88cad3952c02dc2a6857ba73205d440d1326c051e7075bfb69a3429cb1f0a061

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Size

3.1MB
MD5

7f38832772b97aa7cd7c11e130273189
SHA1

e72700b338ac78333492c0cba6bbdca77f95be53
SHA256

88cad3952c02dc2a6857ba73205d440d1326c051e7075bfb69a3429cb1f0a061
SHA512

8d15e39cdd3d2b499b89b9655efdc696db45d5514a326baaf51e358e46e5ba06d6352fa82d320d8f07bde0465a48e1f7e21fd558b0588c18bec9fee83c1ec1ff
SSDEEP

49152:APOk/NpIHct1WceDSkJKQMaU33X4b+J6QcRP/bxxbvHgeUe4X0sq3f6g5KibNJgn:ZhHcX9BQMaUHWJ/Nxkg4JqLKYJg9UjY

Score

7^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	HuofengGameWorld.exe

Executes dropped EXE 6 IoCs

pid	Process
4188	HuofengGameWorld.exe
4568	HuofengGameWorld.exe
2456	HuofengGameWorld.exe
2792	hfgwupdate.exe
1704	HuofengGameWorld.exe
1972	HuofengGameWorld.exe

Loads dropped DLL 22 IoCs

pid	Process
3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
4188	HuofengGameWorld.exe
4188	HuofengGameWorld.exe
4188	HuofengGameWorld.exe
4188	HuofengGameWorld.exe
4568	HuofengGameWorld.exe
4568	HuofengGameWorld.exe
4568	HuofengGameWorld.exe
4568	HuofengGameWorld.exe
2456	HuofengGameWorld.exe
2456	HuofengGameWorld.exe
2456	HuofengGameWorld.exe
2456	HuofengGameWorld.exe
1704	HuofengGameWorld.exe
1704	HuofengGameWorld.exe
1704	HuofengGameWorld.exe
1704	HuofengGameWorld.exe
1972	HuofengGameWorld.exe
1972	HuofengGameWorld.exe
1972	HuofengGameWorld.exe
1972	HuofengGameWorld.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HuofengGameWorld = "C:\\Users\\Admin\\AppData\\Local\\HuofengGameWorld\\hfgwupdate.exe -opensystem"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HuofengGameWorld.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HuofengGameWorld.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	hfgwupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	HuofengGameWorld.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	hfgwupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HuofengGameWorld.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	hfgwupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	HuofengGameWorld.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	HuofengGameWorld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HuofengGameWorld.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	HuofengGameWorld.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\HuofengGameWorld.exe = "1"	HuofengGameWorld.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\HuofengGameWorld.exe = "9999"	HuofengGameWorld.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\GPU	HuofengGameWorld.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	HuofengGameWorld.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\HELPDIR	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ = "_IIEAuxEvents"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1\CLSID	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1\CLSID\ = "{C06F84BC-734A-4C66-B3AF-590E7FC440AB}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BB6E5AF6-C76F-48D1-A2C5-E412CD76AF87}\ = "AuxMod"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AuxMod.DLL\AppID = "{BB6E5AF6-C76F-48D1-A2C5-E412CD76AF87}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CLSID\ = "{C06F84BC-734A-4C66-B3AF-590E7FC440AB}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\HuofengGameWorld"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\Version = "1.0"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\HuofengGameWorld\\IEAux.dll"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\HuofengGameWorld\\IEAux.dll"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1\ = "IEAux Class"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\ProgID\ = "IEAuxMod.IEAux.1"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ = "IIEAux"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\VersionIndependentProgID	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BB6E5AF6-C76F-48D1-A2C5-E412CD76AF87}	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\ = "IEAux Class"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\Implemented Categories	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\ProgID	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\Version = "1.0"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CurVer\ = "IEAuxMod.IEAux.1"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\FLAGS\ = "0"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\ = "IEAux 1.0 Type Library"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\FLAGS	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\Version = "1.0"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\ = "IEAux Class"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\VersionIndependentProgID\ = "IEAuxMod.IEAux"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\TypeLib	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ = "_IIEAuxEvents"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ = "IIEAux"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CLSID	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CurVer	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\Version = "1.0"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\InprocServer32\ThreadingModel = "Apartment"	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\0\win32	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\0	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2792	hfgwupdate.exe
Token: SeRestorePrivilege	2792	hfgwupdate.exe
Token: SeChangeNotifyPrivilege	2792	hfgwupdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4188	HuofengGameWorld.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4188	HuofengGameWorld.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4188	HuofengGameWorld.exe
4188	HuofengGameWorld.exe
4188	HuofengGameWorld.exe
4188	HuofengGameWorld.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 4188	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	93
PID 3268 wrote to memory of 4188	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	93
PID 3268 wrote to memory of 4188	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	93
PID 3268 wrote to memory of 4568	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	94
PID 3268 wrote to memory of 4568	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	94
PID 3268 wrote to memory of 4568	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	94
PID 3268 wrote to memory of 2456	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	97
PID 3268 wrote to memory of 2456	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	97
PID 3268 wrote to memory of 2456	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	97
PID 4188 wrote to memory of 2792	4188	HuofengGameWorld.exe	98
PID 4188 wrote to memory of 2792	4188	HuofengGameWorld.exe	98
PID 4188 wrote to memory of 2792	4188	HuofengGameWorld.exe	98
PID 3268 wrote to memory of 1704	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	100
PID 3268 wrote to memory of 1704	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	100
PID 3268 wrote to memory of 1704	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	100
PID 3268 wrote to memory of 1972	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	101
PID 3268 wrote to memory of 1972	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	101
PID 3268 wrote to memory of 1972	3268	7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe	101

