Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) z12.tua####.com.####.com:80
- TCP(HTTP/1.1) sh.wagbr####.aliyun####.com:80
- TCP(HTTP/1.1) 1####.171.130.145:80
- TCP(HTTP/1.1) m.api.zh####.com:80
- TCP(HTTP/1.1) reso####.msg.xi####.net:80
- TCP(HTTP/1.1) m####.chinane####.com:80
- TCP(HTTP/1.1) anal####.tua####.com:80
- TCP(HTTP/1.1) pi####.qq.com:80
- TCP(HTTP/1.1) 1####.254.116.117:80
- TCP(TLS/1.0) 1####.217.17.142:443
- TCP(TLS/1.0) 47.74.1####.254:443
- TCP(TLS/1.0) res####.a####.com:443
- TCP(TLS/1.0) hotfix####.aliy####.com:443
- TCP 1####.0.45.34:6666
- TCP 47.74.1####.158:5222
- TCP 4####.62.94.2:443
- TCP t####.qq.com:443
DNS requests:
- a####.man.aliy####.com
- amap####.cn-hang####.oss####.####.com
- anal####.tua####.com
- hotfix####.aliy####.com
- m.api.zh####.com
- maa####.chinane####.com
- pi####.qq.com
- res####.a####.com
- reso####.msg.xi####.net
- t####.qq.com
- z11.tua####.com
- z12.tua####.com
- z3.tua####.com
HTTP GET requests:
- 1####.171.130.145/cns/push/query_download_by_pin.jsonp
- 1####.171.130.145/config/switch/shopdetail?platform=####&version=####
- 1####.171.130.145/config/switch?keys=####&platform=####&trackid=####&pro...
- 1####.171.130.145/operation/abtest/pageconfig/v1
- 1####.171.130.145/operation/startinfo/v1?cityid=####&image_model=####&us...
- 1####.171.130.145/operation/userinfo/v1
- 1####.171.130.145/pin_api/list/get_subject_list.json?version=####
- 1####.171.130.145/tao800/clientcontrol/android/1/client.json
- 1####.171.130.145/tao800/hotbanner.json?pagetype=####&platform=####&chan...
- 1####.171.130.145/zhe800_n_api/xsq/na/bottom_tab?new_user=####&version=#...
- m.api.zh####.com/app/cart/item/count
- m.api.zh####.com/app_record/monitor.gif?logData=####
- m.api.zh####.com/cn/zhe800_n_api/muying/baby_info
- m.api.zh####.com/config/switch?keys=####&platform=####&trackid=####&prod...
- m.api.zh####.com/deals/count/today/v1?user_type=####&user_role=####
- m.api.zh####.com/deals/muying/filter/v1
- m.api.zh####.com/feedback/unreadcounts
- m.api.zh####.com/gateway/mapi/personal?user_type=####&user_role=####&tua...
- m.api.zh####.com/h5new/real/homemodule?area=####&model=####&paid=####&pl...
- m.api.zh####.com/homepromotion/suspension/v2?user_type=####&user_role=##...
- m.api.zh####.com/j/wireless/rest/bubble/list?point=####
- m.api.zh####.com/list/deals/v2?image_type=####&tab=####&url_name=####&us...
- m.api.zh####.com/list/deals/v2?parent_tag=####&url_name=####&user_type=#...
- m.api.zh####.com/mobilelog/activelog/v2/activeinfo.gif?data=####
- m.api.zh####.com/mobilelog/normal/report.gif?header=####&data=####
- m.api.zh####.com/ms/zhe800h5/ntfiles/dotmenu.json
- m.api.zh####.com/operation/banner/v1?cityid=####&show_location=####&user...
- m.api.zh####.com/push/deviceinfo/xg?token=####&brand=####&sdk=####&model...
- m.api.zh####.com/push/sdkconfig?brand=####&model=####
- m.api.zh####.com/search/recommend/v1?user_type=####&user_role=####
- m.api.zh####.com/tao800/commonbanner.json?ad_type=####&image_model=####
- m.api.zh####.com/tao800/commonbanner.json?ad_type=####&image_model=####&...
