3Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
20/05/2024, 10:24
Static task
static1
Behavioral task
behavioral1
Sample
5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsSCM.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsSCM.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PROGRAMFILES/PAZUƴӡ/P4D.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
$PROGRAMFILES/PAZUƴӡ/P4D.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
$PROGRAMFILES/PAZUƴӡ/PAZUCloudSrv.exe
Resource
win7-20240419-en
Behavioral task
behavioral10
Sample
$PROGRAMFILES/PAZUƴӡ/PAZUCloudSrv.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
$PROGRAMFILES/PAZUƴӡ/html/print-ie-sln.html
Resource
win7-20240215-en
Behavioral task
behavioral12
Sample
$PROGRAMFILES/PAZUƴӡ/html/print-ie-sln.html
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
$PROGRAMFILES/PAZUƴӡ/js/pazu_hack.js
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$PROGRAMFILES/PAZUƴӡ/js/pazu_hack.js
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
$PROGRAMFILES/PAZUƴӡ/js/pazuclient.js
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
$PROGRAMFILES/PAZUƴӡ/js/pazuclient.js
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
$PROGRAMFILES/PAZUƴӡ/js/pazucloud.js
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
$PROGRAMFILES/PAZUƴӡ/js/pazucloud.js
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
$PROGRAMFILES/PAZUƴӡ/sc_setup.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
$PROGRAMFILES/PAZUƴӡ/sc_setup.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
$PROGRAMFILES/4Fang/SafeIE.exe
Resource
win7-20231129-en
Behavioral task
behavioral24
Sample
$PROGRAMFILES/4Fang/SafeIE.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
$SYSDIR/PAZU.dll
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
$SYSDIR/PAZU.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
$SYSDIR/PAZUVista.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
$SYSDIR/PAZUVista.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
$SYSDIR/pazuVistaInst.exe
Resource
win7-20240508-en
Behavioral task
behavioral30
Sample
$SYSDIR/pazuVistaInst.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral31
Sample
$PROGRAMFILES/PAZUƴӡ/sys/dcom.dll
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
$PROGRAMFILES/PAZUƴӡ/sys/dcom.dll
Resource
win10v2004-20240508-en
General
-
Target
5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe
-
Size
365KB
-
MD5
5e941091299bcff65b7b6ea84aa9c2e9
-
SHA1
e68192f4420b0782afcf0d35403ae0f2c9a26450
-
SHA256
2b90e389578f65caca0148d3e79eeb9bdafadb8345267033a0603a98dfd7d7ed
-
SHA512
f134c339d3d43f23d215313514b02e42319f65d8ebd4d86dc412f9debec9f24ff32069c674511f4e011bf8dc063ddfe7e3728b0e109b1efaa10dcd2b39893b69
-
SSDEEP
6144:18LxBh6yxLs7AFSYqNLaENrUXVZlO++OZC+Hd7vMCRGBTh1v4B7wskcnm/aYgxv:A6ywgPBLlOuHd7UvTh1vuwv/aLt
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe -
Note: the signature name is misleading; the only IoC is the hosts file being opened for write. The report records the open, not what (if anything) was written, so confirm on a live or reconstructed image whether entries were added before treating this as DNS tampering.
Executes dropped EXE 3 IoCs
pid Process 2560 sc_setup_oem.exe 2240 pazuVistaInst.exe 2400 PAZUCloudSrv.exe -
Loads dropped DLL 10 IoCs
pid Process 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 2560 sc_setup_oem.exe 2560 sc_setup_oem.exe 2560 sc_setup_oem.exe 2560 sc_setup_oem.exe 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAZUCloudSrv = "C:\\Program Files (x86)\\PAZUÔÆ´òÓ¡×é¼þ\\PAZUCloudSrv.exe" 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PAZUCloudSrv = "C:\\Program Files (x86)\\PAZUÔÆ´òÓ¡×é¼þ\\PAZUCloudSrv.exe" 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe -
Note: persistence is set in both the user hive (HKCU) and the machine hive (HKLM\...\Wow6432Node), so the service restarts for every user as well as the installing one. The directory name "PAZUÔÆ´òÓ¡×é¼þ" is GBK-encoded Chinese that the sandbox rendered as Latin-1; the bytes decode to "PAZU云打印组件" ("PAZU cloud print component"), and "4FangÔÚÏßÈí¼þ" (below) to "4Fang在线软件" ("4Fang online software"). Detections should match on the raw bytes or on both renderings, not on this mojibake alone.
