Overview

Overall score: 7

Tasks and scores

| Task | Platform | Score |
| --- | --- | --- |
| Static | static | 3 |
| 7f38832772...18.exe | windows7-x64 | 7 |
| 7f38832772...18.exe | windows10-2004-x64 | 7 |
| HFUILib.dll | windows7-x64 | 3 |
| HFUILib.dll | windows10-2004-x64 | 3 |
| HuofengGameWorld.exe | windows7-x64 | 6 |
| HuofengGameWorld.exe | windows10-2004-x64 | 7 |
| IEAux.dll | windows7-x64 | 1 |
| IEAux.dll | windows10-2004-x64 | 1 |
| bin/downlo...Fw.exe | windows7-x64 | 3 |
| bin/downlo...Fw.exe | windows10-2004-x64 | 7 |
| bin/downlo...rm.exe | windows7-x64 | 6 |
| bin/downlo...rm.exe | windows10-2004-x64 | 6 |
| bin/downlo...FW.exe | windows7-x64 | 1 |
| bin/downlo...FW.exe | windows10-2004-x64 | 1 |
| bin/downlo...71.dll | windows7-x64 | 1 |
| bin/downlo...71.dll | windows10-2004-x64 | 1 |
| bin/downlo...id.dll | windows7-x64 | 1 |
| bin/downlo...id.dll | windows10-2004-x64 | 1 |
| bin/downlo...ne.dll | windows7-x64 | 1 |
| bin/downlo...ne.dll | windows10-2004-x64 | 1 |
| bin/downlo...71.dll | windows7-x64 | 3 |
| bin/downlo...71.dll | windows10-2004-x64 | 3 |
| bin/downlo...71.dll | windows7-x64 | 3 |
| bin/downlo...71.dll | windows10-2004-x64 | 3 |
| bin/downlo...b1.dll | windows7-x64 | 3 |
| bin/downlo...b1.dll | windows10-2004-x64 | 3 |
| bin/xldl.dll | windows7-x64 | 3 |
| bin/xldl.dll | windows10-2004-x64 | 3 |
| hfgwupdate.exe | windows7-x64 | 6 |
| hfgwupdate.exe | windows10-2004-x64 | 6 |
| msvcp100.dll | windows7-x64 | 3 |
| msvcp100.dll | windows10-2004-x64 | 3 |

Analysis

| Field | Value |
| --- | --- |
| max time kernel | 143s |
| max time network | 148s |
| platform | windows7_x64 |
| resource | win7-20240508-en |
| resource tags | arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system |
| submitted | 29/05/2024, 02:30 |
| Task | ID | Sample | Resource |
| --- | --- | --- | --- |
| Static task | static1 | | |
| Behavioral task | behavioral1 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | win7-20240508-en |
| Behavioral task | behavioral2 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | win10v2004-20240426-en |
| Behavioral task | behavioral3 | HFUILib.dll | win7-20240220-en |
| Behavioral task | behavioral4 | HFUILib.dll | win10v2004-20240426-en |
| Behavioral task | behavioral5 | HuofengGameWorld.exe | win7-20231129-en |
| Behavioral task | behavioral6 | HuofengGameWorld.exe | win10v2004-20240426-en |
| Behavioral task | behavioral7 | IEAux.dll | win7-20240221-en |
| Behavioral task | behavioral8 | IEAux.dll | win10v2004-20240508-en |
| Behavioral task | behavioral9 | bin/download/MiniTPFw.exe | win7-20240221-en |
| Behavioral task | behavioral10 | bin/download/MiniTPFw.exe | win10v2004-20240508-en |
| Behavioral task | behavioral11 | bin/download/MiniThunderPlatform.exe | win7-20240221-en |
| Behavioral task | behavioral12 | bin/download/MiniThunderPlatform.exe | win10v2004-20240226-en |
| Behavioral task | behavioral13 | bin/download/ThunderFW.exe | win7-20231129-en |
| Behavioral task | behavioral14 | bin/download/ThunderFW.exe | win10v2004-20240426-en |
| Behavioral task | behavioral15 | bin/download/atl71.dll | win7-20240215-en |
| Behavioral task | behavioral16 | bin/download/atl71.dll | win10v2004-20240508-en |
| Behavioral task | behavioral17 | bin/download/dl_peer_id.dll | win7-20240220-en |
| Behavioral task | behavioral18 | bin/download/dl_peer_id.dll | win10v2004-20240508-en |
| Behavioral task | behavioral19 | bin/download/download_engine.dll | win7-20240419-en |
| Behavioral task | behavioral20 | bin/download/download_engine.dll | win10v2004-20240508-en |
| Behavioral task | behavioral21 | bin/download/msvcp71.dll | win7-20240508-en |
| Behavioral task | behavioral22 | bin/download/msvcp71.dll | win10v2004-20240508-en |
| Behavioral task | behavioral23 | bin/download/msvcr71.dll | win7-20240221-en |
| Behavioral task | behavioral24 | bin/download/msvcr71.dll | win10v2004-20240226-en |
| Behavioral task | behavioral25 | bin/download/zlib1.dll | win7-20240221-en |
| Behavioral task | behavioral26 | bin/download/zlib1.dll | win10v2004-20240508-en |
| Behavioral task | behavioral27 | bin/xldl.dll | win7-20240220-en |
| Behavioral task | behavioral28 | bin/xldl.dll | win10v2004-20240508-en |
| Behavioral task | behavioral29 | hfgwupdate.exe | win7-20240221-en |
| Behavioral task | behavioral30 | hfgwupdate.exe | win10v2004-20240508-en |
| Behavioral task | behavioral31 | msvcp100.dll | win7-20240215-en |
| Behavioral task | behavioral32 | msvcp100.dll | win10v2004-20240426-en |
General

