Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Gains access to the ITelephony private interface.
Network activity:
Connecting to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) 1####.31.219.50:80
- TCP(HTTP/1.1) api.zantou####.com:80
- TCP(HTTP/1.1) s####.s.360.cn:80
- TCP(HTTP/1.1) qos.l####.360.cn:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) and####.b####.qq.com:80
- TCP(HTTP/1.1) log.zantou####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) sf3-ttc####.ps####.com:80
- TCP(HTTP/1.1) cn-hang####.oss####.aliyun####.com:80
- TCP(HTTP/1.1) cloud####.fengkon####.com:80
- TCP(HTTP/1.1) sf1-ttc####.ps####.com:80
- TCP(HTTP/1.1) sdk.l####.360.cn:80
- TCP(HTTP/1.1) s####.l####.360.####.com:80
- TCP(HTTP/1.1) sf6-ttc####.ps####.com.####.com:80
- TCP(HTTP/1.1) f####.fengkon####.com:80
- TCP(TLS/1.0) av1.x####.com:443
- TCP(TLS/1.0) s####.l####.360.####.com:443
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) c####.x####.com:443
- TCP(TLS/1.0) sh####.me####.com:443
- TCP(TLS/1.0) 1####.217.17.142:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) openins####.io:443
- TCP(TLS/1.0) sdkc####.e.360.cn:443
- TCP(TLS/1.0) 1####.143.216.164:443
- TCP(TLS/1.0) 1####.217.20.110:443
- TCP sdk.o####.t####.####.com:5224
- TCP 1####.131.1.101:5227
DNS requests:
- 7j####.c####.z0.####.com
- and####.b####.qq.com
- api.zantou####.com
- av1.x####.com
- c####.x####.com
- c-h####.g####.com
- cloud####.fengkon####.com
- cn-hang####.oss####.aliyun####.com
- f####.fengkon####.com
- i.t####.com
- log.u####.com
- log.zantou####.com
- mt####.go####.com
- openins####.io
- plb####.u####.com
- qos.l####.360.cn
- res####.a####.com
- s####.l####.360.cn
- s####.s.360.cn
- sdk####.l####.360.cn
- sdk.c####.ig####.com
- sdk.l####.360.cn
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- sdkc####.e.360.cn
- sf1-ttc####.ps####.com
- sf3-ttc####.ps####.com
- sf6-ttc####.ps####.com
- sh####.me####.com
- u####.u####.com
HTTP GET requests:
- api.zantou####.com/dot-app-api/api/advertisement/tabActivity?bundleId=##...
- api.zantou####.com/dot-app-api/api/blacklist
- api.zantou####.com/dot-app-api/api/content/article/recommend/1?toUp=####...
- api.zantou####.com/dot-app-api/api/content/article/recommend/22?toUp=###...
- api.zantou####.com/dot-app-api/api/content/article/recommend/26?toUp=###...
- api.zantou####.com/dot-app-api/api/device/version/v2?timestamp=####&plat...
- api.zantou####.com/dot-app-api/api/task/sign/hour?timestamp=####&token=#...
- api.zantou####.com/dot-app-api/api/user/blacklist?params=####&aos=TSe####
- api.zantou####.com/dot-app-api/api/user/blacklist?params=####&aos=V9W####
- api.zantou####.com/dot-app-api/api/user/blacklist?params=####&aos=Xsw####
- api.zantou####.com/dot-app-api/api/user/blacklist?params=####&aos=tcU####
- api.zantou####.com/dot-app-api/api/user/message/mark?timestamp=####&toke...
- api.zantou####.com/dot-app-api/api/v1_6/article/category?type=####×...
- cn-hang####.oss####.aliyun####.com/amap-api/comm/upload/CoordinateSoEnhe...
- qos.l####.360.cn/vc.gif?&bid=####&pid=####&ver=####&c_ver=####&os=####&m...