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\PAZU.ocx sc_setup_oem.exe File created C:\Windows\SysWOW64\PAZUVista.exe sc_setup_oem.exe File created C:\Windows\SysWOW64\pazuVistaInst.exe sc_setup_oem.exe File opened for modification C:\Windows\SysWOW64\pazuVistaInst.exe sc_setup_oem.exe -
Drops file in Program Files directory 16 IoCs
description ioc Process File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\P4D.exe 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\config.ini 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\js\pazucloud.js 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\sys\dcom.dll 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\uninst.exe 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\temp\ 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\Log\ServiceLog.txt PAZUCloudSrv.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\PAZUCloudSrv.exe 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\html\print-ie-sln.html 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\js\pazuclient.js 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\js\pazu_hack.js 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\temp\sc_setup_oem.exe 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\sc_setup.exe 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\temp\sc_setup.exe 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe File created C:\Program Files (x86)\4FangÔÚÏßÈí¼þ\SafeIE.exe sc_setup_oem.exe File created C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\Log\ServiceLog.txt PAZUCloudSrv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x0009000000014825-27.dat nsis_installer_1 behavioral1/files/0x0009000000014825-27.dat nsis_installer_2 -
Modifies Internet Explorer settings 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5}\AppPath = "C:\\Windows\\system32" sc_setup_oem.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no" sc_setup_oem.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5} sc_setup_oem.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Low Rights sc_setup_oem.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5}\AppPath = "C:\\Windows\\system32" sc_setup_oem.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5}\Policy = "3" sc_setup_oem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5} sc_setup_oem.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main sc_setup_oem.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy sc_setup_oem.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5}\AppName = "pazuvista.exe" sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5}\AppName = "pazuvista.exe" sc_setup_oem.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5}\Policy = "3" sc_setup_oem.exe -
Note: the heading for this signature was missing from the capture and is restored from the process tree ("Modifies Internet Explorer settings"). A Low Rights\ElevationPolicy entry with Policy = 3 is the documented setting that lets Protected Mode (low-integrity) Internet Explorer launch the named broker, here AppName pazuvista.exe under AppPath C:\Windows\system32, at medium integrity without prompting. That gives any page that can drive the installed control a path out of the IE sandbox, so the GUID {26AB6362-AB12-4416-9F67-07BFB871CAD5} and the AppName are useful hunt keys. The AppPath says system32, while the file itself was dropped into SysWOW64 (see "Drops file in System32 directory"); that is WOW64 file-system redirection acting on the 32-bit installer, and the same redirection is presumably what resolves the path when the 32-bit IE broker launches it.
Modifies data under HKEY_USERS 11 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5}\AppName = "pazuvista.exe" sc_setup_oem.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5} sc_setup_oem.exe Key created \REGISTRY\USER\.DEFAULT sc_setup_oem.exe Key created \REGISTRY\USER\.DEFAULT\Software sc_setup_oem.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft sc_setup_oem.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer sc_setup_oem.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Low Rights sc_setup_oem.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy sc_setup_oem.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5} sc_setup_oem.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5}\AppPath = "C:\\Windows\\system32" sc_setup_oem.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26AB6362-AB12-4416-9F67-07BFB871CAD5}\Policy = "3" sc_setup_oem.exe -
Modifies registry class 64 IoCs (the sandbox caps this list at 64; the full set is larger)
Note: alongside re-registration of stock script-engine and protocol-handler classes (JScript, VBS, LiveScript, Scripting.Encoder, PROTOCOLS\Handler\https), sc_setup_oem.exe registers the dropped C:\Windows\SysWow64\PAZU.ocx as an in-process COM server (CLSID {BF6338E8-5B65-476C-80DE-65FED0D58207}) with ProgIDs such as PAZU.CPrinter and PAZU.GaoFei. Combined with the ElevationPolicy entry above, this is an ActiveX component exposed to the browser; whether it is marked safe-for-scripting/initialization is not visible in this excerpt and should be checked before assessing exposure.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF6338E8-5B65-476C-80DE-65FED0D58207}\VERSION sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E2376A8-405C-4794-847C-32B0467E16A3}\Programmable sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BACE040A-9869-46C0-A771-A209ADF4823D}\ProxyStubClsid sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\file\ = "file:, local: Asychronous Pluggable Protocol Handler" sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode sc_setup_oem.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript\ sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF6338E8-5B65-476C-80DE-65FED0D58207}\TypeLib sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A74A00A1-640E-4D88-BBE1-385A25FAAA4D}\ProxyStubClsid32 sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF33188F-6656-4549-99A6-E394F0CE4EA4}\TypeLib sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B4C82EE-605E-4A9C-AE47-688840FAA623}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324} sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 sc_setup_oem.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69028594-A8DE-4F16-9263-22E9A4252565}\Forward\ = "{81CEEC84-6A85-480E-918D-F311331769FB}" sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLEScript sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2CBFC27-91DB-4B78-9760-B6C0338E51ED}\ = "_GaoFei" sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E2376A8-405C-4794-847C-32B0467E16A3}\TypeLib\ = "{DB74E627-EF9B-4D6D-A7FB-0082199AA7A8}" sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E2376A8-405C-4794-847C-32B0467E16A3}\Implemented Categories sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 sc_setup_oem.