Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) 1####.114.114.114:53
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) z12.tua####.com.####.com:80
- TCP(HTTP/1.1) m####.chinane####.com:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(HTTP/1.1) anal####.tua####.com:80
- TCP(HTTP/1.1) 1####.254.116.117:80
- TCP(HTTP/1.1) res####.a####.com:80
- TCP(HTTP/1.1) z11.tua####.com.####.com:80
- TCP(HTTP/1.1) t####.qq.com:8080
- TCP(HTTP/1.1) reso####.msg.xi####.net:80
- TCP(HTTP/1.1) m####.wa####.com:80
- TCP(HTTP/1.1) 2####.243.236.22:80
- TCP(TLS/1.0) ssl.gst####.com:443
- TCP(TLS/1.0) www.go####.com:443
- TCP(TLS/1.0) www.gst####.com:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) regi####.xm####.xi####.com:443
- TCP(TLS/1.0) www.go####.nl:443
- TCP(TLS/1.0) adser####.go####.com:443
- TCP 47.74.1####.155:5222
- TCP 4####.62.94.2:443
- TCP t####.qq.com:80
- TCP t####.qq.com:14000
- TCP maa####.chinane####.com:6666
DNS requests:
- adser####.go####.com
- anal####.tua####.com
- api####.a####.com
- i0.tua####.com
- m####.chinane####.com
- m####.m.zh####.com
- m####.wa####.com
- m.api.zh####.com
- maa####.chinane####.com
- p####.m.zh####.com
- pi####.qq.com
- regi####.xm####.xi####.com
- res####.a####.com
- reso####.msg.xi####.net
- ssl.gst####.com
- t####.qq.com
- th5.m.zh####.com
- www.go####.com
- www.go####.nl
- www.gst####.com
- z####.zh####.com
- z11.tua####.com
- z12.tua####.com
- z3.tua####.com
HTTP GET requests:
- anal####.tua####.com/app/cart/item/count
- anal####.tua####.com/app_record/monitor.gif?logData=####
- anal####.tua####.com/cn/f/brand_and_deal/status
- anal####.tua####.com/config/switch/shopdetail?platform=####&version=####
- anal####.tua####.com/config/switch?keys=####&platform=####&trackid=####&...
- anal####.tua####.com/cs/zhe800rapp/page_dot_menu.json
- anal####.tua####.com/deals/count/today/v1?user_type=####&user_role=####&...
- anal####.tua####.com/deals/muying/filter/v1
- anal####.tua####.com/deals/v1?image_type=####&support_new_user=####&user...
- anal####.tua####.com/deals/v1?parent_tag=####&url_name=####&user_type=##...
- anal####.tua####.com/feedback/unreadcounts
- anal####.tua####.com/gateway/mapi/personal?user_type=####&user_role=####...
- anal####.tua####.com/h5new/real/homemodule?area=####&model=####&paid=###...
- anal####.tua####.com/homepromotion/suspension/v2?user_type=####&user_rol...
- anal####.tua####.com/j/wireless/rest/bubble/list?point=####
- anal####.tua####.com/label/age
- anal####.tua####.com/mobilelog/applog/mobilelog.gif?key=####&header=####...
- anal####.tua####.com/mobilelog/normal/report?header=####&data=####
- anal####.tua####.com/operation/abtest/pageconfig/v1
- anal####.tua####.com/operation/banner/v1?cityid=####&show_location=####&...
- anal####.tua####.com/operation/click/v2/getmobileinit?ip=####&bssid=####
- anal####.tua####.com/operation/startinfo/v1?cityid=####&image_model=####...
- anal####.tua####.com/operation/userinfo/v1
- anal####.tua####.com/pin_api/list/get_subject_list.json?version=####
- anal####.tua####.com/push/deviceinfo/xg?token=####&brand=####&sdk=####&m...
- anal####.tua####.com/push/sdkconfig?brand=####&model=####
- anal####.tua####.com/search/recommend/v1?user_type=####&user_role=####&s...
- anal####.tua####.com/tags/label/v1?user_type=####&user_role=####&student...
- anal####.tua####.com/tao800/commonbanner.json?ad_type=####&image_model=#...
- anal####.tua####.com/tao800/hotbanner.json?pagetype=####&platform=####&c...
- anal####.tua####.com/zhe800_n_api/xsq/na/right_tab?version=####
- reso####.msg.xi####.net/gslb/?ver=####&type=####&conpt=d####&uuid=####&l...
- z11.tua####.com.####.com/bi/sca/android_041800_tao800.json?time=####
- z11.tua####.com.####.com/imagev2/wxyy/128x50.ac6b89b6be9ff265ef72be041ed...
- z11.tua####.com.####.com/imagev2/wxyy/150x150.9ffacd92111314a6f62d98da54...
