Traceability analysis of a new QQKey Trojan horse variant

Posted by tetley at 2020-04-06

2018-06-08 19:48

Report No.: b6-2018-060801

Report source: 360cert

Report author: 360cert

Update Date: June 8, 2018

0x00 Preface

Recently, 360cert detected a QQKey Trojan horse variant that evades almost all mainstream antivirus products on the market, and the Trojan's author openly operates a website in China to sell it. 360cert analyzed the sample immediately after receiving the variant.

(above: the Trojan author's official website)

0x01 Trojan analysis


(above: Trojan initialization stage)


(above: obtaining the QQ accounts logged in on the current computer)


Temporary workaround: the Trojan hard-codes port 4300 as the web port from which it obtains the QQKey. You can try logging in to several QQ accounts and then closing the QQ client that logged in first, so that the QQ quick-login service used by the subsequently logged-in clients moves to ports 4301-4310.
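As an added example (not from the 360cert report), the following Python script shows how a defender could check a Windows host for the behaviour described above: it parses `netstat -ano`-style output, locates the QQ quick-login listener(s) on ports 4300-4310, and flags any process other than an allowlisted client that holds a connection to one of them. The connection table, the PID-to-image map and the allowlist are constructed sample values, and the assumption that only the QQ client and the user's browser legitimately talk to that port is mine, not the report's.

```python
"""
Added example: flag unexpected processes connected to the QQ quick-login
web port (4300, or 4301-4310 once several QQ clients are running).
The netstat table, PID->image map and allowlist below are constructed.
"""
from dataclasses import dataclass

# Port range of the QQ quick-login service as described in the report.
QUICK_LOGIN_PORTS = range(4300, 4311)


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


def _split_addr(addr: str):
    # rpartition also handles bracketed IPv6 addresses such as "[::1]:4300".
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_netstat(text: str):
    """Parse Windows 'netstat -ano' output into Conn records (TCP rows only)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        # Header lines, blank lines and UDP rows (no State column) are skipped.
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        lh, lp = _split_addr(parts[1])
        rh, rp = _split_addr(parts[2])
        conns.append(Conn(parts[0], lh, lp, rh, rp, parts[3], int(parts[4])))
    return conns


def quick_login_listeners(conns):
    """Map each quick-login port that is LISTENING to the PID that owns it."""
    return {c.local_port: c.pid for c in conns
            if c.state == "LISTENING" and c.local_port in QUICK_LOGIN_PORTS}


def unexpected_clients(conns, pid_to_image, allowed_images):
    """Return (pid, image, port, listener_pid) for every non-allowlisted
    process that has an ESTABLISHED connection to a quick-login listener."""
    listeners = quick_login_listeners(conns)
    findings = []
    for c in conns:
        # The client side of a loopback connection is the row whose *remote*
        # port is the listening port.
        if c.state != "ESTABLISHED" or c.remote_port not in listeners:
            continue
        image = pid_to_image.get(c.pid, "<unknown>").lower()
        if image in allowed_images:
            continue
        findings.append((c.pid, image, c.remote_port, listeners[c.remote_port]))
    return findings


# Constructed sample output in the layout of 'netstat -ano' on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:4300         0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:4301         0.0.0.0:0              LISTENING       5210
  TCP    127.0.0.1:4300         127.0.0.1:51234        ESTABLISHED     4120
  TCP    127.0.0.1:51234        127.0.0.1:4300         ESTABLISHED     7788
  TCP    127.0.0.1:4301         127.0.0.1:51240        ESTABLISHED     5210
  TCP    127.0.0.1:51240        127.0.0.1:4301         ESTABLISHED     6001
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2048
"""

# Constructed PID -> image-name map (what 'tasklist' would report).
SAMPLE_IMAGES = {4: "System", 4120: "QQ.exe", 5210: "QQ.exe",
                 6001: "chrome.exe", 7788: "update_helper.exe"}

# Assumption: only the QQ client and the user's browser use the quick-login port.
ALLOWED_IMAGES = {"qq.exe", "chrome.exe"}

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("quick-login listeners:", quick_login_listeners(conns))
    for pid, image, port, owner in unexpected_clients(conns, SAMPLE_IMAGES, ALLOWED_IMAGES):
        print(f"suspicious: PID {pid} ({image}) connected to 127.0.0.1:{port} owned by PID {owner}")
```

On a real host the two inputs would come from `netstat -ano` and `tasklist` (or the equivalent API calls); the allowlist should be tuned to the browsers actually in use, since the quick-login service is meant to be reached from them, and any remaining hit is a candidate for the behaviour this report describes.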

0x02 Traceability analysis

(above: domain name whois information)


Contact: Liu Qianyi; contact email: [email protected]qq.com; mobile number: 17602394355; QQ number: 649484636. However, when we later checked the domain's modification history, we learned that the domain appears to have been transferred second-hand from an already ICP-registered domain, so the name and registration information may not be genuine.

(above: lattice shop information)

(above: Baidu Post Bar information)

Based on the QQ number, we found through search engines that the Trojan's author had published his contact information on Baidu Post Bar, a lattice shop and elsewhere: Mobile: 138833208351; Baidu Post Bar account: little hamster whirlwind

It turns out these were also channels through which he promoted the sale of the Trojan.

(above: contact information on the Trojan's official website)


(above: QQ group announcement)

(above: group member information)

After creating a throwaway QQ account and joining the group, we found: official cloud drive: http://agulang.cccpan.com/ password: Gulang; file download: gulang002; after-sales email: [email protected]

(above: cloud drive information)


(above: 360 Security Guard)


(above: FTP connection information in the software)


(above: the qqkey directory on the FTP server)

(above: some of the qqkey information)

We verified that the connection information is accurate and found that the qqkey directory contains names matching the login accounts of the Trojan generator.


0x03 Postscript

It is recommended that users download and install 360 Security Guard, which can accurately detect and remove this type of Trojan horse, and never trust any software prompt asking you to turn off antivirus before running it; safety first!

0x04 360 Network Security Response Center (360cert)

360cert was founded in May 2017. It is a young team with strong security capabilities, focused on upstream Internet emergency response, network attack and defense research, and malware analysis. Backed by 360's massive security data and the support of the team's top security experts, it has deep experience in security vulnerability event analysis, intelligence analysis and threat early warning.

Email: [email protected]

WeChat official account: 360CERT

0x05 Timeline

June 8, 2018: 360cert issues the analysis report

0x06 Reference links