Adware.Gexin.1151

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) c-h####.g####.com:80
TCP(HTTP/1.1) t####.c####.q####.####.com:80
TCP(HTTP/1.1) and####.b####.qq.com:80
TCP(HTTP/1.1) www.xiao####.store:80
TCP(HTTP/1.1) sdk.o####.p####.####.com:80
TCP(HTTP/1.1) sni.c####.q####.####.net:80
TCP(TLS/1.0) co####.8####.com.####.com:443
TCP c####.g####.ig####.com:5224
TCP sdk.o####.t####.####.com:5224

DNS requests:

7j####.c####.z0.####.com
and####.b####.qq.com
c####.g####.ig####.com
c-h####.g####.com
co####.8####.com
mt####.go####.com
pub-####.qin####.com
sdk.c####.ig####.com
sdk.o####.p####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.net
www.xiao####.ai
www.xiao####.store

HTTP GET requests:

sni.c####.q####.####.net/config/hz-hzv3.conf
sni.c####.q####.####.net/tdata_YYn966
sni.c####.q####.####.net/tdata_eOt091
t####.c####.q####.####.com/tdata_EDT356
www.xiao####.store/
www.xiao####.store/app/yinsi
www.xiao####.store/build/css/negotiate-82f594a8e7.css
www.xiao####.store/build/html/privacynegotiate.html
www.xiao####.store/build/js/vendors-ef2e71df0e.js
www.xiao####.store/main/css/index-ff2f42f4b4.css
www.xiao####.store/main/css/platform-68181539c0.css
www.xiao####.store/main/css/public-0de2513d60.css
www.xiao####.store/main/css/public/swiper.min.scss
www.xiao####.store/main/fonts/fzlt-tx.TTF
www.xiao####.store/main/html/
www.xiao####.store/main/html/fun.html
www.xiao####.store/main/html/index.html
www.xiao####.store/main/img/1920-right-blue-3955f577ae.png
www.xiao####.store/main/img/favicon.ico
www.xiao####.store/main/img/footer/1920-ewm-xqgzh-534aa1a09d.jpg
www.xiao####.store/main/img/footer/1920-ewm-xqwb-f2a49cedfb.jpg
www.xiao####.store/main/img/footer/1920-logo-caf4c5032f.png
www.xiao####.store/main/img/footer/960-ewm-platform-f2ae10cf61.jpg
www.xiao####.store/main/img/gzh-ewm-34d8a1e7c3.jpg
www.xiao####.store/main/img/index/1920-page1-bg-258d15e2e4.jpg
www.xiao####.store/main/img/index/1920-page1-xt-70c33de9f9.png
www.xiao####.store/main/img/index/1920-page2-bg-c78fda8532.jpg
www.xiao####.store/main/img/index/1920-page3-bg-81aa12ea6f.jpg
www.xiao####.store/main/img/index/1920-page3-qm-left-1f0949ac5e.png
www.xiao####.store/main/img/index/1920-page3-qm-right-10fdc24d57.png
www.xiao####.store/main/img/index/1920-page4-structure-316dec2fc4.png
www.xiao####.store/main/img/index/1920-page5-bg-5cda794222.jpg
www.xiao####.store/main/img/index/1920-page5-yy-8bdf3a59c5.png
www.xiao####.store/main/img/index/1920-page6-bg-f71584ee9c.jpg
www.xiao####.store/main/img/index/1920-page7-bg-a578d545ee.jpg
www.xiao####.store/main/img/index/1920-page7-yy-77361d8f2a.png
www.xiao####.store/main/img/index/1920-page8-icon1-e281c2b67e.png
www.xiao####.store/main/img/index/1920-page8-icon2-eed3e16741.png
www.xiao####.store/main/img/index/1920-page8-icon3-7eab43eebe.png
www.xiao####.store/main/img/index/1920-page8-icon4-868a16bf9a.png
www.xiao####.store/main/img/index/1920-page8-icon5-0645c2e2b2.png
www.xiao####.store/main/img/index/1920-page8-icon6-fcc26d4bc7.png
www.xiao####.store/main/img/index/1920-page8-icon7-bac431144e.png
www.xiao####.store/main/img/index/1920-play-cd10020199.png
www.xiao####.store/main/img/platform/1920-page1-ewm-f534983292.jpg
www.xiao####.store/main/img/platform/1920-page1-item-img1-1132132531.jpg