- s####.l####.360.####.com/Object.getFile/livecloudsdk/YW5kcm9pZF9wbHVnaW5...
- s####.s.360.cn/ak/2e65f2f2fdaf6c699b223c61b1b5ab89.html?m2=####
- sdk.l####.360.cn/codec?os=####&tm=####&model=####&r=####&package=####&pi...
- sdk.l####.360.cn/qvideo_sdk_and_android_176.conf?os=####&tm=####&r=####&...
- sdk.l####.360.cn/rtc?os=####&tm=####&model=####&r=####&package=####&pid=...
- sf1-ttc####.ps####.com/obj/ad.union.api/e0802b1ab2960c91100ca826b0f242ea
- sf3-ttc####.ps####.com/obj/ad.union.api/2bf700240aefd85b8b99691115764da9
- sf3-ttc####.ps####.com/obj/ad.union.api/f1c15f61d5e80a0b47601e678519a871
- sf6-ttc####.ps####.com.####.com/obj/ad.union.api/2ea0a2523c67dff74787316...
- t####.c####.q####.####.com/config/hz-hzv3.conf
- t####.c####.q####.####.com/tdata_YYn966
- t####.c####.q####.####.com/tdata_eOt091
HTTP POST requests:
- and####.b####.qq.com/rqd/async?aid=####
- api.zantou####.com/dot-app-api/api/user/recordUser
- c-h####.g####.com/api.php?format=####&t=####
- cloud####.fengkon####.com/v2/device/conf
- f####.fengkon####.com/v2/device/profile
- log.zantou####.com/dot-app-log/log/app/behaviorlog
- sdk.o####.p####.####.com/api.php?format=####&t=####
Modified file system:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/1004
- /data/data/####/1538377584927_2276
- /data/data/####/1538377585442_2276
- /data/data/####/1538377586029_2276
- /data/data/####/1538377588457_2276
- /data/data/####/1538377589513_2276
- /data/data/####/1538377590324_2276
- /data/data/####/1538377591568_2276
- /data/data/####/1538377592170_2276
- /data/data/####/1538377602624_2628
- /data/data/####/1538377606552_2628
- /data/data/####/1538377610297_2628
- /data/data/####/1538377617160_2931
- /data/data/####/1538377618416_2931
- /data/data/####/1538377620443_2931
- /data/data/####/1538377627245_3193
- /data/data/####/1538377628160_3193
- /data/data/####/1538377629841_3193
- /data/data/####/1538377633245_3193
- /data/data/####/1d2b904cbeadfb72ed9546111a231c85.0
- /data/data/####/25250a361840b9ed7530cef86cbd4d68294f921fde7b544....0.tmp
- /data/data/####/7b63763ccf7c0b2a13c6741f6daab5a332c873cb3c3788e....0.tmp
- /data/data/####/96374be755d6f4716e618bcbff78710f2e9a1785aa90b92....0.tmp
- /data/data/####/9d486ab46f95f0044516ab5c26c5a5c778143cabe8c4b55....0.tmp
- /data/data/####/AKDownload.db
- /data/data/####/AKDownload.db-journal
- /data/data/####/Alvin2.xml
- /data/data/####/Archimedes_p1
- /data/data/####/Archimedes_p2
- /data/data/####/Archimedes_p3
- /data/data/####/Archimedes_p4
- /data/data/####/Archimedes_p5
- /data/data/####/ContextData.xml
- /data/data/####/CookiePersistence.xml
- /data/data/####/FM_config.xml
- /data/data/####/MultiDex.lock
- /data/data/####/QH_DeviceSDK.xml
- /data/data/####/QH_SDK_M2.xml
- /data/data/####/QH_SDK_UserData2e65f2f2fdaf6c699b223c61b1b5ab89.xml
- /data/data/####/TD_app_pefercen_profile.xml
- /data/data/####/TDpref_cloudcontrol1.xml
- /data/data/####/TDpref_longtime.xml
- /data/data/####/TDpref_longtime0.xml
- /data/data/####/TDpref_shorttime.xml
- /data/data/####/TDpref_shorttime0.xml
