Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Adware.Gexin.2.origin
Сетевая активность:
Подключается к:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) nb-####.oss-cn-####.aliy####.com:80
- TCP(HTTP/1.1) ip.ta####.com:80
- TCP(HTTP/1.1) hm.b####.com:80
- TCP(HTTP/1.1) t####.c####.q####.####.com:80
- TCP(HTTP/1.1) m.w####.cn:80
- TCP(HTTP/1.1) q.q####.cn:80
- TCP(HTTP/1.1) 2####.107.1.1:80
- TCP(HTTP/1.1) c####.api.newg####.com:80
- TCP(HTTP/1.1) c-h####.g####.com:80
- TCP(HTTP/1.1) w####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) qin####.com.www.####.com:80
- TCP(HTTP/1.1) sdk-ope####.g####.com:80
- TCP(TLS/1.0) et2-na6####.wagbr####.ali####.####.com:443
- TCP(TLS/1.0) w####.com.edg####.net:443
- TCP(TLS/1.0) weiboi####.g####.sina####.com:443
- TCP(TLS/1.0) m####.w####.cn:443
- TCP(TLS/1.0) tvaw####.g####.sina####.com:443
- TCP(TLS/1.0) m.w####.cn:443
- TCP sdk.o####.t####.####.com:5224
- TCP c####.g####.ig####.com:5227
Запросы DNS:
- 7j####.c####.z0.####.com
- a####.u####.com
- c####.api.newg####.com
- c####.g####.ig####.com
- c####.m.newg####.com
- c-h####.g####.com
- h5.sin####.cn
- hm.b####.com
- img.nb####.newg####.com
- ip.ta####.com
- log.u####.com
- m####.w####.cn
- m.w####.cn
- pub-####.qin####.com
- q.q####.cn
- s####.u####.com
- sdk-ope####.g####.com
- sdk.c####.ig####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.com
- sdk.o####.t####.####.net
- t####.sin####.cn
- w####.com
- www.w####.com
- wx1.sin####.cn
- wx2.sin####.cn
- wx3.sin####.cn
- wx4.sin####.cn
Запросы HTTP GET:
- c####.api.newg####.com/m/forum/50000000031016
- c####.api.newg####.com/m/forum/50000000031016/posts?limit=####&offset=####
- c####.api.newg####.com/m/m/node_modules/jquery/dist/jquery.js?h=####
- c####.api.newg####.com/m/m/page/forum-detail/images/title-bg.jpg?h=####
- c####.api.newg####.com/m/m/page/post-detail/images/button-like.png?h=####
- c####.api.newg####.com/m/m/pkg/page/forum-detail/forum-detail.html_aio.c...
- c####.api.newg####.com/m/m/pkg/page/forum-detail/forum-detail.html_aio.j...
- c####.api.newg####.com/m/m/pkg/page/post-detail/post-detail.html_aio.css...
- c####.api.newg####.com/m/m/pkg/page/post-detail/post-detail.html_aio.js?...
- c####.api.newg####.com/m/m/static/images/default_avatar.png
- c####.api.newg####.com/m/m/static/images/icon_loading.png?h=####
- c####.api.newg####.com/m/m/static/images/icon_reply.png?h=####
- c####.api.newg####.com/m/m/static/images/icon_view.png?h=####
- c####.api.newg####.com/m/m/static/lib/mod.js?h=####
- c####.api.newg####.com/m/m/widget/comment-list/images/icon-like.png?h=####
- c####.api.newg####.com/m/m/widget/to-top/icon3.png?h=####
- c####.api.newg####.com/m/post/60000000045411/comments?only_author=####&o...
- c####.api.newg####.com/m/post/60000000058435/comments?only_author=####&o...
- c####.api.newg####.com/m/posts/60000000045411
- c####.api.newg####.com/m/posts/60000000054018?Device-Id=####&f=####
- c####.api.newg####.com/m/posts/60000000058435?Device-Id=####&f=####
- c####.api.newg####.com/v2/api/forum/user/19690/focus_general
- c####.api.newg####.com/v2/api/forums/50000000031016
- c####.api.newg####.com/v2/api/forums/50000000031016/users?limit=####&off...
- c####.api.newg####.com/v2/api/game_assistant/ads?category=####
- c####.api.newg####.com/v2/api/games/10000000044532
- c####.api.newg####.com/v2/api/images/077cb39f48c4c969688b9efe8acf61f3.pn...
- c####.api.newg####.com/v2/api/images/09c82b28f1a48b175e311f5efa6b0a87.pn...