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69028594-A8DE-4F16-9263-22E9A4252565}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32 sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB6D0E6-3B6D-44DC-BEFF-B685D3CF6FC6}\ = "_Shell" sc_setup_oem.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A51A793-4C61-4D0A-BB6B-2335413CFF0D}\TypeLib\Version = "33c.d" sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF6338E8-5B65-476C-80DE-65FED0D58207}\InprocServer32\ = "C:\\Windows\\SysWow64\\PAZU.ocx" sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Version sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A2414229-96EE-476D-8F26-4E134D89C7E8}\Forward sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085} sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\ = "Script Encoder Object" sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2CBFC27-91DB-4B78-9760-B6C0338E51ED}\TypeLib\ = "{DB74E627-EF9B-4D6D-A7FB-0082199AA7A8}" sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81CEEC84-6A85-480E-918D-F311331769FB}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF33188F-6656-4549-99A6-E394F0CE4EA4}\VERSION\ = "828.13" sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2CBFC27-91DB-4B78-9760-B6C0338E51ED}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\https\CLSID = "{79eac9e5-baf9-11ce-8c82-00aa004ba90b}" sc_setup_oem.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author sc_setup_oem.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode 
sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B46140BD-6C6B-4EE6-9026-2431F8F9CECC} sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C8CB06B-7A46-42B6-8848-162826E2ED26}\Forward\ = "{E2CBFC27-91DB-4B78-9760-B6C0338E51ED}" sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B15B8DC0-C7E1-11d0-8680-00AA00BDCB71} sc_setup_oem.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLESCRIPT sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both" sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\ProgID sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBS\OLEScript sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E902957A-23B4-440C-893B-62204D3C8F75}\ProxyStubClsid sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript sc_setup_oem.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLESCRIPT sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\ProgID sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\InprocServer32 sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{DB74E627-EF9B-4D6D-A7FB-0082199AA7A8}\33c.d\0 sc_setup_oem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E2376A8-405C-4794-847C-32B0467E16A3}\ = "PAZU.CPrinter" sc_setup_oem.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\PAZU.GaoFei\Clsid\ = "{AF33188F-6656-4549-99A6-E394F0CE4EA4}" sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E902957A-23B4-440C-893B-62204D3C8F75}\Forward sc_setup_oem.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2CBFC27-91DB-4B78-9760-B6C0338E51ED}\TypeLib sc_setup_oem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E2376A8-405C-4794-847C-32B0467E16A3} sc_setup_oem.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2240 pazuVistaInst.exe 2400 PAZUCloudSrv.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2364 wrote to memory of 2560 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 28 PID 2364 wrote to memory of 2560 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 28 PID 2364 wrote to memory of 2560 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 28 PID 2364 wrote to memory of 2560 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 28 PID 2364 wrote to memory of 2560 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 28 PID 2364 wrote to memory of 2560 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 28 PID 2364 wrote to memory of 2560 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 28 PID 2560 wrote to memory of 2240 2560 sc_setup_oem.exe 29 PID 2560 wrote to memory of 2240 2560 sc_setup_oem.exe 29 PID 2560 wrote to memory of 2240 2560 sc_setup_oem.exe 29 PID 2560 wrote to memory of 2240 2560 sc_setup_oem.exe 29 PID 2364 wrote to memory of 2616 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 30 PID 2364 wrote to memory of 2616 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 30 PID 2364 wrote to memory of 2616 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 30 PID 2364 wrote to memory of 2616 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 30 PID 2364 wrote to memory of 2620 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 31 PID 2364 wrote to memory of 2620 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 31 PID 2364 wrote to memory of 2620 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 31 PID 2364 wrote to memory of 2620 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 31 PID 2364 wrote to memory of 2732 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 33 PID 2364 wrote to memory of 2732 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 33 PID 2364 wrote to memory of 2732 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 33 PID 2364 wrote to memory of 2732 2364 
5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 33 PID 2364 wrote to memory of 2400 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 36 PID 2364 wrote to memory of 2400 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 36 PID 2364 wrote to memory of 2400 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 36 PID 2364 wrote to memory of 2400 2364 5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5e941091299bcff65b7b6ea84aa9c2e9_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\temp\sc_setup_oem.exe"C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\temp\sc_setup_oem.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\pazuVistaInst.exe"C:\Windows\system32\pazuVistaInst.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2240
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "CheckNetIsolation LoopbackExempt -a -p=S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194"2⤵PID:2616
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "CheckNetIsolation LoopbackExempt -a -n=Microsoft.Windows.Spartan_cw5n1h2txyewy"2⤵PID:2620
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe"2⤵PID:2732
Note: the three CheckNetIsolation LoopbackExempt -a commands (an AppContainer SID, Microsoft.Windows.Spartan and Microsoft.MicrosoftEdge) add loopback exemptions so that AppContainer-isolated browsers can reach a listener on localhost, presumably the dropped PAZUCloudSrv.exe; this weakens AppContainer network isolation for those packages. CheckNetIsolation and AppContainers exist only on Windows 8 and later, so on the Windows 7 platform of this run the commands likely failed; their effect should be assessed on the Windows 10 behavioral task.
