Malware Analysis Report

2024-10-19 10:47

Sample ID 240620-jedmya1anl
Target 0411fbf6288de3e978aefd69af73d00e_JaffaCakes118
SHA256 c3b38963d437f369539cd22a21f83105f2febb99dc6feb30434f2f0bbb2f5d42
Tags
adware stealer evasion persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c3b38963d437f369539cd22a21f83105f2febb99dc6feb30434f2f0bbb2f5d42

Threat Level: Likely malicious

The file 0411fbf6288de3e978aefd69af73d00e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware stealer evasion persistence

Sets file to hidden

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Views/modifies file attributes

Modifies Internet Explorer start page

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 07:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 07:34

Reported

2024-06-20 07:37

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\ = "Password Edit Ctrl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660} C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1\CLSID\ = "{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\ = "PwdEditCtrl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1\ = "PwdEditCtrl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\CLSID\ = "{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_212.bat" "

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /c C:\Users\Admin\AppData\Roaming\PIPI\pwdedit.dll

Network

Country Destination Domain Proto
CN 121.14.142.19:1000 (none resolved) tcp
(The export lists this same TCP connection six times; the rows are collapsed here. No domain was resolved for the destination.)

Files

memory/1460-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

MD5 d727e34e3f5eb5ee1ce17fe4c66bf617
SHA1 ea796e8b305510775d244f30758e125a01569626
SHA256 d0cd1c2b674ee72b000ecacb181addd7735f4c3478731c23f4649e312e4c607d
SHA512 ae3028364bf02b3e7c78d7a44a3305537c16d7feefb9dd968296b86425babaccee81af0c40eb7f8f374266df0e2c3c1a08b6b951ceaddc55572d6f0f1e85705c

C:\Users\Admin\AppData\Local\Temp\glk_300_212.bat

MD5 f33f30c3cddbb32ce1641f7aa325a170
SHA1 dcaa649892d9acf11658bb7b85ae63b76d36a4a8
SHA256 efc90ad2a6161fb21977815aeb81095e82572a40a2b3ab69cd1abad04c6bc23d
SHA512 d07d64eaf8cee948de2099fc791f79a5b6a58529c760bd3f3105d2689708930026a54b3b27c0e55bbf4b3356ff9c8bd915704e80af7735a865bcf4a9abcadf79

C:\Users\Admin\AppData\Roaming\PIPI\pwdedit.dll

MD5 5ae46845cf644cf46d738ee441adc7ce
SHA1 0128e5e263f351129c8ebbbeddb6d9b5ef122724
SHA256 483bb4fe1f45acd0013e863a70e58724dbceb1738a214ce3db15e7f9dbabf80e
SHA512 d7c8a8b73767432a1b81b70b700646a6d39a3e25632cec794fba673be9168d968f64042dadd5f80bf566b4b420fc28a85ce6beec57c716b0c51e321f01a2bd4a

\Users\Admin\AppData\Roaming\PIPI\pwdedit.dll

MD5 24cf25203580aaed1edf6627e2de418d
SHA1 81ca5a48ad17f4738d4629c104b6e50933aaf7ad
SHA256 5a19568ac061c91f64a7747d39360bfd48d1cbe280626442911a953091277171
SHA512 fbe03be1d5a269cf28555823dbc1abb330e747af8034ceb096fc49e20803e9bdea9f8fe3e8c3811981f977381b5f7cdd295644e9dc68b143c1623897dd412e1b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 07:34

Reported

2024-06-20 07:37

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\inl9632.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inl9632.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\datread\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\ = "Password Edit Ctrl" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~1\INTERN~1\ieframe.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BF926298-2ED7-11EF-A084-4A7C5F4B2F01} = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31113956" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113956" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113956" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2488698658" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2482761114" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2482761114" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?n" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?n" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E818FB4-EB7F-455A-B673-F994C13CEEA0}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\PIPI\\pwdedit.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\TypeLib\ = "{7E818FB4-EB7F-455A-B673-F994C13CEEA0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\TypeLib\ = "{7E818FB4-EB7F-455A-B673-F994C13CEEA0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\CurVer\ = "PwdEdit.PwdEditCtrl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E818FB4-EB7F-455A-B673-F994C13CEEA0}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\TypeLib\ = "{7E818FB4-EB7F-455A-B673-F994C13CEEA0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\ = "PwdEditCtrl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E818FB4-EB7F-455A-B673-F994C13CEEA0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E818FB4-EB7F-455A-B673-F994C13CEEA0}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E818FB4-EB7F-455A-B673-F994C13CEEA0}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\PIPI" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1\ = "PwdEditCtrl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1\CLSID\ = "{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\AppID = "{327DB191-294E-4425-B49B-77113C2C29B2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\ProgID\ = "PwdEdit.PwdEditCtrl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\VersionIndependentProgID\ = "PwdEdit.PwdEditCtrl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\ = "IPwdEditCtrl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E818FB4-EB7F-455A-B673-F994C13CEEA0}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E818FB4-EB7F-455A-B673-F994C13CEEA0}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E818FB4-EB7F-455A-B673-F994C13CEEA0}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E818FB4-EB7F-455A-B673-F994C13CEEA0}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\ = "PwdEditCtrl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E818FB4-EB7F-455A-B673-F994C13CEEA0}\1.0\ = "PwdEdit 1.0 类型库" (Chinese for "type library"; the raw export showed this GBK string mis-decoded as Latin-1) C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\datread\\3.bat\"" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\PIPI\\pwdedit.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PwdEdit.PwdEditCtrl\CLSID\ = "{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{320D924A-9410-4862-B7E8-A083CE0B2FBC}\ = "IPwdEditCtrl" C:\Windows\SysWOW64\regsvr32.exe N/A
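The registry rows under "Adds Run key to start application", "Installs/modifies Browser Helper Object", "Modifies Internet Explorer start page" and "Modifies registry class" above only make sense together. regsvr32 registers CLSID {1C6B98DA-0AB6-4CCB-A528-AB47E9376660} as a Browser Helper Object whose InprocServer32 is %AppData%\PIPI\pwdedit.dll, so Internet Explorer loads an unsigned DLL from a user-writable directory on every start. reg.exe creates a second CLSID, {971C5380-92A0-5A69-B3EE-C3002B33309E}, flagged IsShortCut and carrying a Shell\open(&H)\Command of wscript -e:vbs on 3.bat, and the RunOnce value hsdfasd points at a folder named a.{971C5380-...}, a name the shell resolves through that CLSID; the evident intent is to run 3.bat at the next logon, though the report does not show that entry firing. The GrpConv RunOnce value is the standard artifact of the rundll32 syssetup DefaultInstall INF install (runonce.exe → grpconv.exe in the process tree), not a separate persistence mechanism. The Python below is an added example, not tooling from the sandbox or code from the sample: it parses rows in the report's own layout (a few copied above as constructed input) and correlates them into those findings. The notion of a user-writable path (anything under \Users\, \ProgramData\ or \Temp\) and the list of script hosts are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: registry rows copied in the report's own row layout,
# "<operation> <key>[\<value name> = <data>] <process> N/A".
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660} C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C6B98DA-0AB6-4CCB-A528-AB47E9376660}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\PIPI\\pwdedit.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\datread\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?n" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\datread\\3.bat\"" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A',
]

# One row: operation, key path (lazy, may contain spaces), optional ' = <data>'
# (quoted with \" and \\ escapes, or a bare hex blob), process path, trailing N/A.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int|data)\)|Key created|Key opened|Key value queried) '
    r'(?P<key>\\(?:REGISTRY|Registry)\\.+?)'
    r'(?: = (?P<data>"(?:[^"\\]|\\.)*"|\S+))?'
    r' (?P<proc>[A-Za-z]:\\.+?) N/A$'
)

@dataclass
class RegEvent:
    op: str
    key: str              # key path without trailing backslash
    name: Optional[str]   # value name for "Set value" rows ('' = default value), else None
    data: Optional[str]   # unescaped data for "Set value" rows
    process: str

def parse_event(row: str) -> Optional[RegEvent]:
    m = EVENT_RE.match(row.strip())
    if not m:
        return None
    op, key, data, proc = m.group('op', 'key', 'data', 'proc')
    name = None
    if op.startswith('Set value'):
        key, _, name = key.rpartition('\\')            # last component is the value name
    if data is not None and data.startswith('"'):
        data = re.sub(r'\\(.)', r'\1', data[1:-1])      # undo the export's \" and \\ escaping
    return RegEvent(op, key.rstrip('\\'), name, data, proc)

CLSID = r'(\{[0-9A-Fa-f-]{36}\})'
USER_WRITABLE = ('\\USERS\\', '\\PROGRAMDATA\\', '\\TEMP\\')   # assumption: standard-user-writable roots
SCRIPT_HOSTS = re.compile(r'\b(wscript|cscript|mshta|powershell|cmd|rundll32)\b', re.I)

def triage(rows):
    """Correlate registry rows into BHO, autorun, start-page and CLSID-verb findings."""
    events = [e for e in map(parse_event, rows) if e]
    inproc, shell_cmds = {}, {}            # CLSID -> COM server DLL, CLSID -> Shell verb command
    for e in events:
        k = e.key.upper()
        if e.name == '':                   # default value of the key
            m = re.search(r'\\CLSID\\' + CLSID + r'\\INPROCSERVER32$', k)
            if m:
                inproc[m.group(1)] = e.data
            m = re.search(r'\\CLSID\\' + CLSID + r'\\SHELL\\.+\\COMMAND$', k)
            if m:
                shell_cmds[m.group(1)] = e.data
    findings, seen_bho = [], set()
    for e in events:
        k = e.key.upper()
        m = re.search(r'\\BROWSER HELPER OBJECTS\\' + CLSID + '$', k)
        if m and m.group(1) not in seen_bho:
            seen_bho.add(m.group(1))
            dll = inproc.get(m.group(1), '')
            findings.append({'rule': 'bho', 'clsid': m.group(1), 'dll': dll, 'process': e.process,
                             'user_writable': any(t in dll.upper() for t in USER_WRITABLE)})
        elif e.name and re.search(r'\\CURRENTVERSION\\RUN(ONCE)?$', k):
            f = {'rule': 'autorun', 'name': e.name, 'command': e.data, 'process': e.process}
            ref = re.search(CLSID, e.data or '')
            if ref and ref.group(1).upper() in shell_cmds:    # the "folder.{CLSID}" trick
                f['launches'] = shell_cmds[ref.group(1).upper()]
            findings.append(f)
        elif e.name and e.name.upper() == 'START PAGE' and k.endswith('\\INTERNET EXPLORER\\MAIN'):
            findings.append({'rule': 'start_page', 'url': e.data, 'process': e.process})
    for clsid, cmd in shell_cmds.items():
        findings.append({'rule': 'clsid_shell_command', 'clsid': clsid, 'command': cmd,
                         'script_host': bool(SCRIPT_HOSTS.search(cmd or ''))})
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        print(f)
```

The same parser works on the other registry tables in this report; the noise rows (CpMRU, CentralProcessor, VersionManager) fall through every rule, which is the point of correlating on key shape rather than on the "Modifies Internet Explorer settings" label.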

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\inl9632.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\PROGRA~1\INTERN~1\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Identical rows collapsed; the count is the number of times the row appeared in the export, which caps this table at 64 rows.)
PID 2212 wrote to memory of 4864 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 4488 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2212 wrote to memory of 4084 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 1136 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 4304 (2 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~1\INTERN~1\iexplore.exe
PID 1136 wrote to memory of 4552 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1136 wrote to memory of 2108 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 4704 (3 writes) N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2108 wrote to memory of 1928 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2108 wrote to memory of 4192 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2108 wrote to memory of 4692 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2212 wrote to memory of 3340 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\inl9632.tmp
PID 2108 wrote to memory of 956 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2212 wrote to memory of 4656 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1548 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2108 wrote to memory of 1524 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2108 wrote to memory of 4004 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2108 wrote to memory of 1720 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2108 wrote to memory of 1356 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 2772 (3 writes) N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\runonce.exe
PID 2772 wrote to memory of 4696 (3 writes) N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 3340 wrote to memory of 1744 (2 writes listed before the table cut off) N/A C:\Users\Admin\AppData\Local\Temp\inl9632.tmp C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_212.bat" "

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /c C:\Users\Admin\AppData\Roaming\PIPI\pwdedit.dll

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\datread\1.bat

C:\PROGRA~1\INTERN~1\iexplore.exe

C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWW.cnkankan.com/?82133

C:\Windows\SysWOW64\rundll32.exe

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\datread\1.inf

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\datread\2.bat

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4304 CREDAT:17410 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\inl9632.tmp

C:\Users\Admin\AppData\Local\Temp\inl9632.tmp

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?n"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?n"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?n"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0411FB~1.EXE > nul

C:\Windows\SysWOW64\reg.exe

reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\datread\3.bat""" /f

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Roaming\datread\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Roaming\datread\tmp

C:\Windows\SysWOW64\rundll32.exe

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\datread\2.inf

C:\Windows\SysWOW64\rundll32.exe

rundll32 D:\VolumeDH\inj.dat,MainLoad

C:\Windows\SysWOW64\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\SysWOW64\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl9632.tmp > nul

Network

Country Destination Domain Proto
CN 121.14.142.19:1000 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
CN 121.14.142.19:1000 tcp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
CN 121.14.142.19:1000 tcp
US 8.8.8.8:53 www.cnkankan.com udp
US 156.224.146.42:80 www.cnkankan.com tcp
US 156.224.146.42:80 www.cnkankan.com tcp
US 8.8.8.8:53 jump3.35638.com udp
US 8.8.8.8:53 push.zhanzhang.baidu.com udp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 sstatic1.histats.com udp
CA 149.56.240.27:80 sstatic1.histats.com tcp
CA 149.56.240.27:80 sstatic1.histats.com tcp
US 8.8.8.8:53 bofangqi.6gg.cn udp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 42.146.224.156.in-addr.arpa udp
US 8.8.8.8:53 27.240.56.149.in-addr.arpa udp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
SG 170.33.13.246:80 bofangqi.6gg.cn tcp
US 8.8.8.8:53 www.xunlei6x.com udp
US 8.8.8.8:53 246.13.33.170.in-addr.arpa udp
US 172.82.182.50:80 www.xunlei6x.com tcp
US 8.8.8.8:53 www.xunlei100.com udp
US 8.8.8.8:53 50.182.82.172.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 182.61.201.94:80 push.zhanzhang.baidu.com tcp
CN 182.61.201.94:80 push.zhanzhang.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 182.61.244.229:80 push.zhanzhang.baidu.com tcp
CN 182.61.244.229:80 push.zhanzhang.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 39.156.68.163:80 push.zhanzhang.baidu.com tcp
CN 39.156.68.163:80 push.zhanzhang.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp

Files

memory/2212-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

MD5 d727e34e3f5eb5ee1ce17fe4c66bf617
SHA1 ea796e8b305510775d244f30758e125a01569626
SHA256 d0cd1c2b674ee72b000ecacb181addd7735f4c3478731c23f4649e312e4c607d
SHA512 ae3028364bf02b3e7c78d7a44a3305537c16d7feefb9dd968296b86425babaccee81af0c40eb7f8f374266df0e2c3c1a08b6b951ceaddc55572d6f0f1e85705c

C:\Users\Admin\AppData\Local\Temp\glk_300_212.bat

MD5 f33f30c3cddbb32ce1641f7aa325a170
SHA1 dcaa649892d9acf11658bb7b85ae63b76d36a4a8
SHA256 efc90ad2a6161fb21977815aeb81095e82572a40a2b3ab69cd1abad04c6bc23d
SHA512 d07d64eaf8cee948de2099fc791f79a5b6a58529c760bd3f3105d2689708930026a54b3b27c0e55bbf4b3356ff9c8bd915704e80af7735a865bcf4a9abcadf79

C:\Users\Admin\AppData\Roaming\PIPI\pwdedit.dll

MD5 a2d0b95eecec0b13e4b2d111223feca8
SHA1 a63fc5419566a870d8bcb2a4c9c8423bbbac9633
SHA256 aae54e202188e015109535d4c670b9bf0a4e0c67d8f7582347683c47fe991ac9
SHA512 dc766c5b6496cb449f82d07e68a04804dd52aed9c78b374d1c7bca3bce5d28fe99f9274f814aacd9a4ddf6323954b7fe60a8d8747452cbb7afef2bcc878a5fe9

C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat

MD5 5dd457b845e53fce36e6b543764337e4
SHA1 eb7f8ce82274afa5702b20eb5ba133bb71bcb8d6
SHA256 0a2c605c32f2e9b3eda6f18df3d8c1fc2d87922b9bb23d6c3a9de3aa3f383992
SHA512 0fea97ddf333c178ca4805fc85f8b66f81a7906d1cc7bf440206aff50cc711643e90115f046077a323b3cc78deeb704f7eb8a934d0a1cd011f6a3ad67057c9f6

C:\Users\Admin\AppData\Roaming\datread\1.bat

MD5 e580af507ea9f91de910e0c11b1e5ff1
SHA1 998ed9fad171139fca6e0da98f660417fb87fc1c
SHA256 7ab3f848e819dbfe653558a517b6bcd0274040d4e5a0a74e1556916aa5f9d356
SHA512 240d3ed95def600a7b6da7b4ec9f0d2289471d7c96c8bff7198b33d55671004e3b7ad500935d9bd8b7d1cc08ad648b05f1b21c4e958542ac6a150dc3dd4797ab

memory/4304-43-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-45-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-49-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-67-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

C:\Users\Admin\AppData\Roaming\datread\1.inf

MD5 66a1f0147fed7ddd19e9bb7ff93705c5
SHA1 9d803c81ea2195617379b880b227892ba30b0bf6
SHA256 4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512 cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

memory/4304-66-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-65-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-69-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-70-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-77-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-81-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-83-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-91-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-92-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-93-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-90-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-89-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

C:\Users\Admin\AppData\Roaming\datread\2.bat

MD5 7c54db0864c2eb965c63c3dfe6be2256
SHA1 303c5edaa7ec4530f88484e3c48ff7e674a676d1
SHA256 1886e568662fcc552a91c3ab25b86e5243032d4f43fa45ffb51c57ca533c4b91
SHA512 60677e5762c2a267269ca520f554b800e88ce80bd96479b0ab02ea9eded76332657c3c9b93961c47551bdea3feda4b1dd88e58ebd087ae42a7853fd4bf0b8997

memory/4304-88-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-86-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-84-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-79-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-78-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-75-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-74-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-72-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-73-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-68-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-95-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-96-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-101-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-97-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-102-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-104-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-105-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-106-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-111-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-116-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-121-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-123-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-120-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-118-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-117-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

C:\Users\Admin\AppData\Roaming\datread\4.bat

MD5 2cf4a3654b953935b844502c52715ee5
SHA1 b1c2b34458f8230336a943928a2f1919216855bd
SHA256 c085020d2e90f29b1d3192419f55fd8297181a09d32ad4bc042ea84ebfa4d9b3
SHA512 e563b71109228832f9260d6af9e6b837e2ec040ab9230a25fde54a347b619587da49ebda592bcf7d4f578185301a5c3ae4af37417312fad1ce7d304b2bc8036b

memory/2212-128-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Roaming\datread\2.inf

MD5 c5eaacddf7fe93d130f1eb67f3fc2d9d
SHA1 ce20a3a2d9925fa4672884ffda2ee200c06ad7ce
SHA256 c740a578ef5867e18bc914ef724c8258a324b4f35591690e91329a10d17f6b45
SHA512 1f9529123cf74f1c53f75d81b9b6dabb127fcef0067c104c5ca044e28450083fa379c256d63d07d4e4053f197c24e02f9e2ab4507f8bb1068032598b52bbbf77

C:\Users\Admin\AppData\Local\Temp\360mohesetup.exe

MD5 1bc415b31cdff50d79ea2a3d7b4ff2c1
SHA1 f5ebab61deebc3d7a4a6676a23b982f1418ae6a6
SHA256 582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412
SHA512 ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84

memory/4304-158-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-159-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-160-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-163-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-165-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-164-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-166-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

memory/4304-162-0x00007FFAF6300000-0x00007FFAF636E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4183511f7d29c327554ca842efdaa95a
SHA1 64aa116f0dd3be496d12cd7f9b34d976e6b16ac9
SHA256 71b81fc01d22bcbd6690d59380be0e67319f0effeddbd0e5d29c198681a5376c
SHA512 36240143646f6836658c33c52103dd943b42f0f3c0de36741adbc4b61e8a407353741081950fc0f4c3dabfbb901a2e10aeca362bc58ca8b1a8f1455aeab38eaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 a20dcdd581a69f44e7dcbeeab5084fb4
SHA1 61e152b89ab8a04af1843bbfee557d193924ec51
SHA256 009768e52ded8da33ac7d96d521e882eef9765278997f2ce47311f637696d9c7
SHA512 77de84bf9c5480e704991bc16d8f555dc10891e3a5a7044fe2b133cc49d20ebb78c68bbdd4c9a4acd8e7424bce28a00bd3651f3b852a2a726f3f879a741cc7ae

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\favicon[1].htm

MD5 9a56669fda653d180272060c91a1e932
SHA1 d5fd0bd68300df626aaad370ad96912f2edd3cf6
SHA256 37aa151bf0fc859681e856a3dad384f2344b542546e71d080ed7ac31abd79ac8
SHA512 e6a81e5e02a49a744ab62505d3d765a44f246c572f10b032a8e8137aba8b3f0c930ae8f5790c7104c0d1b4bfb9d5282363479954339758f932811260106ae6e1