- c####.api.newg####.com/v2/api/images/0b57c8e8ba191a112e7c5ce29284ae13.jpeg
- c####.api.newg####.com/v2/api/images/0b8130f274c211491573772452a9e4d8.jpeg
- c####.api.newg####.com/v2/api/images/0c77d0eb0d857ab5161291cd223dbe53.pn...
- c####.api.newg####.com/v2/api/images/13d330ee1a20aed45552521cfab78bcb.jp...
- c####.api.newg####.com/v2/api/images/14f130f983ca0f242d9bcd6a3ba8e878.jp...
- c####.api.newg####.com/v2/api/images/16435617cd8a60baee0b24b4893dfe9d.pn...
- c####.api.newg####.com/v2/api/images/16a14b4e4c0c25ee892e323836994c39.jpeg
- c####.api.newg####.com/v2/api/images/1976d622d6355610706c0f696b0d9c56.jp...
- c####.api.newg####.com/v2/api/images/1a50d6ae93ce2ae5cc374305ff2fb998.jp...
- c####.api.newg####.com/v2/api/images/1cc121593a1c6ca5ff9dbfec8e65ee89.jp...
- c####.api.newg####.com/v2/api/images/22d853672d34bb87dbdf1cc4e5628dc8.pn...
- c####.api.newg####.com/v2/api/images/29346db50ef343447274457b0c786449.jpeg
- c####.api.newg####.com/v2/api/images/2b28804192ef8e5615dab2fcb7db1188.jp...
- c####.api.newg####.com/v2/api/images/3d8019424804cb7b55d6927af4d6fc4c.jpeg
- c####.api.newg####.com/v2/api/images/3f1d3965873509d9a3978be1fc2a3421.jp...
- c####.api.newg####.com/v2/api/images/41cc7c6be18110e600a97530666d5138.jpeg
- c####.api.newg####.com/v2/api/images/45fd1bc3e14bdd26ea3d31394cef9721.jp...
- c####.api.newg####.com/v2/api/images/5198c297961b0c3edf744132bd3a3cd1.jpg
- c####.api.newg####.com/v2/api/images/56a49ea0a25a9c4e1c343e793a539a7f.jp...
- c####.api.newg####.com/v2/api/images/6003daa6d497a0b6aa5278c92182c68b.jp...
- c####.api.newg####.com/v2/api/images/703fe80ca88156d1c4e9c5892865ce4f.jpeg
- c####.api.newg####.com/v2/api/images/7928c7c375e571a7317c5dfe67a23a0a.jp...
- c####.api.newg####.com/v2/api/images/7c464c1894260d63f8842ff4d6c8c2e2.jp...
- c####.api.newg####.com/v2/api/images/82d00293a14cdce398044c01e87a0fae.jpg
- c####.api.newg####.com/v2/api/images/83bdcd8f24473451cefcb6ed12d9bb22.jpg
- c####.api.newg####.com/v2/api/images/92b69fc2334c2ef7c574e81151c787bf.jp...
- c####.api.newg####.com/v2/api/images/94f0222b9daf450f6593e16fd429eb68.pn...
- c####.api.newg####.com/v2/api/images/9db2a3683b0735db8c121fda3aae7d09.jp...
- c####.api.newg####.com/v2/api/images/9f09abef16fd53eadb17b3faa70f46c3.jp...
- c####.api.newg####.com/v2/api/images/a906a75f0a81402a7712fe48529825f6.jp...
- c####.api.newg####.com/v2/api/images/b3b2f16e2529c13d794503e960dd2a99.jpeg
- c####.api.newg####.com/v2/api/images/bad9cbb852b22fe58e62f3f23c7d63d2.png
- c####.api.newg####.com/v2/api/images/c44fd57be0823e257dad6b04c112bda8.png
- c####.api.newg####.com/v2/api/images/ce2a6ee5b3a59dd2b5b39e797bf5764a.jpeg
- c####.api.newg####.com/v2/api/images/d16ba3047684a2dabb595dafbd3a8908.jpeg
- c####.api.newg####.com/v2/api/images/d3e32c9881a7430fea6aecef9c91f101.jp...
- c####.api.newg####.com/v2/api/images/d3e32c9881a7430fea6aecef9c91f101.jpeg
- c####.api.newg####.com/v2/api/images/d668f1715ac864930b65924087eeedfe.pn...
- c####.api.newg####.com/v2/api/images/db0baf9e156f02ffce8a19ff66ea4b20.jp...
