Malware Analysis Report

2025-01-18 22:00

Sample ID 240622-mmdvfsthna
Target 01ae60f13db53d1c8fa86adec6620403_JaffaCakes118
SHA256 9e8b917ecb417a5842d40fa02f50a68a33d4ce448fe9bcd3f119d17a6f8cda9f
Tags adware evasion stealer trojan
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10

SHA256

9e8b917ecb417a5842d40fa02f50a68a33d4ce448fe9bcd3f119d17a6f8cda9f

Threat Level: Shows suspicious behavior

The file 01ae60f13db53d1c8fa86adec6620403_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware evasion stealer trojan

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Installs/modifies Browser Helper Object

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 10:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 10:34

Reported

2024-06-22 10:37

Platform

win7-20240611-en

Max time kernel

126s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\H8UIHSATAGXH.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A
N/A N/A C:\H8UIHSATAGXH.EXE N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{65CD846B-1A69-106F-847E-9B7E00914F20} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\FIIO6\WYWAWT.EXE C:\H8UIHSATAGXH.EXE N/A
File opened for modification C:\Program Files\FIIO6\WYWAWT.EXE C:\H8UIHSATAGXH.EXE N/A
File created C:\Program Files\PVUYQ1J7\S6IV55.EXE C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PVUYQ1J7\S6IV55.EXE C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A
File created C:\Program Files\FIIO6\IRGKRB4Z8IB.EXE C:\H8UIHSATAGXH.EXE N/A
File opened for modification C:\Program Files\FIIO6\IRGKRB4Z8IB.EXE C:\H8UIHSATAGXH.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ABBKGXDVG.txt C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A
File created C:\Windows\ABBKGXDVG.dll C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\ProgID\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\VersionIndependentProgID\ = "Thunder.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\ = "Thunder 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{65CD846B-1A69-106F-847E-9B7E00914F20}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\InprocServer32\ = "C:\\Windows\\ABBKGXDVG.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{65CD846B-1A69-106F-847E-9B7E00914F20}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32\ = "C:\\Windows\\ABBKGXDVG.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\H8UIHSATAGXH.EXE
PID 2256 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\H8UIHSATAGXH.EXE
PID 2256 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\H8UIHSATAGXH.EXE
PID 2256 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\H8UIHSATAGXH.EXE
PID 2256 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2256 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2256 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2256 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2256 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2256 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2256 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe"

C:\H8UIHSATAGXH.EXE

"C:\H8UIHSATAGXH.EXE" C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\ABBKGXDVG.dll"

Network

Country Destination Domain Proto
CN 58.49.58.27:443 tcp
CN 58.49.58.27:443 tcp
CN 58.49.58.27:443 tcp

Files

C:\H8UIHSATAGXH.EXE

MD5 e9c0d19f1c3d63ae8f58fb56c75994be
SHA1 66a1bf7f4d9f30f407c185fedf75177b3063d57b
SHA256 041627cad599d68e11fc7b5836d0911cdae746244679162dab642ff19499aa76
SHA512 c04a0f6a063f245b9e551488576202eaf8014601f8ee6e240eacdc88d889bd37770f8f13582f3c62350a96ba9bb99b559e5577b20fd531dc6926bc2ddf975d78

\Program Files\PVUYQ1J7\S6IV55.EXE

MD5 01ae60f13db53d1c8fa86adec6620403
SHA1 f44a1b75bce9912178b90adb5a954edf0923995d
SHA256 9e8b917ecb417a5842d40fa02f50a68a33d4ce448fe9bcd3f119d17a6f8cda9f
SHA512 d465f8b8086aa805454976e317ee0edb7675cb48d678476ccfc4bbe0759c8b3fbc06c046e6e24de0e2df3dde1d02e01bf926d402e89271073c1db47e6172a7f6

C:\Windows\ABBKGXDVG.dll

MD5 b40c8723d18fccf9c95391463365f730
SHA1 766ada69f1042101f7d2618e3123f32b0fc0ee0e
SHA256 8e3c1b6fd0266e051637cfd65b01c2ef250c4f51ac70d8723739cfa2930fc526
SHA512 3642521113b1d2b935f44730dab4e4763ec091f1c3f8a33c588086cf49fb0d21272ffe77a9e4c8873b2d47c9ab4b462ec2f6febc237a3b55c0ab90a9428735a9

