Adware.Gexin.23536

Technical information

Malicious functions:

Executes code of the following detected threats:

Adware.Gexin.2.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) sdk.c####.g####.####.cn:80
TCP(HTTP/1.1) c-h####.g####.com:80
TCP(HTTP/1.1) sdk-ope####.g####.com:80
TCP(HTTP/1.1) appapi####.ts####.cn:80
TCP(TLS/1.0) and####.a####.go####.com:443
TCP(TLS/1.0) 64.2####.165.94:443
TCP(TLS/1.0) sysi####.ts####.cn:443
TCP(TLS/1.0) tbsreco####.i####.qq.com:443
TCP(TLS/1.0) new-####.u####.com:443
TCP(TLS/1.0) rr9---s####.g####.com:443
TCP(TLS/1.0) a.g####.qq.com:443
TCP(TLS/1.0) u####.u####.com:443
TCP(TLS/1.0) p####.google####.com:443
TCP(TLS/1.0) t####.m.qq.com:443
TCP(TLS/1.0) im####.cqxi####.com:443
TCP(TLS/1.2) p####.google####.com:443
TCP(TLS/1.2) 64.2####.165.94:443
TCP(TLS/1.2) 1####.177.14.106:443
TCP(TLS/1.2) 74.1####.131.138:443
UDP rr2---s####.g####.com:443
TCP cm-1####.g####.com:5225
TCP sdk.o####.t####.####.com:5224
UDP p####.google####.com:443

DNS requests:

a####.u####.com
a.g####.qq.com
and####.a####.go####.com
and####.google####.com
appapi####.ts####.cn
c-h####.g####.com
cdn-sdk####.g####.com
cm-1####.g####.com
gmscomp####.google####.com
im####.cqxi####.com
im####.ts####.cn
p####.google####.com
rr2---s####.g####.com
rr9---s####.g####.com
sdk-ope####.g####.com
sdk.c####.g####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.com
sdk.o####.t####.####.net
sysi####.ts####.cn
t####.m.qq.com
tbsreco####.i####.qq.com
u####.u####.com
www.google####.com

HTTP GET requests:

appapi####.ts####.cn/ok.txt
im####.cqxi####.com:443/trade/2024/05/30/4a3a9429b5ee440477785b264eb0ef7...
im####.cqxi####.com:443/trade/2024/06/11/a0948147b0bb04f3a6ce4faa81fe356...
sdk.c####.g####.####.cn/config/hzv9.conf
sysi####.ts####.cn:443/2021/07/09/13/60e7db887acbd.jpg
sysi####.ts####.cn:443/2023/07/28/64c33c7920307.jpg
sysi####.ts####.cn:443/2024/01/29/65b785a55f973.jpg
sysi####.ts####.cn:443/2024/02/04/65bf35170b40f.png
sysi####.ts####.cn:443/2024/05/24/66506d94ba486.jpg
sysi####.ts####.cn:443/2024/05/24/66506d94ba802.jpg
sysi####.ts####.cn:443/2024/05/24/66506d94bab1a.jpg
sysi####.ts####.cn:443/2024/05/24/66506d94bae83.jpg
sysi####.ts####.cn:443/2024/05/24/66506d94bb170.jpg

HTTP POST requests:

a.g####.qq.com:443/getSdkConf
a.g####.qq.com:443/package_name
a.g####.qq.com:443/sdk
appapi####.ts####.cn//index.php/App/index
appapi####.ts####.cn/index.php/App/index?api=####
c-h####.g####.com/api.php?format=####&t=####
new-####.u####.com:443/api/postZdata
sdk-ope####.g####.com/api.php?format=####&t=####
t####.m.qq.com:443/?mc=####
tbsreco####.i####.qq.com:443/getconfig
u####.u####.com:443/unify_logs
u####.u####.com:443/zcfg

File system changes:

Creates the following files:

/data/data/####/.dex2oatlock
/data/data/####/.imprint
/data/data/####/.t.log
/data/data/####/.turing.dat
/data/data/####/.updateIV.dat
/data/data/####/.updateIV.dat_0
/data/data/####/.updateIV.dat_1
/data/data/####/0000000lllll_0.dex
/data/data/####/0000000lllll_1.dex
/data/data/####/000O00ll111l_0.dex
/data/data/####/000O00ll111l_1.dex
/data/data/####/00O000ll111l_0.dex
/data/data/####/00O000ll111l_0.dex.flock
/data/data/####/00O000ll111l_0.dex.flock (deleted)
/data/data/####/00O000ll111l_1.dex
/data/data/####/00O000ll111l_1.dex.flock
/data/data/####/00O000ll111l_1.dex.flock (deleted)
/data/data/####/0OO00l111l1l
/data/data/####/0OO00l111l1l.lock
/data/data/####/105548_ad_1
/data/data/####/1186757090
/data/data/####/Alvin2.xml
/data/data/####/BuglySdkInfos.xml
/data/data/####/ContextData.xml
/data/data/####/INSTALLATION
/data/data/####/SP_COMMON_NAME.xml
/data/data/####/SP_MARKET_INIT.xml
/data/data/####/SP_PUSH_SERVICE.xml
/data/data/####/SP_USER_INFO_MODEL.xml
/data/data/####/UM_PROBE_DATA.xml
/data/data/####/WebViewChromiumPrefs.xml
/data/data/####/XR_REFRESH_KEY.xml
/data/data/####/com.lehihi01.game.fuli_preferences.xml
/data/data/####/com.qq.gdt.action.DeviceIdPref.xml
/data/data/####/com.qq.gdt.action.SessionTimePref_b018f673ef3f6...a8.xml
/data/data/####/core_info
/data/data/####/exchangeIdentity.json
/data/data/####/exid.dat
/data/data/####/gdt_action_b018f673ef3f6960117c95467734bda8.db
/data/data/####/gdt_action_b018f673ef3f6960117c95467734bda8.db-journal
/data/data/####/gdt_event_b018f673ef3f6960117c95467734bda8.db-journal
/data/data/####/gdt_user_message_v5
/data/data/####/getui_sp.xml
/data/data/####/i==1.2.0&&8.3.9_1718426594394_dW5pZnlfbG9ncw==;.log
/data/data/####/info.xml
/data/data/####/init.pid
/data/data/####/init_c1.pid
/data/data/####/journal
/data/data/####/metrics_guid
/data/data/####/mpdc_105548_1
/data/data/####/o0oooOO0ooOo.dat
/data/data/####/okgo.db-journal
/data/data/####/prefs.lock
/data/data/####/proc_auxv
/data/data/####/push.pid
/data/data/####/pushsdk.db-journal
/data/data/####/run.pid
/data/data/####/t==9.3.8&&8.3.9_1718426598183_dW5pZnlfbG9ncw==;.log
/data/data/####/tbs_emergence.xml
/data/data/####/tbs_pv_config
/data/data/####/tbscoreinstall.txt
/data/data/####/tosversion
/data/data/####/turingfd_conf_105548_ad.xml
/data/data/####/turingfd_conf_105548_ad.xml.bak
/data/data/####/ua.db
/data/data/####/ua.db-journal
/data/data/####/um_pri.xml
/data/data/####/um_session_id.xml
/data/data/####/umeng_common_config.xml
/data/data/####/umeng_common_config.xml.bak
/data/data/####/umeng_common_config.xml.bak (deleted)
/data/data/####/umeng_general_config.xml
/data/data/####/umeng_general_config.xml.bak (deleted)
/data/data/####/umeng_it.cache
/data/data/####/umeng_zcfg_flag
/data/data/####/umeng_zero_cache.db
/data/data/####/umeng_zero_cache.db-journal
/data/data/####/umzid_general_config.xml
/data/data/####/umzid_general_config.xml.bak (deleted)
/data/data/####/z==1.2.0&&8.3.9_1718426593254_emNmZw==;.log
/data/media/####/07715f69f8fb7b144c4d38cf410c47694e2ee0b0868555...b2e2.0
/data/media/####/0b41b1567335a5a423da707cd0466295194e389aed855e...ea38.0
/data/media/####/1481064600
/data/media/####/1fad5e7f649db9f91359d9f9fc92695e3da70748a75f61...ebd1.0
/data/media/####/2bd9e3384aa6185669d7d8f7f1227c2945955a8cefc694...b296.0
/data/media/####/51b598b3b001be0687c804c4ca455304d03ec74fac8939....0.tmp
/data/media/####/51b598b3b001be0687c804c4ca455304d03ec74fac8939...9e35.0
/data/media/####/Alvin2.xml
/data/media/####/ContextData.xml
/data/media/####/app.db
/data/media/####/c87e056419de77ae9c4afd5cefb57baca3420e32cdb14d....0.tmp
/data/media/####/c87e056419de77ae9c4afd5cefb57baca3420e32cdb14d...098f.0
/data/media/####/com.igexin.sdk.deviceId.db
/data/media/####/com.lehihi01.game.fuli.bin
/data/media/####/com.lehihi01.game.fuli.db
/data/media/####/e4170736ad007b5c0b865fed489edb880cf55bd5df3269....0.tmp
/data/media/####/e4170736ad007b5c0b865fed489edb880cf55bd5df3269...2391.0
/data/media/####/f0b8d6f211d1b21acdd186e1ecc0908f8c1c3dceb0c7a0....0.tmp
/data/media/####/f0b8d6f211d1b21acdd186e1ecc0908f8c1c3dceb0c7a0...2e5c.0
/data/media/####/journal
/data/media/####/journal.tmp
/data/media/####/tbslog.txt
/data/misc/####/primary.prof

Miscellaneous:

Executes the following shell scripts:

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
/system/bin/df
/system/bin/getprop
cat /sys/class/net//address
getprop ro.miui.ui.version.name
getprop wifi.interface
ls /
ls /sys/class/thermal
sh

Loads the following dynamic libraries:

libgetuiext3
libsecsdk
libshell-super.2019
libturingad
libumeng-spy

Uses the following algorithms to encrypt data:

AES
AES-CBC-PKCS5Padding
AES-CBC-PKCS7Padding
DES-CBC-PKCS5Padding
RC4
RSA-ECB-PKCS1Padding
RSA-NONE-OAEPWithSHA1AndMGF1Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS7Padding
RSA-ECB-PKCS1Padding

Accesses the ITelephony private interface.

Uses special library to hide executable bytecode.

Gets information about network.

Gets information about phone status (number, IMEI, etc.).

Gets information about installed apps.

Displays its own windows over windows of other apps.

Requests the system alert window permission.

Tecnologías

Términos

Formación y educación

Mitos

Technical information

Curing recommendations

Free trial