- /data/data/####/app_globel_config_file.xml
- /data/data/####/bugly_db_-journal
- /data/data/####/cloudms.conf.xml
- /data/data/####/com.diandi.app_preferences.xml
- /data/data/####/com.qihoo.livecloud.settings.GPWebrtcSettings.pref.xml
- /data/data/####/com.shumei.xml
- /data/data/####/crashrecord.xml
- /data/data/####/diandi.db
- /data/data/####/diandi.db-journal
- /data/data/####/dso_deps
- /data/data/####/dso_lock
- /data/data/####/dso_manifest
- /data/data/####/dso_state
- /data/data/####/e70c36b59122b0c3cac458c1e30f29945a1503ae563082f....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/finalcore.jar
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/gx_sp.xml
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/i==1.2.0&&1.7.6_1538377584553_envelope.log
- /data/data/####/i==1.2.0&&1.7.6_1538377605419_envelope.log
- /data/data/####/i==1.2.0&&1.7.6_1538377616518_envelope.log
- /data/data/####/i==1.2.0&&1.7.6_1538377626862_envelope.log
- /data/data/####/info.xml
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/is.xml
- /data/data/####/iv
- /data/data/####/journal
- /data/data/####/journal.tmp
- /data/data/####/k.store
- /data/data/####/libdvrender.so.tmp
- /data/data/####/libjiagu195634731.so
- /data/data/####/libjplayer.so.tmp
- /data/data/####/liblocalserver.so.tmp
- /data/data/####/libmyssl.so.1.1.tmp
- /data/data/####/libtranscore.so
- /data/data/####/libtranscore.so.tmp
- /data/data/####/libviewer.so.tmp
- /data/data/####/libwgs2gcj.so
- /data/data/####/local_crash_lock
- /data/data/####/localserver_2.0.3.18042602.zip
- /data/data/####/localserver_2.0.3.18042602.zip (deleted)
- /data/data/####/locker
- /data/data/####/loctemp.so
- /data/data/####/logdb.db
- /data/data/####/logdb.db-journal
- /data/data/####/multidex.version.xml
- /data/data/####/new_sp.xml
- /data/data/####/player_2.0.3.18051401.zip
- /data/data/####/player_2.0.3.18051401.zip (deleted)
- /data/data/####/pref.xml
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/qhvc_plugin.xml
- /data/data/####/run.pid
- /data/data/####/salt
- /data/data/####/sdk_config.xml
- /data/data/####/security_info
- /data/data/####/share.db-journal
- /data/data/####/share_data.xml
- /data/data/####/slldate.xml
- /data/data/####/sp.livecloud.database.xml
- /data/data/####/tdata_YYn966
- /data/data/####/tdata_YYn966.jar
- /data/data/####/tdata_eOt091
- /data/data/####/tdata_eOt091.jar
- /data/data/####/tdid.xml
- /data/data/####/tools_2.0.3.18051401.zip
- /data/data/####/tools_2.0.3.18051401.zip (deleted)
- /data/data/####/tracker.db-journal
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/um_pri.xml
- /data/data/####/umdat.xml
- /data/data/####/umeng_common_config.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/data/####/webview.db-journal
- /data/media/####/.a.dat
- /data/media/####/.adfwe.dat
- /data/media/####/.cca.dat
- /data/media/####/.deviceId
- /data/media/####/.nomedia
- /data/media/####/.sfp
- /data/media/####/.tcookieid
- /data/media/####/.testf
- /data/media/####/.thumbcache_idx0
- /data/media/####/.umm.dat
