Malware Analysis Report

2024-10-19 10:47

Sample ID: 240620-jwzlqs1fnj
Target: 0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118
SHA256: 11ce42e2efb7fd927d04b1e4dd8577be06631fca42ed310249fd5744713c9b96
Tags: adware evasion stealer trojan
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 11ce42e2efb7fd927d04b1e4dd8577be06631fca42ed310249fd5744713c9b96

Threat level: shows suspicious behavior

The file 0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118 was classified as showing suspicious behavior (score 7/10). The static pass only flags an unsigned PE; the verdict comes from the two behavioral detonations below, which agree on the same dropped DLL, the same Browser Helper Object registration and the same network destinations.

Malicious Activity Summary

adware evasion stealer trojan

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Installs/modifies Browser Helper Object

Checks whether UAC is enabled

Drops desktop.ini file(s)

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-20 08:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 08:01
Reported: 2024-06-20 08:04
Platform: win7-20240508-en
Max time kernel: 118s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | \??\f:\$recycle.bin\s-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A
File opened for modification | \??\f:\$recycle.bin\s-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\NebulaRudimentary\FantasiaSartorial.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A
File created | C:\Program Files\SartorialGrandstand\SartorialParchment.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A
File opened for modification | C:\Program Files\NebulaRudimentary\FantasiaSartorial.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A
File opened for modification | C:\Program Files\SartorialGrandstand\SartorialParchment.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\SUGUZEFHWD.dll | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies registry class

All of the keys below are written by regsvr32.exe /s (silent mode), which loads C:\Windows\SUGUZEFHWD.dll and calls its DllRegisterServer export. Together they are one 32-bit COM registration (the Wow6432Node branch is what 32-bit iexplore.exe reads): CLSID {D8D2F841-C4FC-4ADE-731A-56E6D1755624}, ProgID Thunder.xunlei / Thunder.xunlei.1, InprocServer32 and the TypeLib win32 entry both pointing at the dropped DLL, and the CLSID listed under Browser Helper Objects so Internet Explorer loads it at startup.

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID\ = "Thunder.xunlei.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR\ = "C:\\Windows" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\ = "Thunder 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32\ = "C:\\Windows\\SUGUZEFHWD.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ = "xunlei Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID\ = "Thunder.xunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ = "C:\\Windows\\SUGUZEFHWD.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
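
The registry rows above are the raw material for the one check an analyst actually needs from a BHO registration: which DLL the browser will load, and whether the ProgID, CLSID and TypeLib entries all agree on it. The Python below is an added example and is not part of the sandbox report or the sample. It embeds a constructed subset of this report's own rows, verbatim in the sandbox's print layout, parses them, and walks the chain from the Browser Helper Objects key to the CLSID's InprocServer32, ProgID and TypeLib win32 path. The function and constant names are mine; the only assumption is the sandbox row layout shown on this page.

```python
import re
from typing import Dict, Set, Tuple

# Constructed input: rows copied verbatim from this report's behavioral1
# "Installs/modifies Browser Helper Object" and "Modifies registry class"
# signatures (a subset), in the layout the sandbox prints them.
REGISTRY_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ = "C:\\Windows\\SUGUZEFHWD.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32\ = "C:\\Windows\\SUGUZEFHWD.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" C:\Windows\SysWOW64\regsvr32.exe N/A
"""

# Set value (<type>) <key>\<name> = "<data>" <process> N/A ; <name> is empty for the (Default) value.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+) N/A$')
# Key created <key> <process> N/A ; the key itself may contain spaces.
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+?) (\S+) N/A$')

# Lower-cased roots: the sandbox prints Wow6432Node and WOW6432Node for the same key.
BHO_ROOT = r"\registry\machine\software\wow6432node\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_ROOT = r"\registry\machine\software\classes\wow6432node\clsid"
CLASSES_ROOT = r"\registry\machine\software\classes"


def parse_rows(rows: str):
    """Map (key, value name) -> data for every Set value row; collect created keys and writer processes."""
    values: Dict[Tuple[str, str], str] = {}
    keys: Set[str] = set()
    writers: Set[str] = set()
    for line in rows.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            _vtype, path, data, proc = m.groups()
            key, _, name = path.rpartition("\\")
            # The sandbox doubles backslashes inside string data; undo that.
            values[(key.lower(), name.lower())] = data.replace("\\\\", "\\")
            writers.add(proc)
            continue
        m = KEY_RE.match(line)
        if m:
            keys.add(m.group(1).lower())
            writers.add(m.group(2))
    return values, keys, writers


def resolve_bhos(values, keys) -> Dict[str, Dict[str, object]]:
    """For each CLSID listed under Browser Helper Objects, follow the 32-bit COM registration
    to the DLL Internet Explorer would load, its ProgID and TypeLib, and check the ProgID
    resolves back to the same CLSID."""
    def default(key: str) -> str:
        return values.get((key.lower(), ""), "")

    out: Dict[str, Dict[str, object]] = {}
    for key in keys:
        if not key.startswith(BHO_ROOT + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1].upper()
        clsid_key = f"{CLSID_ROOT}\\{clsid.lower()}"
        progid = default(f"{clsid_key}\\progid")
        typelib = default(f"{clsid_key}\\typelib")
        out[clsid] = {
            "dll": default(f"{clsid_key}\\inprocserver32"),
            "threading_model": values.get((f"{clsid_key}\\inprocserver32", "threadingmodel"), ""),
            "progid": progid,
            "progid_points_back": default(f"{CLASSES_ROOT}\\{progid}\\clsid").upper() == clsid,
            "typelib": typelib.upper(),
            "typelib_dll": default(f"{CLASSES_ROOT}\\typelib\\{typelib}\\1.0\\0\\win32") if typelib else "",
        }
    return out


if __name__ == "__main__":
    vals, created, procs = parse_rows(REGISTRY_ROWS)
    for clsid, info in resolve_bhos(vals, created).items():
        print(clsid, "registered by", ", ".join(sorted(procs)))
        for field, value in info.items():
            print(f"  {field}: {value}")
```

Run against the rows from this report, the chain resolves to C:\Windows\SUGUZEFHWD.dll from both the InprocServer32 and the TypeLib side, with ProgID Thunder.xunlei.1 pointing back at the same CLSID; a mismatch between those three would itself be worth a closer look. On a live host the same walk is done with reg.exe or the winreg module against the Wow6432Node branch, since that is the view a 32-bit iexplore.exe gets.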

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2548 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2548 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 2548 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 2548 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 2548 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 2548 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 2548 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 2548 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 2548 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\SUGUZEFHWD.dll"

C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
  "C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe"

C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe

C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe

Network

Country | Destination | Domain | Proto
US | 205.209.168.5:443 | | tcp
US | 8.8.8.8:53 | buytomer.oCry.com | udp
US | 8.8.8.8:53 | smithewife.zyns.com | udp
US | 205.209.168.5:443 | | tcp

Files

C:\Windows\SUGUZEFHWD.dll

MD5 7c6c8aae4ee93e1133482982ae4b43e8
SHA1 b8ed7dfbf980a5ddae7865c917bbb58be04c51d2
SHA256 21b8102e9af67f442fbdac2bc7b75ec739a4fd32816cf879d73af9fc133bb994
SHA512 0a562fa4aa0c46da2297df655dfdbf822a3b5fbe1f095dbb441bdbd874c753d7da2ee764516513fb5d39eeb2072458e2c67068148943acf7bd70e5308ac3ca35

\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe

MD5 619b4cf619eaebe531bb252e99cdd23b
SHA1 75131437e0039afc65aca67a7a54885b58b8054e
SHA256 cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402
SHA512 40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

C:\Program Files\NebulaRudimentary\FantasiaSartorial.exe

MD5 0435efb696d90b496f4dcd1ed76634f0
SHA1 4c0af2b33c5bd3895fd9a3408360eb945e710af7
SHA256 11ce42e2efb7fd927d04b1e4dd8577be06631fca42ed310249fd5744713c9b96
SHA512 80f511e23130d9266909516561063f33cc8e6bf9f0c39a4d28f2117c19b8e48c7901c10d793a9288f2e7b0bc159da0ebda3cef29333150a92b129da6a314dce5

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 08:01
Reported: 2024-06-20 08:04
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | \??\f:\$recycle.bin\s-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A
File opened for modification | \??\f:\$recycle.bin\s-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\HypotenuseGrandstand\HypotenuseParchment.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A
File created | C:\Program Files\ParchmentFantasia\LicitAntediluvian.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A
File opened for modification | C:\Program Files\HypotenuseGrandstand\HypotenuseParchment.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A
File opened for modification | C:\Program Files\ParchmentFantasia\LicitAntediluvian.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\SUGUZEFHWD.dll | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies registry class

This is the same COM/BHO registration seen in behavioral1, written by the same regsvr32.exe /s command; the key names differ only in the case the sandbox printed (WOW6432Node), which the registry treats as identical.

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID\ = "Thunder.xunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ = "C:\\Windows\\SUGUZEFHWD.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\ = "Thunder 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID\ = "Thunder.xunlei.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR\ = "C:\\Windows" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ = "xunlei Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32\ = "C:\\Windows\\SUGUZEFHWD.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3624 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3624 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3624 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3624 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 3624 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 3624 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 3624 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 3624 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
PID 3624 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0435efb696d90b496f4dcd1ed76634f0_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\SUGUZEFHWD.dll"

C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe
  "C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe"

C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe

C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe

Network

Country | Destination | Domain | Proto
US | 205.209.168.5:443 | | tcp
US | 8.8.8.8:53 | buytomer.oCry.com | udp
US | 8.8.8.8:53 | smithewife.zyns.com | udp
US | 205.209.168.5:443 | | tcp

Files

C:\Windows\SUGUZEFHWD.dll

MD5 7c6c8aae4ee93e1133482982ae4b43e8
SHA1 b8ed7dfbf980a5ddae7865c917bbb58be04c51d2
SHA256 21b8102e9af67f442fbdac2bc7b75ec739a4fd32816cf879d73af9fc133bb994
SHA512 0a562fa4aa0c46da2297df655dfdbf822a3b5fbe1f095dbb441bdbd874c753d7da2ee764516513fb5d39eeb2072458e2c67068148943acf7bd70e5308ac3ca35

C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe

MD5 619b4cf619eaebe531bb252e99cdd23b
SHA1 75131437e0039afc65aca67a7a54885b58b8054e
SHA256 cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402
SHA512 40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

C:\Program Files\ParchmentFantasia\LicitAntediluvian.exe

MD5 0435efb696d90b496f4dcd1ed76634f0
SHA1 4c0af2b33c5bd3895fd9a3408360eb945e710af7
SHA256 11ce42e2efb7fd927d04b1e4dd8577be06631fca42ed310249fd5744713c9b96
SHA512 80f511e23130d9266909516561063f33cc8e6bf9f0c39a4d28f2117c19b8e48c7901c10d793a9288f2e7b0bc159da0ebda3cef29333150a92b129da6a314dce5
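
The two Files sections above show why the hashes, not the paths, are the indicators to carry forward: the Program Files copy has the sample's own MD5/SHA256 but a different two-word directory and file name in each detonation, while the DLL and RefuteAnachronism.exe keep both hash and path. The Python below is an added example, not part of the sandbox report or the sample. It takes the (path, SHA256) pairs from both runs of this report as a constructed input, normalises paths so the drive-less Temp path printed by behavioral1 compares equal to the win10 one, groups by hash across runs, and separates self-copies of the sample from dropped payloads and stable paths from randomised ones. Function and constant names are mine; nothing beyond the page's own file list is assumed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "11ce42e2efb7fd927d04b1e4dd8577be06631fca42ed310249fd5744713c9b96"

# Constructed input: (path, sha256) pairs copied from the Files sections of the
# two detonations in this report. behavioral1 prints the Temp path without a drive letter.
RUNS: Dict[str, List[Tuple[str, str]]] = {
    "behavioral1 (win7)": [
        (r"C:\Windows\SUGUZEFHWD.dll", "21b8102e9af67f442fbdac2bc7b75ec739a4fd32816cf879d73af9fc133bb994"),
        (r"\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe", "cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402"),
        (r"C:\Program Files\NebulaRudimentary\FantasiaSartorial.exe", SAMPLE_SHA256),
    ],
    "behavioral2 (win10)": [
        (r"C:\Windows\SUGUZEFHWD.dll", "21b8102e9af67f442fbdac2bc7b75ec739a4fd32816cf879d73af9fc133bb994"),
        (r"C:\Users\Admin\AppData\Local\Temp\RefuteAnachronism.exe", "cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402"),
        (r"C:\Program Files\ParchmentFantasia\LicitAntediluvian.exe", SAMPLE_SHA256),
    ],
}


def normalize(path: str) -> str:
    """Drop the drive letter and fold case so C:\X and \X (as the sandbox sometimes prints) compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def correlate(runs: Dict[str, List[Tuple[str, str]]], sample_sha256: str) -> Dict[str, Dict[str, object]]:
    """Group every file by SHA256 across detonations and decide what is stable enough to hunt on."""
    seen = defaultdict(lambda: {"paths": set(), "runs": set()})
    for run, files in runs.items():
        for path, sha in files:
            seen[sha]["paths"].add(normalize(path))
            seen[sha]["runs"].add(run)
    report: Dict[str, Dict[str, object]] = {}
    for sha, info in seen.items():
        report[sha] = {
            # Same hash as the submitted file means the dropper copied itself, not a new payload.
            "role": "self-copy of sample" if sha == sample_sha256 else "dropped payload",
            "seen_in_all_runs": len(info["runs"]) == len(runs),
            "paths": sorted(info["paths"]),
            # More than one path for one hash means the name is generated per run.
            "path_is_stable": len(info["paths"]) == 1,
        }
    return report


def hunt_iocs(report: Dict[str, Dict[str, object]]) -> Tuple[List[str], List[str]]:
    """Hashes are always usable; a path is only an IOC when it did not change between runs."""
    hashes = sorted(report)
    paths = sorted(p for r in report.values() if r["path_is_stable"] for p in r["paths"])
    return hashes, paths


if __name__ == "__main__":
    rep = correlate(RUNS, SAMPLE_SHA256)
    for sha, r in rep.items():
        print(sha[:16], r["role"], "stable path" if r["path_is_stable"] else "randomised path", r["paths"])
    hashes, paths = hunt_iocs(rep)
    print("hash IOCs:", len(hashes), "path IOCs:", paths)
```

Applied to this report it yields three hash indicators and two path indicators (the DLL in C:\Windows and the Temp-directory dropper); the Program Files copy is reported as a self-copy with a randomised path, so a detection written on NebulaRudimentary\FantasiaSartorial.exe would miss the next run.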