Adware.Gexin.1900

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Gains access to the ITelephony private interface.

Network activity:

Connecting to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) ti####.c####.l####.####.com:80
TCP(HTTP/1.1) m.d####.mob.com:80
TCP(HTTP/1.1) a####.exc.mob.com:80
TCP(HTTP/1.1) t####.c####.q####.####.com:80
TCP(HTTP/1.1) c.appj####.com:80
TCP(HTTP/1.1) cgi.con####.qq.com:80
TCP(HTTP/1.1) loc.map.b####.com:80
TCP(HTTP/1.1) api.s####.mob.com:80
TCP(HTTP/1.1) c-h####.g####.com:80
TCP(HTTP/1.1) sdk.o####.p####.####.com:80
TCP(TLS/1.0) e1.im####.com:443
TCP c####.g####.ig####.com:5226
TCP sdk.o####.t####.####.com:5224

DNS requests:

7j####.c####.z0.####.com
a####.exc.mob.com
api.s####.mob.com
c####.g####.ig####.com
c-h####.g####.com
c.appj####.com
cgi.con####.qq.com
e1.im####.com
loc.map.b####.com
m.d####.mob.com
sdk.c####.ig####.com
sdk.o####.p####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.net

HTTP GET requests:

cgi.con####.qq.com/qqconnectopen/openapi/policy_conf?sdkv=####&appid=###...
m.d####.mob.com/v2/cconf?appkey=####&plat=####&apppkg=####&appver=####&n...
t####.c####.q####.####.com/tdata_Soq141
t####.c####.q####.####.com/tdata_vxj811
ti####.c####.l####.####.com/config/hz-hzv3.conf

HTTP POST requests:

a####.exc.mob.com/errconf
api.s####.mob.com/conf5
api.s####.mob.com/conn
api.s####.mob.com/log4
api.s####.mob.com/snsconf
c-h####.g####.com/api.php?format=####&t=####
c.appj####.com/ad/splash/stats.html
loc.map.b####.com/sdk.php
sdk.o####.p####.####.com/api.php?format=####&t=####

Modified file system:

Creates the following files:

/data/data/####/.jg.ic
/data/data/####/.lock
/data/data/####/.mrecord
/data/data/####/.mrlock
/data/data/####/.statistics
/data/data/####/ThrowalbeLog.db-journal
/data/data/####/ad_show_time.xml
/data/data/####/com.showself.ui_preferences.xml
/data/data/####/com.showself.ui_prefs.xml
/data/data/####/com.tencent.open.config.json.100294405
/data/data/####/du.lock
/data/data/####/foxmessage.db
/data/data/####/foxmessage.db-journal
/data/data/####/gdaemon_20161017
/data/data/####/getui_sp.xml
/data/data/####/gx_sp.xml
/data/data/####/init.pid
/data/data/####/init_c1.pid
/data/data/####/jg_app_update_settings_random.xml
/data/data/####/libjiagu.so
/data/data/####/md5_info.xml
/data/data/####/mob_commons_1.xml
/data/data/####/mob_sdk_exception_1.xml
/data/data/####/mob_sdk_exception_1.xml (deleted)
/data/data/####/mob_sdk_exception_1.xml.bak (deleted)
/data/data/####/multidex.version.xml
/data/data/####/netType.xml
/data/data/####/note.xml
/data/data/####/pref_key.xml
/data/data/####/push.pid
/data/data/####/pushext.db-journal
/data/data/####/pushg.db-journal
/data/data/####/pushsdk.db-journal
/data/data/####/run.pid
/data/data/####/share_sdk_1.xml
/data/data/####/share_sdk_1.xml.bak (deleted)
/data/data/####/sharesdk.db-journal
/data/data/####/showself_guide.xml
/data/data/####/shuzilm.db
/data/data/####/tdata_Soq141
/data/data/####/tdata_Soq141.jar
/data/data/####/tdata_vxj811
/data/data/####/tdata_vxj811.jar
/data/data/####/tencent_analysis.db-journal
/data/media/####/._android.dat
/data/media/####/._driver.dat
/data/media/####/._system.dat
/data/media/####/.aio.dat
/data/media/####/.cuid
/data/media/####/.dic_lock
/data/media/####/.duid
/data/media/####/.globalLock
/data/media/####/.nulplt
/data/media/####/.pkg_lock
/data/media/####/.rcTag
/data/media/####/.rc_lock
/data/media/####/_android.dat
/data/media/####/_driver.dat
/data/media/####/_system.dat
/data/media/####/aio.dat
/data/media/####/app.db
/data/media/####/com.getui.sdk.deviceId.db
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/com.showself.ui.bin
/data/media/####/com.showself.ui.db
/data/media/####/con.dat
/data/media/####/ls.db
/data/media/####/ls.db-journal
/data/media/####/tdata_Soq141
/data/media/####/tdata_vxj811
/data/media/####/test.log
/data/media/####/yoh.dat
/data/media/####/yol.dat
/data/media/####/yom.dat