- reso####.msg.xi####.net/gslb/?ver=####&type=####&conpt=####&uuid=####&li...
- z12.tua####.com.####.com/imagev2/cpc/750x750.cc80e0b7fbe7abb9b57211551f5...
- z12.tua####.com.####.com/imagev2/customerservice/50x52.45f54e4b5356d75a0...
- z12.tua####.com.####.com/imagev2/trade/1049x1049.9f2f299a46eb1d408dd79cf...
- z12.tua####.com.####.com/imagev2/trade/800x800.8d4f70bf983478e94f4cf99e3...
- z12.tua####.com.####.com/imagev2/trade/800x800.af383e3264f6e96cac84a256a...
- z12.tua####.com.####.com/imagev2/trade/800x800.cca504b655cf2787cb008b6b5...
- z12.tua####.com.####.com/imagev2/trade/800x800.e95b3760cfc13bfa630dbcb6b...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.3455a7ea7a46db29cc03c8de35...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.3d20982eb2f4e8ed873268e8d2...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.5cae34f688346b579a49f9b7e1...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.6ae6b911b8ba4cf0e87d72d0b5...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.937c2d60408120faae09801679...
- z12.tua####.com.####.com/imagev2/wxyy/110x110.a568816d3fc22f07cd5047bd2c...
- z12.tua####.com.####.com/imagev2/wxyy/111x110.ce958e9f3862da9df91ccce6fd...
- z12.tua####.com.####.com/imagev2/wxyy/128x50.68a798fc32a7b99dab3db916f85...
- z12.tua####.com.####.com/imagev2/wxyy/128x50.ac6b89b6be9ff265ef72be041ed...
- z12.tua####.com.####.com/imagev2/wxyy/187x188.31ae95ed0fe50d80d8ab8261d4...
- z12.tua####.com.####.com/imagev2/wxyy/187x188.4ed7db7ca4ab911a2a63a62257...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.198246dcfade247fe049970cdc...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.1d1c03e186c8db7fc1eee46e4e...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.85f98c40d2b35a3df457651d02...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.908a85ca240e2e41c3f3d6e864...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.d764e7f440ec1174c50b418780...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.d9135d1a569745cf66d06f1823...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.ee4c4243380464a5fadd906d21...
- z12.tua####.com.####.com/imagev2/wxyy/187x222.f82676732b3c006e590acda36e...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.04b244561307ef919dc8febc4d...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.093895b0aab9e6c40c8f2a7e5a...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.353b044c62d39bef9b2420ae29...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.68527724143d7f576ce6fa7816...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.7fa7b849c014872029013efe22...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.a6010f28ca136bed664578a5f7...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.c43774258c99a18a1bae010f07...
- z12.tua####.com.####.com/imagev2/wxyy/256x100.d695041a5772456c951e04929d...
- z12.tua####.com.####.com/imagev2/wxyy/36x36.ef472aa4be126ddb1100fc66fc75...
- z12.tua####.com.####.com/imagev2/wxyy/375x188.af9d17565f6ceb318974394325...
- z12.tua####.com.####.com/imagev2/wxyy/375x376.8c1d4e73e20a4dfafd1e993f0f...
- z12.tua####.com.####.com/imagev2/wxyy/48x48.707c6bd97b2195259103277912dc...
- z12.tua####.com.####.com/imagev2/wxyy/48x48.f238fdf8c0f634f1b12cd8200c31...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.1c04611016ca3e301bc6900c67ec...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.5193d7e2c180c415a2936c76e023...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.5614f8d3e6129edd8ca723cfae1f...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.69d98c0d4e2d0d4fb9af3361dbe9...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.ba128a8b54c77998187ea9ec2a9a...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.d6fe72234e66b205789eef55ff0a...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.df784ed38b2abda57a53df0f56f3...
- z12.tua####.com.####.com/imagev2/wxyy/50x50.fbe63bfe8783ba6f6da3c9d11861...
