Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\pjyhdvngxj] 'ImagePath' = '<DRIVERS>\jqPtzF.sys'
Creates the following services
- 'pjyhdvngxj' <DRIVERS>\jqPtzF.sys
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\tlzutfdd\zgzlzeyh.exe
- %TEMP%\dqbqrfqz\ytd35.exe
- %TEMP%\dqbqrfqz\tab.dll
- %TEMP%\dqbqrfqz\dagood.dll
- %TEMP%\dqbqrfqz\kljdwp.exe
- %TEMP%\dqbqrfqz\888061.dll
- %TEMP%\dqbqrfqz\2.dll
- %TEMP%\5531.tmp
- %TEMP%\faeafaabd3555cb68e2f34fa2382cb321cd88.tmp
- %TEMP%\6152.tmp
- %TEMP%\6308.tmp
- %TEMP%\6d18.tmp
- <DRIVERS>\jqptzf.sys
Deletes the following files
- %TEMP%\5531.tmp
- %TEMP%\6152.tmp
- %TEMP%\6308.tmp
- %TEMP%\6d18.tmp
- <DRIVERS>\jqptzf.sys
- %TEMP%\dqbqrfqz\ytd35.exe
Modifies the following files
Network activity
Connects to
- 'by#.##.lcg2020.com':80
- 'microsoft.com':80
- 'cl####.vbnm34567.xyz':8088
- 'sp#.#aidu.com':80
- 'ap##.#ame.qq.com':80
- 'ap#.#bbtv.xyz':80
- '47.##6.6.217':6663
- 'ht.###wqd.en35.xyz':8088
- 'pv.#ohu.com':80
- 'xy#.##opdomain1.com':80
- 'nm#####.hjkl45678.xyz':80
- 'hj#####t.hjurjuyt.com':8890
- 'wx#.#inaimg.cn':80
- 'ba##u.com':443
- 'tj.##789.top':80
- 'up.##nzhuan.xyz':80
- '14#.#2.57.39':190
- 'tj.##789.top':666
- 'af#.#afe.xyz':8889
- 'ba###gif.com':2653
- 'td.#.##opdomain1.com':80
- 'cd########yz.slt.sched.tdnsv8.com':80
- 'mp####.hjkl45678.xyz':80
TCP
HTTP GET requests
- http://do##.onefast.cc/pgm/mpr/c995ec7fd4f57c0d/11071df961de36f4.zip
- http://do##.onefast.cc/cfg/cmc/kfbd.txt
- http://do##.onefast.cc/pgm/mds/f5d2972ba2a267dd/01b52f532c849cf0806bd3d18fd238b64bb7774f1979663d64.zip
- http://do##.onefast.cc/cfg/cmc/kfbdu.txt
- http://do##.onefast.cc/cfg/cmc/b2.txt
- http://11#.#29.100.93/report.php?da##############################################################################################################################################################...
- http://do##.onefast.cc/cfg/cmc/qzpass.txt
- http://1.###.175.101/report/report_data?da#######################################################################################################################################################...
- http://do##.onefast.cc/cfg/cmc/slfdm.txt
- http://do##.onefast.cc/pgm/mds/05631e93ccdb00ee/8f007cd4c25ecb56e4532c581a4fabaa6803360c369b568064.zip
- http://do##.onefast.cc/pgm/mds/52408051d2c341e5/3fd88158fb5b2ae0aba8d1aa36c27f8b28b7710111292ea464.zip
- http://do##.onefast.cc/cfg/pub/ps.json
- http://1.###.175.101/report.php?ty###############################################################################################################################################################...
