Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) up####.sdk.jig####.cn:80
- TCP(HTTP/1.1) s####.m.img####.com:80
- TCP(HTTP/1.1) l####.tbs.qq.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) cdn.43####.com:80
- TCP(HTTP/1.1) 1####.29.29.29:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) p####.43####.com:80
- TCP(HTTP/1.1) cloud####.fengkon####.com:80
- TCP(HTTP/1.1) sdk-ope####.g####.com:80
- TCP(HTTP/1.1) f1.img####.com:80
- TCP(HTTP/1.1) 2####.107.1.33:80
- TCP(HTTP/1.1) f####.fengkon####.com:80
- TCP(TLS/1.0) ali-s####.j####.cn:443
- TCP(TLS/1.0) m####.439####.net:443
- TCP(TLS/1.0) t####.j####.cn:443
- TCP pus####.43####.com:4800
- TCP sdk.o####.t####.####.com:5224
- UDP s.j####.cn:19000
- TCP c####.g####.ig####.com:5224
- TCP 43.2####.88.72:7006
Запросы DNS:
- 7j####.c####.z0.####.com
- ali-s####.j####.cn
- c####.g####.ig####.com
- c-h####.g####.com
- cdn.43####.com
- cloud####.fengkon####.com
- f####.fengkon####.com
- f1.img####.com
- l####.tbs.qq.com
- m####.439####.net
- p####.43####.com
- pus####.43####.com
- s####.m.img####.com
- s.j####.cn
- sdk-ope####.g####.com
- sdk.c####.ig####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- sis.j####.io
- sj2.img####.com
- t####.j####.cn
- up####.sdk.jig####.cn
- www.b####.com
Запросы HTTP GET:
- cdn.43####.com/android/box/general/v1.0/adverts-start-coverSize-1-mareac...
- cdn.43####.com/android/box/player/v3.1.1/miniGame-entryConfig-mareacode-...
- cdn.43####.com/app/android/v3.0/config-dailySign-mareacode-999998.html
- cdn.43####.com/app/android/v3.4/config-common-mareacode-999998.html
- cdn.43####.com/app/android/v3.4/config-common.html
- cdn.43####.com/app/android/v4.4.1/game-index-mareacode-999998.html
- cdn.43####.com/app/forums/android/v2.1/chat-faces-mareacode-999998.html
- cdn.43####.com/app/forums/android/v3.3/chat-faces-mareacode-999998.html
- cdn.43####.com/user/sns/box/android/v1.0/headgear-feature-id-149-mareaco...
- f1.img####.com/box~cp/7402019/05/17/14_hKzIQc.200x250.gif
- f1.img####.com/downloader/tpl/game/template449.zip
- f1.img####.com/downloader/tpl/thread/template579.zip
- f1.img####.com/downloader/upload/toutao/qiangpozheng/jh.zip
- f1.img####.com/ma~111591_logo2_a8fa.jpg~124x124
- f1.img####.com/ma~113253_logo2_8c89.jpg~124x124
- f1.img####.com/ma~115227_logo2_0d49.jpg~124x124
- f1.img####.com/ma~115956_logo2_0aa7.jpg~124x124
- f1.img####.com/ma~118707_logo2_8bf5.jpg~124x124
- f1.img####.com/ma~120684_logo2_e1e6.jpg~124x124
- f1.img####.com/ma~121235_logo2_545a.jpg~124x124
- f1.img####.com/ma~121724_logo2_2267.jpg~124x124
- f1.img####.com/ma~124040_logo2_adea.jpg~124x124
- f1.img####.com/ma~134002_logo2_ab14.jpg~124x124
- f1.img####.com/ma~138325_logo2_2c5c.jpg~124x124
- f1.img####.com/ma~139488_logo2_9b3e.jpg~124x124
- f1.img####.com/ma~140225_logo2_d45a.jpg~124x124
- f1.img####.com/ma~167_20190501140620_5cc9375cd8fcd.gif
- f1.img####.com/ma~27_20170706154005_595de955018bc.png
- f1.img####.com/ma~30_20180423163038_5add99aec4cca.png
- f1.img####.com/ma~30_20180423163205_5add9a05191b8.png
- f1.img####.com/ma~34084_logo2_8ae3.jpg~124x124
- f1.img####.com/ma~425_20190404140500_5ca59e8c8c5eb.png
- f1.img####.com/ma~425_20190404140653_5ca59efddbac5.png
- f1.img####.com/ma~425_20190404140730_5ca59f227b86c.png
- f1.img####.com/ma~425_20190404140829_5ca59f5daca38.png
- f1.img####.com/ma~425_20190404140924_5ca59f944aba0.png
- f1.img####.com/ma~425_20190404141019_5ca59fcb1676f.png
- f1.img####.com/ma~425_20190404141058_5ca59ff2cecd2.png
- f1.img####.com/ma~425_20190404141202_5ca5a03227a44.png
- f1.img####.com/ma~425_20190404141331_5ca5a08b3d7dc.jpeg
- f1.img####.com/ma~wap_s2_1558146724
- f1.img####.com/ma~wap_s2_1558154979
- p####.43####.com/cloud.php?act=####&rectime=####&appid=####&uid=####&fla...