- z12.tua####.com.####.com/imagev2/wxyy/50x51.47a396dea2c5d4a8ec4cc78644b9...
- z12.tua####.com.####.com/imagev2/wxyy/750x220.a053a58cdf00e0073ddf178b79...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.1d6fc05dd55f1d9bab81b38a8b...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.3eb53dc8c84af6979b505bcefe...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.6f4e12c47d9fc44f786b5ae4f8...
- z12.tua####.com.####.com/imagev2/wxyy/750x286.f59af523a3399d224ab8edaa1d...
- z12.tua####.com.####.com/imagev2/zhaoshang/600x600.1c86e7fa2d8f7041dd0c6...
- z12.tua####.com.####.com/imagev2/zhaoshang/600x600.ddea433cb9d3a1d0ce403...
HTTP POST requests:
- anal####.tua####.com/mobilelog/errorlog/android.gif
- m####.chinane####.com/frontoffice/checkAuthority
- pi####.qq.com/mstat/report/?index=####
- sh.wagbr####.aliyun####.com/man/api?ak=####&s=####
File system changes:
Creates the following files:
- /data/data/####/-1609837909-1071968528
- /data/data/####/-1995481423124495302
- /data/data/####/-5605657971044170427
- /data/data/####/-lcGop2GYiIqljjmF2QDyAhTero.-1829650379.tmp
- /data/data/####/.com.tuan800.tao800;pushservice.xg.stat..xml
- /data/data/####/.jg.ic
- /data/data/####/.tpns.service.xml.xml
- /data/data/####/.tpns.settings.xml.xml
- /data/data/####/.tpush_mta.xml
- /data/data/####/0zefTeOB2rdJ5T_ZnoJj2WssIlA.821171880.tmp
- /data/data/####/1819569985-1316478989
- /data/data/####/25-7c24eKiWPsd_SK7yEoVaYB1Q.620948432.tmp
- /data/data/####/4Cat2KYbVetXsBq0NkiBCwx85JU.872274387.tmp
- /data/data/####/5iFhtAk4_3ud6HYtRUmQgdUOhb8.-1928810804.tmp
- /data/data/####/6ZSQ7EIY0jiBAag7vYUzu_KB04U.-1782177408.tmp
- /data/data/####/6keVnWD3ljDgYmtEhoSHSl0byLQ.-1121412038.tmp
- /data/data/####/7FDf104GXCEY11YujpuGQDSxLvs.-1593746957.tmp
- /data/data/####/7FDf104GXCEY11YujpuGQDSxLvs.cnt
- /data/data/####/85dDu1ZpU5qSa8x9rFHo5HglaVg.-126904289.tmp
- /data/data/####/9z63xZkb4KsWKTbtZkGBOkVgINo.-1013985252.tmp
- /data/data/####/Alvin2.xml
- /data/data/####/AzCG31BmN73FIQD4XMQEA5wvAQA.907676591.tmp
- /data/data/####/Cdrahdo4wmewgeVQuqMAGUkDDR8.-1671363941.tmp
- /data/data/####/ContextData.xml
- /data/data/####/Dn0Z3vkFhXUT8vz4DYvbzWxVIhY.1944272292.tmp
- /data/data/####/EWwgEuEaDOS0WiiSjU91o9mccSE.864168373.tmp
- /data/data/####/KL7e4OMSmaITt43ToIiAbFIYuGw.-1516804363.tmp
- /data/data/####/Kdl64QjnXK_v5mf6Q0C-vvn4SmI.-1041637629.tmp
- /data/data/####/MooRDq60cT9nTEiLkCT9Mh6DErI.1064745440.tmp
- /data/data/####/N9y9MLtKu02GHNuWRyVD02jGZ_w.985092839.tmp
- /data/data/####/NlaPlfvSw0hnu6CtdvPczjeocWc.-1530373407.tmp
- /data/data/####/PJp8vccAwkPasb073vezFv1tKX4.-1444017628.tmp
- /data/data/####/QppROp3H0QBmi9Ct-8nLtCIPRNg.-740870324.tmp
- /data/data/####/R0IUMIc3XAQkp91Qy66jQxUVUtM.1556514999.tmp
- /data/data/####/S8_99Cvpl-nT7VrxlBP_vshmjqU.1043714915.tmp
