Malware Analysis Report

2024-09-09 19:14

Sample ID 240613-twmmaazfml
Target a67b1993186041776a15ae97fcc99d36_JaffaCakes118
SHA256 8c6118146bda7b7f51946083e365ef66f122602eeca7b44559bbcf9f3e33c0f4
Tags
evasion
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

8c6118146bda7b7f51946083e365ef66f122602eeca7b44559bbcf9f3e33c0f4

Threat Level: Likely malicious

The file a67b1993186041776a15ae97fcc99d36_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion

Looks for VirtualBox Guest Additions in registry

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 16:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 16:24

Reported

2024-06-13 16:27

Platform

win7-20240221-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Program Files (x86)\picview_202406131624\202406131624\OKS.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\picview_202406131624\202406131624\OKS.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\2.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\Unins.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\msvcp100.dll C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_popup_pass.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\3.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmAdvert.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmTrayMenu.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\bar_btn.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_close.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\7.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\9.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\bar_bg.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\11.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\tongjiData.ini C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\OKS.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\OKS.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\bar_btn.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\popup_s.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_mini.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmTrayWebAD.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\WinFileMenu.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\TPSC.dll C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\SysConfig.ini C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmTrayMenu.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\btn_close1.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\logo.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\popup_s.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\0.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmAdvert.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\DuiLib_u.dll C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_mini.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\10.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\4.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\4.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\WinOperMenu.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_max.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\window_popup_pass.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\11.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\picbus.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\WinFileMenu.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\0.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\1.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\10.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\img.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmTrayWebAD.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\Data\tongjiData.ini C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\window_popup.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\5.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\5.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\img.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\tongjiData.ini C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\logo.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_max.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\8.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_default.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\2.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\btn_close1.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_close.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_default.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\WinMainFrame.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\picbus.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\DuiLib_u.dll C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\picview_202406131624\202406131624\picbus.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpg C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpg\Shell\ = "Open" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.png\Shell\Open C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.png\Shell\Open\Command\ = "C:\\Program Files (x86)\\picview_202406131624\\202406131624\\picview.exe \"%1\"" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.bmp\Shell\Open\Command C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.jpg C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpeg\Shell\Open\Command C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpeg\Shell\Open\Command\ = "C:\\Program Files (x86)\\picview_202406131624\\202406131624\\picview.exe \"%1\"" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.bmp\DefaultIcon\ = "C:\\Program Files (x86)\\picview_202406131624\\202406131624\\Data\\img.ico" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.jpeg\ = "PicView.jpeg" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpeg\Shell\Open C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpeg\Shell\Open\ = "使用图片查看器打开" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.bmp\Shell\Open\ = "使用图片查看器打开" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.bmp\ = "PicView.bmp" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.jpg\ = "PicView.jpg" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpg\ = "PicView.jpg" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpeg\ = "PicView.jpeg" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.png C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.png\ = "PicView.png" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.png\DefaultIcon C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.png\Shell C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.bmp\ = "PicView.bmp" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpg\DefaultIcon\ = "C:\\Program Files (x86)\\picview_202406131624\\202406131624\\Data\\img.ico" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpg\Shell\Open C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.jpeg C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpeg C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpeg\DefaultIcon\ = "C:\\Program Files (x86)\\picview_202406131624\\202406131624\\Data\\img.ico" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.png C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.bmp\Shell\Open\Command\ = "C:\\Program Files (x86)\\picview_202406131624\\202406131624\\picview.exe \"%1\"" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpg\Shell\Open\ = "使用图片查看器打开" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpeg\DefaultIcon C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpeg\Shell\ = "Open" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.png\Shell\ = "Open" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.png\Shell\Open\Command C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.bmp C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.bmp C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpeg\Shell C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.png\ = "PicView.png" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.png\DefaultIcon\ = "C:\\Program Files (x86)\\picview_202406131624\\202406131624\\Data\\img.ico" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.bmp\Shell C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.bmp\Shell\ = "Open" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.bmp\Shell\Open C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpg\DefaultIcon C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpg\Shell C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpg\Shell\Open\Command C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.jpg\Shell\Open\Command\ = "C:\\Program Files (x86)\\picview_202406131624\\202406131624\\picview.exe \"%1\"" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.png\Shell\Open\ = "使用图片查看器打开" C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\PicView.bmp\DefaultIcon C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\picview_202406131624\202406131624\OKS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2476 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe
PID 2680 wrote to memory of 2280 N/A C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe C:\Program Files (x86)\picview_202406131624\202406131624\OKS.exe
PID 2680 wrote to memory of 1592 N/A C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe C:\Program Files (x86)\picview_202406131624\202406131624\picbus.exe
PID 1592 wrote to memory of 860 N/A C:\Program Files (x86)\picview_202406131624\202406131624\picbus.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe"