- c####.api.newg####.com/v2/api/images/e0131e827580e5ba8414e069a0ccc6a4.jpeg
- c####.api.newg####.com/v2/api/images/e1d0386b1ab454785c1f54a3fa39fad2.jpg
- c####.api.newg####.com/v2/api/images/e428173ebfe7078a93c5d9d92f72eb71.jp...
- c####.api.newg####.com/v2/api/images/e612681278e284b0e1296efd988091ba.jp...
- c####.api.newg####.com/v2/api/images/e612681278e284b0e1296efd988091ba.jpeg
- c####.api.newg####.com/v2/api/images/eae28e6acefebd58313616312f8e5894.jpg
- c####.api.newg####.com/v2/api/images/f0964eb873062cd919a930bd166e6ab9.jp...
- c####.api.newg####.com/v2/api/images/f3b0f84ad550dd7ac28e80cd1ca9aa1d.pn...
- c####.api.newg####.com/v2/api/images/f6adeab38a436fae9121b91e1ecd890c.jp...
- c####.api.newg####.com/v2/api/images/ff41b46fdd65a4382ed75df078c22227.jpeg
- c####.api.newg####.com/v2/api/images/fff0c53e8ce37c42c81aeca085290e51.pn...
- c####.api.newg####.com/v2/api/medals/19690
- c####.api.newg####.com/v2/api/newgames_with_posts?offset=####&limit=####
- c####.api.newg####.com/v2/api/posts/50000000031016/sticky
- c####.api.newg####.com/v2/api/posts/50000000031016?limit=####&offset=###...
- c####.api.newg####.com/v2/api/posts/60000000054018/detail
- c####.api.newg####.com/v2/api/posts/60000000058435/detail
- c####.api.newg####.com/v2/api/user/19690/detail
- c####.api.newg####.com/v2/api/user/19690/dynamics?offset=####&limit=####
- c####.api.newg####.com/v2/api/user/19690/favor/games?offset=####&limit=#...
- c####.api.newg####.com/v2/api/user/19690/post_and_comment/supported
- c####.api.newg####.com/v2/api/user/19690/supported_list?limit=####&offse...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&ep=####&et=#...
- hm.b####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&vl=####&et=####&ja=#...
- hm.b####.com/hm.js?7507191####
- ip.ta####.com/service/getIpInfo2.php?ip=####
- m.w####.cn/ttarticle/p/show?id=####&jumpfrom=####&id=####
- nb-####.oss-cn-####.aliy####.com/077cb39f48c4c969688b9efe8acf61f3.png@!w...
- nb-####.oss-cn-####.aliy####.com/09c82b28f1a48b175e311f5efa6b0a87.png@!w...
- nb-####.oss-cn-####.aliy####.com/0b57c8e8ba191a112e7c5ce29284ae13.jpeg
- nb-####.oss-cn-####.aliy####.com/0b8130f274c211491573772452a9e4d8.jpeg
- nb-####.oss-cn-####.aliy####.com/0c77d0eb0d857ab5161291cd223dbe53.png@!w...
- nb-####.oss-cn-####.aliy####.com/13d330ee1a20aed45552521cfab78bcb.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/14f130f983ca0f242d9bcd6a3ba8e878.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/16435617cd8a60baee0b24b4893dfe9d.png@!w...
- nb-####.oss-cn-####.aliy####.com/16a14b4e4c0c25ee892e323836994c39.jpeg
- nb-####.oss-cn-####.aliy####.com/1976d622d6355610706c0f696b0d9c56.jpg@!w...
- nb-####.oss-cn-####.aliy####.com/1a50d6ae93ce2ae5cc374305ff2fb998.jpg@!w...
- nb-####.oss-cn-####.aliy####.com/1cc121593a1c6ca5ff9dbfec8e65ee89.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/22d853672d34bb87dbdf1cc4e5628dc8.png@!w...