- /data/data/####/SNC4T_FAT33xmkw1d1zzEhpZja0.-1275333055.tmp
- /data/data/####/VfQzJsy8T5K92Q9C8vLLA2Xtcd8.-1917000726.tmp
- /data/data/####/WSPXCrashPreference.xml
- /data/data/####/XMPushServiceConfig.xml
- /data/data/####/YzdlvzSx5Nle0wwxymKJ6k11VBY.1668904710.tmp
- /data/data/####/Zksz1-SWVbg7Hv1jKWi1xFjfi_Y.-1640040931.tmp
- /data/data/####/atlas_configs.xml
- /data/data/####/bQ0ARa749YBpzCYppvAJvgrcrN4.363306313.tmp
- /data/data/####/cSSNBpeYhz3d-7fmhIFxn5iLwg0.1701940033.tmp
- /data/data/####/com.tuan800.tao800.userCenter.xml
- /data/data/####/com.tuan800.tao800;pushservice
- /data/data/####/com.tuan800.tao800SWITCH_SP.xml
- /data/data/####/com.tuan800.tao800_h5urlsp.xml
- /data/data/####/com.tuan800.tao800_homeheader.xml
- /data/data/####/com.tuan800.tao800_jump_to_h5_url.xml
- /data/data/####/com.tuan800.tao800_npi.xml
- /data/data/####/com.tuan800.tao800_order.xml
- /data/data/####/com.tuan800.tao800_pintuan.xml
- /data/data/####/com.tuan800.tao800_preferences.xml
- /data/data/####/com.tuan800.tao800_sign.xml
- /data/data/####/com.tuan800.tao800_user_center.xml
- /data/data/####/com.tuan800.tao800collected_brand.xml
- /data/data/####/com.tuan800.tao800should_notify.xml
- /data/data/####/com.tuan800.tao800static_file_click_model.xml
- /data/data/####/com.tuan800.tao800static_file_exp.xml
- /data/data/####/com.tuan800.tao800static_file_mobilelog.xml
- /data/data/####/com.tuan800.tao800static_file_model.xml
- /data/data/####/com.tuan800.tao800static_file_outclick.xml
- /data/data/####/com.tuan800.tao800static_file_page.xml
- /data/data/####/com.tuan800.tao800static_file_pageclick.xml
- /data/data/####/com.tuan800.tao800static_file_setkey_value.xml
- /data/data/####/com.tuan800.tao800static_file_share.xml
- /data/data/####/com.tuan800.tao800static_file_static.xml
- /data/data/####/device_id.xml
- /data/data/####/dynamicamapfile.db
- /data/data/####/dynamicamapfile.db-journal
- /data/data/####/event_com.tuan800.tao800.log
- /data/data/####/event_com.tuan800.tao800;pushservice.log
- /data/data/####/geofencing.db
- /data/data/####/geofencing.db-journal
- /data/data/####/h3LL1T4SJ_apafHAqbYLFdxT7tE.-1931159928.tmp
- /data/data/####/hmdb
- /data/data/####/hmdb-journal
- /data/data/####/k8-mEcsC4VjyHv-ycSeIlAJnfeo.-824345874.tmp
- /data/data/####/libjiagu.so
- /data/data/####/lock
- /data/data/####/lock.tmp
- /data/data/####/matosdk_preference.xml
- /data/data/####/matosdk_preference_pushservice.xml
- /data/data/####/meta
- /data/data/####/mipush.xml
- /data/data/####/mipush_account.xml
- /data/data/####/mipush_extra.xml
- /data/data/####/multidex.version.xml
- /data/data/####/pQdEfThw20uH25qugjJmD4PygXY.1561630996.tmp
- /data/data/####/pQuwvQJxyD4b4Ev4aTJWCzvaauQ.-1368418340.tmp
- /data/data/####/pZ6Vr365Wrprpy4C4YsdqGrRhC0.-1775238278.tmp