- http://do##.onefast.cc/cfg/pub/ms.json
- http://do##.onefast.cc/cfg/user/c995ec7fd4f57c0d/11071df961de36f4.json
- http://do##.onefast.cc/cfg/cmc/blacklist.txt
- http://ap#.#bbtv.xyz/m.php?md##########################################################
- http://do##.onefast.cc/cfg/cmc/userpq.zip
- http://hj######.hjurjuyt.com:8890/nb/indexx.html
- http://hj######.hjurjuyt.com:8890/nb/biz6.html
- http://af#.##fe.xyz:8889/s/wb/0/scr/index.html via af#.#afe.xyz
- http://14#.##.57.39:190/Application/set/776012/RtkAudUService32.dll via 14#.#2.57.39
- http://do##.onefast.cc/pgm/mds/422ed73a26bc994c/face66c3c8766717d00ff2449308f08ce3f16e91eab26e2f64.zip
- http://do##.onefast.cc/cfg/cmc/sfbd.txt
HTTP POST requests
- http://by#.##.lcg2020.com/checkver
- http://by#.##.lcg2020.com/zzz
- http://14#.##.57.39:190/?c=################### via 14#.#2.57.39
- http://up.##nzhuan.xyz/up/v
- http://up.##nzhuan.xyz/up/z
Other
- 'ba###gif.com':2653
- 'ba##u.com':443
- '47.##6.6.217':6663
UDP
- DNS ASK by#.##.lcg2020.com
- DNS ASK yh##2yh.com
- DNS ASK microsoft.com
- DNS ASK nm#####.hjkl45678.xyz
- DNS ASK lo#.#nefast.cc
- DNS ASK pa#####t.ourgame.com
- DNS ASK cu####fas-vveqs.com
- DNS ASK zx###xltzy.com
- DNS ASK xb##080.com
- DNS ASK mp####.hjkl45678.xyz
- DNS ASK s3#####ud.meiqia.com
- DNS ASK s3#######.meiqiausercontent.com
- DNS ASK ne####i.meiqia.com
- DNS ASK te########ets.meiqiausercontent.com
- DNS ASK ch#####k.mstatik.com
- DNS ASK xk##lzx.com
- DNS ASK st####.meiqia.com
- DNS ASK hy#.#kjznx.pw
- DNS ASK cl####.vbnm34567.xyz
- DNS ASK 27##3td.top
- DNS ASK ca#######client-a.meiqia.com
- DNS ASK sp#.#aidu.com
- DNS ASK 15#######c0be3c3.vbnm34567.xyz
- DNS ASK ap#.#bbtv.xyz
- DNS ASK ht.###wqd.en35.xyz
- DNS ASK pv.#ohu.com
- DNS ASK xy#.##opdomain1.com
- DNS ASK hj#####t.hjurjuyt.com
- DNS ASK ba##u.com
- DNS ASK wx#.#inaimg.cn
- DNS ASK cd########yz.slt.sched.tdnsv8.com
- DNS ASK 20####.ip138.com
- DNS ASK ap##.#ame.qq.com
- DNS ASK up.##nzhuan.xyz
- DNS ASK af#.#afe.xyz
- DNS ASK do##.onefast.cc
- DNS ASK ba###gif.com
- DNS ASK tj.##789.top
- DNS ASK td.#.##opdomain1.com
- DNS ASK do##.####ast.cc.cdn.dnsv1.com
- DNS ASK 07##56.com
- '<LOCALNET>.14.186':18954
- '<LOCALNET>.14.183':29232
- '<LOCALNET>.14.176':12971
- '<LOCALNET>.14.171':16972
- '<LOCALNET>.14.172':29231
- '<LOCALNET>.14.182':25105
- '<LOCALNET>.14.173':25102
- '<LOCALNET>.14.175':10813
- '<LOCALNET>.14.177':18943
- '<LOCALNET>.14.178':54117
- '<LOCALNET>.14.185':14955
- '<LOCALNET>.14.179':49988
- '<LOCALNET>.14.174':14942
- '<LOCALNET>.14.170':21101
- '<LOCALNET>.14.196':14617
- '<LOCALNET>.14.188':50011
- '<LOCALNET>.14.189':54138
- '<LOCALNET>.14.190':29026
- '<LOCALNET>.14.191':24899
