Adware.Gexin.18633

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) q####.c####.l####.####.com:80
TCP(HTTP/1.1) i.ti####.com:80
TCP(HTTP/1.1) lib.sin####.com:80
TCP(HTTP/1.1) www.ba####.com:80
TCP(HTTP/1.1) st####.tianqis####.com:80
TCP(HTTP/1.1) s####.jom####.com:80
TCP(HTTP/1.1) sdk.o####.p####.####.com:80
TCP(HTTP/1.1) c-h####.g####.com:80
TCP(HTTP/1.1) pl####.tianqis####.com:80
TCP(HTTP/1.1) i####.51.la:80
TCP(HTTP/1.1) pag####.googles####.com:80
TCP(HTTP/1.1) js.u####.51.####.com:80
TCP(HTTP/1.1) sdk-ope####.g####.com:80
TCP(HTTP/1.1) cdn-sdk####.g####.com.####.com:80
TCP(HTTP/1.1) 1####.163.249.17:80
TCP(TLS/1.0) z.c####.com:443
TCP(TLS/1.0) www.googlet####.com:443
TCP(TLS/1.0) googl####.g.doublec####.net:443
TCP(TLS/1.0) c.c####.com:443
TCP(TLS/1.0) adser####.go####.nl:443
TCP(TLS/1.0) pag####.googles####.com:443
TCP(TLS/1.0) hm.b####.com:443
TCP(TLS/1.0) adser####.go####.com:443
TCP cm-1####.ig####.com:5225
TCP sdk.o####.t####.####.com:5224
TCP cm-1####.ig####.com:5226

DNS requests:

7j####.c####.z0.####.com
adser####.go####.com
adser####.go####.nl
api.s####.b####.com
c-h####.g####.com
c.c####.com
cdn-sdk####.g####.com
cm-1####.ig####.com
cm-1####.ig####.com
googl####.g.doublec####.net
hm.b####.com
i####.51.la
i.ti####.com
js.u####.51.la
lib.sin####.com
p####.zhanz####.b####.com
pag####.googles####.com
pl####.tianqis####.com
pub-####.qin####.com
s5.c####.com
sdk-ope####.g####.com
sdk.c####.ig####.com
sdk.o####.p####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.net
st####.tianqis####.com
www.ba####.com
www.googlet####.com
z9.c####.com

HTTP GET requests:

cdn-sdk####.g####.com.####.com/tdata_dkP635
i####.51.la/go1?id=####&rt=####&rl=####&lang=####&ct=####&pf=####&ins=##...
i.ti####.com/index.php?c=####&id=####&icon=####&py=####&wind=####&num=##...
js.u####.51.####.com/16711088.js
lib.sin####.com/js/jquery/1.8.2/jquery.min.js
pag####.googles####.com/pagead/js/adsbygoogle.js
pl####.tianqis####.com/static/images/tianqi/b0.png
pl####.tianqis####.com/static/images/tianqi/b1.png
pl####.tianqis####.com/static/images/tqicon1/b0.png
pl####.tianqis####.com/static/images/tqicon1/b1.png
q####.c####.l####.####.com/config/hz-hzv6.conf
q####.c####.l####.####.com/tdata_EDT369
q####.c####.l####.####.com/tdata_SzD730
q####.c####.l####.####.com/tdata_zdX887
s####.jom####.com/push.js
s####.jom####.com/s.gif?r=http://www.bayan8.com/m/index.php?mod=category...
s####.jom####.com/s.gif?r=http://www.bayan8.com/m/index.php?mod=informat...
sdk.o####.p####.####.com/api/addr.htm
st####.tianqis####.com/static/css/mobile.css
www.ba####.com/
www.ba####.com/attachment/editor/201811/1541332726puf6x.jpg
www.ba####.com/attachment/information/201808/pre_1535348702tjv6n.jpg
www.ba####.com/attachment/information/201809/pre_15377617906vgjq.jpg
www.ba####.com/attachment/information/201904/pre_1556179547meqoe.jpg
www.ba####.com/attachment/information/201905/pre_15582307376pogc.png
www.ba####.com/attachment/information/201906/pre_15593468475hosw.jpg
www.ba####.com/attachment/information/201906/pre_155934684779an1.jpg
www.ba####.com/attachment/information/201910/pre_15714886617tyhx.jpg
www.ba####.com/attachment/information/201910/pre_1571488936db3lh.jpg
www.ba####.com/attachment/information/201910/pre_1571489039mmxsw.jpg
www.ba####.com/attachment/information/201910/pre_1572532417gughn.jpg
www.ba####.com/attachment/mobile_gg/151660269220jaa.jpg
www.ba####.com/attachment/mobile_gg/1516602771viokb.png
www.ba####.com/attachment/mobile_gg/1516602862g7drs.gif
www.ba####.com/attachment/mobile_gg/1535250917eij3g.jpg
www.ba####.com/attachment/mobile_gg/1557709090qfyfw.jpg
www.ba####.com/attachment/mobile_gg/15577093173myem.jpg
www.ba####.com/images/20160810161510_93760.jpg
www.ba####.com/images/20160810184136_29880.jpg
www.ba####.com/images/apk.jpg
www.ba####.com/images/nophoto.jpg
www.ba####.com/logo.gif
www.ba####.com/m/index.php
www.ba####.com/m/index.php?mod=####&catid=####
www.ba####.com/m/index.php?mod=####&id=####
www.ba####.com/m/template/css/filter.css
www.ba####.com/m/template/css/global.css
www.ba####.com/m/template/css/index.css
www.ba####.com/m/template/css/index2017-mb.css
www.ba####.com/m/template/css/info.css
www.ba####.com/m/template/css/list.css
www.ba####.com/m/template/css/mb-base.css?tc=####
www.ba####.com/m/template/css/mb-common.css?tc=####
www.ba####.com/m/template/css/mb-index.css
www.ba####.com/m/template/css/style.css
www.ba####.com/m/template/css/touch_common_bottom.css
www.ba####.com/m/template/images/1.png
www.ba####.com/m/template/images/2.png
www.ba####.com/m/template/images/4.png
www.ba####.com/m/template/images/5.png
www.ba####.com/m/template/images/close_ico.png
www.ba####.com/m/template/images/headIcon.png
www.ba####.com/m/template/images/icon_location.png
www.ba####.com/m/template/images/index-2016-3-sp.png
www.ba####.com/m/template/images/indicator2_c.png
www.ba####.com/m/template/images/jobxin.png
www.ba####.com/m/template/images/noimg.gif
www.ba####.com/m/template/images/rz-icon.png
www.ba####.com/m/template/images/slide_tit_bg.png
www.ba####.com/m/template/images/sp_icon.png
www.ba####.com/m/template/js/common.js
www.ba####.com/m/template/js/index_m2017.js
www.ba####.com/m/template/js/iscroll.js
www.ba####.com/m/template/js/jq_min.211.js
www.ba####.com/m/template/js/jq_min.js
www.ba####.com/m/template/js/jquery-2.1.1.min.js?tc=####
www.ba####.com/m/template/js/jquery.cookie.js
www.ba####.com/m/template/js/json2.js
www.ba####.com/m/template/js/slide.js
www.ba####.com/m/template/js/slider.js
www.ba####.com/m/template/js/touch_common_bottom.js
www.ba####.com/m/template/js/wap_common.js
www.ba####.com/m/template/js/wap_common_2015.js?tc=####
www.ba####.com/member.php?mod=####&action=####&cityid=####
www.ba####.com/randcode.php
www.ba####.com/template/default/css/global.css
www.ba####.com/template/default/css/index.css
www.ba####.com/template/default/css/login.css
www.ba####.com/template/default/css/style.css
www.ba####.com/template/default/images/index/icon_bbs.png
www.ba####.com/template/default/images/index/icon_business.gif
www.ba####.com/template/default/images/index/icon_che.gif
www.ba####.com/template/default/images/index/icon_corp.gif
www.ba####.com/template/default/images/index/icon_edu.gif
www.ba####.com/template/default/images/index/icon_ershou.gif
www.ba####.com/template/default/images/index/icon_fang.gif
www.ba####.com/template/default/images/index/icon_goods.gif
www.ba####.com/template/default/images/index/icon_jianli.gif
www.ba####.com/template/default/images/index/icon_jzzhaopin.gif
www.ba####.com/template/default/images/index/icon_life.gif
www.ba####.com/template/default/images/index/icon_love.gif
www.ba####.com/template/default/images/index/icon_news.gif
www.ba####.com/template/default/images/index/icon_nongye.gif
www.ba####.com/template/default/images/index/icon_zhaopin.gif
www.ba####.com/template/default/images/login/orange_submit.gif
www.ba####.com/template/default/images/login/pw_check.gif
www.ba####.com/template/default/images/login/step.gif
www.ba####.com/template/default/images/yesno.gif
www.ba####.com/template/default/js/global.js
www.ba####.com/template/default/js/jquery-1.11.min.js
www.ba####.com/template/default/js/jquery.min.js
www.ba####.com/template/default/js/sendsms.js
www.ba####.com/template/default/js/uaredirect.js
www.ba####.com/template/default/js/validator.common.js
www.ba####.com/template/default/js/validator.js
www.ba####.com/template/default/js/validator2.js