- /data/data/####/ppa4JT3jZB1eZ52dd4E9tw7ziLA.638057664.tmp
- /data/data/####/pref.xml
- /data/data/####/q79PYNBPJjQb8lxgLihsnA4Jmq8.52098390.tmp
- /data/data/####/qihoo_jiagu_crash_report.xml
- /data/data/####/rKd2Qw5wt2RMy6vqs5iObFqMilo.-1471573087.tmp
- /data/data/####/rxrtG9ZSkfI-awFK0_JxE9v_ndA.2126752314.tmp
- /data/data/####/sFq1xjmH5p2FMH0xdkV_GDqnzMM.1433866507.tmp
- /data/data/####/sp_sophix.xml
- /data/data/####/tG_iJt-0jtxrZWa6HQxDD9ug15k.-1485818004.tmp
- /data/data/####/tao800.db-journal
- /data/data/####/tempfile
- /data/data/####/tpush.shareprefs.xml
- /data/data/####/uLGTlly5sBuwdO5rRaNtzFQ1ysY.2063341584.tmp
- /data/data/####/uzojjomrabCdqsKS0Hg1SY8klSQ.-615453981.tmp
- /data/data/####/vv1LVERvcfNhVbyKnGYFfqdWfqo.-228638801.tmp
- /data/data/####/wspx
- /data/data/####/zHTOOH9kmfHg2GdUeAsorGiMSOw.1844968661.tmp
- /data/media/####/.mid.txt
- /data/media/####/.nomedia
- /data/media/####/1jr65m4qb6xv4redv1bmluj2c
- /data/media/####/1x4v67b3y2gs4501m0yawk0ul
- /data/media/####/1xpkdo9tzugkvmqyvrugeun9w
- /data/media/####/3u8ha68w1v3suvyz3lo7kgtfk
- /data/media/####/42b3goe37jr22dz5cnjxlphhg
- /data/media/####/44sue9aleeoulk4i4uwm3rg3z
- /data/media/####/5gzmjcoqdnedwc3o1pyax1dky
- /data/media/####/636nz9dcje0zuytvdq16puq2n
- /data/media/####/6rdvkzlpmeyl0zxyn39n8je0o
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/android_042800_tao800.json
- /data/media/####/d6bzkjyt771vpmlpeoh94xk6
- /data/media/####/log.lock
- /data/media/####/log1.txt
Miscellaneous:
Executes the following shell scripts:
- <Package Folder>/lib/libxguardian.so <Package>,2100252513;<Package>,2100252513; 55451 203.205.128.130 [{ idx :0, ts :%d, et :2000, si :0, ui : <IMEI> , ky : Axg%lu , mid : 103507e66c1f15550e6be0c34f65c0ee446d4d3e , ev :{ ov : 18 , sr : 600*752 , md : <System Property> , lg : en , sv : 3.0 , mf : unknown , apn : %s }}] 0 18
- <Package Folder>/lib/libxguardian.so <Package>,2100252513;<Package>,2100252513; 55451 203.205.128.130 [{"idx":0,"ts":%d,"et":2000,"si":0,"ui":"<IMEI>","ky":"Axg%lu","mid":"103507e66c1f15550e6be0c34f65c0ee446d4d3e","ev":{"ov":"18","sr":"600*752","md":"<System Property>","lg":"en","sv":"3.0","mf":"unknown","apn":"%s"}}] 0 18
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
Loads the following dynamic libraries:
- com.maa
- dalvikhack
- dalvikpatch
- fb_jpegturbo
- gifimage
- imagepipeline
- libjiagu
- pl_droidsonroids_gif
- sqlcipher
- tpnsSecurity
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
- AES-CFB8-NoPadding
- RSA-ECB-PKCS1PADDING
- RSA-ECB-PKCS1Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
- AES-CFB8-NoPadding
- DES-ECB-PKCS5Padding
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about APN settings.
Gets information about installed apps.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
Manages Wi-Fi connectivity.