- nb-####.oss-cn-####.aliy####.com/29346db50ef343447274457b0c786449.jpeg
- nb-####.oss-cn-####.aliy####.com/2b28804192ef8e5615dab2fcb7db1188.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/3d8019424804cb7b55d6927af4d6fc4c.jpeg
- nb-####.oss-cn-####.aliy####.com/3f1d3965873509d9a3978be1fc2a3421.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/41cc7c6be18110e600a97530666d5138.jpeg
- nb-####.oss-cn-####.aliy####.com/45fd1bc3e14bdd26ea3d31394cef9721.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/5198c297961b0c3edf744132bd3a3cd1.jpg
- nb-####.oss-cn-####.aliy####.com/56a49ea0a25a9c4e1c343e793a539a7f.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/6003daa6d497a0b6aa5278c92182c68b.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/703fe80ca88156d1c4e9c5892865ce4f.jpeg
- nb-####.oss-cn-####.aliy####.com/7928c7c375e571a7317c5dfe67a23a0a.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/7c464c1894260d63f8842ff4d6c8c2e2.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/82d00293a14cdce398044c01e87a0fae.jpg
- nb-####.oss-cn-####.aliy####.com/83bdcd8f24473451cefcb6ed12d9bb22.jpg
- nb-####.oss-cn-####.aliy####.com/92b69fc2334c2ef7c574e81151c787bf.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/94f0222b9daf450f6593e16fd429eb68.png@!w...
- nb-####.oss-cn-####.aliy####.com/9db2a3683b0735db8c121fda3aae7d09.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/9f09abef16fd53eadb17b3faa70f46c3.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/a906a75f0a81402a7712fe48529825f6.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/b3b2f16e2529c13d794503e960dd2a99.jpeg
- nb-####.oss-cn-####.aliy####.com/bad9cbb852b22fe58e62f3f23c7d63d2.png
- nb-####.oss-cn-####.aliy####.com/c44fd57be0823e257dad6b04c112bda8.png
- nb-####.oss-cn-####.aliy####.com/ce2a6ee5b3a59dd2b5b39e797bf5764a.jpeg
- nb-####.oss-cn-####.aliy####.com/d16ba3047684a2dabb595dafbd3a8908.jpeg
- nb-####.oss-cn-####.aliy####.com/d3e32c9881a7430fea6aecef9c91f101.jpeg
- nb-####.oss-cn-####.aliy####.com/d3e32c9881a7430fea6aecef9c91f101.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/d668f1715ac864930b65924087eeedfe.png@!w...
- nb-####.oss-cn-####.aliy####.com/db0baf9e156f02ffce8a19ff66ea4b20.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/e0131e827580e5ba8414e069a0ccc6a4.jpeg
- nb-####.oss-cn-####.aliy####.com/e1d0386b1ab454785c1f54a3fa39fad2.jpg
- nb-####.oss-cn-####.aliy####.com/e428173ebfe7078a93c5d9d92f72eb71.jpg@!w...
- nb-####.oss-cn-####.aliy####.com/e612681278e284b0e1296efd988091ba.jpeg
- nb-####.oss-cn-####.aliy####.com/eae28e6acefebd58313616312f8e5894.jpg
- nb-####.oss-cn-####.aliy####.com/f0964eb873062cd919a930bd166e6ab9.jpeg@!...
- nb-####.oss-cn-####.aliy####.com/f3b0f84ad550dd7ac28e80cd1ca9aa1d.png@!w...
- nb-####.oss-cn-####.aliy####.com/f6adeab38a436fae9121b91e1ecd890c.jpg@!w...
- nb-####.oss-cn-####.aliy####.com/ff41b46fdd65a4382ed75df078c22227.jpeg
- nb-####.oss-cn-####.aliy####.com/fff0c53e8ce37c42c81aeca085290e51.png@!w...