www.xiao####.store/main/img/platform/1920-page1-item-img2-b9178a5c5d.jpg
www.xiao####.store/main/img/platform/1920-page1-item-img3-eec7978b5b.jpg
www.xiao####.store/main/img/platform/1920-page2-img1-8bf8f32859.jpg
www.xiao####.store/main/img/platform/1920-page2-img2-533b9b6f34.jpg
www.xiao####.store/main/img/platform/1920-page2-img3-99b7b9d6e5.jpg
www.xiao####.store/main/img/platform/1920-page2-img4-bead7ae924.jpg
www.xiao####.store/main/img/platform/1920-page2-img5-02f0b2672e.jpg
www.xiao####.store/main/img/platform/1920-page2-lc-img1-301fcdad7b.jpg
www.xiao####.store/main/img/platform/1920-page2-lc-img4-b03834b033.png
www.xiao####.store/main/img/platform/1920-page2-lc-img5-5e164d732c.png
www.xiao####.store/main/img/platform/1920-page2-lc-img6-b465da9dcc.png
www.xiao####.store/main/img/platform/1920-page2-lc-jt1-251fc901c7.png
www.xiao####.store/main/img/platform/1920-page2-lc-jt2-4f25cbe8bf.png
www.xiao####.store/main/img/platform/1920-page2-lc-jt3-8290e4595c.png
www.xiao####.store/main/img/platform/1920-page2-lc-jt4-f041cb98cc.png
www.xiao####.store/main/img/platform/1920-page2-lc-jt5-4755f2aa90.png
www.xiao####.store/main/img/platform/1920-page3-img1-f6d427cd1e.png
www.xiao####.store/main/img/platform/1920-page3-img2-fb1e71639a.png
www.xiao####.store/main/img/platform/1920-page3-img3-b00eb10846.png
www.xiao####.store/main/img/platform/1920-page4-fh1-ca34d92e20.png
www.xiao####.store/main/img/platform/1920-page4-fh2-34b076108f.png
www.xiao####.store/main/img/platform/1920-top-bg-8fb64fc0c3.jpg
www.xiao####.store/main/img/platform/1920-top-logo-4561d882f4.png
www.xiao####.store/main/img/skillIcon/icon1-7827c958eb.jpg
www.xiao####.store/main/img/skillIcon/icon10-0aea1ee648.jpg
www.xiao####.store/main/img/skillIcon/icon11-3f02a7a9e6.jpg
www.xiao####.store/main/img/skillIcon/icon12-7c77f05d0e.jpg
www.xiao####.store/main/img/skillIcon/icon13-88c29f59bb.jpg
www.xiao####.store/main/img/skillIcon/icon14-941e42fa21.jpg
www.xiao####.store/main/img/skillIcon/icon15-094f6d9011.jpg
www.xiao####.store/main/img/skillIcon/icon16-06b1aa8580.jpg
www.xiao####.store/main/img/skillIcon/icon17-89563e25ac.jpg
www.xiao####.store/main/img/skillIcon/icon18-b3ffbb032d.jpg
www.xiao####.store/main/img/skillIcon/icon2-8c657e632e.jpg
www.xiao####.store/main/img/skillIcon/icon3-7aa42380e8.jpg
www.xiao####.store/main/img/skillIcon/icon4-1ceda742f3.jpg
www.xiao####.store/main/img/skillIcon/icon5-166ccaef7a.jpg
www.xiao####.store/main/img/skillIcon/icon6-63673eae38.jpg
www.xiao####.store/main/img/skillIcon/icon7-dfe5782d16.jpg
www.xiao####.store/main/img/skillIcon/icon8-c28cdb1655.jpg
www.xiao####.store/main/img/skillIcon/icon9-f998616bea.jpg
www.xiao####.store/main/img/svg/close-4c90b40455.svg
www.xiao####.store/main/img/sys-41d5499113.png
www.xiao####.store/main/img/sys-m-88ad2a9d67.png
www.xiao####.store/main/img/xcxewm-258-3c8eb26719.jpg
www.xiao####.store/main/img/xq-logo-1920-c48f84e479.png
www.xiao####.store/main/js/index-e728291ae3.js
www.xiao####.store/main/js/jquery-1-cbb11b5847.12.0.min.js
www.xiao####.store/main/js/jquery-b218c1f601.masonry.min.js
www.xiao####.store/main/js/platform-707c17a427.js
www.xiao####.store/main/js/public-f40976c872.js
www.xiao####.store/main/js/remset-d9cceccbc5.js
www.xiao####.store/main/js/swiper-cabdd76e52.min.js
www.xiao####.store/main/js/vendors-c9f102e816.js