C:\Users\Admin\AppData\Local\Temp\7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f38832772b97aa7cd7c11e130273189_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe
  "C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe" -desktop
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Local\HuofengGameWorld\hfgwupdate.exe
    "C:\Users\Admin\AppData\Local\HuofengGameWorld\hfgwupdate.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe
  "C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe" -installprotocol
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Enumerates system info in registry
  PID:4568
- C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe
  "C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe" -install_small_pack 10962855313023520271
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:2456
- C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe
  "C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe" -installicon 10962855313023520271
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:1704
- C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe
  "C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe" hfgame://id:10962855313023520271,category:5
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HuofengGameWorld\HFUILib.dll

Filesize
312KB

MD5
010b4d91d539d4e595bc5dfd0cc76d49

SHA1
0a72003557a8676705ebdbdf23b35f62202d0099

SHA256
93125bad493948dd0c577623a364751a1c960561a6b933a2c5dfd8b93421dad5

SHA512
fbb66f47a1e43732ed75b31aa420446544c6de29122df48f8d4ee6ff6f344faffe92ab669c74b9ff496a2eff103d7a70562d9c280e0f7661e886e3eb18399d53

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\HuofengGameWorld.exe

Filesize
955KB

MD5
f034531a701044350969d768a825b60c

SHA1
8763743d1d3e4c8a3cf151de06b34e67cec88465

SHA256
11456913c0f21eeeb78a85ba0e3f6d7e420d1da47774f53c20973ccb89c04584

SHA512
a58495b929556edc955449b02ce4f92f21a9022a08d5b557d0107125b5493ecdad040e9813e2973b4f7fb3ab97acf2b0f7d7bdb7229412da42e97d4396816fae

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\IEAux.dll

Filesize
64KB

MD5
3633de4079190b65d9c1a062db39b882

SHA1
70b6f944a6711b69b8d1a992456dccb3bc2618f2

SHA256
71141a084a6ccc601f9ae32b5a56476854efde219bdad3c4abc93865fb5e611b

SHA512
d8a7540713e34c74261ca542d3dc4ec1cb35da3953ba6fb390f4526147df1a14c68d940756a53a44676f6faa7ca9cc0bfb442ce390038c321117a832ace10362

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\config.dat

Filesize
393B

MD5
74763b466651a9f061464bf3da5b7707

SHA1
c8ed4bc93bbbbcd5025eec9d31c7091146fbf422

SHA256
258bcf86763cceb3e535f1d6422d8b2ba8f99a72af0843027ea54df12e7697db

SHA512
e27176f8fef040cbbfa692b61366bcd1efd4679b053f8658c11a1da4da0d4d25b4544e28937f446f8cc155fcf52d033ec66e77b7bdc2952b4c0a86f12697c788

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\hfgwupdate.exe

Filesize
668KB

MD5
7500395f2c1353c49ba2ebf8b5a85546

SHA1
ef0cb174a919d92ce743d7e11e88c84eca19c620

SHA256
44e2c30372e3563f47b0dda78b8db697b8aa2270633437acb927478cb35073e7

SHA512
84721d6106ec6bd6fe333fb35f7ef926afccc948e3a2de1d1ceed30f95bd7f3148cc19b25c9652b07aa1bc6a956b4807b3e8c9d1067868998c27210b771ec33d

