Malware Analysis Report

2025-01-18 22:02

Sample ID 240622-mkec7stgpa
Target 01aa93050252cf557b281b75c1dcdf86_JaffaCakes118
SHA256 e5d435efd11d3ea3667e194b4e9ed8b40784de8fc09913f388e409e5575b2125
Tags
adware evasion stealer trojan
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e5d435efd11d3ea3667e194b4e9ed8b40784de8fc09913f388e409e5575b2125

Threat Level: Shows suspicious behavior

Verdict: the sandbox classifies 01aa93050252cf557b281b75c1dcdf86_JaffaCakes118 as showing suspicious behavior (score 7/10). The behavior is the same in both detonations: the sample drops C:\Windows\SUGUZEFHWD.dll, registers it silently with regsvr32.exe /s as a COM in-process server (ProgID Thunder.xunlei, CLSID {D8D2F841-C4FC-4ADE-731A-56E6D1755624}, "Thunder 1.0 Type Library") and as an Internet Explorer Browser Helper Object, launches a second, randomly named executable from %TEMP% (MenagerieAnachronism.exe / MultifariousObsequious.exe, identical hashes in both runs), and copies itself, with unchanged hashes, into randomly named folders under C:\Program Files. Writing to C:\Windows and C:\Program Files needs an elevated token, which is consistent with the EnableLUA query; on a host where UAC is enforced and the user is not elevated these drops would fail. Network activity attributable to the sample is limited to DNS queries for buytomer.oCry.com and smithewife.zyns.com and TLS connections to 205.209.168.5:443.

Malicious Activity Summary

adware evasion stealer trojan

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Checks whether UAC is enabled

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 10:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 10:31

Reported

2024-06-22 10:33

Platform

win7-20240611-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\f:\$recycle.bin\s-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe N/A
File opened for modification \??\f:\$recycle.bin\s-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\LicitSinge\TardyTardy.exe C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe N/A
File opened for modification C:\Program Files\LicitSinge\TardyTardy.exe C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe N/A
File created C:\Program Files\AverRudimentary\AntediluvianProtract.exe C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe N/A
File opened for modification C:\Program Files\AverRudimentary\AntediluvianProtract.exe C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SUGUZEFHWD.dll C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\ = "Thunder 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ = "C:\\Windows\\SUGUZEFHWD.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID\ = "Thunder.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32\ = "C:\\Windows\\SUGUZEFHWD.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Note: every write here goes from the sample (PID 2804) into a process it has just created (regsvr32.exe, PID 1624; MenagerieAnachronism.exe, PIDs 2612 and 2624). CreateProcess itself writes the startup parameters into the new child, so this signature fires on ordinary process launches. Treat it as evidence of injection only where the target is not a child of the writer or the writes continue after the child has started; neither is shown here.

Description | Indicator | Process | Target
PID 2804 wrote to memory of 1624 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2804 wrote to memory of 2612 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe
PID 2804 wrote to memory of 2624 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory events above):

2804  C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe"

  1624  C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Windows\SUGUZEFHWD.dll"

  2612 / 2624  C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe  (two instances)
        "C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe"
        C:\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe

Network

Country | Destination | Domain | Proto
US | 205.209.168.5:443 | (none) | tcp
US | 8.8.8.8:53 | buytomer.oCry.com | udp
US | 8.8.8.8:53 | smithewife.zyns.com | udp
US | 205.209.168.5:443 | (none) | tcp

Note: the two TCP/443 connections go to a bare IP with no resolved name recorded; the two DNS queries are for hostnames under dynamic-DNS parent domains (oCry.com, zyns.com). The report records no DNS answers, so whether 205.209.168.5 is the resolution of either name cannot be confirmed from this page. Hunt on both the hostnames and the IP.

Files

Note: TardyTardy.exe in C:\Program Files\LicitSinge carries exactly the hashes of the submitted sample (MD5 01aa93050252cf557b281b75c1dcdf86), so the dropper copies itself into a randomly named Program Files folder. AntediluvianProtract.exe in C:\Program Files\AverRudimentary was also created but no hashes were captured for it.

C:\Windows\SUGUZEFHWD.dll

MD5 78885290bd573a862795805277c3b74a
SHA1 9af1f46fdf5bcc6ca9531f5db467f0b18a3b46ff
SHA256 93f774a139b68ccdee7665544425de475dd9d8b0381e25b968d2360eca85316f
SHA512 71546643af0ab14b4f600b498ad52fee288ec5140d13fe52a78c228ef07473f2d5e1c21ac8a8b79d6fdae552e1510988f6aaead2edff38689586321632e174b7

\Users\Admin\AppData\Local\Temp\MenagerieAnachronism.exe

MD5 619b4cf619eaebe531bb252e99cdd23b
SHA1 75131437e0039afc65aca67a7a54885b58b8054e
SHA256 cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402
SHA512 40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

\Program Files\LicitSinge\TardyTardy.exe

MD5 01aa93050252cf557b281b75c1dcdf86
SHA1 676653a07ed7fd2f5abc52e8763328b4ae392756
SHA256 e5d435efd11d3ea3667e194b4e9ed8b40784de8fc09913f388e409e5575b2125
SHA512 a8595d9641f7c35f5ff7f4819201d2dc27c3ad78f780bae9623ea02903cdb7d215f5ca73c2b12b5daee297fa5934c446e529ae68ba868e9ba00f021b8517921f
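The chain in behavioral1 (dropper writes a DLL into the Windows root, regsvr32.exe /s registers it, the CLSID lands under Browser Helper Objects, then the dynamic-DNS lookups and the 443 connection) is what a detection engineer would want to catch on a real endpoint rather than in a sandbox. The following is an added example written for this page; it is not the sandbox's code or anything shipped with the sample. It assumes Sysmon-style events (IDs 1, 3, 11, 12, 13, 22 with the usual field names such as Image, CommandLine, TargetObject, Details, QueryName) expressed as Python dicts. All events in SAMPLE_EVENTS are constructed from the indicators in this report; which process issued the DNS queries is not stated in the report, so attributing them to the sample is an assumption made for the example.

```python
"""Flag the regsvr32 -> COM/BHO persistence chain from this report in
Sysmon-style telemetry. All events below are constructed for the example."""
import re
from dataclasses import dataclass

# Indicators copied from the report above.
BHO_CLSID = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}"
DROPPED_DLL = r"C:\Windows\SUGUZEFHWD.dll"
C2_HOSTS = {"buytomer.ocry.com", "smithewife.zyns.com"}
C2_IP = "205.209.168.5"

# regsvr32 [/s ...] "<path>.dll", quoted or not
REGSVR_RE = re.compile(r'regsvr32(?:\.exe)?\s+(?:/[a-z]+\s+)*"?([^"]+?\.dll)"?', re.I)
# A DLL directly in the Windows root; legitimate system DLLs live in System32/SysWOW64.
WINROOT_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)
BHO_KEY_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9a-f-]{36}\})$", re.I)
# Sysmon logs a key's default value as "...\InprocServer32\(Default)".
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32\\\(Default\)$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    evidence: str


def analyze(events):
    """Return one Finding per rule match; cross-event correlation runs after the scan."""
    findings = []
    # DLLs written by any process (Sysmon 11), keyed by lower-cased path.
    dropped = {e["TargetFilename"].lower(): e["Image"] for e in events
               if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".dll")}
    bho_clsids, inproc = set(), {}
    for e in events:
        eid = e["EventID"]
        if eid == 1 and e["Image"].lower().endswith("\\regsvr32.exe"):
            m = REGSVR_RE.search(e["CommandLine"])
            if not m:
                continue
            dll = m.group(1)
            if WINROOT_DLL_RE.match(dll):
                findings.append(Finding("regsvr32_windows_root_dll", e["Image"], e["CommandLine"]))
            if dll.lower() in dropped:
                findings.append(Finding("regsvr32_registers_dropped_dll", dropped[dll.lower()], dll))
        elif eid in (12, 13):
            target = e["TargetObject"]
            m = BHO_KEY_RE.search(target)
            if m:
                bho_clsids.add(m.group(1).upper())
                findings.append(Finding("bho_registered", e["Image"], target))
            m = INPROC_RE.search(target)
            if m and eid == 13:
                inproc[m.group(1).upper()] = e["Details"]
        elif eid == 22 and e["QueryName"].lower() in C2_HOSTS:
            findings.append(Finding("dns_known_ioc", e["Image"], e["QueryName"]))
        elif eid == 3 and e["DestinationIp"] == C2_IP:
            findings.append(Finding("net_known_ioc", e["Image"], f'{C2_IP}:{e["DestinationPort"]}'))
    # A BHO whose in-process server is a freshly dropped DLL is the persistence
    # mechanism in this report, as opposed to a vendor toolbar registered by an installer.
    for clsid in bho_clsids:
        dll = inproc.get(clsid, "")
        if dll.lower() in dropped:
            findings.append(Finding("bho_backed_by_dropped_dll", dropped[dll.lower()],
                                    f"{clsid} -> {dll}"))
    return findings


def rules_hit(events):
    return {f.rule for f in analyze(events)}


# Constructed Sysmon-style events mirroring behavioral1 (not sandbox output).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe"
REGSVR = r"C:\Windows\SysWOW64\regsvr32.exe"
COM_KEY = r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID" + "\\" + BHO_CLSID
BHO_KEY = (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Browser Helper Objects" + "\\" + BHO_CLSID)
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED_DLL},
    {"EventID": 1, "Image": REGSVR, "ParentImage": SAMPLE,
     "CommandLine": f'regsvr32.exe /s "{DROPPED_DLL}"'},
    {"EventID": 13, "Image": REGSVR, "Details": DROPPED_DLL,
     "TargetObject": COM_KEY + r"\InprocServer32\(Default)"},
    {"EventID": 12, "Image": REGSVR, "TargetObject": BHO_KEY},
    # Attribution of the DNS query and the 443 connection to the sample is assumed.
    {"EventID": 22, "Image": SAMPLE, "QueryName": "smithewife.zyns.com"},
    {"EventID": 3, "Image": SAMPLE, "DestinationIp": C2_IP, "DestinationPort": 443},
    # Benign noise that must not fire: OS background traffic, vendor DLL registration.
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "g.bing.com"},
    {"EventID": 1, "Image": REGSVR, "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image}  <-  {f.evidence}")
```

The two path-based rules (DLL in the Windows root, BHO backed by a DLL the same host just wrote) carry the weight; the hostname and IP rules are brittle, since the dynamic-DNS names and the server behind 205.209.168.5 can change without the sample changing. Feed real Sysmon events in the same dict shape and the correlation step ties the BHO CLSID back to the process that dropped the DLL.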

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 10:31

Reported

2024-06-22 10:33

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\f:\$recycle.bin\s-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe N/A
File opened for modification \??\f:\$recycle.bin\s-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\KernelHypotenuse\KernelFantasia.exe C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe N/A
File opened for modification C:\Program Files\LicitProtract\TardyGrandstand.exe C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe N/A
File opened for modification C:\Program Files\KernelHypotenuse\KernelFantasia.exe C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe N/A
File created C:\Program Files\LicitProtract\TardyGrandstand.exe C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SUGUZEFHWD.dll C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32\ = "C:\\Windows\\SUGUZEFHWD.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ = "C:\\Windows\\SUGUZEFHWD.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID\ = "Thunder.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\ = "Thunder 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Note: as in behavioral1, every write goes from the sample (PID 3172) into a child it has just created (regsvr32.exe, PID 4784; MultifariousObsequious.exe, PIDs 2852 and 4056). These are the writes CreateProcess performs when starting a child, not evidence of injection on their own.

Description | Indicator | Process | Target
PID 3172 wrote to memory of 4784 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3172 wrote to memory of 2852 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe
PID 3172 wrote to memory of 4056 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory events above):

3172  C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\01aa93050252cf557b281b75c1dcdf86_JaffaCakes118.exe"

  4784  C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Windows\SUGUZEFHWD.dll"

  2852 / 4056  C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe  (two instances)
        "C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe"
        C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe

Network

Note: the bing.com, tse1.mm.bing.net and in-addr.arpa reverse-lookup rows are background traffic of the Windows 10 sandbox image and should not be used as indicators. The rows attributable to the sample are the same as in behavioral1: the dynamic-DNS hostnames buytomer.oCry.com and smithewife.zyns.com and the TLS connections to 205.209.168.5:443.

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
BE | 2.17.107.115:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 115.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 205.209.168.5:443 | (none) | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | buytomer.oCry.com | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | smithewife.zyns.com | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 connections)
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 205.209.168.5:443 | (none) | tcp

Files

Note: KernelFantasia.exe in C:\Program Files\KernelHypotenuse carries exactly the hashes of the submitted sample, and MultifariousObsequious.exe has the same hashes as MenagerieAnachronism.exe from behavioral1, so the file names are randomized per run while the payloads are fixed; hunt on hashes and on the C:\Windows\SUGUZEFHWD.dll path, not on the executable names. TardyGrandstand.exe in C:\Program Files\LicitProtract was also created but no hashes were captured for it.

C:\Windows\SUGUZEFHWD.dll

MD5 78885290bd573a862795805277c3b74a
SHA1 9af1f46fdf5bcc6ca9531f5db467f0b18a3b46ff
SHA256 93f774a139b68ccdee7665544425de475dd9d8b0381e25b968d2360eca85316f
SHA512 71546643af0ab14b4f600b498ad52fee288ec5140d13fe52a78c228ef07473f2d5e1c21ac8a8b79d6fdae552e1510988f6aaead2edff38689586321632e174b7

C:\Users\Admin\AppData\Local\Temp\MultifariousObsequious.exe

MD5 619b4cf619eaebe531bb252e99cdd23b
SHA1 75131437e0039afc65aca67a7a54885b58b8054e
SHA256 cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402
SHA512 40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

C:\Program Files\KernelHypotenuse\KernelFantasia.exe

MD5 01aa93050252cf557b281b75c1dcdf86
SHA1 676653a07ed7fd2f5abc52e8763328b4ae392756
SHA256 e5d435efd11d3ea3667e194b4e9ed8b40784de8fc09913f388e409e5575b2125
SHA512 a8595d9641f7c35f5ff7f4819201d2dc27c3ad78f780bae9623ea02903cdb7d215f5ca73c2b12b5daee297fa5934c446e529ae68ba868e9ba00f021b8517921f