&signature=####&tim...
- i.z####.zj.cn/columns_new/10816?page=####&app_id=####&signature=####&tim...
- i.z####.zj.cn/events/11?app_id=####&signature=####×tamp=####&client...
- i.z####.zj.cn/events?page=####&per_page=####&app_id=####&signature=####&...
- i.z####.zj.cn/menu?type=####&app_id=####&signature=####×tamp=####&c...
- i.z####.zj.cn/tip/list?page=####&per_page=####&app_id=####&signature=###...
- m.z####.zj.cn/service
- m.z####.zj.cn/wap/info-index?stemFrom=####&authorize_token=####
- m.z####.zj.cn/wapwzDetail.html?data_id=####
- m.z####.zj.cn/wapwzIndex.html?stemFrom=####&authorize_token=####
- m.z####.zj.cn/wapwzList.html
- norma-e####.m####.com/android/exchange/getpublickey.do
- o.z####.zj.cn/236/4864999/css/serviceForAPP.css
- o.z####.zj.cn/236/4864999/images/17-m-icon01.png
- o.z####.zj.cn/236/4864999/images/17-m-icon02.png
- o.z####.zj.cn/236/4864999/images/17-m-icon04.png
- o.z####.zj.cn/236/4864999/images/17-m-icon05.png
- o.z####.zj.cn/236/4864999/images/17-m-icon06.png
- o.z####.zj.cn/236/4864999/images/17-m-icon07.png
- o.z####.zj.cn/236/4864999/images/17-m-icon08.png
- o.z####.zj.cn/236/4864999/images/17-m-icon13.png
- o.z####.zj.cn/236/4864999/images/17-m-icon22.png
- o.z####.zj.cn/236/4864999/images/17-m-icon25.png
- o.z####.zj.cn/236/4864999/images/17-m-icon26.png
- o.z####.zj.cn/236/4864999/images/17-m-icon28.png
- o.z####.zj.cn/236/4864999/images/17-m-icon29.png
- o.z####.zj.cn/236/4864999/images/17-m-icon32.png
- o.z####.zj.cn/236/4864999/images/17-m-icon41.png
- o.z####.zj.cn/236/4864999/images/20190320153815.jpg
- o.z####.zj.cn/236/4864999/images/TB1YXg4skzoK1RjSZFlXXai4VXa-140-140.png
- o.z####.zj.cn/236/4864999/js/jquery-2.1.0.js
- o.z####.zj.cn/236/5275765/css/wapInfoindex.css
- o.z####.zj.cn/236/5275765/images/float1.png
- o.z####.zj.cn/236/5275765/images/float2.png
- o.z####.zj.cn/236/5275765/images/float3.png
- o.z####.zj.cn/236/5275765/images/pageBack.png
- o.z####.zj.cn/236/5275765/images/returnTop.png
- o.z####.zj.cn/236/5275765/images/tsbsMore.png
- o.z####.zj.cn/236/5275765/js/common.js
- o.z####.zj.cn/236/5275765/js/index.js
- o.z####.zj.cn/236/5275765/js/jquery-2.1.0.js
- o.z####.zj.cn/236/5275767/css/wapwzCommon.css
- o.z####.zj.cn/236/5275767/css/wapwzDetail.css
- o.z####.zj.cn/236/5275767/css/wapwzIndex.css
- o.z####.zj.cn/236/5275767/css/wapwzList.css
- o.z####.zj.cn/236/5275767/images/blockHead.png
- o.z####.zj.cn/236/5275767/images/commandsu.png
- o.z####.zj.cn/236/5275767/images/inputIcon.png
- o.z####.zj.cn/236/5275767/images/inputShare.png
- o.z####.zj.cn/236/5275767/images/lastProgress.png
- o.z####.zj.cn/236/5275767/images/logtab1.png
- o.z####.zj.cn/236/5275767/images/logtab2.png
- o.z####.zj.cn/236/5275767/images/logtab3.png
- o.z####.zj.cn/236/5275767/images/mainHead.png
- o.z####.zj.cn/236/5275767/images/myPostListBg.png
- o.z####.zj.cn/236/5275767/images/pageBack.png
- o.z####.zj.cn/236/5275767/images/sb.png
- o.z####.zj.cn/236/5275767/images/sl.png
- o.z####.zj.cn/236/5275767/images/sp.jpg
- o.z####.zj.cn/236/5275767/images/sq.jpg
- o.z####.zj.cn/236/5275767/images/sw.jpg
- o.z####.zj.cn/236/5275767/images/totop.png
- o.z####.zj.cn/236/5275767/images/unitImg.png
- o.z####.zj.cn/236/5275767/images/wantPost.png
- o.z####.zj.cn/236/5275767/js/clipboard.js
- o.z####.zj.cn/236/5275767/js/jquery-2.1.0.js
- o.z####.zj.cn/236/5275767/js/wapwzCommon.js
- o.z####.zj.cn/236/5275767/js/wapwzDetail.js
- o.z####.zj.cn/236/5275767/js/wapwzIndex.js?2019####
- o.z####.zj.cn/236/5275767/js/wapwzList.js
- o.z####.zj.cn/236/logos/2018/10/19/38eb045d70c250587e0fb9c6b2457a37.png
- o.z####.zj.cn/236/politics/thumbnails/2019/03/28/b0c7c10037683f4e9b8ed74...