- p####.43####.com/cloud.php?act=####&rectime=####&flag=####&data=####
- t####.c####.q####.####.com/config/hz-hzv6.conf
- t####.c####.q####.####.com/tdata_LsR975
- t####.c####.q####.####.com/tdata_RyW085
- t####.c####.q####.####.com/tdata_YYn966
- t####.c####.q####.####.com/tdata_lOE499
Запросы HTTP HEAD:
- f1.img####.com/downloader/tpl/game/template449.zip
- f1.img####.com/downloader/tpl/thread/template579.zip
Запросы HTTP POST:
- c-h####.g####.com/api.php?format=####&t=####
- cdn.43####.com//android/box/v1.0/config-tabs-mareacode-999998.html
- cloud####.fengkon####.com/v2/device/conf
- cloud####.fengkon####.com/v2/device/profile
- f####.fengkon####.com/v2/device/profile
- l####.tbs.qq.com/ajax?c=####&k=####
- s####.m.img####.com/trace/<Package>/1.0/360/
- s####.m.img####.com/trace/<Package>/1.0/360/1100ghBYyvlmXJ1wKatpKdeb8
- s####.m.img####.com/trace/<Package>/1.0/Unknown/.config?version=####
- sdk-ope####.g####.com/api.php?format=####&t=####
- up####.sdk.jig####.cn/v1/push/sdk/postlist
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.jg.ic
- /data/data/####/.policy
- /data/data/####/02bfc27ffb58b9a3796a629dbcb3ab08721b757150a1c08....0.tmp
- /data/data/####/0371e135bb77adc858e5a0212b703013b2e23f6d617eeca....0.tmp
- /data/data/####/0bf80b62087e10cfb7660c155184c0e5212dd2554835187....0.tmp
- /data/data/####/0c946c984c5a9dc948165ee6be80a3bbca2a20d50e64c35....0.tmp
- /data/data/####/1.0d33c0f3.chunk.js
- /data/data/####/1.0d33c0f3.chunk.js.map
- /data/data/####/1089422b5ec3c41a08dffd7ccbf5d75fbebd553dee819b3....0.tmp
- /data/data/####/11e6e326ce819cd5518e04a56f4f976da954e255636baab....0.tmp
- /data/data/####/134f94d21971037b06b5f2cabe4a2f30c5b365553aa86cb....0.tmp
- /data/data/####/137dde1e322a486ebcd16174fe7f7cb84d2508f38ba679b....0.tmp
- /data/data/####/1732f60d56d2ca329701fa5408cdc2f9e82ae2c3e27d12a....0.tmp
- /data/data/####/1732f60d56d2ca329701fa5408cdc2f9e82ae2c3e27d12a...26c3.0
- /data/data/####/1f27cf225ed5b7a772945460d87181514001b31f8d537b9....0.tmp
- /data/data/####/203dfc0b89b36a00fccbe7bedf135df5a1fef7ae1f6072e....0.tmp
- /data/data/####/257ff3adbf5c8d79dff9bc56a8061af2c659676de96afc9....0.tmp
- /data/data/####/285e2c40-6ef0-47a5-b718-fbcce476e91f
- /data/data/####/2e88599838ce1ef3c5c0146f145bd4ef7ccbf08fa4b4bf2....0.tmp
- /data/data/####/3932ec93355bab1b9091f5aeb71f803459ceae3a4bd805e....0.tmp
- /data/data/####/3bba2521723197db4237d663e16503ff3ca485e322a8c88....0.tmp
- /data/data/####/3be2849659c76ba03e8f31a08572191712f848e14317fea....0.tmp
- /data/data/####/40319bf0352832e54afb9233621350ea15798cc5eac7d50....0.tmp
- /data/data/####/419aac51760ec642e3ed4921352471cc71b4184cba3e202....0.tmp
- /data/data/####/44c6dbe634f9911f3432a84d394678b410432bc0b2d3d13....0.tmp
- /data/data/####/4596f94b-fcc5-498c-9b8d-449f69b9f5d2
- /data/data/####/45e2f3952b48f0550edcf88e01270571c62d0589197caab....0.tmp
- /data/data/####/4a286956f9db67129dfef7474a4903b033f7a6cae9d9b64....0.tmp
- /data/data/####/4b4f74186ecf1abb52b1ac2c7e996796a3c1cb94b22fdcf....0.tmp
- /data/data/####/4b4f74186ecf1abb52b1ac2c7e996796a3c1cb94b22fdcf...340f.0
- /data/data/####/5483d8bb-b463-491d-9f91-38de482124bb
- /data/data/####/5ae1635d4549f5e59457c55e1ef21698.0.tmp
- /data/data/####/5e226957947348612a7f84a6a374e43a.0.tmp
