Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) z####.i####.com:80
- TCP(HTTP/1.1) scb.c####.i####.####.com:80
- TCP(HTTP/1.1) cou####.kso####.com:80
- TCP(HTTP/1.1) p####.i####.com:80
- TCP(HTTP/1.1) 25279a5####.ksy####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) o.d####.mi####.####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) vip.i####.com:80
- TCP(HTTP/1.1) 1####.29.29.29:80
- TCP(HTTP/1.1) ser####.i####.com:80
- TCP(HTTP/1.1) mobile####.c####.i####.####.com:80
- TCP(HTTP/1.1) ai-v####.i####.com:80
- TCP(HTTP/1.1) gl####.v.kunl####.####.com:80
- TCP(HTTP/1.1) abroad-####.k####.com:80
- TCP(HTTP/1.1) www.cmpass####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) dict-mo####.i####.com:80
- TCP(TLS/1.0) s####.we####.com:443
- TCP(TLS/1.0) e####.kso####.com:443
- TCP(TLS/1.0) feed####.king####.com:443
- TCP(TLS/1.0) ap####.king####.com:443
- TCP 43.2####.145.67:5227
- TCP sdk.o####.t####.####.com:5224
- TCP t####.nz4.ig####.com:5224
Запросы DNS:
- a####.u####.com
- abroad-####.k####.com
- ai-v####.i####.com
- ap####.king####.com
- cou####.kso####.com
- d####.mi####.xi####.com
- dict-mo####.i####.com
- e####.kso####.com
- feed####.king####.com
- invite-####.c####.i####.com
- l####.tbs.qq.com
- li####.c####.i####.com
- mobile####.c####.i####.com
- mobile####.k####.ks####.com
- p####.i####.com
- s####.we####.com
- sc####.i####.com
- scb.c####.i####.com
- sdk.c####.ig####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- ser####.i####.com
- t####.nz4.g####.net
- t####.nz4.ge####.com
- t####.nz4.ig####.com
- vip.i####.com
- www.cmpass####.com
- z####.i####.com
Запросы HTTP GET:
- abroad-####.k####.com/proof.html
- ai-v####.i####.com/checkUseSdk?client=####&sourceId=####&source=####&uid...
- cou####.kso####.com/ad.php?q=####&_=####
- dict-mo####.i####.com/interface/index.php?c=####&m=####&client=####&v=##...
- dict-mo####.i####.com/interface/index.php?c=####&m=####&company=####&mod...
- dict-mo####.i####.com/interface/index.php?c=####&m=####&id=####&client=#...
- dict-mo####.i####.com/interface/index.php?c=####&m=####&pos=####&kind=##...
- dict-mo####.i####.com/interface/index.php?c=####&m=####&type=####&lastti...
- dict-mo####.i####.com/interface/index.php?client=####&sourceId=####&sour...
- dict-mo####.i####.com/interface/index.php?sign=####×tamp=####&uid=#...
- dict-mo####.i####.com/interface/index.php?uid=####&client=####&c=####&wi...
- dict-mo####.i####.com/msg/index.php?act=####&starttime=####&endtime=####...
- dict-mo####.i####.com/msg/index.php?mod=####&act=####&client=####&v=####...
- dict-mo####.i####.com/msg/index.php?mod=####&act=####&id=####&category=#...
- gl####.v.kunl####.####.com/v10/feature_operation/2018-08-10/1533881664da...
- gl####.v.kunl####.####.com/v10/feature_operation/2018-09-11/153666598188...
- gl####.v.kunl####.####.com/v10/feature_operation/2018-09-27/153803905768...
- mobile####.c####.i####.####.com/1470970797-3774_oldwomen.jpg
- mobile####.c####.i####.####.com/1471572120-5862_taobao.png
- mobile####.c####.i####.####.com/1473301577-9918_la.png
- mobile####.c####.i####.####.com/1475230905-7778_li.png
- mobile####.c####.i####.####.com/1478605608-4835_icon.png
- mobile####.c####.i####.####.com/1480662900-7215_shengciben.png
- mobile####.c####.i####.####.com/1480662983-2601_tingli.png
- mobile####.c####.i####.####.com/1480663126-4520_yuedu.png
- mobile####.c####.i####.####.com/1482474164-8547_anzhuoxinban.png
- mobile####.c####.i####.####.com/1483610777-4996_WechatIMG25.png
- mobile####.c####.i####.####.com/1493126448-3238_{9C76C261-0538-4EB0-ADC0...
