Adware.Gexin.455

Added to the Dr.Web virus database: 2018-07-22

Virus description added:

Technical information

Malicious functions:
Executes code of the following detected threats:
  • Adware.Gexin.2.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
DNS requests:
HTTP GET requests:
HTTP POST requests:
Modified file system:
Creates the following files:
Miscellaneous:
Executes the following shell commands:
  • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
  • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
  • /system/xbin/which su
  • <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.taobao.accs.ChannelService --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_accs_eudemon_1.1.3 -L http://agoodm.m.taobao.com/agoo/report -D {"package":"<Package>","appKey":"umeng:5a56c9198f4a9d0c2f0001a8","utdid":"W1RvFyBK/fgDAGdzx1F7ZgRe","sdkVersion":"221"} -I agoodm.m.taobao.com -O 80 -T -Z
  • cat /proc/version
  • chmod 500 <Package Folder>/files/DaemonServer
  • chmod 755 <Package Folder>/.jiagu/libjiagu-71411075.so
  • ls /
  • ls /sys/class/thermal
  • sh
Loads the following dynamic libraries:
  • GPBreakpad
  • getuiext2
  • jcore120
  • libdvrender
  • libimagepipeline
  • libjiagu-71411075
  • libjplayer
  • liblocalserver
  • libtranscore
  • libviewer
  • libyfnet_360
  • tnet-3.1
Uses the following algorithms to encrypt data:
  • AES-CBC-NoPadding
  • AES-CBC-PKCS5Padding
  • AES-CBC-PKCS7Padding
  • AES-ECB-PKCS7Padding
  • DES
  • RSA-ECB-PKCS1Padding
  • RSA-NONE-OAEPWithSHA1AndMGF1Padding
  • RSA-None-PKCS1Padding
Uses the following algorithms to decrypt data:
  • AES-CBC-NoPadding
  • AES-CBC-PKCS5Padding
  • AES-CBC-PKCS7Padding
  • AES-ECB-NoPadding
  • DES
Uses elevated privileges.
Uses a special library to hide executable bytecode.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Gains access to information about running applications.
Gains access to information about accounts (Google, Facebook, etc.) registered on the device.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular device, this procedure can be performed in various ways; consult the user guide shipped with the device, or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android on the infected device and run a full system scan; follow the steps recommended for neutralizing the detected threats;
    • Switch off your device and turn it on as normal.