- /data/data/####/5e3bda2fe5e45d5ca15cc41b0830504811529fb0c603dae....0.tmp
- /data/data/####/60c3e31b5b974f00f18e24407e4c26021c9e06863dccaa9....0.tmp
- /data/data/####/60d01c932743e5510f2c561f9c44092c.0.tmp
- /data/data/####/6477a7617dbb0d6329495aafd1bb67faa92d1135e41bd40....0.tmp
- /data/data/####/684d2b7750bd795df50ca1427c43e7bc4a6b90c1ce9b1fd....0.tmp
- /data/data/####/6968dea9fb6c88650018759459c2c0d7.0.tmp
- /data/data/####/6d6e44a9709efb76c67fe42601778e0373c5e8f2ea9b129....0.tmp
- /data/data/####/70ffa18133fb7025f60e3976bc9d0fdd64f3f38ad936772....0.tmp
- /data/data/####/74566d49c24bb0dc45eb1cfd365fe3706441119a977cca0....0.tmp
- /data/data/####/751b054e5fc3dfcfb273f42f78a9d56fe3947034d0e15b1....0.tmp
- /data/data/####/7731d16e69fa823b97bf0c01f18aa9723b7d384c5b14e4c....0.tmp
- /data/data/####/7a597029452e8a06254ecf99c1455941658be529a7518f3....0.tmp
- /data/data/####/7bd0793796f4f478d1dba5d939590c315a69265cc1d061e....0.tmp
- /data/data/####/82e7d894-09d1-41b4-b6c9-9c1161bbfe60
- /data/data/####/875113bd-f22d-47a9-8dc4-add0b0e485d1
- /data/data/####/89b62b30965a0bfa29ffe066e82d275c2e6857b16eff560....0.tmp
- /data/data/####/8cc41743faf6bbcef635a70f151147a1cdfa8466211cb2b....0.tmp
- /data/data/####/9514fbdd6089de3691957df2b8d131aff51667df520702c....0.tmp
- /data/data/####/JPushSA_Config.xml
- /data/data/####/MultiDex.lock
- /data/data/####/MyAnalytics_VERSION_INFO.xml
- /data/data/####/MyAnalytics_device_id.xml
- /data/data/####/MyAnalytics_general_config.xml
- /data/data/####/MyAnalytics_send_config.xml
- /data/data/####/UserInfo.xml
- /data/data/####/a4a20c983aa74a24d943a5b61aab063866b2241c1fba511....0.tmp
- /data/data/####/a85d94b54238d1871c66363bc66f47ff.0.tmp
- /data/data/####/a986a9f644820377adc274684df4c6e69e16b435a57c1a1....0.tmp
- /data/data/####/ab1275c071775c8dddbbe977165d0b3308e0ba6cf474040....0.tmp
- /data/data/####/ab93b6ee7ddd59a0b7a02470ebc7818d0fb35b57a946c30....0.tmp
- /data/data/####/adc3f4424e34293d072979471c93d8fe57c2f5519f13978....0.tmp
- /data/data/####/appPackageNames_v2
- /data/data/####/asset-manifest.json
- /data/data/####/b0513c7c-3a1d-421a-8745-0d154b732acc
- /data/data/####/b834d43bdf2fae45e9f008fe639a2ccf78eebc5ce8a9044....0.tmp
- /data/data/####/b9cefd324cbbb1ab3e386f86dee9e442f014b5a56cd36c5....0.tmp
- /data/data/####/bd005fa02328ef85462a8b552822d28b8c1eef897ca25ad....0.tmp
- /data/data/####/c2df5758e15538d94e5d1ee1c4a3fde991136c52b76fbd7....0.tmp
- /data/data/####/c31a092105e4270527a5411e12fd036a07800882940c281....0.tmp
- /data/data/####/cb57709777e734bab0060d6025ff29ff33b384df7a80205....0.tmp
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/cd37825cf7f4c53cd37abad378216a2920404c1a135e6a9....0.tmp
- /data/data/####/cn.jpush.android.user.profile.xml
- /data/data/####/cn.jpush.preferences.v2.rid.xml
- /data/data/####/cn.jpush.preferences.v2.xml
- /data/data/####/com.m4399.gamecenter_preferences.xml
- /data/data/####/com.m4399.gamecenter_preferences.xml.bak
- /data/data/####/com.shumei.xml
- /data/data/####/comment.zip
- /data/data/####/core_info
- /data/data/####/d7d0c152367ad40cd2af915c17d9e4e2b03bccfdd1234ef....0.tmp
- /data/data/####/d9969589c10de308a89b1141fed6c7f47bcefd82174d76b....0.tmp
- /data/data/####/dc8cb47846da2f3df4d4f26ba0145c79016ec54c5323d40....0.tmp