- z11.tua####.com.####.com/imagev2/wxyy/256x100.68527724143d7f576ce6fa7816...
- z11.tua####.com.####.com/imagev2/wxyy/256x100.a6010f28ca136bed664578a5f7...
- z11.tua####.com.####.com/imagev2/wxyy/256x100.d695041a5772456c951e04929d...
- z12.tua####.com.####.com/imagev2/trade/600x600.10195abbad68c07f0c00cae84...
- z12.tua####.com.####.com/imagev2/trade/750x750.9f1701da75a78a64247573edb...
- z12.tua####.com.####.com/imagev2/trade/800x800.21f9c1a80e71c5a22c8345813...
- z12.tua####.com.####.com/imagev2/trade/800x800.5fd5fdd895b6779b8fc7ee14a...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.3455a7ea7a46db29cc03c8de35...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.5cae34f688346b579a49f9b7e1...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.937c2d60408120faae09801679...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.a568816d3fc22f07cd5047bd2c...
- z12.tua####.com.####.com/imagev2/wxyy/111x110.ce958e9f3862da9df91ccce6fd...
- z12.tua####.com.####.com/imagev2/wxyy/128x50.68a798fc32a7b99dab3db916f85...
- z12.tua####.com.####.com/imagev2/wxyy/187x188.3e4bbb820556db7f55a6e9ea6c...
- z12.tua####.com.####.com/imagev2/wxyy/187x188.ddb7147f2d0420eeae7b7a36d2...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.198246dcfade247fe049970cdc...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.1d1c03e186c8db7fc1eee46e4e...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.85f98c40d2b35a3df457651d02...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.908a85ca240e2e41c3f3d6e864...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.d764e7f440ec1174c50b418780...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.da59ffb95e4688f5cd4edb30c9...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.ee4c4243380464a5fadd906d21...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.f82676732b3c006e590acda36e...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.04b244561307ef919dc8febc4d...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.093895b0aab9e6c40c8f2a7e5a...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.353b044c62d39bef9b2420ae29...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.7fa7b849c014872029013efe22...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.c43774258c99a18a1bae010f07...
- z12.tua####.com.####.com/imagev2/wxyy/36x36.ef472aa4be126ddb1100fc66fc75...
- z12.tua####.com.####.com/imagev2/wxyy/375x188.502eb2e7887b2ced7b86a6ad6b...
- z12.tua####.com.####.com/imagev2/wxyy/375x376.143a1a8d7795e8c6f568eef5f9...
- z12.tua####.com.####.com/imagev2/wxyy/48x48.707c6bd97b2195259103277912dc...
- z12.tua####.com.####.com/imagev2/wxyy/48x48.f238fdf8c0f634f1b12cd8200c31...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.1c04611016ca3e301bc6900c67ec...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.5193d7e2c180c415a2936c76e023...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.5614f8d3e6129edd8ca723cfae1f...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.69d98c0d4e2d0d4fb9af3361dbe9...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.ba128a8b54c77998187ea9ec2a9a...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.d6fe72234e66b205789eef55ff0a...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.df784ed38b2abda57a53df0f56f3...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.fbe63bfe8783ba6f6da3c9d11861...
- z12.tua####.com.####.com/imagev2/wxyy/50x51.47a396dea2c5d4a8ec4cc78644b9...
- z12.tua####.com.####.com/imagev2/wxyy/750x220.c379696b69ea1ead46d5ef9cac...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.869b329c34c678595deacee811...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.95ba1e68d53390b75f7a77c2a3...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.cebe37b4b28653e7a58e5d88c3...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.e40541feb95e99395d4f7936de...
- z12.tua####.com.####.com/imagev2/zhaoshang/600x600.2b941f4b81d47080a7b97...
- z12.tua####.com.####.com/imagev2/zhaoshang/800x800.be3a35cf52179bb91b76e...