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\msvcp100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\setting\gamelib.png

Filesize
2KB

MD5
f1cd23cec1ad277e34214d8c7458c226

SHA1
0c3fa5144536b02657276377989cfb36d4c235de

SHA256
2ca40d953b3df2cb71ad3c649af7da3ef47878d0b647aaf803c4080ca292a797

SHA512
1ced2896739479a75095cdf860f345b78b32b7aadd173fb5fe7d8aa1cb5ea247731a831f533afd64d90d9dc58ce8fc3fcf2fdec35180e04de964da5310b1098e

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\setting\gamelib_hot.png

Filesize
1KB

MD5
428ab0566da92e393025855366022ecd

SHA1
04c3bad9fc7eefa952e9bdd8f8780f47f458c1b7

SHA256
78478d3cb7e8e20e92cea4045b547a931ae0fb36a5a7228d99f4321fa6a1ddb2

SHA512
984193111a36e1c8599520a626f5cbce6dfefee8ba90472737e7434db308b349270c4dd41ffe84bd578baf6cf251cc3d6985ffc390cca2b382b68efd29671f1c

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\setting\mygames.png

Filesize
2KB

MD5
5cae3b1af2d7fa15a301bd73e57bb6a8

SHA1
54502662655eac7889fd49b701d2f5f37ea1e219

SHA256
f2af69dd00da4e6b1fe8d930824a892cf0e75c9ae3c7a3132ce66288d17efdcb

SHA512
1effc7f30d2f86404a49fb0a50a470a5427234db9b3b05bd978bdc1f465e38468c0c9d00f366095985d6ac93aec3be26eb06d74d12d8aee15aa957306264ed53

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\setting\mygames_hot.png

Filesize
1KB

MD5
7f7d159e97d63a2e5b1ef6c18869b18c

SHA1
1cb0014172d654a3fc50e21344f8f2f021bba698

SHA256
79abce6749dd99c51dc8c13a9cba57540125df73582176b08d6990758ec09a68

SHA512
f2703f184912f54e200618409cd19211d79cd9a92bafa53b68b6d31b6e2d0ca9a107485e178ad17a64a943a5762fca4582bd498f34c33ad38f56c89e9eff72ff

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\setting\setting.dat

Filesize
530B

MD5
e759313e404abf86e930b2abdc262ea3

SHA1
b9d816d9b56ae0f2356f3f899285d338ae24ffe1

SHA256
13a9660b3115924ee645f8088a344e524d699179f4be201078ea849997d6b9f9

SHA512
f967fa7241db385d126b68561da0aa461d0844d0aa1107808f3d161608c4db42856184970afc13e59ecd9f3a4cf7de71be92f147357bdf5deb8933f068d8bf3f

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\skin.zip

Filesize
445KB

MD5
7f5f26ba449b6205b02230729349ec71

SHA1
a19c5d28281ef641ef96bc542d68a0372bb45db5

SHA256
6f02ecbb1aa8ecb8ff2c3d2bc2aca0d19e246c02c884238afd16b027de6f7d96

SHA512
6cd7f177e8552f4f3b9eb84b4456878c40c45ccf765ddf8715417e4117d5475e9355a7923203632cdcdcffb5957e5a1945b660eb4bb8fec937038711d7400eee

Download Submit
C:\Users\Admin\AppData\Local\HuofengGameWorld\sqlite3.dll

Filesize
528KB

MD5
d12d28dce936a741dc0e01858f9f8ec4

SHA1
7f04eb55fad0ca0cdf99dabcc00a7eb1634d85c5

SHA256
38832085b72e6bf16fce077ddc848c0f72e9fb6888a13d0d5cd04ee99ce34d5f

SHA512
845a918fe1f08c4879bf381fe65529cd56ad539b0621483b40312ff971a39cf0865abcfcc8e2cc926aa5d65dece77e8f1a5cca6201cbac63c2d0b713f74eabcf

Download Submit
C:\Users\Admin\Desktop\»ð·ïÓÎÏ·ÊÀ½ç.lnk

Filesize
1KB

MD5
21dee34df914e5bba0ea66850679b4d2

SHA1
1e083bbb6746b66b619bd544f93c50396a8122d9

SHA256
8ed262158da05e6bc56f78195165807ee8e3be3e06dd169789e189cd0a1bb5ef

SHA512
a84cd8dea651cf64d880e082211be6590c947dbb32528e2d71f0afea4b17b080265464bd3e7c73ffdfd91d5e060584c0f69441d4b6289918d782d7c011bf267c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads