Adware.Gexin.17657

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>

DNS requests:

ebf3ee5####.bug####.com

File system changes:

Creates the following files:

/data/data/####/1567732753961
/data/data/####/jg_so_upgrade_setting.xml
/data/data/####/journal.tmp
/data/data/####/libjiagu.so
/data/data/####/multidex.version.xml

Miscellaneous:

Executes the following shell scripts:

chmod 755 <Package Folder>/.jiagu/libjiagu.so
logcat -v time -t 500 2153
logcat -v time -t 500 2190
logcat -v time -t 500 2224
logcat -v time -t 500 2269
logcat -v time -t 500 2304
logcat -v time -t 500 2338
logcat -v time -t 500 2383
logcat -v time -t 500 2420
logcat -v time -t 500 2454
logcat -v time -t 500 2500
logcat -v time -t 500 2534
logcat -v time -t 500 2568
logcat -v time -t 500 2614
logcat -v time -t 500 2648
logcat -v time -t 500 2682
logcat -v time -t 500 2727
logcat -v time -t 500 2761
logcat -v time -t 500 2795
logcat -v time -t 500 2839
logcat -v time -t 500 2873
logcat -v time -t 500 2907
logcat -v time -t 500 2951
logcat -v time -t 500 2987
logcat -v time -t 500 3021
logcat -v time -t 500 3066
logcat -v time -t 500 3100
logcat -v time -t 500 3134
logcat -v time -t 500 3178
logcat -v time -t 500 3213
logcat -v time -t 500 3247
logcat -v time -t 500 3291
logcat -v time -t 500 3325
logcat -v time -t 500 3359
logcat -v time -t 500 3403
logcat -v time -t 500 3437
logcat -v time -t 500 3471
logcat -v time -t 500 3514
logcat -v time -t 500 3550
logcat -v time -t 500 3584
logcat -v time -t 500 3631
logcat -v time -t 500 3665
logcat -v time -t 500 3699
logcat -v time -t 500 3743
logcat -v time -t 500 3777
logcat -v time -t 500 3811
logcat -v time -t 500 3855
logcat -v time -t 500 3889
logcat -v time -t 500 3923
logcat -v time -t 500 3967
logcat -v time -t 500 4001
logcat -v time -t 500 4035
logcat -v time -t 500 4079
logcat -v time -t 500 4113
logcat -v time -t 500 4147
logcat -v time -t 500 4191
logcat -v time -t 500 4225
logcat -v time -t 500 4259
logcat -v time -t 500 4303
logcat -v time -t 500 4337
logcat -v time -t 500 4371
logcat -v time -t 500 4449

Loads the following dynamic libraries:

Bugtags
LanSongffmpeg
libjiagu

Uses special library to hide executable bytecode.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Curing recommendations

If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

Free trial

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

Download Dr.Web

Download by serial number

If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
- Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
- Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
- Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android