- /data/media/####/000f06ad849402251ae647596a2472ed.0.tmp
- /data/media/####/000f06ad849402251ae647596a2472ed.1.tmp
- /data/media/####/0447f5ea79cea75866a3a5a743628562.0.tmp
- /data/media/####/0447f5ea79cea75866a3a5a743628562.1.tmp
- /data/media/####/0b6f11877f177a5f0071410ffc20fb82.0.tmp
- /data/media/####/0b6f11877f177a5f0071410ffc20fb82.1.tmp
- /data/media/####/14a1675f2434562140a286b0ec910bfa.0.tmp
- /data/media/####/14a1675f2434562140a286b0ec910bfa.1.tmp
- /data/media/####/1538377582832.db
- /data/media/####/1538377600716.db
- /data/media/####/1538377616617.db
- /data/media/####/1538377626871.db
- /data/media/####/25c5457d25365b71ca6af74a061b29a3.0.tmp
- /data/media/####/25c5457d25365b71ca6af74a061b29a3.1.tmp
- /data/media/####/26337a392fcb6011456e7c9c4ac1fc21.0.tmp
- /data/media/####/26337a392fcb6011456e7c9c4ac1fc21.1.tmp
- /data/media/####/29331a3cc6f90b53134776822bcf149f.0.tmp
- /data/media/####/29331a3cc6f90b53134776822bcf149f.1.tmp
- /data/media/####/39b3253140871121e3462b1727f28f30.0.tmp
- /data/media/####/39b3253140871121e3462b1727f28f30.1.tmp
- /data/media/####/3b7a7281bde7ed789cf13b38d72cf8f5.0.tmp
- /data/media/####/3b7a7281bde7ed789cf13b38d72cf8f5.1.tmp
- /data/media/####/3fd82d388e5f3b53ccf6a448755ed7c7.0.tmp
- /data/media/####/3fd82d388e5f3b53ccf6a448755ed7c7.1.tmp
- /data/media/####/40c58650393ddb70cf93dc54cfa94f12.0.tmp
- /data/media/####/40c58650393ddb70cf93dc54cfa94f12.1.tmp
- /data/media/####/4d13d610bb866068b05969a450b32c54.0.tmp
- /data/media/####/4d13d610bb866068b05969a450b32c54.1.tmp
- /data/media/####/4fd160eb096f6b2597fff0344450cbd9.0.tmp
- /data/media/####/4fd160eb096f6b2597fff0344450cbd9.1.tmp
- /data/media/####/530925df252d647274f5f0d023322c43.0.tmp
- /data/media/####/530925df252d647274f5f0d023322c43.1.tmp
- /data/media/####/5bd3b93e8d3b1e173e0332f5db15347c.0.tmp
- /data/media/####/5bd3b93e8d3b1e173e0332f5db15347c.1.tmp
- /data/media/####/5f5a94e93a68027e4332502a1d871bc5.0.tmp
- /data/media/####/5f5a94e93a68027e4332502a1d871bc5.1.tmp
- /data/media/####/69405d8e58d358aedee9e8c6ade61000.0.tmp
- /data/media/####/69405d8e58d358aedee9e8c6ade61000.1.tmp
- /data/media/####/69908242
- /data/media/####/6fe39b175f50af18d6f070ae32a476b1.0.tmp
- /data/media/####/6fe39b175f50af18d6f070ae32a476b1.1.tmp
- /data/media/####/729edb64738992cd229b6225ef17add5.0.tmp
- /data/media/####/729edb64738992cd229b6225ef17add5.1.tmp
- /data/media/####/8c997fa3d773521cdb7f37277de0f90f.0.tmp
- /data/media/####/8c997fa3d773521cdb7f37277de0f90f.1.tmp
- /data/media/####/8e2a58051d64628a4a28f21fdb8b0747.0.tmp
- /data/media/####/8e2a58051d64628a4a28f21fdb8b0747.1.tmp
- /data/media/####/9103ed5add0184cb3ce83d4f754b63dc.0.tmp
- /data/media/####/9103ed5add0184cb3ce83d4f754b63dc.1.tmp
- /data/media/####/9e6fbc951968d888444a62c7d75febc1.0.tmp
- /data/media/####/9e6fbc951968d888444a62c7d75febc1.1.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/Jgg3KEpwB1Lbn9Qv7PGJwbgG2BI.106419662.tmp
- /data/media/####/PAe4Br9NAH7IGTwkufXGLbp6Mog.106419662.tmp
- /data/media/####/__VERSION__
- /data/media/####/a5fa6999a17c2c525521bafa2dcd3c1b.0.tmp