| Field | Value |
| --- | --- |
| Target | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Size | 3.1MB |
| MD5 | 7f38832772b97aa7cd7c11e130273189 |
| SHA1 | e72700b338ac78333492c0cba6bbdca77f95be53 |
| SHA256 | 88cad3952c02dc2a6857ba73205d440d1326c051e7075bfb69a3429cb1f0a061 |
| SHA512 | 8d15e39cdd3d2b499b89b9655efdc696db45d5514a326baaf51e358e46e5ba06d6352fa82d320d8f07bde0465a48e1f7e21fd558b0588c18bec9fee83c1ec1ff |
| SSDEEP | 49152:APOk/NpIHct1WceDSkJKQMaU33X4b+J6QcRP/bxxbvHgeUe4X0sq3f6g5KibNJgn:ZhHcX9BQMaUHWJ/Nxkg4JqLKYJg9UjY |
Malware Config
Signatures

Executes dropped EXE (4 IoCs)

| pid | Process |
| --- | --- |
| 2784 | HuofengGameWorld.exe |
| 1616 | HuofengGameWorld.exe |
| 1620 | HuofengGameWorld.exe |
| 2804 | HuofengGameWorld.exe |

Loads dropped DLL (20 IoCs)

| pid | Process |
| --- | --- |
| 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| 2784 | HuofengGameWorld.exe |
| 2784 | HuofengGameWorld.exe |
| 2784 | HuofengGameWorld.exe |
| 2784 | HuofengGameWorld.exe |
| 1616 | HuofengGameWorld.exe |
| 1616 | HuofengGameWorld.exe |
| 1616 | HuofengGameWorld.exe |
| 1616 | HuofengGameWorld.exe |
| 1620 | HuofengGameWorld.exe |
| 1620 | HuofengGameWorld.exe |
| 1620 | HuofengGameWorld.exe |
| 1620 | HuofengGameWorld.exe |
| 2804 | HuofengGameWorld.exe |
| 2804 | HuofengGameWorld.exe |
| 2804 | HuofengGameWorld.exe |
| 2804 | HuofengGameWorld.exe |

Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HuofengGameWorld = "C:\\Users\\Admin\\AppData\\Local\\HuofengGameWorld\\hfgwupdate.exe -opensystem" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |

Checks installed software on the system (1 TTP)

Looks up Uninstall key entries in the registry to enumerate software on the system.

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

Bootkits write to the MBR to gain persistence at a level below the operating system.

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | HuofengGameWorld.exe |

Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 12 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HuofengGameWorld.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HuofengGameWorld.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | HuofengGameWorld.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | HuofengGameWorld.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HuofengGameWorld.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | HuofengGameWorld.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HuofengGameWorld.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HuofengGameWorld.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HuofengGameWorld.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HuofengGameWorld.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HuofengGameWorld.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | HuofengGameWorld.exe |

Modifies registry class (64 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1\CLSID\ = "{C06F84BC-734A-4C66-B3AF-590E7FC440AB}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\ProgID | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\HELPDIR | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF} | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1\CLSID | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CurVer\ = "IEAuxMod.IEAux.1" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\HuofengGameWorld\\IEAux.dll" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\VersionIndependentProgID\ = "IEAuxMod.IEAux" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\InprocServer32\ThreadingModel = "Apartment" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF} | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ = "_IIEAuxEvents" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1\ = "IEAux Class" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\FLAGS | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1} | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\Programmable | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\Version = "1.0" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\Version = "1.0" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AuxMod.DLL | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CLSID | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\VersionIndependentProgID | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\TypeLib | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\ProgID\ = "IEAuxMod.IEAux.1" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\InprocServer32 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72} | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CurVer | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\Version = "1.0" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ = "IIEAux" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\Version = "1.0" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CLSID\ = "{C06F84BC-734A-4C66-B3AF-590E7FC440AB}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\0 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ = "_IIEAuxEvents" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BB6E5AF6-C76F-48D1-A2C5-E412CD76AF87}\ = "AuxMod" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB} | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\Implemented Categories | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1} | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ = "IIEAux" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AuxMod.DLL\AppID = "{BB6E5AF6-C76F-48D1-A2C5-E412CD76AF87}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\FLAGS\ = "0" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\0\win32 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\HuofengGameWorld" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BB6E5AF6-C76F-48D1-A2C5-E412CD76AF87} | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\ = "IEAux 1.0 Type Library" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\ = "IEAux Class" | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | Process |
| --- | --- |
| 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe |

Suspicious use of WriteProcessMemory (16 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1932 wrote to memory of 2784 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 30 |
| PID 1932 wrote to memory of 2784 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 30 |
| PID 1932 wrote to memory of 2784 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 30 |
| PID 1932 wrote to memory of 2784 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 30 |
| PID 1932 wrote to memory of 1616 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 32 |
| PID 1932 wrote to memory of 1616 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 32 |
| PID 1932 wrote to memory of 1616 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 32 |
| PID 1932 wrote to memory of 1616 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 32 |
| PID 1932 wrote to memory of 1620 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 38 |
| PID 1932 wrote to memory of 1620 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 38 |
| PID 1932 wrote to memory of 1620 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 38 |
| PID 1932 wrote to memory of 1620 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 38 |
| PID 1932 wrote to memory of 2804 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 40 |
| PID 1932 wrote to memory of 2804 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 40 |
| PID 1932 wrote to memory of 2804 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 40 |
| PID 1932 wrote to memory of 2804 | 1932 | 7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe | 40 |
Processes

- C:\Users\Admin\AppData\Local\Temp\7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe"
  PID: 1932
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe
    Command line: "C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe" -installprotocol
    PID: 2784
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Enumerates system info in registry
  - C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe
    Command line: "C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe" -install_small_pack 10962855313023520271
    PID: 1616
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
  - C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe
    Command line: "C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe" -installicon 10962855313023520271
    PID: 1620
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
  - C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe
    Command line: "C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe" hfgame://id:10962855313023520271,category:5
    PID: 2804
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v15
Downloads

| Filesize | MD5 | SHA1 | SHA256 | SHA512 |
| --- | --- | --- | --- | --- |
| 393B | 74763b466651a9f061464bf3da5b7707 | c8ed4bc93bbbbcd5025eec9d31c7091146fbf422 | 258bcf86763cceb3e535f1d6422d8b2ba8f99a72af0843027ea54df12e7697db | e27176f8fef040cbbfa692b61366bcd1efd4679b053f8658c11a1da4da0d4d25b4544e28937f446f8cc155fcf52d033ec66e77b7bdc2952b4c0a86f12697c788 |
| 1KB | 01e39e241e2827c888e795353e5621f8 | 3d99454bfd035ad261c3f52ec73353164d8ecddb | cf8f255cd850593517070070c83973fe05670f581d65a07508c6228720df2708 | 9a23ae2fd728c6282ae10239966b1a52691501db3ddd8542e8c50f5a9560d536dbdb8a90bf511b814e6229fa7f8d1e4c56514f4eab94d2df26f5f893cc9752d2 |
| 312KB | 010b4d91d539d4e595bc5dfd0cc76d49 | 0a72003557a8676705ebdbdf23b35f62202d0099 | 93125bad493948dd0c577623a364751a1c960561a6b933a2c5dfd8b93421dad5 | fbb66f47a1e43732ed75b31aa420446544c6de29122df48f8d4ee6ff6f344faffe92ab669c74b9ff496a2eff103d7a70562d9c280e0f7661e886e3eb18399d53 |
| 955KB | f034531a701044350969d768a825b60c | 8763743d1d3e4c8a3cf151de06b34e67cec88465 | 11456913c0f21eeeb78a85ba0e3f6d7e420d1da47774f53c20973ccb89c04584 | a58495b929556edc955449b02ce4f92f21a9022a08d5b557d0107125b5493ecdad040e9813e2973b4f7fb3ab97acf2b0f7d7bdb7229412da42e97d4396816fae |
| 64KB | 3633de4079190b65d9c1a062db39b882 | 70b6f944a6711b69b8d1a992456dccb3bc2618f2 | 71141a084a6ccc601f9ae32b5a56476854efde219bdad3c4abc93865fb5e611b | d8a7540713e34c74261ca542d3dc4ec1cb35da3953ba6fb390f4526147df1a14c68d940756a53a44676f6faa7ca9cc0bfb442ce390038c321117a832ace10362 |
| 411KB | e3c817f7fe44cc870ecdbcbc3ea36132 | 2ada702a0c143a7ae39b7de16a4b5cc994d2548b | d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf | 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe |
| 755KB | bf38660a9125935658cfa3e53fdc7d65 | 0b51fb415ec89848f339f8989d323bea722bfd70 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
| 528KB | d12d28dce936a741dc0e01858f9f8ec4 | 7f04eb55fad0ca0cdf99dabcc00a7eb1634d85c5 | 38832085b72e6bf16fce077ddc848c0f72e9fb6888a13d0d5cd04ee99ce34d5f | 845a918fe1f08c4879bf381fe65529cd56ad539b0621483b40312ff971a39cf0865abcfcc8e2cc926aa5d65dece77e8f1a5cca6201cbac63c2d0b713f74eabcf |