Malware Analysis Report

2024-09-23 12:04

Sample ID 240612-ps5apsvejh
Target a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118
SHA256 10d3d7b584624563fae525b258a3115c8eff08e00758012f47db7c92f8a96e2e
Tags
bootkit persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

10d3d7b584624563fae525b258a3115c8eff08e00758012f47db7c92f8a96e2e

Threat Level: Shows suspicious behavior

The file a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Writes to the Master Boot Record (MBR)

Loads dropped DLL

Drops file in Windows directory

Executes dropped EXE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 12:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 12:36

Reported

2024-06-12 12:39

Platform

win7-20240419-en

Max time kernel

149s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
(17 hits; no description, indicator, process or target recorded for any of them)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\oCR34sDbRb.99R C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 0e7a34aecda0b747918ca6af9fc133c4 C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
(23 hits with no description, indicator or target recorded: 5 attributed to C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe and 18 to C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe" 2752 nosilent

Network

Country Destination Domain Proto
US 8.8.8.8:53 updatecenter.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
US 8.8.8.8:53 pdlxf-doctor.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 master.etl.desktop.qq.com udp
CN 113.105.95.120:443 N/A tcp
CN 113.105.95.120:443 N/A tcp
CN 125.39.120.82:443 N/A tcp
CN 125.39.120.82:443 N/A tcp
CN 113.105.95.120:443 N/A tcp
CN 113.105.95.120:443 N/A tcp
CN 125.39.120.82:443 N/A tcp
CN 125.39.120.82:443 N/A tcp

Files

\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\HummerSetup.dll

MD5 0061076b19ac1d3e63578d4ffe92ae65
SHA1 047d742bf3e312f65fca4728287f98ca7fa19c31
SHA256 58bec01266aa5f53aae52293138140e06e5cf956c0c680757e69b6b34ace416b
SHA512 8cf340c1a2350b6a46fc033eb969dbf900550b6009fece746a8991f321435fa3c7dd2b3204898dc8609447a8fa05eacbcadf939501395c4b38ed1d0573b60c2f

C:\Users\Admin\AppData\Local\Temp\Cab4EFC.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe

MD5 79d160fc002214110de9089a791094e8
SHA1 a3885ee6b0005f4ff2070794e24afc6a835cd1d2
SHA256 5f699fe1c1079ce2b24c2d64e9b8ff41c58a65e8171415a7b5df8039334d2b66
SHA512 9ed4f44a2ffe0694683058bdbea0f481fdc4ac246b8996b9895f8531bc4581b1682de54740d616840bb50e5e720d1e4b692234d3ec644ca727fc431dc806b5e9

\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQPCDetector.dll

MD5 fe90262e8b9677694ae9f9095fccb7a3
SHA1 0922135dbaf9824014800e13a912a69bde733723
SHA256 f7cc3aa92edd7066dd83573d4a33725f329051a820fce83350220f8632d49cb1
SHA512 c6a0c1a94c9d9d017b3f5342cadf7e5e33bd1abaac1b2f4f8cdc5a0b98c531cf86a5795aee8c22df340347a425a97209aa55e88a2642ec5cefce4547e586293e

C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\dlcore.dll

MD5 034f82a601af1ab10d64af95a23dd8c3
SHA1 3dd5ff8217bf601b153d87e97a434ed2f14bdf71
SHA256 60305b6766970768cb81e75bb8af5e74c9c6b6d55ef747f3c441b68211110d53
SHA512 1ee4f9fc8026da1729b7e3c1be6201e7be7c68a85b4adfee9337df73eddb297a06043bfff8834afdf29910d0d942aaba3d7ccd28d6915d075c292ed1932d0913

memory/2648-36-0x0000000003730000-0x00000000037E5000-memory.dmp

memory/2648-61-0x0000000002C60000-0x0000000002CBC000-memory.dmp

memory/2648-66-0x00000000033F0000-0x000000000344C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\Common\gjdatareport.dll

