Malware Analysis Report

2025-01-18 21:45

Sample ID: 240415-atr97shf78
Target: efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118
SHA256: 905d0ff21e4ee58ef2901e50012e56a4ec088e762f5cde6cfd0383d089b3556b
Tags: adware evasion stealer trojan
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 905d0ff21e4ee58ef2901e50012e56a4ec088e762f5cde6cfd0383d089b3556b

Threat Level: Shows suspicious behavior

The file efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: adware evasion stealer trojan

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Installs/modifies Browser Helper Object

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-04-15 00:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 00:30

Reported

2024-04-15 00:33

Platform

win7-20240215-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\f:\$recycle.bin\s-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe N/A
File opened for modification \??\f:\$recycle.bin\s-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe N/A

Installs/modifies Browser Helper Object

Tags: stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\TherapeuticAntediluvian\TherapeuticProtract.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe N/A
File opened for modification C:\Program Files\TherapeuticAntediluvian\TherapeuticProtract.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe N/A
File created C:\Program Files\TardyHypotenuse\GrandstandFantasia.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe N/A
File opened for modification C:\Program Files\TardyHypotenuse\GrandstandFantasia.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SUGUZEFHWD.dll C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ = "C:\\Windows\\SUGUZEFHWD.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32\ = "C:\\Windows\\SUGUZEFHWD.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID\ = "Thunder.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\ = "Thunder 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2816 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2816 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2816 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2816 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2816 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2816 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2816 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe
PID 2816 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe
PID 2816 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe
PID 2816 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe
PID 2816 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe
PID 2816 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe
PID 2816 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe
PID 2816 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe

Processes

C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Windows\SUGUZEFHWD.dll"

C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe

"C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe"

C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe

C:\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe

Network

Country Destination Domain Proto
US 205.209.168.5:443 tcp
US 8.8.8.8:53 buytomer.oCry.com udp
US 8.8.8.8:53 smithewife.zyns.com udp
US 205.209.168.5:443 tcp

Files

C:\Windows\SUGUZEFHWD.dll

MD5 bcecc5444cb852e1579d8bffd9371713
SHA1 1698a529f2b37ea9a9c945b1747ff405ed33df39
SHA256 e08975d4ba2fcee38c3f342f8dc06cf360f628ce27a539cf3696005ad127d263
SHA512 a0ac5ee5baf90cee8e531e590fcefd2880afe7cbd70e4a9505fd6dddd9370c613c33bb28d52f1978480912c7aaa97806a62e237d558835ee078ef069fa425689

\Users\Admin\AppData\Local\Temp\MenagerieMasonry.exe

MD5 619b4cf619eaebe531bb252e99cdd23b
SHA1 75131437e0039afc65aca67a7a54885b58b8054e
SHA256 cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402
SHA512 40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

C:\Program Files\TherapeuticAntediluvian\TherapeuticProtract.exe

MD5 efe1c8dce7b451c0c166c551de0e8dda
SHA1 61c6a5c8a0a4ab953b79c890d3c88b8286db1938
SHA256 905d0ff21e4ee58ef2901e50012e56a4ec088e762f5cde6cfd0383d089b3556b
SHA512 b778fc8f5ceb53fb7bdc04888a5ee382108e1be0e5b92f9b7d5e5e6a346c47eae647949c066198d058a65ff601b8750ad2262ad7154529d72ba5d261a5e69411

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 00:30

Reported

2024-04-15 00:33

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\f:\$recycle.bin\s-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe N/A
File opened for modification \??\f:\$recycle.bin\s-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe N/A

Installs/modifies Browser Helper Object

Tags: stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\LicitProtract\TardyGrandstand.exe C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe N/A
File opened for modification C:\Program Files\LicitProtract\TardyGrandstand.exe C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe N/A
File created C:\Program Files\NebulaTherapeutic\NebulaNebula.exe C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe N/A
File opened for modification C:\Program Files\NebulaTherapeutic\NebulaNebula.exe C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SUGUZEFHWD.dll C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\ = "Thunder 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32\ = "C:\\Windows\\SUGUZEFHWD.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID\ = "Thunder.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ = "C:\\Windows\\SUGUZEFHWD.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4504 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4504 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4504 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4504 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe
PID 4504 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe
PID 4504 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe
PID 4504 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe
PID 4504 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe
PID 4504 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe

Processes

C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efe1c8dce7b451c0c166c551de0e8dda_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Windows\SUGUZEFHWD.dll"

C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe

"C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe"

C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe

C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 205.209.168.5:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 buytomer.oCry.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 smithewife.zyns.com udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 205.209.168.5:443 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

C:\Windows\SUGUZEFHWD.dll

MD5 bcecc5444cb852e1579d8bffd9371713
SHA1 1698a529f2b37ea9a9c945b1747ff405ed33df39
SHA256 e08975d4ba2fcee38c3f342f8dc06cf360f628ce27a539cf3696005ad127d263
SHA512 a0ac5ee5baf90cee8e531e590fcefd2880afe7cbd70e4a9505fd6dddd9370c613c33bb28d52f1978480912c7aaa97806a62e237d558835ee078ef069fa425689

C:\Users\Admin\AppData\Local\Temp\ShareholderMasonry.exe

MD5 619b4cf619eaebe531bb252e99cdd23b
SHA1 75131437e0039afc65aca67a7a54885b58b8054e
SHA256 cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402
SHA512 40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

C:\Program Files\NebulaTherapeutic\NebulaNebula.exe

MD5 efe1c8dce7b451c0c166c551de0e8dda
SHA1 61c6a5c8a0a4ab953b79c890d3c88b8286db1938
SHA256 905d0ff21e4ee58ef2901e50012e56a4ec088e762f5cde6cfd0383d089b3556b
SHA512 b778fc8f5ceb53fb7bdc04888a5ee382108e1be0e5b92f9b7d5e5e6a346c47eae647949c066198d058a65ff601b8750ad2262ad7154529d72ba5d261a5e69411