C:\Windows\ABBKGXDVG.txt

MD5 a06bea2ed781fb7a7966d1eca8f29a21
SHA1 b2cb5a7dc7433cf44c2d116aade7868766629e3b
SHA256 1da2edd49a2229e337404e904591f71fbad4d402813be6157d73c2185a4c99a5
SHA512 ece3be4e823263e92898527b11c5d8fb18e261edf4dc949aff8eb09036fe2d623e1529f497e0f64dc1a92f2315dd97bacbda05f85009f1f0793e9b314e07e1cc

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 10:34

Reported

2024-06-22 10:37

Platform

win10v2004-20240508-en

Max time kernel

126s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\YPMIYDSC.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65CD846B-1A69-106F-847E-9B7E00914F20} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MTP6YMW8UXRQ\PGR2V26W0.EXE C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MTP6YMW8UXRQ\PGR2V26W0.EXE C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A
File created C:\Program Files\D168FKL5Q\G7F5P1.EXE C:\YPMIYDSC.EXE N/A
File opened for modification C:\Program Files\D168FKL5Q\G7F5P1.EXE C:\YPMIYDSC.EXE N/A
File created C:\Program Files\D168FKL5Q\UD2P819YE9.EXE C:\YPMIYDSC.EXE N/A
File opened for modification C:\Program Files\D168FKL5Q\UD2P819YE9.EXE C:\YPMIYDSC.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ABBKGXDVG.txt C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A
File created C:\Windows\ABBKGXDVG.dll C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32\ = "C:\\Windows\\ABBKGXDVG.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{65CD846B-1A69-106F-847E-9B7E00914F20}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\ProgID\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\ = "Thunder 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\VersionIndependentProgID\ = "Thunder.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\InprocServer32\ = "C:\\Windows\\ABBKGXDVG.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{65CD846B-1A69-106F-847E-9B7E00914F20}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65CD846B-1A69-106F-847E-9B7E00914F20}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe"

C:\YPMIYDSC.EXE

"C:\YPMIYDSC.EXE" C:\Users\Admin\AppData\Local\Temp\01ae60f13db53d1c8fa86adec6620403_JaffaCakes118.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\ABBKGXDVG.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
CN 58.49.58.27:443 tcp
CN 58.49.58.27:443 tcp
CN 58.49.58.27:443 tcp

Files

C:\YPMIYDSC.EXE

MD5 e9c0d19f1c3d63ae8f58fb56c75994be
SHA1 66a1bf7f4d9f30f407c185fedf75177b3063d57b
SHA256 041627cad599d68e11fc7b5836d0911cdae746244679162dab642ff19499aa76
SHA512 c04a0f6a063f245b9e551488576202eaf8014601f8ee6e240eacdc88d889bd37770f8f13582f3c62350a96ba9bb99b559e5577b20fd531dc6926bc2ddf975d78

C:\Windows\ABBKGXDVG.dll

MD5 b40c8723d18fccf9c95391463365f730
SHA1 766ada69f1042101f7d2618e3123f32b0fc0ee0e
SHA256 8e3c1b6fd0266e051637cfd65b01c2ef250c4f51ac70d8723739cfa2930fc526
SHA512 3642521113b1d2b935f44730dab4e4763ec091f1c3f8a33c588086cf49fb0d21272ffe77a9e4c8873b2d47c9ab4b462ec2f6febc237a3b55c0ab90a9428735a9

C:\Windows\ABBKGXDVG.txt

MD5 a06bea2ed781fb7a7966d1eca8f29a21
SHA1 b2cb5a7dc7433cf44c2d116aade7868766629e3b
SHA256 1da2edd49a2229e337404e904591f71fbad4d402813be6157d73c2185a4c99a5
SHA512 ece3be4e823263e92898527b11c5d8fb18e261edf4dc949aff8eb09036fe2d623e1529f497e0f64dc1a92f2315dd97bacbda05f85009f1f0793e9b314e07e1cc

C:\Program Files\D168FKL5Q\G7F5P1.EXE

MD5 01ae60f13db53d1c8fa86adec6620403
SHA1 f44a1b75bce9912178b90adb5a954edf0923995d
SHA256 9e8b917ecb417a5842d40fa02f50a68a33d4ce448fe9bcd3f119d17a6f8cda9f
SHA512 d465f8b8086aa805454976e317ee0edb7675cb48d678476ccfc4bbe0759c8b3fbc06c046e6e24de0e2df3dde1d02e01bf926d402e89271073c1db47e6172a7f6