-
-
C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\PAZUCloudSrv.exe"C:\Program Files (x86)\PAZUÔÆ´òÓ¡×é¼þ\PAZUCloudSrv.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2400
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
23B
MD572c9c4a2cc14b42074522b971e5c99a6
SHA1e3498cee7f57f82d87b113911661accd5a2cd3df
SHA256cf02b2a2976515118b3bea7becd69e3abc22b49d0f5e4c3a3e1ecb0ba4cbeb50
SHA512e9bc28ac50a3a37e709e8283c0a61c9bbc437e5b03a64d391ad994af4a12491612564a9fde32e50a134c2efe994f116bb926bd306db70775569bfdb903f8faee
-
Filesize
199KB
MD57defbdc31ef10afad60b86e3880c9fea
SHA110aef9b8485ece78835e155f3f3742d6f8ff4fe5
SHA256aff268123430a25a6d5879c2fe5415e1fc018cde783274313c26a8a3c2d56e3f
SHA5125009fcb305c22657ae30cdaf79d4940e418edc53c04bcbcfb20b8db342a825ee2214ccc5d2925512085e8d0db2843fae22fd3ab98e000c57ba694fb92037aa30
-
Filesize
161KB
MD5585bf14b7fd9ded9c0c98bed84fe78e6
SHA12a0b85350c0c1d3e8bf3d2c9155728d18e2ecca9
SHA25671bd503327842f855bee5e055602ebb0c2c5e8f2b3f5983f4490718490ed4fde
SHA512d321f71eafbeff06e22c928e847eb04ed84f99ffb912cfe0bc19008d6effe4b7ecf3447a9f79f4687cea4ed6c11eefc98b4fbe09152ce2710ba69a3d843a8ee6
-
Filesize
4KB
MD5faa7f034b38e729a983965c04cc70fc1
SHA1df8bda55b498976ea47d25d8a77539b049dab55e
SHA256579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA5127868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize
5KB
MD562efa7b730eb0523a026ea4325403b77
SHA1806ed3bd677ccf5d9817c9b464015e347f2c8f3c
SHA2560b96456e8cf6b3e582388d3e530c73ce9121974381d51e5a21cd945c75fd2a38
SHA512748237582e1c25655cf512ec6b1a2f9ad59b3a0da2c3cada535f202dcc66e068ab3bb3be34016f944a4a4fae71a16aea12f9725fe9f679b3fd1073639e31033b
-
Filesize
10KB
MD556a321bd011112ec5d8a32b2f6fd3231
SHA1df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA5125354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3
-
Filesize
193KB
MD5f41f9c5a2a3c123aee141f3562d9799f
SHA1d3501f807f8070a7432ec482e2b4e03d02a20f53
SHA256de49fb40338aa5798989fae866e4d2d1e03aa6a301b151d6b58f5c37e679e52a
SHA512b1387785fe0c86579cf92c9366ca19c6c60d156dd5c92aaba3d3de10655f7d457ac2f83b8926067ec644cd648a5f0abfda6b7b7b743675da281f98c090e49463
-
Filesize
32KB
MD522275e8de6f1949149eb65b64eb277ea
SHA14b03a7c868c12dfc69eb908f6c369d82d83058f5
SHA256fc3746216f06fab8fad0ca6ec6eeb37a60ab8d945b03dfb84eb58032e9837d8a
SHA512f8ac3f562debc1d31d44cc43c9c174a3123118c524b3f7f036ad635a1391d0ca469fb0b7c425bce702e84810cfd7872e3edc424882c15913983bb05d27610fad