Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 23:40

Static task: static1

Behavioral task: behavioral1
Sample: ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe
Resource: win10v2004-20240611-en

General
Target: ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe
Size: 2.3MB
MD5: ac0bf74c05127212f2800825bf73af08
SHA1: bb7fe3dc76356a717ede736bbf3490c07a9a42ba
SHA256: 860befc00c41c533fa7c9011a0f5d1df1120724188050b67b088b1d7e06349e3
SHA512: 7dc15cef913690cca3c5aacf9616daec22d5b20a093abeb63acd2d3bb62cf1f9d2a7ad4a40700109f8763923a1176b786b43d208204d70cd04f345f2a9a119db
SSDEEP: 49152:2uuE7AnqIxGrGYyZa/tgrYJUGfZC3wA6EylfwEaFWd:4E7AqrlyutLxC3sEwwMd
Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs
Processes (pid process):
2720 minidownload.exe
1752 SogouSoftware.exe
1836 ExternalApp.exe
1888 MiniTPFw.exe
2356 UpdateService.exe
1776 ThunderFW.exe
2464 UpdateService.exe
1352 MiniThunderPlatform.exe

Loads dropped DLL 54 IoCs

Registers COM server for autorun 1 TTPs 3 IoCs
Processes (description, ioc, process):
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ = "C:\\Program Files (x86)\\SogouSoftware\\3.2.2.58\\npdownload64.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\SogouSoftwareAutoRun = "C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe /AutoRun" ExternalApp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
File opened for modification \??\PhysicalDrive0 ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe
File opened for modification \??\PhysicalDrive0 SogouSoftware.exe
File opened for modification \??\PhysicalDrive0 ExternalApp.exe
File opened for modification \??\PhysicalDrive0 MiniThunderPlatform.exe

Drops file in System32 directory 4 IoCs
Processes (description, ioc, process):
File opened for modification C:\Windows\System32\GroupPolicy regsvr32.exe
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini regsvr32.exe
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol regsvr32.exe
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI regsvr32.exe

Drops file in Program Files directory 64 IoCs

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

NSIS installer 4 IoCs
Processes (resource, yara_rule):
\Users\Admin\AppData\Local\Temp\minidownload.exe nsis_installer_1
\Users\Admin\AppData\Local\Temp\minidownload.exe nsis_installer_2
C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe nsis_installer_1
C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe nsis_installer_2

Processes (description, ioc, process):
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C} ExternalApp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\AppName ExternalApp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\AppPath ExternalApp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4D786E8-0535-41DB-91F8-B18ABBCCDE6C}\Policy = "3" ExternalApp.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main SogouSoftware.exe

Modifies data under HKEY_USERS 52 IoCs
Modifies registry class 64 IoCs

Processes (description, ioc, process):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes (pid process):
2464 UpdateService.exe
1752 SogouSoftware.exe
1752 SogouSoftware.exe
1752 SogouSoftware.exe
1752 SogouSoftware.exe
1752 SogouSoftware.exe
1752 SogouSoftware.exe
1752 SogouSoftware.exe
1752 SogouSoftware.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
Token: SeRestorePrivilege 1836 ExternalApp.exe
Token: SeBackupPrivilege 1836 ExternalApp.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid process):
1752 SogouSoftware.exe

Suspicious use of SendNotifyMessage 1 IoCs
Processes (pid process):
1752 SogouSoftware.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid process):
1752 SogouSoftware.exe
1752 SogouSoftware.exe

Suspicious use of WriteProcessMemory 64 IoCs
2356 1836 ExternalApp.exe UpdateService.exe PID 1836 wrote to memory of 2356 1836 ExternalApp.exe UpdateService.exe PID 1836 wrote to memory of 2356 1836 ExternalApp.exe UpdateService.exe PID 1888 wrote to memory of 1776 1888 MiniTPFw.exe ThunderFW.exe PID 1888 wrote to memory of 1776 1888 MiniTPFw.exe ThunderFW.exe PID 1888 wrote to memory of 1776 1888 MiniTPFw.exe ThunderFW.exe PID 1888 wrote to memory of 1776 1888 MiniTPFw.exe ThunderFW.exe PID 1888 wrote to memory of 1776 1888 MiniTPFw.exe ThunderFW.exe PID 1888 wrote to memory of 1776 1888 MiniTPFw.exe ThunderFW.exe PID 1888 wrote to memory of 1776 1888 MiniTPFw.exe ThunderFW.exe PID 1752 wrote to memory of 1352 1752 SogouSoftware.exe MiniThunderPlatform.exe PID 1752 wrote to memory of 1352 1752 SogouSoftware.exe MiniThunderPlatform.exe PID 1752 wrote to memory of 1352 1752 SogouSoftware.exe MiniThunderPlatform.exe PID 1752 wrote to memory of 1352 1752 SogouSoftware.exe MiniThunderPlatform.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ac0bf74c05127212f2800825bf73af08_JaffaCakes118.exe"
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\minidownload.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\minidownload.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory

  [2] C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
      Command line: "C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe" /Loader /DownLoad?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3D5M778mNuk-IR5IpbEw6j9YpS1Wc4Ved3WXa85rh1XgyheSu4KSc873XX-0eLlV_4175qK_X1cC089g3UvQT4HFgXJ8-dW6Zyh6i63LXZxGM0W2Wqaimckia18juZWspKniF5_tMpLpMTV9OOG3TDj5uSN8GNMfht-hhfyrotZuymqeXTs4DKsqrgKv2NitWRKqRFCy2Uw-s.%26pcid%3D-1577129102750396778%26fr%3Dxiazai%26source%3Dtencent%26filename%3DTHS_qqguanjia_9.10.20.exe&iconurl=http%3A%2F%2Fpc3.gtimg.com%2Fsoftmgr%2Flogo%2F48%2F1402_48_1626246961.png&softname=%E5%90%8C%E8%8A%B1%E9%A1%BA+%E5%85%8D%E8%B4%B9%E7%89%88&softsize=148.36MB
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Modifies Internet Explorer settings
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe
        Command line: "C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe" /Update
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Writes to the Master Boot Record (MBR)
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload.dll"
          - Loads dropped DLL
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Modifies registry class

      [4] C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\SogouSoftware\3.2.2.58\npdownload64.dll"
            - Loads dropped DLL
            - Registers COM server for autorun
            - Modifies data under HKEY_USERS
            - Modifies registry class

      [4] C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe
          Command line: "C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe
            Command line: "C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe" MiniThunderPlatform2024-06-1423:42:38 "C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe"
            - Executes dropped EXE
            - Loads dropped DLL

      [4] C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
          Command line: "C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe" /Install
          - Executes dropped EXE
          - Loads dropped DLL

    [3] C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe
        Command line: "C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe" -StartTP
        - Executes dropped EXE
        - Loads dropped DLL
        - Writes to the Master Boot Record (MBR)

[1] C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe
    Command line: "C:\Program Files (x86)\SogouSoftware\update\UpdateService.exe" /Service
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
Downloads