HTTP POST requests:
- anal####.tua####.com/mobilelog/errorlog/android.gif
- m####.chinane####.com/frontoffice/checkAuthority
- m####.wa####.com/sce/log/req
- pi####.qq.com/mstat/report/?index=####
- res####.a####.com/v3/log/init
- t####.qq.com:8080/203.205.146.122:8080/
File system changes:
Creates the following files:
- /data/data/####/-569801007-2050950786
- /data/data/####/-64370372780133442
- /data/data/####/-744666919-630763037
- /data/data/####/-lcGop2GYiIqljjmF2QDyAhTero.-227232912.tmp
- /data/data/####/.com.tuan800.tao800;pushservice.xg.stat..xml
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/.tpns.service.xml.xml
- /data/data/####/.tpns.settings.xml.xml
- /data/data/####/.tpush_mta.xml
- /data/data/####/0zefTeOB2rdJ5T_ZnoJj2WssIlA.-1020502500.tmp
- /data/data/####/25-7c24eKiWPsd_SK7yEoVaYB1Q.-1271186230.tmp
- /data/data/####/2a8oGcqwABEn-kXC-GrTpPhK4cU.-1219411047.tmp
- /data/data/####/4601248761631842734
- /data/data/####/5cwxlspkHwtPPjsdlF12AQ6PUPg.1212491036.tmp
- /data/data/####/5iFhtAk4_3ud6HYtRUmQgdUOhb8.-244673195.tmp
- /data/data/####/6zo_OzcfBLRHEjL8x204mk065lI.-1795835109.tmp
- /data/data/####/85dDu1ZpU5qSa8x9rFHo5HglaVg.-563426197.tmp
- /data/data/####/9xXKl1Gkb7xnTXPkCTg82oLDkis.-1056412640.tmp
- /data/data/####/AhfYJd4f1VsZCK7fficVu2Jjg6g.-11418971.tmp
- /data/data/####/AzCG31BmN73FIQD4XMQEA5wvAQA.-820096874.tmp
- /data/data/####/Cdrahdo4wmewgeVQuqMAGUkDDR8.-48545885.tmp
- /data/data/####/EWwgEuEaDOS0WiiSjU91o9mccSE.1632095298.tmp
- /data/data/####/GZ4qQoiUYUijb1QvqABYTMYw0Tg.-1489981442.tmp
- /data/data/####/H5qOhP62oJBDZbTpPSL1OFDY0dI.449030952.tmp
- /data/data/####/Iki1fpyEYW6B0NcCBZ8lgizcdQs.-1160348350.tmp
- /data/data/####/KPaJp9IxTwTyzZgxKBp6XAE50u8.1818348658.tmp
- /data/data/####/KT0yQkPc3vkdmxU9W-WZ3cg5Qh8.1512498387.tmp
- /data/data/####/Kdl64QjnXK_v5mf6Q0C-vvn4SmI.238366321.tmp
- /data/data/####/Lz4njhAt9Mb4PwRANDcdLS6t4xQ.1930434295.tmp
- /data/data/####/MDgGn2-18SQT88puciEAjiIva_U.2070053457.tmp
- /data/data/####/PJp8vccAwkPasb073vezFv1tKX4.1539341995.tmp
- /data/data/####/Q4i-FJ5w8_vBvZYZK8wIN4AZJh0.2037368000.tmp
- /data/data/####/QppROp3H0QBmi9Ct-8nLtCIPRNg.-850031479.tmp
- /data/data/####/R0IUMIc3XAQkp91Qy66jQxUVUtM.91998584.tmp
- /data/data/####/RvTyRYqM7TbTS4lg_UjUqA7fVmQ.1613416383.tmp
- /data/data/####/S8_99Cvpl-nT7VrxlBP_vshmjqU.952366324.tmp
- /data/data/####/WSPXCrashPreference.xml
- /data/data/####/XMPushServiceConfig.xml
- /data/data/####/YlUF_xQ_oALzrn6MCp7wtPcJnCE.673721026.tmp
- /data/data/####/YzdlvzSx5Nle0wwxymKJ6k11VBY.-74367875.tmp
- /data/data/####/atlas_configs.xml
- /data/data/####/bQ0ARa749YBpzCYppvAJvgrcrN4.-1387793078.tmp
- /data/data/####/com.tuan800.tao800.userCenter.xml
- /data/data/####/com.tuan800.tao800;pushservice
- /data/data/####/com.tuan800.tao800SWITCH_SP.xml
- /data/data/####/com.tuan800.tao800_cart.xml
- /data/data/####/com.tuan800.tao800_h5urlsp.xml
- /data/data/####/com.tuan800.tao800_homeheader.xml
- /data/data/####/com.tuan800.tao800_jump_to_h5_url.xml
- /data/data/####/com.tuan800.tao800_order.xml
- /data/data/####/com.tuan800.tao800_pintuan.xml
- /data/data/####/com.tuan800.tao800_preferences.xml
- /data/data/####/com.tuan800.tao800_sign.xml
- /data/data/####/com.tuan800.tao800_user_center.xml
- /data/data/####/com.tuan800.tao800collected_brand.xml
- /data/data/####/com.tuan800.tao800should_notify.xml
- /data/data/####/com.tuan800.tao800static_file_click_model.xml
- /data/data/####/com.tuan800.tao800static_file_exp.xml
- /data/data/####/com.tuan800.tao800static_file_mobilelog.xml
- /data/data/####/com.tuan800.tao800static_file_model.xml
- /data/data/####/com.tuan800.tao800static_file_outclick.xml
