Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) ti####.c####.l####.####.com:80
- TCP(HTTP/1.1) img.zwka####.com:80
- TCP(HTTP/1.1) res.ika####.cn:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) c.appj####.com:80
- TCP(HTTP/1.1) d####.c####.l####.####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) sdk.o####.p####.####.com:80
- TCP(HTTP/1.1) us####.ika####.cn:80
- TCP(HTTP/1.1) z####.ika####.cn:80
- TCP(TLS/1.0) wap.cm####.com:443
- TCP(TLS/1.0) regi####.xm####.xi####.com:443
- TCP sdk.o####.t####.####.com:5224
- TCP c####.g####.ig####.com:5227
Запросы DNS:
- 7j####.c####.z0.####.com
- a####.u####.com
- api.a####.z####.com
- c####.g####.ig####.com
- c####.ika####.cn
- c-h####.g####.com
- c.appj####.com
- cdn.ika####.cn
- dn####.iw####.com
- hm.b####.com
- i####.ika####.cn
- img.zwka####.com
- pub-####.qin####.com
- regi####.xm####.xi####.com
- res.ika####.cn
- sdk.c####.ig####.com
- sdk.o####.p####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- us####.ika####.cn
- wap.cm####.com
- z####.ika####.cn
- z####.ika####.cn
- z####.ika####.cn
Запросы HTTP GET:
- d####.c####.l####.####.com/211/images/222566.jpg
- d####.c####.l####.####.com/211/images/245907.jpg
- d####.c####.l####.####.com/211/images/245966.jpg
- d####.c####.l####.####.com/211/images/272737.jpg
- d####.c####.l####.####.com/211/images/306479.jpg
- d####.c####.l####.####.com/211/images/320851.jpg
- d####.c####.l####.####.com/211/images/326298.jpg
- d####.c####.l####.####.com/211/images/328202.jpg
- d####.c####.l####.####.com/211/images/329019.jpg
- d####.c####.l####.####.com/211/images/329366.jpg
- d####.c####.l####.####.com/211/images/358089.jpg
- d####.c####.l####.####.com/211/images/50013396.jpg
- d####.c####.l####.####.com/211/images/50017813.jpg
- d####.c####.l####.####.com/211/images/60003253.jpg
- d####.c####.l####.####.com/211/images/60349719.jpg
- d####.c####.l####.####.com/211/images/60440416.jpg
- d####.c####.l####.####.com/211/images/60450278.jpg
- d####.c####.l####.####.com/211/images/60452041.jpg
- d####.c####.l####.####.com/211/images/60455958.jpg
- d####.c####.l####.####.com/211/images/60458469.jpg
- d####.c####.l####.####.com/211/images/60465968.jpg
- d####.c####.l####.####.com/211/images/60489826.jpg
- d####.c####.l####.####.com/211/images/60548647.jpg
- d####.c####.l####.####.com/211/images/60560865.jpg
- d####.c####.l####.####.com/211/images/60591455.jpg
- d####.c####.l####.####.com/211/images/60592861.jpg
- d####.c####.l####.####.com/211/images/60592878.jpg
- d####.c####.l####.####.com/211/images/60636898.jpg
- d####.c####.l####.####.com/211/images/60642473.jpg
- d####.c####.l####.####.com/211/images/60733638.jpg
- d####.c####.l####.####.com/211/images/80000432.jpg
- d####.c####.l####.####.com/211/images/80001456.jpg
- d####.c####.l####.####.com/211/images/80002152.jpg
- d####.c####.l####.####.com/211/images/80010798.jpg
- d####.c####.l####.####.com/211/images/802900049.jpg
- d####.c####.l####.####.com/211/images/803201961.jpg
- d####.c####.l####.####.com/211/images/803202465.jpg
- d####.c####.l####.####.com/211/images/803202797.jpg
- d####.c####.l####.####.com/211/images/803202911.jpg
- d####.c####.l####.####.com/211/images/804100001.jpg
- d####.c####.l####.####.com/211/images/804500016.jpg
- d####.c####.l####.####.com/211/images/804500021.jpg
- d####.c####.l####.####.com/211/images/804500914.jpg
- d####.c####.l####.####.com/211/images/804501627.jpg
