Technical Information
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\nsy3.tmp\Statistics.exe' = '%TEMP%\nsy3.tmp\Statistics.exe:*:En...
Modifies file system:
Creates the following files:
- %ProgramFiles%\Tencent\QQLive\LiveMaster.dll
- %ProgramFiles%\Tencent\QQLive\LiveMedia.dll
- %ProgramFiles%\Tencent\QQLive\libcurl.dll
- %ProgramFiles%\Tencent\QQLive\LiveLogin.dll
- %ProgramFiles%\Tencent\QQLive\LiveOcx.dll
- %ProgramFiles%\Tencent\QQLive\MiniTips.dll
- %ProgramFiles%\Tencent\QQLive\ProcessSession.dll
- %ProgramFiles%\Tencent\QQLive\LiveVOD.dll
- %ProgramFiles%\Tencent\QQLive\MediaCtrl.dll
- %ProgramFiles%\Tencent\QQLive\LiveLog.dll
- %ProgramFiles%\Tencent\QQLive\DelayLoad.dll
- %ProgramFiles%\Tencent\QQLive\DesktopHelper.dll
- %ProgramFiles%\Tencent\QQLive\Common.dll
- %ProgramFiles%\Tencent\QQLive\DataManager.dll
- %ProgramFiles%\Tencent\QQLive\DesktopHelperX.dll
- %ProgramFiles%\Tencent\QQLive\IPC.dll
- %ProgramFiles%\Tencent\QQLive\LiveAPI.dll
- %ProgramFiles%\Tencent\QQLive\GF.dll
- %ProgramFiles%\Tencent\QQLive\HttpModule.dll
- %ProgramFiles%\Tencent\QQLive\arkIOStub.dll
- %ProgramFiles%\Tencent\QQLive\arkIPC.dll
- %ProgramFiles%\Tencent\QQLive\Win7Feature.dll
- %ProgramFiles%\Tencent\QQLive\arkGraphic.dll
- %ProgramFiles%\Tencent\QQLive\arkImage.dll
- %APPDATA%\Tencent\QQLive\FailRecord.dat
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\ckvcollect[1].htm
- %ProgramFiles%\Tencent\QQLive\jgIOStub.dll
- %ProgramFiles%\Tencent\QQLive\jgImage.dll
- %ProgramFiles%\Tencent\QQLive\WebCtrl.dll
- %ProgramFiles%\Tencent\QQLive\QQLiveMainModule.dll
- %ProgramFiles%\Tencent\QQLive\SetupShell.dll
- %ProgramFiles%\Tencent\QQLive\QQLiveCommu.dll
- %ProgramFiles%\Tencent\QQLive\QQLiveDownload.dll
- %ProgramFiles%\Tencent\QQLive\Statistic.dll
- %ProgramFiles%\Tencent\QQLive\Upgrade.dll
- %ProgramFiles%\Tencent\QQLive\UserData.dll
- %ProgramFiles%\Tencent\QQLive\TNProxy.dll
- %ProgramFiles%\Tencent\QQLive\ToolBox.dll
- %ProgramFiles%\Tencent\QQLive\TXSSO\bin\SSOCommon.dll
- %ProgramFiles%\Tencent\QQLive\TXSSO\bin\SSOLUIControl.dll
- %ProgramFiles%\Tencent\QQLive\TXSSO\I18N\2052\PGFStringBundle.xml
- %ProgramFiles%\Tencent\QQLive\TXSSO\I18N\2052\SSOStringBundle.xml
- %ProgramFiles%\Tencent\QQLive\TXSSO\bin\SSOPlatform.dll
- %ProgramFiles%\Tencent\QQLive\bugreport.exe
- %ProgramFiles%\Tencent\QQLive\cabarc.exe
- %ProgramFiles%\Tencent\QQLive\TXSSO\bin\npSSOAxCtrlForPTLogin.dll
- %ProgramFiles%\Tencent\QQLive\BugReporter.exe
- %ProgramFiles%\Tencent\QQLive\TXSSO\I18N\SSOConfig.xml
- %APPDATA%\Tencent\QQLive\user.ini
- %APPDATA%\Tencent\QQLive\hwcfg.ini
- %TEMP%\nsd2.tmp
- %APPDATA%\Tencent\QQLive\Log\QQLiveInstall.log
- %APPDATA%\Tencent\QQLive\config.ini
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\mon_inst[1].ini
- %ALLUSERSPROFILE%\Application Data\mon_inst.ini
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\2VAZY7AN\mon_pro[1].ini
- %ALLUSERSPROFILE%\Application Data\mon_pro.ini
- %ProgramFiles%\Tencent\QQLive\proxytask.dll
- %ProgramFiles%\Tencent\QQLive\LiveInstHlp.dll
- %ProgramFiles%\Tencent\QQLive\QQLiveUninstaller.exe
- %ProgramFiles%\Tencent\QQLive\QQLiveDisk.ico
- %ProgramFiles%\Tencent\QQLive\QQPCDetector.dll
- %ProgramFiles%\Tencent\QQLive\CefSubProcess.dll
- %ProgramFiles%\Tencent\QQLive\ChannelMgr.dll