- o.z####.zj.cn/236/posts/2019/03/27/1ec5371a13232fafd18d70906e98a071.jpg
- o.z####.zj.cn/236/posts/2019/03/28/1efe2b6033804bf94c4e434e4adf3609.jpg
- o.z####.zj.cn/236/posts/2019/03/28/46e70e0fb79cff60b031bdea3cc3d2b1.jpg
- o.z####.zj.cn/236/posts/2019/03/28/6cce5398941e97f479294c82d367cc6a.jpg
- o.z####.zj.cn/236/posts/2019/03/28/e8e4cc7ce7eb68ad62c5707276cea065.jpg
- o.z####.zj.cn/236/thumb/2018/09/28/14746c9ebb16ab4d9b996ec665f113b9.png
- o.z####.zj.cn/236/thumb/2018/09/28/42ec5acbb485d496e869bc6cb87640fd.png
- o.z####.zj.cn/236/thumb/2018/09/28/4ea32ef3057360e37e3bedf662412a91.png
- o.z####.zj.cn/236/thumb/2018/09/28/c9dc1b5555492ac6625895db72297987.png
- o.z####.zj.cn/236/thumb/2019/02/27/99afbf8d61170da6fefaeb1b561538bd.jpg
- o.z####.zj.cn/baoliao/2018/10/19/da65274ccb79c5bf538bb44dafe9a2cf.jpg
- o.z####.zj.cn/politics/getPoliticsList?order=####&type=####&desc=####&sc...
- o.z####.zj.cn/politics/getPoliticsListSearch?order=####&desc=####&size=#...
- qin####.com.www.####.com/tdata_EDT369
- rec####.gridsum####.com/gs.gif?gsdelay=####&gsver=####&gscmd=####&gssrvi...
- rec####.gridsum####.com/gs.gif?gsdelay=2725&gsver=3.5.2.1&gscmd=spv&gssr...
- sso.z####.zj.cn/life/hotLife?channel_id=####&category_id=####&page=####&...
- sso.z####.zj.cn/life/listPublishCategory?channel_id=####&_=####
- sso.z####.zj.cn/me/politicsDetail?json=####&data_id=####&size=####&page=...
- t####.c####.q####.####.com/tdata_Jga153
- t####.c####.q####.####.com/tdata_Wqf010
- t####.c####.q####.####.com/tdata_bca864
- t####.c####.q####.####.com/tdata_duV457
- ti####.c####.l####.####.com/config/hz-hzv3.conf
- www.webdiss####.com/recv/gs.gif?gsdelay=####&gsver=####&gscmd=####&gssrv...
- www.webdiss####.com/recv/gs.gif?gsdelay=2161&gsver=3.5.2.1&gscmd=spv&gss...
- z.c####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&sho...