- d####.c####.l####.####.com/211/images/805000133.jpg
- d####.c####.l####.####.com/211/images/805000203.jpg
- d####.c####.l####.####.com/211/images/805000765.jpg
- d####.c####.l####.####.com/211/images/805200047.jpg
- d####.c####.l####.####.com/211/images/805200073.jpg
- d####.c####.l####.####.com/211/images/807000107.jpg
- d####.c####.l####.####.com/211/images/807000132.jpg
- d####.c####.l####.####.com/211/images/807000162.jpg
- d####.c####.l####.####.com/211/images/808500052.jpg
- d####.c####.l####.####.com/211/images/808500570.jpg
- d####.c####.l####.####.com/211/images/808800165.jpg
- d####.c####.l####.####.com/211/images/809301181.jpg
- d####.c####.l####.####.com/211/images/809500137.jpg
- d####.c####.l####.####.com/211/images/809500318.jpg
- d####.c####.l####.####.com/211/images/809500463.jpg
- d####.c####.l####.####.com/211/images/810300014.jpg
- d####.c####.l####.####.com/211/images/810300020.jpg
- d####.c####.l####.####.com/211/images/810300100.jpg
- d####.c####.l####.####.com/211/images/810300676.jpg
- d####.c####.l####.####.com/211/images/810500075.jpg
- d####.c####.l####.####.com/211/images/811200219.jpg
- d####.c####.l####.####.com/211/images/813600146.jpg
- d####.c####.l####.####.com/211/images/813602384.jpg
- d####.c####.l####.####.com/211/images/813800086.jpg
- d####.c####.l####.####.com/211/images/813800203.jpg
- d####.c####.l####.####.com/211/images/814800002_1.jpg
- d####.c####.l####.####.com/211/images/814800007_1.jpg
- d####.c####.l####.####.com/211/images/814800010_1.jpg
- d####.c####.l####.####.com/211/images/814800011_1.jpg
- d####.c####.l####.####.com/211/images/816000021.jpg
- d####.c####.l####.####.com/211/images/816400107.jpg
- d####.c####.l####.####.com/211/images/817000011.jpg
- d####.c####.l####.####.com/css/style-4.1.css
- d####.c####.l####.####.com/images/blank.png
- d####.c####.l####.####.com/images/zwsc/remindImage/7977b49fdfda4c5ea9b2d...
- hm.b####.com/h.js?daf89de####
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- img.zwka####.com/images/icons/7392_100.png
- res.ika####.cn/211/SidePackage/side_50.zip
- t####.c####.q####.####.com/tdata_RSQ274
- t####.c####.q####.####.com/tdata_RbW195
- t####.c####.q####.####.com/tdata_qHR433
- ti####.c####.l####.####.com/config/hz-hzv3.conf
- ti####.c####.l####.####.com/tdata_EDT369
- us####.ika####.cn/activityShow/getActivity?actId=####&cnid=####&uid=####...
- us####.ika####.cn/book!index.xhtml?cnid=####&cnsubid=####&umeng=####&ver...
- us####.ika####.cn/bookv3/advert?adtype=####&cnid=####&uid=####&imsi=####...
- us####.ika####.cn/bookv3/checkSidePackage?zversion=####&cnid=####&uid=##...
- us####.ika####.cn/bookv3/userinfo?cnid=####&uid=####&imsi=####&imei=####...
- us####.ika####.cn/css/style-4.1.css
- us####.ika####.cn/get?host=####
- us####.ika####.cn/images4.1/doubt.png
- us####.ika####.cn/images4.1/share.png
- us####.ika####.cn/images4.1/status-wrap.png
- us####.ika####.cn/images4.1/task-1.png
- us####.ika####.cn/images4.1/task-2.png
- us####.ika####.cn/images4.1/task-3.png
- us####.ika####.cn/images4.1/task-4.png
- us####.ika####.cn/images4.1/task-5.png
- us####.ika####.cn/images4.1/task-6.png
- us####.ika####.cn/images4.1/task-7.png
- us####.ika####.cn/images4.1/task-9.png
- us####.ika####.cn/images4.1/task-doubt.png
- us####.ika####.cn/images4.1/task-jt.png
- us####.ika####.cn/images4.1/title-bg.jpg
- us####.ika####.cn/interface!getExtendInfo.xhtml?id=####&cnid=####&uid=##...