- '<LOCALNET>.14.192':20768
- '<LOCALNET>.14.193':16641
- '<LOCALNET>.14.194':12774
- '<LOCALNET>.14.195':18748
- '<LOCALNET>.14.184':10828
- '<LOCALNET>.14.169':61557
- '<LOCALNET>.14.166':10511
- '<LOCALNET>.14.233':63386
- '<LOCALNET>.14.180':16979
- '<LOCALNET>.14.187':12980
- '<LOCALNET>.14.181':21106
- '<LOCALNET>.14.154':29835
- '<LOCALNET>.14.141':16020
- '<LOCALNET>.14.145':22427
- '<LOCALNET>.14.146':26616
- '<LOCALNET>.14.147':30681
- '<LOCALNET>.14.148':34358
- '<LOCALNET>.14.149':38423
- '<LOCALNET>.14.150':13327
- '255.255.255.255':46554
- '<LOCALNET>.14.151':19363
- '<LOCALNET>.14.152':15298
- '<LOCALNET>.14.153':11233
- '<LOCALNET>.14.234':34685
- '<LOCALNET>.14.155':25770
- '<LOCALNET>.14.143':14173
- '<LOCALNET>.14.156':21705
- '<LOCALNET>.14.158':46343
- '<LOCALNET>.14.159':42278
- '<LOCALNET>.14.160':24924
- '<LOCALNET>.14.161':29053
- '<LOCALNET>.14.162':16670
- '<LOCALNET>.14.163':20799
- '<LOCALNET>.14.164':18765
- '<LOCALNET>.14.165':12793
- '<LOCALNET>.14.197':10490
- '<LOCALNET>.14.168':57428
- '<LOCALNET>.14.198':61546
- '<LOCALNET>.14.202':45800
- '<LOCALNET>.14.200':37546
- '<LOCALNET>.14.157':17640
- '<LOCALNET>.14.142':10108
- '<LOCALNET>.14.167':14640
- '<LOCALNET>.14.235':38748
- '<LOCALNET>.14.226':37902
- '<LOCALNET>.14.208':15127
- '<LOCALNET>.14.238':18161
- '<LOCALNET>.14.239':22224
- '<LOCALNET>.14.240':24174
- '<LOCALNET>.14.241':20047
- '<LOCALNET>.14.242':32300
- '<LOCALNET>.14.243':28173
- '<LOCALNET>.14.244':18015
- '<LOCALNET>.14.245':13888
- '<LOCALNET>.14.246':16040
- '<LOCALNET>.14.247':11913
- '<LOCALNET>.14.248':57190
- '<LOCALNET>.14.249':53063
- '<LOCALNET>.14.250':27999
- '<LOCALNET>.14.237':46878
- '<LOCALNET>.14.251':32126
- '<LOCALNET>.14.253':23868
- '<LOCALNET>.14.254':11739
- '23#.#23.112.211':55942
- 'ff##::1:3':5355
- '22#.0.0.252':5355
- '255.255.255.255':47754
- '255.255.255.255':3150
- '<LOCALNET>.14.232':59323
- '<LOCALNET>.14.199':57419
- '<LOCALNET>.14.231':55256
- '<LOCALNET>.14.229':26081
- '<LOCALNET>.14.201':33419
- '<LOCALNET>.14.203':41673
- '<LOCALNET>.14.252':19741
- '<LOCALNET>.14.204':53806
- '<LOCALNET>.14.206':62060
- '<LOCALNET>.14.41':36699
- '<LOCALNET>.14.209':11000
- '<LOCALNET>.14.210':41371
- '<LOCALNET>.14.211':45498
- '<LOCALNET>.14.212':33241
- '<LOCALNET>.14.213':37368
- '<LOCALNET>.14.214':57631
- '<LOCALNET>.14.215':61758
- '<LOCALNET>.14.216':49501
- '<LOCALNET>.14.217':53628
- '<LOCALNET>.14.94':43426
- '<LOCALNET>.14.219':12466
- '<LOCALNET>.14.220':62664
- '<LOCALNET>.14.221':58601
- '<LOCALNET>.14.222':54410
- '<LOCALNET>.14.223':50347
- '<LOCALNET>.14.224':46156
- '<LOCALNET>.14.225':42093
- '<LOCALNET>.14.144':18362
- '<LOCALNET>.14.227':33839
- '<LOCALNET>.14.228':30144
- '<LOCALNET>.14.230':51193
- '<LOCALNET>.14.207':57933
- '<LOCALNET>.14.139':14069
- '<LOCALNET>.14.137':61006
- '<LOCALNET>.14.36':26155
- '<LOCALNET>.14.37':30218
- '<LOCALNET>.14.38':34789
- '<LOCALNET>.14.39':38852
- '<LOCALNET>.14.140':11955
- '<LOCALNET>.14.236':42815
- '<LOCALNET>.14.40':40826
- '<LOCALNET>.14.120':44440
- '<LOCALNET>.14.42':48952
- '<LOCALNET>.14.45':53215
- '<LOCALNET>.14.46':65468
- '<LOCALNET>.14.47':61341
- '<LOCALNET>.14.48':17895
- '<LOCALNET>.14.49':13768
- '<LOCALNET>.14.35':22088
- '<LOCALNET>.14.50':44107
- '<LOCALNET>.14.53':39976
- '<LOCALNET>.14.54':60623
- '<LOCALNET>.14.106':43836
- '<LOCALNET>.14.56':52365
- '<LOCALNET>.14.57':56492
- '<LOCALNET>.14.58':11587
- '<LOCALNET>.14.44':57342
- '<LOCALNET>.14.59':15714
- '<LOCALNET>.14.61':59705
- '<LOCALNET>.14.62':55642
- '<LOCALNET>.14.63':51579
- '<LOCALNET>.14.64':47516
- '<LOCALNET>.14.65':43453
- '<LOCALNET>.14.66':39390
- '<LOCALNET>.14.52':35849
- '<LOCALNET>.14.34':18025
- '<LOCALNET>.14.33':13966
- '<LOCALNET>.14.32':20004
- '<LOCALNET>.14.1':47214
- '<LOCALNET>.14.2':34829
- '<LOCALNET>.14.3':38956
- '<LOCALNET>.14.60':63768
- '<LOCALNET>.14.4':59595
- '<LOCALNET>.14.55':64750
- '<LOCALNET>.14.6':51337
- '<LOCALNET>.14.30':11874
- '<LOCALNET>.14.31':15937
- '<LOCALNET>.14.17':14301
- '<LOCALNET>.14.16':10174
- '<LOCALNET>.14.15':12330
- '<LOCALNET>.14.14':18304
- '<LOCALNET>.14.11':28846
- '<LOCALNET>.14.12':16589
- '<LOCALNET>.14.10':24719
- '<LOCALNET>.14.9':14694
- '<LOCALNET>.14.29':42229
- '<LOCALNET>.14.8':10567
- '<LOCALNET>.14.13':20716
- '<LOCALNET>.14.28':46292
- '<LOCALNET>.14.18':57735
- '<LOCALNET>.14.26':21786
- '<LOCALNET>.14.67':35327
- '<LOCALNET>.14.25':25977
- '<LOCALNET>.14.23':11572
- '<LOCALNET>.14.22':15635
- '<LOCALNET>.14.21':19826
- '<LOCALNET>.14.20':13788
- '<LOCALNET>.14.19':61862
- '<LOCALNET>.14.24':30040
- '<LOCALNET>.14.138':18198
- '<LOCALNET>.14.68':30736
- '<LOCALNET>.14.70':51753
- '<LOCALNET>.14.7':55464
- '<LOCALNET>.14.27':17723
- '<LOCALNET>.14.5':63722
- '<LOCALNET>.14.107':47901
- '<LOCALNET>.14.128':11408
- '<LOCALNET>.14.109':23251
- '<LOCALNET>.14.111':59626
- '<LOCALNET>.14.112':55433
- '<LOCALNET>.14.113':51368
- '<LOCALNET>.14.114':47183
- '<LOCALNET>.14.115':43118
- '<LOCALNET>.14.116':38925
- '<LOCALNET>.14.117':34860
- '<LOCALNET>.14.118':31171
- '<LOCALNET>.14.119':27106
- '<LOCALNET>.14.105':39775
- '<LOCALNET>.14.205':49679
- '<LOCALNET>.14.122':36314
- '<LOCALNET>.14.123':40443
- '<LOCALNET>.14.124':60700
- '<LOCALNET>.14.125':64829
- '<LOCALNET>.14.126':52574
- '<LOCALNET>.14.43':44825
- '<LOCALNET>.14.129':15537
- '<LOCALNET>.14.130':40617
- '<LOCALNET>.14.131':36488
- '<LOCALNET>.14.132':48875
- '<LOCALNET>.14.133':44746
- '<LOCALNET>.14.134':56877
- '<LOCALNET>.14.135':52748
- '<LOCALNET>.14.136':65135
- '<LOCALNET>.14.121':48569
- '<LOCALNET>.14.104':35710
- '<LOCALNET>.14.103':64409
- '<LOCALNET>.14.108':19186
- '<LOCALNET>.14.110':63691
- '<LOCALNET>.14.218':18440
- '<LOCALNET>.14.102':60344
- '<LOCALNET>.14.72':60011
- '<LOCALNET>.14.74':35501
- '<LOCALNET>.14.75':39564
- '<LOCALNET>.14.76':43759
- '<LOCALNET>.14.77':47822
- '<LOCALNET>.14.78':19233
- '<LOCALNET>.14.79':23296
- '<LOCALNET>.14.80':55831
- '<LOCALNET>.14.81':51766
- '<LOCALNET>.14.82':64085
- '<LOCALNET>.14.83':60020
- '<LOCALNET>.14.84':39571
- '<LOCALNET>.14.85':35506
- '<LOCALNET>.14.86':47825
- '<LOCALNET>.14.73':64074
- '<LOCALNET>.14.87':43760
- '<LOCALNET>.14.100':52218
- '<LOCALNET>.14.99':30735
- '<LOCALNET>.14.98':26670
- '<LOCALNET>.14.97':39361
- '<LOCALNET>.14.96':35296
- '<LOCALNET>.14.69':26673
- '<LOCALNET>.14.95':47491
- '<LOCALNET>.14.93':55621
- '<LOCALNET>.14.92':51556
- '<LOCALNET>.14.91':63751
- '<LOCALNET>.14.90':59686
- '<LOCALNET>.14.89':19262
- '<LOCALNET>.14.88':23327
- '<LOCALNET>.14.101':56283
- '<LOCALNET>.14.71':55816
- '<LOCALNET>.14.127':56703
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: 'ProgMan' WindowName: ''
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
- ClassName: '2978' WindowName: ''
- ClassName: 'TrayNotifyWnd' WindowName: ''
- ClassName: 'SysPager' WindowName: ''
- ClassName: 'ToolbarWindow32' WindowName: ''
- ClassName: 'HallMainWnd' WindowName: ''
- ClassName: 'NotifyIconOverflowWindow' WindowName: ''
- ClassName: 'jjhgame' WindowName: ''
- ClassName: '1916GameCenter' WindowName: '1916ÓÎÏ·ÖÐÐÄ'
- ClassName: '850GamePlaza' WindowName: ''
- ClassName: 'Net77_GamePlaza' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '%TEMP%\tlzutfdd\zgzlzeyh.exe' -k
- '%TEMP%\dqbqrfqz\ytd35.exe'
- '%TEMP%\dqbqrfqz\kljdwp.exe'
- '<SYSTEM32>\ipconfig.exe' /flushdns' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ipconfig /all' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 1 & del /Q /F "%TEMP%\dqBqrFQZ\ytd35.exe"' (with hidden window)
Executes the following
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%TEMP%\tlzutfdd\zgzlzeyh.exe"
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '%WINDIR%\syswow64\cmd.exe' /c ipconfig /all
- '%WINDIR%\syswow64\ipconfig.exe' /all
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 1 & del /Q /F "%TEMP%\dqBqrFQZ\ytd35.exe"
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\explorer.exe"
- '%WINDIR%\syswow64\timeout.exe' /t 1
- '<SYSTEM32>\svchost.exe' -k netsvcs