- /data/data/####/download_upload
- /data/data/####/downloads.db-journal
- /data/data/####/e53be25a8adf07dc834de6075b4b33e44b0f26a8c2a1dbe....0.tmp
- /data/data/####/e875c17a62e0ec84156d69fab7d8d44b459a87c1e66a51c....0.tmp
- /data/data/####/e906ca231e0962fba64949a9cf4ae46c613a4504d91dad6....0.tmp
- /data/data/####/ecf4a9c4e3c462df43c8d020cc26833e6542c6bebad6de9....0.tmp
- /data/data/####/f118c43165ce77e6506b9543998e19face02b4f16150980....0.tmp
- /data/data/####/f1815c784c7025a0f8c04edf09318979a5312e1faec59fa....0.tmp
- /data/data/####/f9e703ca6dcc80dfd56819e298dd5ce25a3c7f257c34b00....0.tmp
- /data/data/####/favicon.ico
- /data/data/####/fbeed44c50465e27da2895600e7ac60c3a3aa765609a065....0.tmp
- /data/data/####/framework.db-journal
- /data/data/####/gamecenter183.db-journal
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/gkt-journal
- /data/data/####/index.html
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/jpush_device_info.xml
- /data/data/####/jpush_stat_cache.json
- /data/data/####/jpush_stat_cache_history.json
- /data/data/####/jpush_statistics.db
- /data/data/####/jpush_statistics.db-journal
- /data/data/####/jpush_statistics.db-shm (deleted)
- /data/data/####/jpush_statistics.db-wal
- /data/data/####/libjiagu1858054988.so
- /data/data/####/loading_content0.png
- /data/data/####/loading_content1.png
- /data/data/####/loading_content2.png
- /data/data/####/loading_content3.png
- /data/data/####/loading_content5.png
- /data/data/####/m4399AppEmoji3.0.json
- /data/data/####/m4399BBSEmoji3.0.json
- /data/data/####/main.09a595df.css
- /data/data/####/main.1b86c821.chunk.css
- /data/data/####/main.1b86c821.chunk.css.map
- /data/data/####/main.2d79b803.css
- /data/data/####/main.385c78bd.js
- /data/data/####/main.413200f9.js
- /data/data/####/main.598c208e.js
- /data/data/####/main.6949fe16.css
- /data/data/####/main.8e7f2df5.js
- /data/data/####/main.8eef9f55.chunk.js
- /data/data/####/main.8eef9f55.chunk.js.map
- /data/data/####/main.f9259969.css
- /data/data/####/manifest.json
- /data/data/####/mobclick_agent_cached_com.m4399.gamecenter1341
- /data/data/####/multidex.version.xml
- /data/data/####/placeholder.jpg
- /data/data/####/placeholder.png
- /data/data/####/plugin.meta
- /data/data/####/precache-manifest.6661aa4b38a334b2b54414b30b7e50d8.js
- /data/data/####/pref.headup.message.chat.unread.pt
- /data/data/####/push.jar
- /data/data/####/push.pid
- /data/data/####/push.zip
- /data/data/####/push_box_sdk_version.xml
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushk.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/run.pid
- /data/data/####/runtime~main.54148531.js
- /data/data/####/runtime~main.54148531.js.map
- /data/data/####/seq.xml
- /data/data/####/service-worker.js
- /data/data/####/skin_main_plugin_pref.xml
- /data/data/####/tbs_download_config.xml
- /data/data/####/tbs_download_stat.xml
- /data/data/####/tbs_pv_config
- /data/data/####/tbscoreinstall.txt
- /data/data/####/tbslock.txt
- /data/data/####/tdata_LsR975
- /data/data/####/tdata_LsR975.jar
- /data/data/####/tdata_RyW085
- /data/data/####/tdata_RyW085.jar
- /data/data/####/tdata_YYn966
- /data/data/####/tdata_YYn966.jar
- /data/data/####/tdata_lOE499