- us####.ika####.cn/interface!getRegistGift.xhtml?cnid=####&uid=####&imsi=...
- us####.ika####.cn/js/all.js?v=####
- us####.ika####.cn/js/base-new.js
- us####.ika####.cn/js/base.js
- us####.ika####.cn/js/base.js?v=####
- us####.ika####.cn/js/book.js?v=####
- us####.ika####.cn/js/echo.min.js
- us####.ika####.cn/js/jquery-1.7.2.min.js
- us####.ika####.cn/js/lazy.js
- us####.ika####.cn/js/myself.js?v=####
- us####.ika####.cn/js/swiper.min1.js
- us####.ika####.cn/js/touch.js
- us####.ika####.cn/js/touch.js?v=####
- us####.ika####.cn/js/user.js?v=####
- us####.ika####.cn/js/zepto.min.js
- us####.ika####.cn/js/zepto.min.js?v=####
- us####.ika####.cn/pushServer/uploadClientId?cid=####&cnid=####&uid=####&...
- us####.ika####.cn/rest/user/register?pckName=####&cnid=####&uid=####&ims...
- us####.ika####.cn/user!getExitRemind.xhtml?cnid=####&uid=####&imsi=####&...
- us####.ika####.cn/user!readTask.xhtml?cnid=####&cnsubid=####&umeng=####&...
- z####.ika####.cn/log.js?$cnid=####&uid=####&imsi=####&imei=####&cnsubid=...
- z####.ika####.cn/log.js?cnid=####&uid=####&imsi=####&imei=####&cnsubid=#...
- z####.ika####.cn/log.js?uid=####&cnid=####&imsi=####&imei=####&cnsubid=#...
Запросы HTTP POST:
- a####.u####.com/app_logs
- c-h####.g####.com/api.php?format=####&t=####
- c.appj####.com/ad/splash/stats.html
- sdk.o####.p####.####.com/api.php?format=####&t=####
- sdk.o####.p####.####.com/api.php?format=####&t=####&d=####&k=####
- us####.ika####.cn/book/checkBookState?cnid=####&uid=####&imsi=####&imei=...
- us####.ika####.cn/interface!getAdInfo.xhtml?position=####&cnid=####&cnsu...
- us####.ika####.cn/validate!validateData.xhtml?v=####&n=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/.log.lock
- /data/data/####/.log.ls
- /data/data/####/17kAppPrefs.xml
- /data/data/####/61b95de2d7b7
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/ch_readerv3.db-journal
- /data/data/####/common.db-journal
- /data/data/####/config.db-journal
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/f_00001f
- /data/data/####/f_000020
- /data/data/####/f_000021
- /data/data/####/f_000022
- /data/data/####/f_000023
- /data/data/####/f_000024
- /data/data/####/f_000025
- /data/data/####/f_000026
- /data/data/####/f_000027
- /data/data/####/f_000028
- /data/data/####/f_000029
- /data/data/####/f_00002a
- /data/data/####/f_00002b
- /data/data/####/f_00002c
- /data/data/####/f_00002d
- /data/data/####/f_00002e
- /data/data/####/f_00002f
- /data/data/####/f_000030
- /data/data/####/f_000031
- /data/data/####/f_000032
- /data/data/####/f_000033
- /data/data/####/f_000034
- /data/data/####/gdaemon_20161017
- /data/data/####/gkt-journal
- /data/data/####/gx_sp.xml
- /data/data/####/http_zwsc.ikanshu.cn_0.localstorage-journal
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/init_c.pid
- /data/data/####/jg_app_update_settings_random.xml
- /data/data/####/libjiagu.so
- /data/data/####/mipush.xml
- /data/data/####/mipush_extra.xml
- /data/data/####/mobclick_agent_header_com.dz.xiaoshuo.xml
- /data/data/####/mobclick_agent_state_com.dz.xiaoshuo.xml