- q.q####.cn/qqapp/101298654/620D6CC3201A9A736261A29B773FA82A/40@128w_1l.src
- qin####.com.www.####.com/tdata_EDT369
- t####.c####.q####.####.com/config/hz-hzv6.conf
- t####.c####.q####.####.com/tdata_BAI450
- t####.c####.q####.####.com/tdata_IcB528
- t####.c####.q####.####.com/tdata_Uad612
- w####.com/ttarticle/p/show?id=####
Запросы HTTP POST:
- a####.u####.com/app_logs
- c####.api.newg####.com/v2/api/game_assistant/boot_config_v2
- c####.api.newg####.com/v2/api/game_assistant/offprint
- c####.api.newg####.com/v2/api/pkgs
- c####.api.newg####.com/v2/api/pnames/filtout/first
- c####.api.newg####.com/v2/api/report
- c-h####.g####.com/api.php?format=####&t=####
- sdk-ope####.g####.com/api.php?format=####&t=####
- sdk-ope####.g####.com/api.php?format=####&t=####&d=####&k=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/0.xml
- /data/data/####/ApplicationCache.db-journal
- /data/data/####/GameCrack_Preferences.xml
- /data/data/####/bff7a80ad135
- /data/data/####/cc.db
- /data/data/####/cc.db-journal
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/deviceId.xml
- /data/data/####/exchangeIdentity.json
- /data/data/####/exid.dat
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/forum_page.0.tmp
- /data/data/####/gdaemon_20161017
- /data/data/####/getui_sp.xml
- /data/data/####/gkt-journal
- /data/data/####/gx_sp.xml
- /data/data/####/http_clan.m.newgamer.com_0.localstorage-journal
- /data/data/####/index
- /data/data/####/init.pid
- /data/data/####/init_c1.pid
- /data/data/####/journal.tmp
- /data/data/####/libjiagu.so
- /data/data/####/multidex.version.xml
- /data/data/####/newgame.db-journal
- /data/data/####/ngdsdownload.db-journal
- /data/data/####/push.pid
- /data/data/####/pushext.db-journal
- /data/data/####/pushg.db-journal
- /data/data/####/pushsdk.db-journal
- /data/data/####/reservation_new_games_list.0.tmp
- /data/data/####/run.pid
- /data/data/####/statistics_Preferences.xml
- /data/data/####/sys_prefs.xml
- /data/data/####/tdata_BAI450
- /data/data/####/tdata_BAI450.jar
- /data/data/####/tdata_IcB528
- /data/data/####/tdata_IcB528.jar
- /data/data/####/tdata_Uad612
- /data/data/####/tdata_Uad612.jar
- /data/data/####/ua.db
- /data/data/####/ua.db-journal
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/umeng_socialize.xml
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/-1086444101.tmp
- /data/media/####/-1500890166.tmp
- /data/media/####/-1531851777.tmp
- /data/media/####/-1655477906.tmp
- /data/media/####/-1687166020.tmp
- /data/media/####/-1771188435.tmp
- /data/media/####/-2020295488.tmp
- /data/media/####/-2030477241.tmp
- /data/media/####/-312137126.tmp
- /data/media/####/-339882190.tmp
- /data/media/####/-35005961.tmp
- /data/media/####/-504533042.tmp
- /data/media/####/-637230063.tmp
- /data/media/####/-833221458.tmp
- /data/media/####/1066668960.tmp
- /data/media/####/1069240478.tmp
- /data/media/####/1084024636.tmp
- /data/media/####/1372648025.tmp
- /data/media/####/1465461820.tmp
- /data/media/####/152930412.tmp
- /data/media/####/1559189697688
- /data/media/####/1595052838.tmp
- /data/media/####/1741676573.tmp
- /data/media/####/1775518596.tmp
- /data/media/####/1955158832.tmp
- /data/media/####/2047354339.tmp
- /data/media/####/2109661259.tmp
- /data/media/####/25206819.tmp
- /data/media/####/338743249.tmp
- /data/media/####/417997179.tmp
- /data/media/####/569616890.tmp
- /data/media/####/861098504.tmp
- /data/media/####/app.db
- /data/media/####/com.getui.sdk.deviceId.db
- /data/media/####/com.igexin.sdk.deviceId.db
- /data/media/####/com.newgame.gamehelper.hdl.bin
- /data/media/####/com.newgame.gamehelper.hdl.db
- /data/media/####/gkt-journal
- /data/media/####/gktper
- /data/media/####/tdata_BAI450
- /data/media/####/tdata_IcB528
- /data/media/####/tdata_Uad612
- /data/media/####/test.log
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /proc/cpuinfo
- <Package Folder>/files/gdaemon_20161017 0 <Package>/cn.com.ngds.newgame.service.PushService 25559 300 0
- cat /sys/class/net/wlan0/address
- chmod 700 <Package Folder>/files/gdaemon_20161017
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- mount
- sh
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/cn.com.ngds.newgame.service.PushService 25559 300 0
Загружает динамические библиотеки:
- getuiext2
- libjiagu
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS7Padding
- AES-CFB-NoPadding
- AES-ECB-PKCS5Padding
- RSA-NONE-OAEPWithSHA1AndMGF1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES-CBC-NoPadding
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Осуществляет доступ к приватному интерфейсу ITelephony.
Использует специальную библиотеку для скрытия исполняемого байт-кода.
Получает информацию о местоположении.
Получает информацию о сети.
Получает информацию о телефоне (номер, IMEI и т. д.).
Получает информацию об установленных приложениях.
Добавляет задания в системный планировщик.
Отрисовывает собственные окна поверх других приложений.
Управляет Wi-Fi-подключением.
