Technical Information
Malicious functions
Executes the following
- '%ProgramFiles%\internet explorer\iexplore.exe' http://www.hao123.com/?tn=98040130_hao_pg
Modifies file system
Creates the following files
- %LOCALAPPDATA%low\microsoft\internet explorer\domstore\amq9v9vh\www.hao123[1].xml
- %LOCALAPPDATA%\microsoft\windows\history\desktop.ini
Network activity
Connects to
- 'ha##23.com':80
- 'b.###tatic.com':443
- 'cp##.##idustatic.com':80
- 'oc##.#igicert.cn':80
- 'fe####.cdn.bcebos.com':443
- 'so####.bdstatic.com':80
- 'hm###.baidu.com':443
- 'hc#.#aidu.com':80
- 'pa####rt.baidu.com':80
- 'hc#.#aidu.com':443
- 'ss#.#aidu.com':443
- 'dg###.bdstatic.com':443
- 'cp##.##idustatic.com':443
- 'gi###.baidu.com':443
- 'hm.##idu.com':443
- 'fy###.#dn.bcebos.com':80
- 's1.###123img.com':80
- 'sc#.##o123img.com':443
- 'oc##.##ctigochina.com':80
- 'co##.#dstatic.com':443
- 'sc#.##o123img.com':80
- 'dg###.bdstatic.com':80
- 'ds##.#dstatic.com':443
- 'ha#######atic.cdn.bcebos.com':80
- 'ha#######atic.cdn.bcebos.com':443
- 'fy###.#dn.bcebos.com':443
- 'lu###.#dn.bcebos.com':443
TCP
HTTP GET requests
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/lib/main.cf91835.js
- http://www.ha##23.com/api/getkeydata?to##########################################################################################################################################################...
- http://www.ha##23.com/feedData/data?ty#############################################################################################################################
- http://www.ha##23.com/api/getgoodthing?pa########
- http://www.ha##23.com/?tn################
- http://pa####rt.baidu.com/passApi/js/uni_login_wrapper.js?cd######################################
- http://www.ha##23.com/
- http://s0.###123img.com/resource/fe/widget/js/service/haoAnti.js?17###########
- http://s0.###123img.com/res/js/track.js?_4#####
- http://www.ha##23.com/t.gif?v=########################################################
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/aging-tools/aging-tools.8cfd930.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/moreskin/moreskin.cb0ab96.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/skin/service.4010d39.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/skin/hooks.27db52b.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/fullpage-pop/fullpage-pop.396ce3b.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/skinbtn/skinbtn.273a038.js
- http://sc#.##o123img.com/res/r/image/2021-4-1/favicon.png
- http://sc#.##o123img.com/data/3321005414876972a6ccd92043996804
- http://sc#.##o123img.com/data/15561edb1bae1b2c6a54fd6b4df5d840
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/pkg/aio-all_0.4_z.5501eca.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/pkg/aio-all_0.45_z.85f992e.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/pkg/aio-all_0.5_z.b5152ca.png
- http://www.ha##23.com/images/track.gif?le########################################################################################################################################################...
- http://so####.bdstatic.com/js/dfxaf.js?_=#############
- http://www.ha##23.com/api/tnwhilte?tn################################
- http://www.ha##23.com/images/track.gif?tm########################################################################################################################################################...
- http://as#.#.hao123.com/qmoshe.js
- http://as#.#.hao123.com/site/api/6g5d5.js?ni########################
- http://as#.#.hao123.com/production/ui7pr.js?xs########################
- http://cp##.##idustatic.com/cpro/ui/c.js?_=#############
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/aging-tools/img/tools.b04b47d.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/feednews/play-icon.76435ac.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/feednews/all.c1d4b57.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/feednews/bg.812f584.png
- http://oc##.#igicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSs4qvpyL%2F1h8IM3CR%2F4ZfFi8oOlAQUe6P6%2F%2FXVCV0e%2BSr%2FhVPtr0eo13oCEAxl1HAvkqSgFmOk0kDFQ0Q%3D
- http://www.ha##23.com/api/searchrecom?c=#########################################################################################################################################################...
- http://www.ha##23.com/images/a.gif?ty############################################################################################################################################################...
- http://oc##.#igicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSs4qvpyL%2F1h8IM3CR%2F4ZfFi8oOlAQUe6P6%2F%2FXVCV0e%2BSr%2FhVPtr0eo13oCEAe1XQJ5vfulUCkTbjaWze4%3D
- http://oc##.#igicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAUfDH7dyI268AxQ4oX0ImU%3D
- http://www.ha##23.com/api/getgamedata?ty############################
- http://www.ha##23.com/api/carifshow
- http://www.ha##23.com/api/getgamedata?t=####################
- http://www.ha##23.com/api/getgameboxindexdata?t=#############
- http://www.ha##23.com/api/searchword?tn##################################################
- http://www.ha##23.com/api/sample?ap#####################################################
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/container/coolsites/drop.b084916.png
- http://sh####.hao123.com/v1/info?ca################################
- http://www.ha##23.com/images-ab/track.gif?tm#####################################################################################################################################################...
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/shortcut/img/tipclose.8d4e3df.png
- http://sc#.##o123img.com/urlicon/bddt2018110949.png
- http://sc#.##o123img.com/data/b51544df631f5dd536ade159b09c1dcf
- http://sc#.##o123img.com/urlicon/game0331.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/pkg/aio-all_z.94bbc42.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/container/search/tabarrow.51effee.png
- http://sc#.##o123img.com/qiusuo_icon/10597f220b047cee3e8ea50e91886d71.ico
- http://sc#.##o123img.com/res/r/image/2021-3-5/baidulogo.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/kingPosition/template.9166382.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/carsbox/carsbox.4ebbf7c.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/ecommerce/countdown.4b2dab1.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/ecommerce/ecommerce.35c2d7e.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/hotlist/hotlist.8ff7540.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/hotgoods/hotgoods.144f696.js
- http://s0.###123img.com/img/1L/Aw/2F/mk/ch/o/blank.gif
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/pkg/aio-static2.1287a4c.js
- http://www.ha##23.com/api/citymenu?