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/tdata_RSQ274
- /data/data/####/tdata_RSQ274.jar
- /data/data/####/tdata_RbW195
- /data/data/####/tdata_RbW195.jar
- /data/data/####/tdata_qHR433
- /data/data/####/tdata_qHR433.jar
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/._cer
- /data/media/####/.nomedia
- /data/media/####/.zb
- /data/media/####/1a32hvk53fdq0doogvfiqjszm.tmp
- /data/media/####/20190317
- /data/media/####/20190317AdRequest
- /data/media/####/23gbfkyxxv1xvb01h2pn5uit6.tmp
- /data/media/####/2e3azeco1r00g5l0net1gferh.tmp
- /data/media/####/2i97cb8xjsyr2eesc0wzoi0dv.tmp
- /data/media/####/3221076
- /data/media/####/3221076.tmp
- /data/media/####/329366.jpg
- /data/media/####/419gdcdnvvu3ptunswpseu2n6.tmp
- /data/media/####/4b3hp1tzyaey93j19qydrqvxw.tmp
- /data/media/####/4ft95av7lcf699bh332kwsz6e.tmp
- /data/media/####/4lvt4qunxwlizjmfuu64jtsin.tmp
- /data/media/####/4lyx4kevm8l6bei8xncwy1cj9.tmp
- /data/media/####/4t09ygvi67gpej41ep3mdikth.tmp
- /data/media/####/4vvqhquibewiyumg7x3enss5t.tmp
- /data/media/####/50013396.jpg
- /data/media/####/5lk9eir74fy0ie8brpe8p4dxr.tmp
- /data/media/####/5nmvbm0ub825of9cmsb6cftjn.tmp
- /data/media/####/5s5e7vnpttd7aqx6mr7at53e9.tmp
- /data/media/####/5zjubcq19q2c68gcwbe7bi19d.tmp
- /data/media/####/60360651.jpg
- /data/media/####/60371096.jpg
- /data/media/####/60592863.jpg
- /data/media/####/60733638.jpg
- /data/media/####/69br76823k60gncc1wdvy38io.tmp
- /data/media/####/6ilyg4tq9ynwi0bq4q25yzk02.tmp
- /data/media/####/75jbybor0mpri2g6fyquije2k.tmp
- /data/media/####/778n4xnwbeczrbqgouywzumy.tmp
- /data/media/####/7fckwycndvnf4bhm1axu2zg8v.tmp
- /data/media/####/app.db
- /data/media/####/app_feeds_info_data
- /data/media/####/com.dz.xiaoshuo.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/dir.ski
- /data/media/####/gkt-journal
- /data/media/####/gktper
- /data/media/####/inventoryFile.txt
- /data/media/####/paihang.png
- /data/media/####/qiandao.png
- /data/media/####/renmen.png
- /data/media/####/side_50.zip
- /data/media/####/slide_frame_module_item_data
- /data/media/####/songqian.png
- /data/media/####/tdata_RSQ274
- /data/media/####/tdata_RbW195
- /data/media/####/tdata_qHR433
- /data/media/####/test.log
- /data/media/####/ufhl8im5hsp8b5qtvrez4s1.tmp
- /data/media/####/v5kydzia0uvazyswp3zcr2ds.tmp
- /data/media/####/vip.png
- /data/media/####/xianmian.png
- /data/media/####/zipJsonFile.txt
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 24513 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- logcat -d -v raw -s AndroidRuntime:E -p <Package>
- mount
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 24513 300 0
Загружает динамические библиотеки:
- getuiext2
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5PADDING
- AES-CFB-NoPadding
- AES-ECB-PKCS5Padding
- RSA
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
- RSA-None-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-PKCS5Padding
- RSA-None-PKCS1Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Получает информацию о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
