Malware Analysis Report

2024-09-23 11:42

Sample ID 240614-kt5weaxcjm
Target a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118
SHA256 608c952990ffc5b566f7caf722e95aba7949d4dde7e52a2fc5a065a7d0c28f33
Tags
bootkit discovery evasion persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

608c952990ffc5b566f7caf722e95aba7949d4dde7e52a2fc5a065a7d0c28f33

Threat Level: Shows suspicious behavior

The file a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery evasion persistence

Modifies file permissions

Enumerates connected drives

Modifies Windows Firewall

Writes to the Master Boot Record (MBR)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 08:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 08:54

Reported

2024-06-14 08:57

Platform

win7-20240508-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe"

Signatures

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Netsh.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 5da8e786aa124b4eb1029eb0aeabd5b8 | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2284 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
PID 2284 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
PID 2284 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
PID 2284 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
PID 2592 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | C:\Windows\SysWOW64\icacls.exe
PID 2592 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | C:\Windows\SysWOW64\icacls.exe
PID 2592 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | C:\Windows\SysWOW64\icacls.exe
PID 2592 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | C:\Windows\SysWOW64\icacls.exe
PID 2284 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Windows\SysWOW64\Netsh.exe
PID 2284 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Windows\SysWOW64\Netsh.exe
PID 2284 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Windows\SysWOW64\Netsh.exe
PID 2284 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Windows\SysWOW64\Netsh.exe
PID 2284 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Windows\SysWOW64\Netsh.exe
PID 2284 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Windows\SysWOW64\Netsh.exe
PID 2284 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Windows\SysWOW64\Netsh.exe
PID 2284 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | C:\Windows\SysWOW64\Netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low

C:\Windows\SysWOW64\Netsh.exe

"C:\Windows\system32\Netsh.exe" advfirewall firewall delete rule name="腾讯手游助手下载器组件"

C:\Windows\SysWOW64\Netsh.exe

"C:\Windows\system32\Netsh.exe" advfirewall firewall delete rule name="腾讯手游助手下载器"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | p2pupgrade.gamedl.qq.com | udp
US | 8.8.8.8:53 | masterconn.qq.com | udp
US | 8.8.8.8:53 | master.etl.desktop.qq.com | udp
US | 8.8.8.8:53 | config.gamedl.qq.com | udp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | stun.qqlive.qq.com | udp
US | 8.8.8.8:53 | stat.gamedl.qq.com | udp
US | 8.8.8.8:53 | p2pupdate.gamedl.qq.com | udp
CN | 113.105.95.120:443 | | tcp
US | 8.8.8.8:53 | stun.qqlive.qq.com | udp
US | 8.8.8.8:53 | config.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | config.gamedl.qq.com | udp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp

Files

C:\test.tmp

MD5 16673215c943c570fc71a220b8499a7e
SHA1 8b875515600b671e9b5aa16d61da2e7341494ce0
SHA256 6e4982cdaee7f016483d3444f04b3b395401282a7213668bfe0bcd81f0188519
SHA512 6a318e7355b4389c374f35076711b295f0cce5365b89a083a05143bbe7e77e7c270c0b81f386fe9888636a458b959b77d3fa78d323088641aefd83654e70725d

\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.dll

MD5 34431eb1ae2d3ac86e3415d8c3e977a3
SHA1 b2eae82dffecdbe02ef877d5a4d28de83b84bd59
SHA256 8379e09c7a3a51bdb652418781ceed8067e324b656c7d5a307b9a77c899f0806
SHA512 32b1d12630ced494b5168037a1d0899b3576970f603b5e69bf48fd915a4dad51d877e97bc91660929719e3a1395344ec39d5cc5b761111096c4523563d3bdd5e

\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

MD5 8fb4e336f4c145eb6e379701c3ac59d1
SHA1 ad53b732cabd515035784f187aeaab4d8a6b67c7
SHA256 d7a59b5ba3f0fb3906ebaa7a67c76088995a1f37652a2ae9893977c19754d9bf
SHA512 c83b726e867f47c9fdabaf3151ae74c07e2b74be47f8ec41685fee744eba41c81614faaf473fcd28cabc044545eddcad5cbbaf67e90109d916e109c1b5d6a770

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL_core.dll

MD5 11d65a68132e918bd80e7e0a09029730
SHA1 c1978c02176e1e370c66d1597e964eab908847dc
SHA256 36c18dedac0429375c583fcf9420cdc9ace8a38bbac9f33378b5b4d6739da511
SHA512 34278a85cfdad1b2086b9368368b6eada08829c3237d02d0afbfced4f32df38e95a5ca0a600fc8d8c98c33d6cc8d4ac82c3279ccdba36cb0ed4738c1c0648315

