Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Gexin.2.origin
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(HTTP/1.1) a####.wagbr####.t####.####.com:80
- TCP(HTTP/1.1) m.d####.mob.com:80
- TCP(HTTP/1.1) adash####.man.aliy####.com:80
- TCP(HTTP/1.1) a####.exc.mob.com:80
- TCP(HTTP/1.1) p####.app.c####.com:80
- TCP(HTTP/1.1) www.webdiss####.com:80
- TCP(HTTP/1.1) log.mm####.com:80
- TCP(HTTP/1.1) rec####.gridsum####.com:80
- TCP(HTTP/1.1) gm.mm####.com:80
- TCP(TLS/1.0) and####.google####.com:443
- TCP(TLS/1.0) 1####.177.14.95:443
- TCP(TLS/1.0) aq####.y####.net.####.cn:443
- TCP(TLS/1.0) ihu####.c####.com:443
- TCP(TLS/1.0) instant####.google####.com:443
- TCP(TLS/1.0) apihudo####.c####.com:443
- TCP(TLS/1.0) hotfix####.aliy####.com:443
- TCP(TLS/1.0) android####.go####.com:443
- TCP(TLS/1.0) 1####.194.222.101:443
- TCP(TLS/1.2) 1####.251.1.102:443
- TCP(TLS/1.2) 64.2####.163.94:443
- TCP(TLS/1.2) 1####.177.14.95:443
- TCP ope####.3g.qq.com:8080
DNS requests:
- a####.exc.mob.com
- a####.man.aliy####.com
- af####.ali####.com
- and####.google####.com
- android####.go####.com
- api.s####.mob.com
- apihudo####.c####.com
- clou####.y####.net
- gm.mm####.com
- hotfix####.aliy####.com
- ihu####.c####.com
- instant####.google####.com
- log.mm####.com
- m.d####.mob.com
- ope####.3g.qq.com
- p####.app.c####.com
- rec####.gridsum####.com
- tz.cztvc####.com
- tz.cztvc####.com.####.8
- www.webdiss####.com
HTTP GET requests:
- a####.exc.mob.com/v3/cconf?appkey=####&plat=####&apppkg=####&appver=####...
- a####.wagbr####.t####.####.com/sdk/ad?aid=####&sz=####&vt=####&sco=####&...
- a####.wagbr####.t####.####.com/sdk/cf?osv=####&mac=####&protv=####&dpr=#...
- a####.wagbr####.t####.####.com/sdk/cf?osv=####&ts+=####&mac=####&protv=#...
- gm.mm####.com/wapebs.5.1?osv=####&plugv=####&apvn=####&load_status=####&...
- hotfix####.aliy####.com:443/u/98538-1/YdWZ4hQ8t9IDAGdzx1GqUXoW/2.0.7/0/
- hotfix####.aliy####.com:443/u/98538-1/YdWZwFIunZIDAGdzx1GrLZlD/2.0.7/0/
- hotfix####.aliy####.com:443/u/98538-1/YdWZzJbdSUIDAGdzx1HIiQ7//2.0.7/0/
- hotfix####.aliy####.com:443/u/98538-1/YdWaFq08m7ADAGdzx1Hk4+B8/2.0.7/0/
- ihu####.c####.com:443/stations?app_id=####×tamp=####&client_id=####...
- ihu####.c####.com:443/subscription/getkeyword?app_id=####×tamp=####...
- log.mm####.com/t.gif
- p####.app.c####.com/getNoticeList.do?×tamp=####
- rec####.gridsum####.com/gs.gif?gsdelay=####&gsver=####&gscmd=####&gssrvi...
- www.webdiss####.com/recv/gs.gif?gsdelay=####&gsver=####&gscmd=####&gssrv...