MD5 c6d182150ec67b517d803d75e6e48fb4
SHA1 983200fcf5dcf4b922701d0c6d47a9f18a530bb5
SHA256 0cb32302dd006cd923839584396cf392a502769c9374556c2e88ab2b926740bc
SHA512 e4654b2de9650b48991011fb49aff08d4253eb300e807a5b19a1f1067dc086f2336e31ee4dadfe0ac6b42b851a934bcb3c172d6a827d865e44206c3f49f22b32

memory/2648-95-0x0000000002C60000-0x0000000002CBC000-memory.dmp

memory/2648-96-0x00000000033F0000-0x000000000344C000-memory.dmp

memory/2648-98-0x0000000002C60000-0x0000000002CBC000-memory.dmp

memory/2648-99-0x00000000033F0000-0x000000000344C000-memory.dmp

memory/2648-100-0x0000000002C60000-0x0000000002CBC000-memory.dmp

memory/2648-101-0x00000000033F0000-0x000000000344C000-memory.dmp

memory/2648-102-0x0000000002C60000-0x0000000002CBC000-memory.dmp

memory/2648-103-0x00000000033F0000-0x000000000344C000-memory.dmp

memory/2648-110-0x0000000002C60000-0x0000000002CBC000-memory.dmp

memory/2648-111-0x00000000033F0000-0x000000000344C000-memory.dmp

memory/2648-112-0x0000000002C60000-0x0000000002CBC000-memory.dmp

memory/2648-113-0x00000000033F0000-0x000000000344C000-memory.dmp

memory/2648-114-0x0000000002C60000-0x0000000002CBC000-memory.dmp

memory/2648-115-0x00000000033F0000-0x000000000344C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 12:36

Reported

2024-06-12 12:39

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
(11 hits; no description, indicator, process or target recorded for any of them)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\k93UtF3P55Ac6.dat C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A
File created C:\Windows\64giI9jor6X444.4gP C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 13b2755222a9b141b534048869927fda C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
(42 hits with no description, indicator or target recorded: 10 attributed to C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe and 32 to C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0b09b0e6609f89c60d6848a662b83a9_JaffaCakes118.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe" 1244 nosilent

Network

Country Destination Domain Proto
US 8.8.8.8:53 updatecenter.qq.com udp
CN 220.194.116.116:80 updatecenter.qq.com tcp
US 8.8.8.8:53 pdlxf-doctor.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 cfg.xf.qq.com udp
US 8.8.8.8:53 fs-conn-doctor.qq.com udp
HK 43.135.106.117:80 c.gj.qq.com tcp
HK 43.135.106.117:80 c.gj.qq.com tcp
HK 43.135.106.117:80 c.gj.qq.com tcp
US 8.8.8.8:53 fs-tcp-conn-doctor.qq.com udp
US 8.8.8.8:53 local-p2p.qq.com udp
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 dlied6.qq.com udp
US 8.8.8.8:53 dtrp.url-quality.qq.com udp
US 8.8.8.8:53 c.pc.qq.com udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 fs-conn-back-doctor.qq.com udp
HK 43.135.106.117:80 c.pc.qq.com tcp
US 8.8.8.8:53 dldir1.qq.com udp
US 8.8.8.8:53 fs-conn-other-doctor.qq.com udp
US 8.8.8.8:53 117.106.135.43.in-addr.arpa udp
CN 122.188.37.134:80 dldir1.qq.com tcp
US 8.8.8.8:53 stun.qq.com udp
US 8.8.8.8:53 url-quality-stat.xf.qq.com udp
US 8.8.8.8:53 xf.stat-doctor.qq.com udp
US 8.8.8.8:53 c.pc.qq.com udp
US 8.8.8.8:53 xuanfengnet.qq.com udp
CN 116.131.226.145:80 dldir1.qq.com tcp
HK 43.135.106.117:80 c.pc.qq.com tcp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
HK 43.135.106.184:80 c.pc.qq.com tcp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
CN 116.131.226.145:80 dldir1.qq.com tcp
CN 116.131.226.145:80 dldir1.qq.com tcp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
CN 116.131.226.145:80 dldir1.qq.com tcp
CN 60.217.249.30:80 dldir1.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 116.131.226.145:80 dldir1.qq.com tcp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
CN 119.188.150.124:80 dldir1.qq.com tcp
CN 113.105.95.120:443 N/A tcp
CN 113.105.95.120:443 N/A tcp
US 8.8.8.8:53 dldir1.qq.com udp
CN 116.131.226.145:80 dldir1.qq.com tcp
CN 115.56.90.107:80 dldir1.qq.com tcp
CN 119.188.150.114:80 dldir1.qq.com tcp
CN 111.3.90.95:80 dldir1.qq.com tcp
CN 116.153.42.253:80 dldir1.qq.com tcp
CN 119.188.150.124:80 dldir1.qq.com tcp
CN 115.56.90.107:80 dldir1.qq.com tcp
HK 43.135.106.117:80 c.pc.qq.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
CN 115.56.90.107:80 dldir1.qq.com tcp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
CN 125.39.120.82:443 N/A tcp
CN 125.39.120.82:443 N/A tcp
CN 115.56.90.107:80 dldir1.qq.com tcp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
CN 115.56.90.107:80 dldir1.qq.com tcp
CN 115.56.90.107:80 dldir1.qq.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 dldir1.qq.com udp
CN 119.188.150.114:80 dldir1.qq.com tcp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
CN 119.188.150.114:80 dldir1.qq.com tcp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 119.188.150.114:80 dldir1.qq.com tcp
CN 220.249.243.180:443 fs-conn-other-doctor.qq.com tcp
CN 119.188.150.114:80 dldir1.qq.com tcp
CN 119.188.150.114:80 dldir1.qq.com tcp