HTTP POST requests:

c-h####.g####.com/api.php?format=####&t=####
sdk-ope####.g####.com/api.php?format=####&t=####
sdk-ope####.g####.com/api.php?format=####&t=####&d=####&k=####

File system changes:

Creates the following files:

/data/data/####/.jg.ic
/data/data/####/bayanshenghuow.xml
/data/data/####/cc.db
/data/data/####/cc.db-journal
/data/data/####/clientid_igexin.xml
/data/data/####/data_0
/data/data/####/data_1
/data/data/####/data_2
/data/data/####/data_3
/data/data/####/f_000001
/data/data/####/f_000002
/data/data/####/f_000003
/data/data/####/f_000004
/data/data/####/f_000005
/data/data/####/f_000006
/data/data/####/f_000007
/data/data/####/f_000008
/data/data/####/f_000009
/data/data/####/f_00000a
/data/data/####/f_00000b
/data/data/####/f_00000c
/data/data/####/f_00000d
/data/data/####/f_00000e
/data/data/####/f_00000f
/data/data/####/f_000010
/data/data/####/f_000011
/data/data/####/f_000012
/data/data/####/fd660d7b3b80
/data/data/####/gx_sp.xml
/data/data/####/index
/data/data/####/init.pid
/data/data/####/init_c1.pid
/data/data/####/jg_app_update_settings_random.xml
/data/data/####/libjiagu.so
/data/data/####/pdr.xml
/data/data/####/push.pid
/data/data/####/pushg.db-journal
/data/data/####/pushsdk.db-journal
/data/data/####/run.pid
/data/data/####/tdata_dkP635
/data/data/####/tdata_dkP635.jar
/data/data/####/umeng_general_config.xml
/data/data/####/webview.db-journal
/data/data/####/webviewCookiesChromium.db-journal
/data/data/####/webviewCookiesChromiumPrivate.db-journal
/data/media/####/app.db
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/http_i.tianqi.com_0.localstorage-journal
/data/media/####/http_www.bayan8.com_0.localstorage-journal
/data/media/####/io.dcloud.bayanshw.db
/data/media/####/tdata_dkP635

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /proc/cpuinfo
cat /sys/class/net/wlan0/address
chmod 755 <Package Folder>/.jiagu/libjiagu.so
mount
sh

Loads the following dynamic libraries:

getuiext2
libjiagu

Uses the following algorithms to encrypt data:

AES-CFB-NoPadding
RSA-NONE-OAEPWithSHA1AndMGF1Padding

Uses the following algorithms to decrypt data:

AES-ECB-PKCS5Padding

Accesses the ITelephony private interface.

Uses special library to hide executable bytecode.

Gets information about location.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Adds tasks to the system scheduler.

Displays its own windows over windows of other apps.

技术

术语

教育培训

误区

Technical information

Curing recommendations

Free trial