Miscellaneous:

Executes next shell scripts:

<Package Folder>/files/gdaemon_20161017 0 <Package>/com.showself.service.ShowselfGetuiService 24508 300 0
chmod 700 <Package Folder>/files/gdaemon_20161017
chmod 755 <Package Folder>/.jiagu/libjiagu.so
date
df
id
ls /dev/socket
ls /system/fonts
mkdir -p <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/
ps
service call iphonesubinfo 1
sh
sh -c cat
sh -c cat /proc/meminfo
sh -c cat /proc/sys/kernel/osrelease
sh -c cat /proc/sys/kernel/random/boot_id
sh -c cat /proc/sys/kernel/random/uuid
sh -c cat /proc/uptime
sh -c cat /sys/block/mmcblk0/device/cid
sh -c cat /sys/class/net/eth0/address
sh -c cat /sys/class/net/eth1/address
sh -c cat /sys/class/net/eth2/address
sh -c cat <SD-Card>/../../../../../..<SD-Card>/._android.dat
sh -c cat <SD-Card>/../../../../../..<SD-Card>/._driver.dat
sh -c cat <SD-Card>/../../../../../..<SD-Card>/._system.dat
sh -c cat <SD-Card>/../../../../../..<SD-Card>/.aio.dat
sh -c cat <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_android.dat
sh -c cat <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_driver.dat
sh -c cat <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_system.dat
sh -c cat <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/aio.dat
sh -c cd /proc/;cat cpuinfo
sh -c cd /proc/net/ && cat arp
sh -c cd /proc/self/;cat status
sh -c cd /sys/class/net/eth0/ && cat address
sh -c cd /sys/class/net/wlan0/ && cat address
sh -c echo NDJBRTk4RUE5M0JGQkQwQ0Y3RkM0MzgwNDY3MjFGQTRGNjVENEE6M0UzNjBDOkY0QTAxNA== > <SD-Card>/../../../../../..<SD-Card>/._driver.dat
sh -c echo NDJBRTk4RUE5M0JGQkQwQ0Y3RkM0MzgwNDY3MjFGQTRGNjVENEE6M0UzNjBDOkY0QTAxNA== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_driver.dat
sh -c echo NzI3Qzc5N0ZGNEE4OUFBRjdENkY4QjM4MzdCOUMxNTQxNTM1NTUwNjc5 > <SD-Card>/../../../../../..<SD-Card>/.aio.dat
sh -c echo NzI3Qzc5N0ZGNEE4OUFBRjdENkY4QjM4MzdCOUMxNTQxNTM1NTUwNjc5 > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/aio.dat
sh -c echo OTc0QjA1RDEzRDgwOUE2RUUxMzc3MkIyRUJFNDJDNTExMEQ3RjQ6RTM5QzUxOkZDOTc5Nw== > <SD-Card>/../../../../../..<SD-Card>/._android.dat
sh -c echo OTc0QjA1RDEzRDgwOUE2RUUxMzc3MkIyRUJFNDJDNTExMEQ3RjQ6RTM5QzUxOkZDOTc5Nw== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_android.dat
sh -c echo QjU4NUVFQTBCMEQ3MkI1Mzg5QjM5ODQ1MzQ1NUNFMDMzQzdBQjU6ODg2Qzc4OjI3RERDMw== > <SD-Card>/../../../../../..<SD-Card>/._system.dat
sh -c echo QjU4NUVFQTBCMEQ3MkI1Mzg5QjM5ODQ1MzQ1NUNFMDMzQzdBQjU6ODg2Qzc4OjI3RERDMw== > <SD-Card>/../../../../../..<SD-Card>/Android/Data/System/local/_system.dat
sh <Package Folder>/files/gdaemon_20161017 0 <Package>/com.showself.service.ShowselfGetuiService 24508 300 0

Loads the following dynamic libraries:

aes
du
getuiext2
libjiagu
locSDK4
neh

Uses the following algorithms to encrypt data:

AES-CBC-PKCS5Padding
AES-ECB-PKCS7Padding
DES
RSA
RSA-NONE-OAEPWithSHA1AndMGF1Padding

Uses the following algorithms to decrypt data:

AES-ECB-NoPadding
DES

Uses special library to hide executable bytecode.

Gains access to geolocation.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about APN settings.

Gains access to information about installed applications.

Gains access to information about running applications.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

Technologies

Begriffe

Schulung und Training

Mythen

Technical information

Curing recommendations

Free trial