Files

C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\HummerSetup.dll

MD5 0061076b19ac1d3e63578d4ffe92ae65
SHA1 047d742bf3e312f65fca4728287f98ca7fa19c31
SHA256 58bec01266aa5f53aae52293138140e06e5cf956c0c680757e69b6b34ace416b
SHA512 8cf340c1a2350b6a46fc033eb969dbf900550b6009fece746a8991f321435fa3c7dd2b3204898dc8609447a8fa05eacbcadf939501395c4b38ed1d0573b60c2f

C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe

MD5 79d160fc002214110de9089a791094e8
SHA1 a3885ee6b0005f4ff2070794e24afc6a835cd1d2
SHA256 5f699fe1c1079ce2b24c2d64e9b8ff41c58a65e8171415a7b5df8039334d2b66
SHA512 9ed4f44a2ffe0694683058bdbea0f481fdc4ac246b8996b9895f8531bc4581b1682de54740d616840bb50e5e720d1e4b692234d3ec644ca727fc431dc806b5e9

C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQPCDetector.dll

MD5 fe90262e8b9677694ae9f9095fccb7a3
SHA1 0922135dbaf9824014800e13a912a69bde733723
SHA256 f7cc3aa92edd7066dd83573d4a33725f329051a820fce83350220f8632d49cb1
SHA512 c6a0c1a94c9d9d017b3f5342cadf7e5e33bd1abaac1b2f4f8cdc5a0b98c531cf86a5795aee8c22df340347a425a97209aa55e88a2642ec5cefce4547e586293e

C:\Users\Admin\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\dlcore.dll

MD5 034f82a601af1ab10d64af95a23dd8c3
SHA1 3dd5ff8217bf601b153d87e97a434ed2f14bdf71
SHA256 60305b6766970768cb81e75bb8af5e74c9c6b6d55ef747f3c441b68211110d53
SHA512 1ee4f9fc8026da1729b7e3c1be6201e7be7c68a85b4adfee9337df73eddb297a06043bfff8834afdf29910d0d942aaba3d7ccd28d6915d075c292ed1932d0913

memory/1524-24-0x0000000004730000-0x00000000047E5000-memory.dmp

C:\Windows\k93UtF3P55Ac6.dat

MD5 c6d182150ec67b517d803d75e6e48fb4
SHA1 983200fcf5dcf4b922701d0c6d47a9f18a530bb5
SHA256 0cb32302dd006cd923839584396cf392a502769c9374556c2e88ab2b926740bc
SHA512 e4654b2de9650b48991011fb49aff08d4253eb300e807a5b19a1f1067dc086f2336e31ee4dadfe0ac6b42b851a934bcb3c172d6a827d865e44206c3f49f22b32

memory/1524-34-0x0000000004850000-0x00000000048AC000-memory.dmp

memory/1524-43-0x0000000004DD0000-0x0000000004E2C000-memory.dmp

memory/1524-95-0x0000000004DD0000-0x0000000004E2C000-memory.dmp

memory/1524-94-0x0000000004850000-0x00000000048AC000-memory.dmp

memory/1524-98-0x0000000004850000-0x00000000048AC000-memory.dmp

memory/1524-99-0x0000000004DD0000-0x0000000004E2C000-memory.dmp

memory/1524-111-0x0000000004850000-0x00000000048AC000-memory.dmp

memory/1524-114-0x0000000004DD0000-0x0000000004E2C000-memory.dmp

memory/1524-113-0x0000000004850000-0x00000000048AC000-memory.dmp

memory/1524-126-0x0000000004850000-0x00000000048AC000-memory.dmp