HTTP POST requests:
- a####.exc.mob.com/errconf
- adash####.man.aliy####.com/man/api?ak=####&s=####
- m.d####.mob.com/conf5
- m.d####.mob.com/conn
- m.d####.mob.com/log4
- m.d####.mob.com/snsconf
File system changes:
Creates the following files:
- /data/data/####/.dic_lock
- /data/data/####/.globalLock
- /data/data/####/.jg.ic
- /data/data/####/.lock
- /data/data/####/.mrecord
- /data/data/####/.mrecord (deleted)
- /data/data/####/.mrlock
- /data/data/####/.old_file_converted
- /data/data/####/.pkg_lock
- /data/data/####/.statistics
- /data/data/####/Alvin2.xml
- /data/data/####/BonreeActionTest.xml
- /data/data/####/CommonPlugin-5.0.apk
- /data/data/####/CommonPlugin-5.0.dex
- /data/data/####/CommonPlugin-5.0.dex.flock (deleted)
- /data/data/####/ContextData.xml
- /data/data/####/CookiePrefsFile.xml
- /data/data/####/Cookies-journal
- /data/data/####/FrameworkPlugin-3.3.apk
- /data/data/####/FrameworkPlugin-3.3.dex
- /data/data/####/FrameworkPlugin-3.3.dex.flock (deleted)
- /data/data/####/LecloudDownload.db-journal
- /data/data/####/MSF.C.NetConnInfo.xml
- /data/data/####/QALConfigStore.dat
- /data/data/####/ThrowalbeLog.db-journal
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/WelcomePlugin-3.6.apk
- /data/data/####/WelcomePlugin-3.6.dex
- /data/data/####/WelcomePlugin-3.6.dex.flock (deleted)
- /data/data/####/a1c20833d02ee534cee4b54df83d93ad.0.tmp
- /data/data/####/a1c20833d02ee534cee4b54df83d93ad.1
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/classes.dex
- /data/data/####/classes2.dex
- /data/data/####/classes3.dex
- /data/data/####/classes4.dex
- /data/data/####/com.chinablue.tv.xml
- /data/data/####/com.chinablue.tv_preferences.xml
- /data/data/####/d72fc2fc3ec683e0ffe0c1b2549829b1.0.tmp
- /data/data/####/d72fc2fc3ec683e0ffe0c1b2549829b1.1.tmp
- /data/data/####/de9011fb427e1596a666069cbf7e063b.0.tmp
- /data/data/####/de9011fb427e1596a666069cbf7e063b.1.tmp
- /data/data/####/fcbe5ceed1cef0c47a01bc00ad085b7e.0.tmp
- /data/data/####/fcbe5ceed1cef0c47a01bc00ad085b7e.1.tmp
- /data/data/####/fdf38ae946505d31f49e506fd5192de4.0.tmp
- /data/data/####/fdf38ae946505d31f49e506fd5192de4.1
- /data/data/####/filedownloader.db-journal
- /data/data/####/index
- /data/data/####/jg_so_upgrade_setting.xml
- /data/data/####/journal
- /data/data/####/libjiagu.so
- /data/data/####/metrics_guid
- /data/data/####/mob_commons_1
- /data/data/####/mob_sdk_exception_1
- /data/data/####/proc_auxv
- /data/data/####/qalimid_v2
- /data/data/####/qihoo_jiagu_crash_report.xml
- /data/data/####/share_sdk_1
- /data/data/####/sharesdk.db-journal
- /data/data/####/sp_sophix.xml
- /data/data/####/the-real-index
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_general_config.xml.bak
- /data/data/####/umeng_general_config.xml.bak (deleted)
- /data/data/####/webview_data.lock
- /data/data/####/wv_web_info.dat
- /data/data/####/xUtils.db-journal
- /data/media/####/.dic_lock
- /data/media/####/.duid
- /data/media/####/.globalLock
- /data/media/####/.pkg_lock
- /data/media/####/.rc_lock
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/YfNetCfg.ini
- /data/media/####/crash-2022-01-05-16-15-01-1641388501239.log
- /data/media/####/crash-2022-01-05-16-15-56-1641388556964.log
- /data/misc/####/primary.prof
Miscellaneous:
Executes the following shell scripts:
- cat /sys/class/net/wlan0/address
- chmod 755 /data/user/0/<Package>/.jiagu/libjiagu.so
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- DES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS7Padding
Uses special library to hide executable bytecode.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Displays its own windows over windows of other apps.
Requests the system alert window permission.