C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe

"C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe" -tuopan

C:\Program Files (x86)\picview_202406131624\202406131624\OKS.exe

"C:\Program Files (x86)\picview_202406131624\202406131624\OKS.exe" -W

C:\Program Files (x86)\picview_202406131624\202406131624\picbus.exe

"C:\Program Files (x86)\picview_202406131624\202406131624\picbus.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1304

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.47.103:80 www.baidu.com tcp
US 8.8.8.8:53 tongji.hiv-hiv.com udp
US 8.8.8.8:53 sd.hiv-hiv.com udp
US 8.8.8.8:53 tc.hiv-hiv.com udp
US 8.8.8.8:53 update.yinyue.fm udp
US 8.8.8.8:53 asad.lczchina.com udp
US 8.8.8.8:53 load.hiv-hiv.com udp
US 8.8.8.8:53 as.hiv-hiv.com udp

Files

\Program Files (x86)\picview_202406131624\202406131624\picview.exe


C:\Program Files (x86)\picview_202406131624\202406131624\MSVCP100.dll


C:\Program Files (x86)\picview_202406131624\202406131624\MSVCR100.dll


C:\Program Files (x86)\picview_202406131624\202406131624\DuiLib_u.dll


C:\Program Files (x86)\picview_202406131624\202406131624\Data\WinMainFrame.xml


C:\Program Files (x86)\picview_202406131624\202406131624\Data\FrmTrayWebAD.xml


C:\Program Files (x86)\picview_202406131624\202406131624\Data\tongjiData.ini


C:\Program Files (x86)\picview_202406131624\202406131624\OKS.exe


\Program Files (x86)\picview_202406131624\202406131624\picbus.exe


C:\Program Files (x86)\picview_202406131624\202406131624\Data\FrmAdvert.xml


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 16:24

Reported

2024-06-13 16:27

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\bar_bg.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\btn_close1.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_default.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\0.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\3.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\7.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\WinFileMenu.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\Unins.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\bar_bg.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\logo.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\popup_s.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\11.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\img.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\Unins.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_max.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_max.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\1.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\5.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\btn_close1.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_mini.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\8.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\WinMainFrame.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\TPSC.dll C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\TPSC.dll C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\window_popup.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\5.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\7.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\9.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\img.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\tongjiData.ini C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\msvcp100.dll C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\bar_btn.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\logo.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_popup_pass.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\OKS.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\popup_s.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_popup.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\10.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\2.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\4.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmTrayWebAD.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\9.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\picbus.exe C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\DuiLib_u.dll C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\msvcr100.dll C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_mini.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\4.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmAdvert.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmTrayWebAD.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\Data\user2.ini C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\0.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\11.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmTrayMenu.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\SysConfig.ini C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\tongjiData.ini C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_close.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\window_btn_default.png C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\2.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\picview_202406131624\202406131624\data\6.ico C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\FrmTrayMenu.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\WinFileMenu.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\picview_202406131624\202406131624\data\WinOperMenu.xml C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe N/A (2 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a67b1993186041776a15ae97fcc99d36_JaffaCakes118.exe"

C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe

"C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe" -tuopan

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 www.baidu.com udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 www.baidu.com udp

Files

C:\Program Files (x86)\picview_202406131624\202406131624\picview.exe


C:\Program Files (x86)\picview_202406131624\202406131624\DuiLib_u.dll


C:\Program Files (x86)\picview_202406131624\202406131624\MSVCR100.dll


C:\Program Files (x86)\picview_202406131624\202406131624\MSVCP100.dll


C:\Program Files (x86)\picview_202406131624\202406131624\Data\WinMainFrame.xml


C:\Program Files (x86)\picview_202406131624\202406131624\Data\FrmTrayWebAD.xml

