Malware Analysis Report

2025-01-22 12:22

Sample ID 240518-vk4l4adf7z
Target 55d57cec0b11b83c759301459002e52a_JaffaCakes118
SHA256 c3e1a086cd330f1ebd8eccc8474354c349ac01d849456656584a4b81ff200779
Tags
aspackv2 upx
score
7/10

Analysis Overview

score
7/10

SHA256

c3e1a086cd330f1ebd8eccc8474354c349ac01d849456656584a4b81ff200779

Threat Level: Shows suspicious behavior

The file 55d57cec0b11b83c759301459002e52a_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2 upx

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

UPX packed file

ASPack v2.12-2.42

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies system certificate store

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 17:03

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-18 17:03

Reported

2024-05-18 17:06

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\game600cmt\RGSS103J.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3372 wrote to memory of 1808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3372 wrote to memory of 1808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3372 wrote to memory of 1808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\game600cmt\RGSS103J.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\game600cmt\RGSS103J.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 676

Network


Files

memory/1808-0-0x0000000010000000-0x000000001019D000-memory.dmp

memory/1808-2-0x0000000010000000-0x000000001019D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 17:03

Reported

2024-05-18 17:06

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\game600cmt\600层魔塔.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\game600cmt\600层魔塔.url

Network

N/A

Files

memory/3024-0-0x0000000000420000-0x0000000000421000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 17:03

Reported

2024-05-18 17:06

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

127s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\game600cmt\600层魔塔.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\game600cmt\600层魔塔.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8

Network


Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 17:03

Reported

2024-05-18 17:06

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\game600cmt\Game.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\game600cmt\Game.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\game600cmt\Game.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\game600cmt\Game.exe

"C:\Users\Admin\AppData\Local\Temp\game600cmt\Game.exe"

Network

N/A

Files

memory/1892-0-0x0000000010000000-0x000000001019D000-memory.dmp

memory/1892-1-0x00000000008F0000-0x00000000008F1000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 17:03

Reported

2024-05-18 17:06

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\game600cmt\Game.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\game600cmt\Game.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\game600cmt\Game.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\game600cmt\Game.exe

"C:\Users\Admin\AppData\Local\Temp\game600cmt\Game.exe"

Network


Files

memory/4516-0-0x0000000010000000-0x000000001019D000-memory.dmp

memory/4516-1-0x0000000006F40000-0x0000000006F41000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-18 17:03

Reported

2024-05-18 17:06

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B} C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\game600cmt\\" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\game600cmt\\PlayGame.exe" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\ = "StartGame Library" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe

"C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe"

Network


Files

memory/3536-0-0x0000000000400000-0x0000000000791000-memory.dmp

memory/3536-1-0x0000000002410000-0x0000000002411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\game600cmt\rungame.ini

MD5 ab12e4bb1420857cb82092c8e52a8b26
SHA1 d832cde1efa0ad1f59c8f037085a8cdadff9ca41
SHA256 82ae4895ca0c833e8a08f7369af423b07915df5fe9f5a96e4454954a48deb2aa
SHA512 1b3f52832b3b1f193e36960a8f67f2d2de4da7ee0b843bf254f63870114d19ec16af5eeebf1f11c248bb5bf91b0274aa20b723846ee0c78910328bb5b7ddea53

C:\Users\Admin\AppData\Local\Temp\game600cmt\Greening.dll

MD5 82ccb4dd63833063abd1c56ea80b529a
SHA1 bd89dae631cb68e5fa0c53accc83881f7cd365b3
SHA256 e3dccccc8f63981e528b0823a149f234bfd7cb56a23618f5004e379f8ada7183
SHA512 c908c553b7b9b7053c5938e20fe3ff97591097c3237554da3197b4d078b24cd12a5bb01597347652c422aaa920e86dc38a3776b96a6cfd46222798a3f8036867

C:\Users\Admin\AppData\Local\Temp\game600cmt\aqhttp.dll

MD5 3c9ec661f20ee6ca4bb17cfe7c0a5174
SHA1 9b9cbfe0e640d7e97c9c6caa5eb5fa9160cfcfe3
SHA256 71fd49b5c6af695e92eea36794025fca1b629cba62be6a5cdaf37648dd412c98
SHA512 2eebe718992a392c9a57a99cd3414e3a52fd14f06d52974d7700d57d9cf6dffafe80061f6f872edd4173982eabb95abbd99694760ce3fb35377513a8cf13ca5a

memory/3536-37-0x0000000000400000-0x0000000000791000-memory.dmp

memory/3536-39-0x0000000002410000-0x0000000002411000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-18 17:03

Reported

2024-05-18 17:06

Platform

win7-20240215-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe"

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\game600cmt\\" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B} C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\game600cmt\\PlayGame.exe" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\ = "StartGame Library" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe

"C:\Users\Admin\AppData\Local\Temp\game600cmt\PlayGame.exe"

Network


Files

memory/2312-0-0x0000000000400000-0x0000000000791000-memory.dmp

memory/2312-7-0x0000000000400000-0x0000000000791000-memory.dmp

\Users\Admin\AppData\Local\Temp\game600cmt\Greening.dll

MD5 82ccb4dd63833063abd1c56ea80b529a
SHA1 bd89dae631cb68e5fa0c53accc83881f7cd365b3
SHA256 e3dccccc8f63981e528b0823a149f234bfd7cb56a23618f5004e379f8ada7183
SHA512 c908c553b7b9b7053c5938e20fe3ff97591097c3237554da3197b4d078b24cd12a5bb01597347652c422aaa920e86dc38a3776b96a6cfd46222798a3f8036867

\Users\Admin\AppData\Local\Temp\game600cmt\aqhttp.dll

MD5 3c9ec661f20ee6ca4bb17cfe7c0a5174
SHA1 9b9cbfe0e640d7e97c9c6caa5eb5fa9160cfcfe3
SHA256 71fd49b5c6af695e92eea36794025fca1b629cba62be6a5cdaf37648dd412c98
SHA512 2eebe718992a392c9a57a99cd3414e3a52fd14f06d52974d7700d57d9cf6dffafe80061f6f872edd4173982eabb95abbd99694760ce3fb35377513a8cf13ca5a

C:\Users\Admin\AppData\Local\Temp\game600cmt\rungame.ini

MD5 ab12e4bb1420857cb82092c8e52a8b26
SHA1 d832cde1efa0ad1f59c8f037085a8cdadff9ca41
SHA256 82ae4895ca0c833e8a08f7369af423b07915df5fe9f5a96e4454954a48deb2aa
SHA512 1b3f52832b3b1f193e36960a8f67f2d2de4da7ee0b843bf254f63870114d19ec16af5eeebf1f11c248bb5bf91b0274aa20b723846ee0c78910328bb5b7ddea53

memory/2312-27-0x0000000004CF0000-0x0000000004D00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IFGNZ1XG\rank[1].htm

MD5 4f8e702cc244ec5d4de32740c0ecbd97
SHA1 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA256 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SHA512 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

memory/2312-59-0x0000000000400000-0x0000000000791000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IFGNZ1XG\softmain[1].css

MD5 729aa1f32dc5fe22bc67e7d73895c9c5
SHA1 bd90148bf8c4c47c9639826bde9d2341423dfa73
SHA256 c62bf9e3e8def17b145ee84add6b6f62ec972fd3609dc2a4bf175a2c4b9dbb02
SHA512 813a6d68fbe51a01d3f148a298cdcbf83b7404c895349b6dc42204f29b63bf50ff13d0ff43938a75f6b00dcdd6ea40c422cf8464807a722f387a37b9539aa720

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\softui[1].js

MD5 b9582f731eda9c4b2d967fc6d0cd3c02
SHA1 bc79c5b327762f3f3cfb0045c5098f26bdf94ef9
SHA256 de223f2810d08af3ef852c54ad26381998ad6a50fe75142eb505ff8f7058ae36
SHA512 f348ea4e0e129a49fd1cb48fe34bf9cabbd2bfea3167a6fa7d0b91e993711bf19df0d158a4d81ce371516d4ebdb7d25de770e3a1fe59b2258245f203ed83e85a

memory/2312-115-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/2312-117-0x0000000000400000-0x0000000000791000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-18 17:03

Reported

2024-05-18 17:06

Platform

win7-20240508-en

Max time kernel

140s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\game600cmt\RGSS103J.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\game600cmt\RGSS103J.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\game600cmt\RGSS103J.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 244

Network

N/A

Files

memory/836-0-0x0000000010000000-0x000000001019D000-memory.dmp

memory/836-1-0x0000000010000000-0x000000001019D000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-18 17:03

Reported

2024-05-18 17:06

Platform

win7-20240221-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\安装程序.exe

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

Network

Country Destination Domain Proto

Files

memory/2228-0-0x0000000000A80000-0x0000000000BA6000-memory.dmp

memory/2228-609-0x0000000000A80000-0x0000000000BA6000-memory.dmp

memory/2228-615-0x0000000000A80000-0x0000000000BA6000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-18 17:03

Reported

2024-05-18 17:06

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\安装程序.exe

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

Network

Country Destination Domain Proto

Files

memory/4348-0-0x0000000000AC0000-0x0000000000BE6000-memory.dmp

memory/4348-600-0x0000000000AC0000-0x0000000000BE6000-memory.dmp

memory/4348-606-0x0000000000AC0000-0x0000000000BE6000-memory.dmp