- /data/media/####/a5fa6999a17c2c525521bafa2dcd3c1b.1.tmp
- /data/media/####/alsn20170807.db
- /data/media/####/alsn20170807.db-journal
- /data/media/####/app.db
- /data/media/####/b51588cae1cb6c8e6c0ca886d53bcba1.0.tmp
- /data/media/####/b51588cae1cb6c8e6c0ca886d53bcba1.1.tmp
- /data/media/####/c0cdc007949f390267fa78f9d58ec06f.0.tmp
- /data/media/####/c0cdc007949f390267fa78f9d58ec06f.1.tmp
- /data/media/####/cf4629074c26dbc95a35657c210431f5.0.tmp
- /data/media/####/cf4629074c26dbc95a35657c210431f5.1.tmp
- /data/media/####/cf48682474074cad3b5dfe5202243e98.0.tmp
- /data/media/####/cf48682474074cad3b5dfe5202243e98.1.tmp
- /data/media/####/com.diandi.app.bin
- /data/media/####/com.diandi.app.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/crashs-2018-10-01.log
- /data/media/####/d257270240e679d8930c05588f1ab315.0.tmp
- /data/media/####/d257270240e679d8930c05588f1ab315.1.tmp
- /data/media/####/dTG
- /data/media/####/dTG (deleted)
- /data/media/####/e167df165bebc33116e1591f18bacc7a.0.tmp
- /data/media/####/e167df165bebc33116e1591f18bacc7a.1.tmp
- /data/media/####/e63b3471814865eaa1feabafa0f0583d.0.tmp
- /data/media/####/e63b3471814865eaa1feabafa0f0583d.1.tmp
- /data/media/####/ea7a6d4b1ab1d5761fee848de96a175a.0.tmp
- /data/media/####/ea7a6d4b1ab1d5761fee848de96a175a.1.tmp
- /data/media/####/journal
- /data/media/####/journal.tmp
- /data/media/####/kTZxlaAeZTemNZr4JHthv82BSJY.106419662.tmp
- /data/media/####/p113gp
- /data/media/####/shumei.txt
- /data/media/####/sysid.dat
- /data/media/####/tdata_YYn966
- /data/media/####/tdata_eOt091
- /data/media/####/test.log
Miscellaneous:
Executes next shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- /system/bin/sh -c getprop
- /system/bin/sh -c type su
- <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.ui.service.MeGTPushService 24349 300 0
- app_process /system/bin com.android.commands.pm.Pm list package -3
- cat /proc/self/cgroup
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu195634731.so
- getprop
- logcat -d -v threadtime
- ls -l /system/bin/su
- ls /sys/class/thermal
- pm list package -3
- ps
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.ui.service.MeGTPushService 24349 300 0
Loads the following dynamic libraries:
- Bugly
- getuiext2
- libdvrender
- libimagepipeline
- libjiagu195634731
- libjplayer
- liblocalserver
- libtranscore
- libviewer
- smsdk
Uses the following algorithms to encrypt data:
- AES
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS7Padding
- AES-GCM-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Uses the following algorithms to decrypt data:
- AES
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-GCM-NoPadding
- DES-ECB-NoPadding
Uses special library to hide executable bytecode.
Gains access to camera interface.
Gains access to geolocation.
Gains access to network information.
Gains access to telephone information (number, imei, etc.).
Gains access to information about installed applications.
Adds tasks to the system scheduler.
Displays its own windows over windows of other applications.