- mobile####.c####.i####.####.com/1494924268-8130_Group 18.png
- mobile####.c####.i####.####.com/1495869114-328_icon_???.####
- mobile####.c####.i####.####.com/1497491279-7932_icon_????.####
- mobile####.c####.i####.####.com/1497837793-7033_shucheng.png
- mobile####.c####.i####.####.com/1497837810-7868_jingpinke.png
- mobile####.c####.i####.####.com/1503487379-8412_xin.png
- mobile####.c####.i####.####.com/1504229232-2939_1Slice@2x.png
- mobile####.c####.i####.####.com/1505193746-175_icon.png
- mobile####.c####.i####.####.com/1506678300-8940_xin.png
- mobile####.c####.i####.####.com/1507777811-7653_icon.png
- mobile####.c####.i####.####.com/1508494280-3490_dou.png
- mobile####.c####.i####.####.com/1510042524-9463_Group@2x.png
- mobile####.c####.i####.####.com/1554953491_955871_ecbad.png
- mobile####.c####.i####.####.com/feeds_ad/f4a0cef6dd3d77105046641568122e0...
- mobile####.c####.i####.####.com/feeds_ad/ff1f90ba4ff8492431355cb2fe5c5de...
- mobile####.c####.i####.####.com/listening/image/scholarship/2018-08-03/1...
- mobile####.c####.i####.####.com/listening/image/scholarship/2018-08-10/1...
- mobile####.c####.i####.####.com/listening/image/scholarship/2019-03-20/1...
- mobile####.c####.i####.####.com/listening/image/scholarship/2019-03-29/1...
- mobile####.c####.i####.####.com/listening/image/scholarship/2019-04-29/1...
- mobile####.c####.i####.####.com/listening/image/scholarship/2019-05-06/1...
- mobile####.c####.i####.####.com/listening/image/voice/small/2018-07-16/0...
- p####.i####.com/index.php?client=####&sourceId=####&source=####&uid=####...
- p####.i####.com/weixin/getMch?client=####&sourceId=####&source=####&uuid...
- scb.c####.i####.####.com/cabf6a5697ea13c72caf1d0fd6b6fad2.jpg
- ser####.i####.com/popo/activity/mobileIndex/v2?client=####×tamp=###...
- ser####.i####.com/popo/activity/taotoken?client=####×tamp=####&uid=...
- ser####.i####.com/popo/open/interval?sign=####&uid=####×tamp=####&v...
- ser####.i####.com/popo/version/introduce?client=####&v=####&sv=####&uuid...
- t####.c####.q####.####.com/config/bj-bjv7.conf
- t####.c####.q####.####.com/config/hz-bjv8.conf
- vip.i####.com/vip/act?client=####&uid=####&uuid=####&sv=####&v=####&iden...
- z####.i####.com/zixun/v10/home?client=####&sourceId=####&source=####&uid...
Запросы HTTP POST:
- 25279a5####.ksy####.com/lock/screen/card
- a####.u####.com/app_logs
- abroad-####.k####.com/api/dynamicParam/v1/app/ed5e390b9ddab4cd
- dict-mo####.i####.com/msg/index.php?mod=####&act=####&&client=####&v=###...
- dict-mo####.i####.com/msg/index.php?mod=####&act=####&client=####&v=####...
- l####.tbs.qq.com/ajax?c=####&k=####
- o.d####.mi####.####.com/mistats/v2
- ser####.i####.com/comment/message/noticecount?uid=####×tamp=####&si...
- ser####.i####.com/popo/open/screens/v3?client=####&v=####&sv=####&uuid=#...
- www.cmpass####.com/openapi/queryloginconfig?ver=####&sourceid=####&appid...