\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\dr.dll

MD5 2814acbd607ba47bdbcdf6ac3076ee95
SHA1 50ab892071bed2bb2365ca1d4bf5594e71c6b13b
SHA256 5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67
SHA512 34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

memory/2284-26-0x0000000000160000-0x0000000000171000-memory.dmp

memory/2284-29-0x00000000001C0000-0x00000000001C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\p2papp.dll

MD5 b1b101d86c417286e60f471fc8b79bb1
SHA1 b602bee2a25ed63a1f9cda72c83bdadd44dcd07c
SHA256 91cfa1769be449dfdfbf6bcc8049ce5c9218df6deaa66a0879528526b204a51a
SHA512 0a1d03364e1a52c08d6992a52b31b29f54c3781c009562427c560338db5428b74b55fab41f9c48c7018ddce41ab6a7f8593fbf12a75ae472c11590a36b42682b

memory/2592-32-0x0000000002470000-0x000000000275F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 08:54

Reported

2024-06-14 08:57

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe"

Signatures

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = a7cbe22015ad1a4085aa84991e6cf5bc | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a8d46e549e80fe4e72ee281d3cc76ceb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | masterconn.qq.com | udp
US | 8.8.8.8:53 | p2pupgrade.gamedl.qq.com | udp
US | 8.8.8.8:53 | master.etl.desktop.qq.com | udp
US | 8.8.8.8:53 | stat.gamedl.qq.com | udp
US | 8.8.8.8:53 | stun.qqlive.qq.com | udp
US | 8.8.8.8:53 | config.gamedl.qq.com | udp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | p2pupdate.gamedl.qq.com | udp
CN | 113.105.95.120:443 | | tcp
US | 8.8.8.8:53 | stun.qqlive.qq.com | udp
US | 8.8.8.8:53 | config.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | config.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
CN | 125.39.120.82:443 | | tcp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
CN | 113.105.95.120:443 | | tcp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
CN | 125.39.120.82:443 | | tcp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp
US | 8.8.8.8:53 | ps2.gamedl.qq.com | udp
CN | 113.105.95.120:443 | | tcp
US | 8.8.8.8:53 | bk.ps2.gamedl.qq.com | udp

Files

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.dll

MD5 34431eb1ae2d3ac86e3415d8c3e977a3
SHA1 b2eae82dffecdbe02ef877d5a4d28de83b84bd59
SHA256 8379e09c7a3a51bdb652418781ceed8067e324b656c7d5a307b9a77c899f0806
SHA512 32b1d12630ced494b5168037a1d0899b3576970f603b5e69bf48fd915a4dad51d877e97bc91660929719e3a1395344ec39d5cc5b761111096c4523563d3bdd5e

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

MD5 8fb4e336f4c145eb6e379701c3ac59d1
SHA1 ad53b732cabd515035784f187aeaab4d8a6b67c7
SHA256 d7a59b5ba3f0fb3906ebaa7a67c76088995a1f37652a2ae9893977c19754d9bf
SHA512 c83b726e867f47c9fdabaf3151ae74c07e2b74be47f8ec41685fee744eba41c81614faaf473fcd28cabc044545eddcad5cbbaf67e90109d916e109c1b5d6a770

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL_core.dll

MD5 11d65a68132e918bd80e7e0a09029730
SHA1 c1978c02176e1e370c66d1597e964eab908847dc
SHA256 36c18dedac0429375c583fcf9420cdc9ace8a38bbac9f33378b5b4d6739da511
SHA512 34278a85cfdad1b2086b9368368b6eada08829c3237d02d0afbfced4f32df38e95a5ca0a600fc8d8c98c33d6cc8d4ac82c3279ccdba36cb0ed4738c1c0648315

memory/1732-23-0x0000000003580000-0x0000000003591000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\dr.dll

MD5 2814acbd607ba47bdbcdf6ac3076ee95
SHA1 50ab892071bed2bb2365ca1d4bf5594e71c6b13b
SHA256 5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67
SHA512 34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\p2papp.dll

MD5 b1b101d86c417286e60f471fc8b79bb1
SHA1 b602bee2a25ed63a1f9cda72c83bdadd44dcd07c
SHA256 91cfa1769be449dfdfbf6bcc8049ce5c9218df6deaa66a0879528526b204a51a
SHA512 0a1d03364e1a52c08d6992a52b31b29f54c3781c009562427c560338db5428b74b55fab41f9c48c7018ddce41ab6a7f8593fbf12a75ae472c11590a36b42682b

memory/5096-33-0x00000000024A0000-0x000000000278F000-memory.dmp