- %ProgramFiles%\Tencent\QQLive\QQLiveExternal.dll
- %ProgramFiles%\Tencent\QQLive\AsyncTask.dll
- %ProgramFiles%\Tencent\QQLive\QQLiveService.exe
- %ProgramFiles%\Tencent\QQLive\UnistHelper.exe
- %ProgramFiles%\Tencent\QQLive\QQLiveBrowser.exe
- %ProgramFiles%\Tencent\QQLive\OcxHelper.exe
- %ProgramFiles%\Tencent\QQLive\QQLive.exe
- %ProgramFiles%\Tencent\QQLive\QQLiveServiceBrowser.exe
- %ProgramFiles%\Tencent\QQLive\InstAsm.exe
- %ProgramFiles%\Tencent\QQLive\X64Helper.exe
- %ProgramFiles%\Tencent\QQLive\QQLiveUnistBrowser.exe
- %ProgramFiles%\Tencent\QQLive\QQLiveUp.exe
Deletes the following files:
- %TEMP%\nsy3.tmp\ProcDll.dll
- %TEMP%\nsy3.tmp\Statistics.exe
- %TEMP%\nsy3.tmp\System.dll
- %TEMP%\nsy3.tmp\InstallHelper.dll
- %ALLUSERSPROFILE%\Application Data\mon_pro.ini
- %ALLUSERSPROFILE%\Application Data\mon_inst.ini
- %TEMP%\nsy3.tmp\bind.ini
Substitutes the following files:
- %ALLUSERSPROFILE%\Application Data\mon_inst.ini
- %ALLUSERSPROFILE%\Application Data\mon_pro.ini
Network activity:
Connects to:
- 'tu####.video.qq.com':80
- 'dl###1.qq.com':80
- 'bt###e.qq.com':80
- 'localhost':1037
- 'localhost':1040
- 'localhost':1044
TCP:
HTTP GET requests:
- http://dl###1.qq.com/qqtv/azdk/mon_pro.ini
- http://dl###1.qq.com/qqtv/azdk/mon_inst.ini
- http://tu####.video.qq.com/fcgi/get_platform_conf?ti#############################################################################################################################################...
- http://dl###1.qq.com/qqtv/appdata/config.ini?ti#############
HTTP POST requests:
- http://bt###e.qq.com/ckvcollect
UDP:
- DNS ASK bt###e.qq.com
- DNS ASK dl###1.qq.com
- DNS ASK tu####.video.qq.com
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'QQLiveService__Wnd'
Creates and executes the following:
- '%TEMP%\nsy3.tmp\Statistics.exe' -ReportNew "-Step:2 -Result:1 -ModuleName:<File name>.exe -ModuleVer:10.4.856.0 -ChannelName:xiaoxinrili -InstallDir:\"%ProgramFiles%\Tencent\QQLive\" -ParentProcessName:AngarCl.exe -NewInstall...
- '%TEMP%\nsy3.tmp\Statistics.exe' BossId=2800&Pwd=1456476441&iSta=2567&ctype=1&itype=41&ver=10.4.856.0&str1=CB24A8ACD4F5EA2C503C1DC1F2D2077E&str2=xiaoxinrili&vid=AngarCl.exe&url=<File name>.exe&int6=1&protocolver=50171115&guid2...
- '%TEMP%\nsy3.tmp\Statistics.exe' -PinOrUnpinIcon unpin "AEMAOgBcAEQAbwBjAHUAbQBlAG4AdABzACAAYQBuAGQAIABTAGUAdAB0AGkAbgBnAHMAXABBAGwAbAAgAFUAcwBlAHIAcwBcAFMAdABhAHIAdAAgAE0AZQBuAHUAXABQAHIAbwBnAHIAYQBtAHMAXIF+i6+Pb072AFyBfouvic...
- '%TEMP%\nsy3.tmp\Statistics.exe' -PinOrUnpinIcon unpin "AFyBfouvicaYkQAuAGwAbgBr"
- '%TEMP%\nsy3.tmp\Statistics.exe' -ReportNew "-Step:1 -Result:1 -ModuleName:<File name>.exe -ModuleVer:10.4.856.0 -ChannelName:xiaoxinrili -InstallDir:\"%ProgramFiles%\Tencent\QQLive\" -ParentProcessName:AngarCl.exe -NewInstall...
- '%TEMP%\nsy3.tmp\Statistics.exe' BossId=2800&Pwd=1456476441&iSta=2567&ctype=1&itype=11&ver=10.4.856.0&str1=CB24A8ACD4F5EA2C503C1DC1F2D2077E&str2=xiaoxinrili&vid=AngarCl.exe&url=<File name>.exe&int6=1&protocolver=50171115&guid2...
- '%TEMP%\nsy3.tmp\Statistics.exe' BossId=5069&Pwd=1319681759&first=install&second=&third=&forth=&cmd=exposure&platform=10204&main_login=&uin=&openid=&vuserid=&version=50171115&guid={CB24A8ACD4F5EA2C503C1DC1F2D2077E}&exposureCom...
- '%TEMP%\nsy3.tmp\Statistics.exe' -ReportAntiCheat "-ChannelName:xiaoxinrili"