HTTP POST requests:
- a####.exc.mob.com/errconf
- aexcep####.b####.qq.com:8011/rqd/async
- aexcep####.b####.qq.com:8012/rqd/async
- and####.b####.qq.com/rqd/async
- c-h####.g####.com/api.php?format=####&t=####
- l####.tbs.qq.com/ajax?c=####&k=####
- norma-e####.m####.com/push/android/external/add.do
- res####.a####.com/v3/weather/weatherInfo
- sdk.o####.p####.####.com/api.php?format=####&t=####
- sdk.o####.p####.####.com/api.php?format=####&t=####&d=####&k=####
- sso.z####.zj.cn/auth/info
- sso.z####.zj.cn/auth/info?authorize_token=####
File system changes:
Creates the following files:
- /data/data/####/.duid
- /data/data/####/.lock
- /data/data/####/.vpl_lock
- /data/data/####/19fbba0706bf72e1f7dc6ddc4aaf11c461e3e5fe404ef21....0.tmp
- /data/data/####/1c910cc0139649e8281f84063a3c9daf34ac6433eb7550b....0.tmp
- /data/data/####/28b394056a684fcf83c19a1092e80cd4767316a3aa3fb30....0.tmp
- /data/data/####/3b563e16cb9f
- /data/data/####/3bafbb579d93872bbf9ddc0902b10ee90ecbe673de34a20....0.tmp
- /data/data/####/6152552759794.0
- /data/data/####/6d605cbf357fabb14a362b12b804ee68eb5f5f91fc9a521....0.tmp
- /data/data/####/7c0a4a3b148cacbe8916a9768c70401e54aebc0a1da4034....0.tmp
- /data/data/####/824b1aec910fbec658ce8f7ea97f58427fff3d8c122f39a....0.tmp
- /data/data/####/90d951caebf1a0a10665dd2f6e265b2ea588f7f5b22e937....0.tmp
- /data/data/####/92a399a91075b49322c5b329df9ddd6f6216400e6064cea....0.tmp
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/MultiDex.lock
- /data/data/####/SP_AROUTER_CACHE.xml
- /data/data/####/SystemInfo.xml
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/bugly_db_legu-journal
- /data/data/####/c0586a10777146560765a69231d89beb.xml
- /data/data/####/com.x.y.1.xml
- /data/data/####/com.x.y.2.xml
- /data/data/####/core_info
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/domain_1
- /data/data/####/e3a73c8187340eb66af529040b54eb909322a1deba800cc....0.tmp
- /data/data/####/e3c6dfff7b4746e98bf9b24e038e12da0c2487207497fba....0.tmp
- /data/data/####/e60606d99609f008e59e26e93c990d3bc0b9ffdb3a97202....0.tmp
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/f_00001f
- /data/data/####/f_000020
- /data/data/####/f_000021
- /data/data/####/f_000022
- /data/data/####/f_000023
- /data/data/####/f_000024
- /data/data/####/f_000025
- /data/data/####/f_000026
- /data/data/####/f_000027
- /data/data/####/f_000028
- /data/data/####/f_000029
- /data/data/####/f_00002a
- /data/data/####/f_00002b
- /data/data/####/f_00002c
- /data/data/####/f_00002d
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/gkt-journal
- /data/data/####/gx_sp.xml
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/libnfix.so
- /data/data/####/libshella-2.9.1.2.so
- /data/data/####/libufix.so
- /data/data/####/local_crash_lock
- /data/data/####/logdb.db
- /data/data/####/logdb.db-journal
- /data/data/####/mix.dex
- /data/data/####/mob_commons_1
- /data/data/####/mob_sdk_exception_1
- /data/data/####/multidex.version.xml
- /data/data/####/mz_push_preference.xml
- /data/data/####/native_record_lock
- /data/data/####/push.pid
- /data/data/####/push.xml
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushk.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/pushset.xml
- /data/data/####/run.pid
- /data/data/####/security_info
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tdata_Jga153
- /data/data/####/tdata_Jga153.jar
- /data/data/####/tdata_Wqf010
- /data/data/####/tdata_Wqf010.jar
- /data/data/####/tdata_bca864
- /data/data/####/tdata_bca864.jar
- /data/data/####/tdata_duV457
- /data/data/####/tdata_duV457.jar
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.artc_lock
- /data/media/####/.di
- /data/media/####/.dic_lock
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.im_lock
- /data/media/####/.lesd_lock
- /data/media/####/.mn_-1464060969
- /data/media/####/.nomedia
- /data/media/####/.pkg_lock
- /data/media/####/.pkgs_lock
- /data/media/####/.rc_lock
- /data/media/####/.slw
- /data/media/####/.ss_lock
- /data/media/####/.wkl
- /data/media/####/2019-03-28.log.txt
- /data/media/####/app.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.shixian.qingtian.db
- /data/media/####/gkt-journal
- /data/media/####/gktper
- /data/media/####/tdata_Jga153
- /data/media/####/tdata_Wqf010
- /data/media/####/tdata_bca864
- /data/media/####/tdata_duV457
- /data/media/####/test.log
Miscellaneous:
Executes the following shell scripts:
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 25026 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.9.1.2.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.product.cpu.abi
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
- mount
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 25026 300 0
Loads the following dynamic libraries:
- Bugly
- getuiext3
- libnfix
- libshella-2.9.1.2
- libufix
- nfix
- ufix
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CFB-NoPadding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-ECB-NoPadding
- AES-ECB-PKCS5Padding
- AES-GCM-NoPadding
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