HTTP POST requests:

and####.b####.qq.com/rqd/async
and####.b####.qq.com/rqd/async?aid=####
c-h####.g####.com/api.php?format=####&t=####
sdk.o####.p####.####.com/api.php?format=####&t=####

Modified file system:

Creates the following files:

/data/data/####/0041ab6eef88
/data/data/####/1002
/data/data/####/1004
/data/data/####/bugly_db_-journal
/data/data/####/bugly_db_legu-journal
/data/data/####/com.linekong.speaker.BETA_VALUES.xml
/data/data/####/crashrecord.xml
/data/data/####/data_0
/data/data/####/data_1
/data/data/####/data_2
/data/data/####/data_3
/data/data/####/f_000001
/data/data/####/f_000002
/data/data/####/f_000003
/data/data/####/f_000004
/data/data/####/f_000005
/data/data/####/f_000006
/data/data/####/f_000007
/data/data/####/f_000008
/data/data/####/f_000009
/data/data/####/f_00000a
/data/data/####/f_00000b
/data/data/####/f_00000c
/data/data/####/f_00000d
/data/data/####/f_00000e
/data/data/####/f_00000f
/data/data/####/f_00000f (deleted)
/data/data/####/gdaemon_20161017
/data/data/####/getui_sp.xml
/data/data/####/gx_sp.xml
/data/data/####/index
/data/data/####/init.pid
/data/data/####/init_c1.pid
/data/data/####/libshella-2.8.so
/data/data/####/libufix.so
/data/data/####/local_crash_lock
/data/data/####/mix.dex
/data/data/####/multidex.version.xml
/data/data/####/native_record_lock
/data/data/####/push.pid
/data/data/####/pushext.db-journal
/data/data/####/pushg.db-journal
/data/data/####/pushsdk.db-journal
/data/data/####/run.pid
/data/data/####/security_info
/data/data/####/tdata_YYn966
/data/data/####/tdata_YYn966.jar
/data/data/####/tdata_eOt091
/data/data/####/tdata_eOt091.jar
/data/data/####/webview.db-journal
/data/data/####/webviewCookiesChromium.db-journal
/data/media/####/.nomedia
/data/media/####/2018-08-12
/data/media/####/app.db
/data/media/####/com.getui.sdk.deviceId.db
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/com.linekong.speaker.bin
/data/media/####/com.linekong.speaker.db
/data/media/####/tdata_YYn966
/data/media/####/tdata_eOt091
/data/media/####/test.log

Miscellaneous:

Executes next shell scripts:

/system/bin/sh -c getprop
/system/bin/sh -c getprop ro.aa.romver
/system/bin/sh -c getprop ro.board.platform
/system/bin/sh -c getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.build.rom.id
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.version.emui
/system/bin/sh -c getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.lenovo.series
/system/bin/sh -c getprop ro.lewa.version
/system/bin/sh -c getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.vivo.os.build.display.id
/system/bin/sh -c type su
<Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.PushService 25013 300 0
cat /sys/class/net/wlan0/address
chmod 700 <Package Folder>/files/gdaemon_20161017
chmod 700 <Package Folder>/tx_shell/libnfix.so
chmod 700 <Package Folder>/tx_shell/libshella-2.8.so
chmod 700 <Package Folder>/tx_shell/libufix.so
getprop
getprop ro.aa.romver
getprop ro.board.platform
getprop ro.build.fingerprint
getprop ro.build.nubia.rom.name
getprop ro.build.rom.id
getprop ro.build.tyd.kbstyle_version
getprop ro.build.version.emui
getprop ro.build.version.opporom
getprop ro.gn.gnromvernumber
getprop ro.lenovo.series
getprop ro.lewa.version
getprop ro.meizu.product.model
getprop ro.miui.ui.version.name
getprop ro.vivo.os.build.display.id
getprop ro.yunos.version
logcat -d -v threadtime
mount
sh <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.PushService 25013 300 0

Loads the following dynamic libraries:

Bugly
getuiext2
libnfix
libshella-2.8
libufix
nfix
ufix

Uses the following algorithms to encrypt data:

AES-GCM-NoPadding
RSA-ECB-PKCS1Padding
RSA-NONE-OAEPWithSHA1AndMGF1Padding

Uses the following algorithms to decrypt data:

AES-GCM-NoPadding

Uses special library to hide executable bytecode.

Gains access to geolocation.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

Technologies

Begriffe

Schulung und Training

Mythen

Technical information

Curing recommendations

Free trial