- /data/data/####/tdata_lOE499.jar
- /data/data/####/template.zip
- /data/data/####/tracker.db-journal
- /data/data/####/type1
- /data/data/####/type2
- /data/data/####/type3
- /data/data/####/umeng_general_config.xml
- /data/data/####/weekly_report.zip
- /data/media/####/.disys
- /data/media/####/.nomedia
- /data/media/####/.push_deviceid
- /data/media/####/.test.txt
- /data/media/####/.thumbcache_idx0
- /data/media/####/.udid
- /data/media/####/.z49ids
- /data/media/####/10001.png
- /data/media/####/10002.png
- /data/media/####/10003.png
- /data/media/####/10004.png
- /data/media/####/10005.png
- /data/media/####/10006.png
- /data/media/####/10007.png
- /data/media/####/10008.png
- /data/media/####/10009.png
- /data/media/####/10010.png
- /data/media/####/10011.png
- /data/media/####/10012.png
- /data/media/####/10013.png
- /data/media/####/10014.png
- /data/media/####/10015.png
- /data/media/####/10016.png
- /data/media/####/10017.png
- /data/media/####/10018.png
- /data/media/####/10019.png
- /data/media/####/10020.png
- /data/media/####/10021.png
- /data/media/####/10022.png
- /data/media/####/10023.png
- /data/media/####/10024.png
- /data/media/####/10025.png
- /data/media/####/10026.png
- /data/media/####/10027.png
- /data/media/####/10028.png
- /data/media/####/10029.png
- /data/media/####/10030.png
- /data/media/####/10031.png
- /data/media/####/10032.png
- /data/media/####/10033.png
- /data/media/####/10034.png
- /data/media/####/5cb6dbc6-5ff78.download
- /data/media/####/5cd519cb-2efa0.download
- /data/media/####/aio_file.zip
- /data/media/####/app.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.m4399.gamecenter.bin
- /data/media/####/com.m4399.gamecenter.db
- /data/media/####/com.m4399.gamecenter.sdklogin
- /data/media/####/config.json
- /data/media/####/gkt-journal
- /data/media/####/gktper
- /data/media/####/plugin_init.log
- /data/media/####/shumei.txt
- /data/media/####/t1v579.meta
- /data/media/####/t2v449.meta
- /data/media/####/tdata_LsR975
- /data/media/####/tdata_RyW085
- /data/media/####/tdata_YYn966
- /data/media/####/tdata_lOE499
- /data/media/####/test.log
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /proc/cpuinfo
- <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.service.GTPushService 24788 300 0
- cat /proc/self/cgroup
- chmod 700 <Package Folder>/files/gdaemon_20161017
- dmesg
- getprop ro.product.cpu.abi
- grep -i blueStacks
- grep -i virtualbox
- logcat -c
- ls /system/bin
- ls /system/lib
- ps
- sh
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/<Package>.service.GTPushService 24788 300 0
Загружает динамические библиотеки:
- getuiext2
- jcore123
- libjiagu1858054988
- m4399
- smsdk
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS5Padding
- AES-CFB-NoPadding
- AES-ECB-PKCS5Padding
- AES-ECB-PKCS7Padding
- DES-ECB-PKCS5Padding
- RSA-ECB-NoPadding
- RSA-ECB-PKCS1Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-ECB-NoPadding
- AES-ECB-PKCS5Padding
- DES-ECB-NoPadding
- DES-ECB-PKCS5Padding
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Осуществляет доступ к интерфейсу камеры.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Получает информацию о запущенных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