- http://sc#.##o123img.com/res/weather/v3/a0.png
- http://www.ha##23.com/api/gethitthecity?
- http://oc##.##ctigochina.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR28ifac5%2BKWaDJG947H06fyWfYAgQU3z1IB2b54JFbeLGq1zxZMBc7TYUCEG59t2VJNJVfRTqtHe2cZ1w%3D
- http://dg###.bdstatic.com/5bVWsj_p_tVS5dKfpU_Y_D3/res/js/polyfill/es5-shim.min.js
- http://sc#.##o123img.com/res/r/image/2017-09-27/297f5edb1e984613083a2d3cc0c5bb36.png
- http://sc#.##o123img.com/res/r/image/2018-01-09/e2925adbe0359d59a8149bf141679df5.png
- http://sc#.##o123img.com/res/r/image/2020-05-14/d5fecbd5239db7cbc8d7939a75e4d830.png
- http://sc#.##o123img.com/res/r/image/2018-01-09/94e5c536a8c5ae843659856e2f1d6393.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/common/template.1b0aca6.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/hotsearch-top/select-bottomx2.51effee.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/common/index.8b55381.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/kingPosition/index.628ce70.js
- http://sc#.##o123img.com/res/r/image/2020-01-01/1bb44a4de355a70c26fb840ef31d3bfc.png
- http://sc#.##o123img.com/res/r/image/2020-04-09/9a95d3783ba0e6dea8bd386e2d0ad67f.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/pkg/aio-feed.2b6c3b1.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/js/wave/wave.f11a626.js
- http://s1.###123img.com/res/r/image/2016-12-12/30d4143e18a36bed146bb7e92e5a2464.png
- http://s0.###123img.com/res/r/image/2016-11-11/331a6bbc2154a554b62b5bfce2d5cbd6.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/pkg/aio-otherall.4ba074a.js
- http://sc#.##o123img.com/res/r/image/2019-08-16/3c8835ab2cb0db921a8879952df3cac9.png
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/pkg/aio-static1.eb29fe4.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/gamebox.20601fc.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/hotRecommend/index.5278a84.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/gameboxcustomTemplate.8c1db9b.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/hotRecommend/template.16611bc.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/newGameRank/index.d705f0e.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/newGameRank/template.fa3bf42.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/like/index.dff9bb6.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/like/template.4adaaee.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/gamebox/rightSource/index.3d67845.js
- http://ha#######atic.cdn.bcebos.com/fe-res/her/static/indexnew/component/carsbox/carsboxTemplate.c9c5e8a.js
- http://sc#.##o123img.com/res/r/image/2019-07-01/3a117368c5bcfaf958ee74b0aec56287.png
- http://sc#.##o123img.com/data/b7cf14241b120edffe1e65c79e4d48c5
- http://sc#.##o123img.com/res/r/image/2017-07-10/16c593b3396fd2ed58ce6851ff76b2d0.png
- http://sc#.##o123img.com/data/8d6d2c708fbf92d23e3852340d72f9ff
- http://www.ha##23.com/favicon.ico
Other
- 'ha#######atic.cdn.bcebos.com':443
- 'cp##.##idustatic.com':443
- 'po#.#aidu.com':443
- 'b.###tatic.com':443
- 'f7.##idu.com':443
- 'so####.baidu.com':443
- 'sf#.##fe.baidu.com':443
- 'fe####.cdn.bcebos.com':443
- 'wn.###.baidu.com':443
- 'ba##u.com':443
- 'ha##23.com':443
- 'dg###.bdstatic.com':443
- 'gi###.baidu.com':443
- 'hm.##idu.com':443
- 'im##.hao123.com':443
- 'co##.#dstatic.com':443
- 'ds##.#dstatic.com':443
- 'hm###.baidu.com':443
- 'ec####.baidu.com':443
UDP
- DNS ASK ha##23.com
- DNS ASK wn.###.baidu.com
- DNS ASK po#.#aidu.com
- DNS ASK b.###tatic.com
- DNS ASK as#.#.hao123.com
- DNS ASK cp##.##idustatic.com
- DNS ASK f7.##idu.com
- DNS ASK dg###.baidu.com
- DNS ASK so####.baidu.com
- DNS ASK oc##.#igicert.cn
- DNS ASK sf#.##fe.baidu.com
- DNS ASK sh####.hao123.com
- DNS ASK ba##u.com
- DNS ASK fe####.cdn.bcebos.com
- DNS ASK so####.bdstatic.com
- DNS ASK lu###.#dn.bcebos.com
- DNS ASK hm###.baidu.com
- DNS ASK hc#.#aidu.com
- DNS ASK ss#.#aidu.com
- DNS ASK gi###.baidu.com
- DNS ASK fy###.#dn.bcebos.com
- DNS ASK hm.##idu.com
- DNS ASK oc##.##ctigochina.com
- DNS ASK dg###.bdstatic.com
- DNS ASK ha#######atic.cdn.bcebos.com
- DNS ASK ds##.#dstatic.com
- DNS ASK sc#.##o123img.com
- DNS ASK co##.#dstatic.com
- DNS ASK im##.hao123.com
- DNS ASK s0.###123img.com
- DNS ASK s1.###123img.com
- DNS ASK pa####rt.baidu.com
- DNS ASK ec####.baidu.com
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