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/2684b8e9e09c106d367f33a2d06eaae3.tmp
- /data/data/####/4a08c87f00dbc69cc83f230d4d07a4455424538aea07748....0.tmp
- /data/data/####/768210fe9efd1400427a5ebfc2c93ead022d949f92d4ce6....0.tmp
- /data/data/####/84d4f516fa30b61c86fc629b0610f2ff1cb19c09794af77....0.tmp
- /data/data/####/8740bf409ddf4f66b5a0bb1dfd36f48fe8fd75a4dfa94ab....0.tmp
- /data/data/####/AdBackground.db
- /data/data/####/AdBackground.db-journal
- /data/data/####/Alvin2.xml
- /data/data/####/BaseBackground.db
- /data/data/####/BaseBackground.db-journal
- /data/data/####/ContextData.xml
- /data/data/####/DouAdapter
- /data/data/####/KSOStat.db-journal
- /data/data/####/MultiDex.lock
- /data/data/####/StatSupport.db-journal
- /data/data/####/UMC_SDK_ACCOUNT.xml
- /data/data/####/a7a44ef6c6c4032acff5fcb8eace45529fde45299f75a86....0.tmp
- /data/data/####/ad0e7d30bd9ac701c5eb1ce9521751dbaea82f3661f7669....0.tmp
- /data/data/####/admob.db-journal
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/com.kingsoft_preferences.xml
- /data/data/####/core_info
- /data/data/####/ddb9e2f4d1326de926691445f55964a84c95af89536cbe7....0.tmp
- /data/data/####/dmdata.xml
- /data/data/####/e3a2d639a5ce3e71b8cb58539805c3e7776e9654b13762a....0.tmp
- /data/data/####/e99cc4792361a7692a91e3eaea8c6a982c760dc64a027b8....0.tmp
- /data/data/####/ee9098edb76205466ec894482442c21463493225f1b7e02....0.tmp
- /data/data/####/ef5b8b2b1424eb2fb5b12a4fb1bfa43d6e9e4010d6fa162....0.tmp
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f88af713ed194194ebedca85bccf594e5a5c06b78efac90....0.tmp
- /data/data/####/fb1bed26a2fe8a7ef3c0b173469df92c00d6595d4e86bb9....0.tmp
- /data/data/####/getui_sp.xml
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/libjiagu-1400443340.so
- /data/data/####/mistat.db
- /data/data/####/mistat.db-journal
- /data/data/####/mistat.xml
- /data/data/####/mistat67C470FAE5A4F77547B9E503FC53A12C214D5CB3.xml
- /data/data/####/mistatD1D166923887570CA383B0FEBB815F8EE0ABA4A9.xml
- /data/data/####/multidex.version.xml
- /data/data/####/powerword.db
- /data/data/####/powerword.db-journal
- /data/data/####/powerword.db-shm
- /data/data/####/powerword.db-wal
- /data/data/####/powerword.xml
- /data/data/####/powerword_times.xml
- /data/data/####/push.pid
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/sd.xml
- /data/data/####/support.stat.xml
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_config.xml.bak
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tydMoblieAgent_sys_config.xml
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/xieyi.xml
- /data/media/####/-625326547
- /data/media/####/.nomedia
- /data/media/####/15313533766796a619a35b12796ab7dc.0.tmp
- /data/media/####/2238e9c67f8d4faa80ea7a5a0817b849.0.tmp
- /data/media/####/261a57bc5be21cadea4ac88b5f94fb31.0.tmp
- /data/media/####/2b132bc772e5815a88ce55ed918d72c4
- /data/media/####/2da7060dccf43996ca9342a4de4e8300.0.tmp
- /data/media/####/38e8ea0c0fd24e0509538069b06f7b0d.0.tmp
- /data/media/####/39b04632ae4c7d18c1b3f9736d81d34b.0.tmp (deleted)
- /data/media/####/3e87577d5549abcdb1b5641566ec5ec0.0.tmp
- /data/media/####/572b5df8f2b80f7b570053a2bc17ad0e.0.tmp
- /data/media/####/59562e7e4034d0b60d6e2ea77f16d076.0.tmp
- /data/media/####/657144876
- /data/media/####/6cc5a6cae35f3d92e084a73a4fcfa710.0.tmp
- /data/media/####/6fdf23a54ab1dbbbe8d1ef6506dc8939
- /data/media/####/75e489c84bb837de0bdc8b2c00ca5464.0.tmp
- /data/media/####/824a73be2e8ae181fad51442c17396a6.0.tmp
- /data/media/####/82a9be7acd8a356f0816144200eb5267.0.tmp (deleted)
- /data/media/####/8a7ba4f2c88e493f12eb6e50b3c7a92b.0.tmp
- /data/media/####/9570b94ede11bd94910b095704cc6855.0.tmp
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/a79c0a56f4161e4fb454659f0655b533.0.tmp
- /data/media/####/app.db
- /data/media/####/b279877576d3ec79b2f33305e4137dd0.0.tmp
- /data/media/####/b718443e5b807f73741481e8a4831e6b.0.tmp
- /data/media/####/b97505506c9d562ab5fdb96f36e43a9e.0.tmp
- /data/media/####/ba2f3df00438fc639ce03a9fed3eabe7.0.tmp
- /data/media/####/bdd07ae09c516120167e6b7af80f4f39.0.tmp
- /data/media/####/c370a53f34f6a4b4c019eba4271bc8fd.0.tmp
- /data/media/####/c884f183b3717d5b6c72121f243e13b4.0.tmp
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.kingsoft.bin
- /data/media/####/com.kingsoft.db
- /data/media/####/hotword
- /data/media/####/journal
- /data/media/####/journal.tmp
- /data/media/####/statistictime
Другие:
Запускает следующие shell-скрипты:
- <Package Folder>/app_bin/daemon -p <Package> -s <Package>.service.LockScreenService -t 10
- getprop ro.product.brand
- getprop ro.product.cpu.abi
Загружает динамические библиотеки:
- getuiext2
- libjiagu-1400443340
- utils-jni
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
- RSA-ECB-NoPadding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