- /data/data/####/com.tuan800.tao800static_file_page.xml
- /data/data/####/com.tuan800.tao800static_file_pageclick.xml
- /data/data/####/com.tuan800.tao800static_file_setkey_value.xml
- /data/data/####/com.tuan800.tao800static_file_static.xml
- /data/data/####/device_id.xml
- /data/data/####/dynamicamapfile.db
- /data/data/####/dynamicamapfile.db-journal
- /data/data/####/event_com.tuan800.tao800.log
- /data/data/####/hDmY5feEKPlc7HqDoFK8t6XsSJI.-1517003700.tmp
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/libjiagu.so
- /data/data/####/lock
- /data/data/####/lock.tmp
- /data/data/####/loctemp.so
- /data/data/####/matosdk_preference.xml
- /data/data/####/meta
- /data/data/####/mipush.xml
- /data/data/####/mipush_account.xml
- /data/data/####/mipush_extra.xml
- /data/data/####/multidex.version.xml
- /data/data/####/pQuwvQJxyD4b4Ev4aTJWCzvaauQ.2014923040.tmp
- /data/data/####/pZ6Vr365Wrprpy4C4YsdqGrRhC0.-489855155.tmp
- /data/data/####/ppa4JT3jZB1eZ52dd4E9tw7ziLA.1515476167.tmp
- /data/data/####/pref.xml
- /data/data/####/q79PYNBPJjQb8lxgLihsnA4Jmq8.968645443.tmp
- /data/data/####/qR52LyfYjWXf6xQ7YGOuCWIPe4U.1696124898.tmp
- /data/data/####/qihoo_jiagu_crash_report.xml
- /data/data/####/rxrtG9ZSkfI-awFK0_JxE9v_ndA.-132527354.tmp
- /data/data/####/tG_iJt-0jtxrZWa6HQxDD9ug15k.1191362552.tmp
- /data/data/####/tao800.db-journal
- /data/data/####/tpush.shareprefs.xml
- /data/data/####/uzojjomrabCdqsKS0Hg1SY8klSQ.1045269406.tmp
- /data/data/####/vv1LVERvcfNhVbyKnGYFfqdWfqo.-1709666806.tmp
- /data/data/####/wspx
- /data/data/####/xg_message.db
- /data/data/####/xg_message.db-journal
- /data/data/####/yz3JUpx-rQi96oLU7AhiWiTZG2Q.582720233.tmp
- /data/data/####/zHTOOH9kmfHg2GdUeAsorGiMSOw.-1626226987.tmp
- /data/media/####/.mid.txt
- /data/media/####/.nomedia
- /data/media/####/1jr65m4qb6xv4redv1bmluj2c
- /data/media/####/1x4v67b3y2gs4501m0yawk0ul
- /data/media/####/1xpkdo9tzugkvmqyvrugeun9w
- /data/media/####/3u8ha68w1v3suvyz3lo7kgtfk
- /data/media/####/42b3goe37jr22dz5cnjxlphhg
- /data/media/####/44sue9aleeoulk4i4uwm3rg3z
- /data/media/####/5gzmjcoqdnedwc3o1pyax1dky
- /data/media/####/636nz9dcje0zuytvdq16puq2n
- /data/media/####/6rdvkzlpmeyl0zxyn39n8je0o
- /data/media/####/android_041800_tao800.json
- /data/media/####/d6bzkjyt771vpmlpeoh94xk6
- /data/media/####/log.lock
- /data/media/####/log1.txt
Miscellaneous:
Executes the following shell scripts:
- <Package Folder>/lib/libxguardian.so <Package>,2100252513;<Package>,2100252513; 55486 203.205.128.130 [{"idx":0,"ts":%d,"et":2000,"si":0,"ui":"<IMEI>","ky":"Axg%lu","mid":"45e7463edeef559dbd657dd57bec390b56d78312","ev":{"ov":"18","sr":"600*752","md":"<System Property>","lg":"en","sv":"3.0","mf":"unknown","apn":"%s"}}] 0 18
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- sh <Package Folder>/lib/libxguardian.so <Package>,2100252513;<Package>,2100252513; 55486 203.205.128.130 [{ idx :0, ts :%d, et :2000, si :0, ui : <IMEI> , ky : Axg%lu , mid : 45e7463edeef559dbd657dd57bec390b56d78312 , ev :{ ov : 18 , sr : 600*752 , md : <System Property> , lg : en , sv : 3.0 , mf : unknown , apn : %s }}] 0 18
Loads the following dynamic libraries:
- com.maa
- dalvikhack
- dalvikpatch
- fb_jpegturbo
- imagepipeline
- libjiagu
- pl_droidsonroids_gif
- tpnsSecurity
Uses the following algorithms to encrypt data:
- AES-CFB8-NoPadding
- RSA-ECB-PKCS1PADDING
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CFB8-NoPadding
- DES-ECB-PKCS5Padding
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about APN settings.
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
Manages Wi-Fi connectivity.
