Analysis Overview
SHA256
30bc3b02a9694b1c61ee17929b2c4d6ac74ba6d175f4b0b8e7e993cd0696a040
Threat Level: Shows suspicious behavior
The file 10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 04:32
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 04:32
Reported
2024-06-26 04:35
Platform
win7-20240611-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyDVD.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyTT.dll | N/A |
Loads dropped DLL
UPX packed file
VMProtect packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttplay = "C:\\Program Files\\Common Files\\Tencent\\services.exe" | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files\Common Files\Tencent\services.exe | N/A |
Drops file in Program Files directory
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\WpadDecisionReason = "1" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\WpadDecisionTime = d02202e581c7da01 | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0057000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\WpadNetworkName = "Network 3" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F} | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\WpadDecision = "0" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\62-f0-86-1c-8e-87 | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87\WpadDecision = "0" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87\WpadDecisionTime = d02202e581c7da01 | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87\WpadDecisionTime = f0c8b8e081c7da01 | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87\WpadDecisionReason = "1" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87\WpadDetectedUrl | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87 | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0057000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\WpadDecisionTime = f0c8b8e081c7da01 | C:\Program Files\Common Files\Tencent\services.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyTT.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyTT.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyTT.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyTT.dll | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Common Files\Tencent\services.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyTT.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyTT.dll | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe"
C:\Program Files\Common Files\Services\csboyDVD.dll
"C:\Program Files\Common Files\Services\csboyDVD.dll"
C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe
"C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe"
C:\Program Files\Common Files\Tencent\services.exe
"C:\Program Files\Common Files\Tencent\services.exe"
C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
"C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"
C:\Program Files\Common Files\Tencent\services.exe
"C:\Program Files\Common Files\Tencent\services.exe"
C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
"C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"
C:\Program Files\Common Files\Tencent\services.exe
"C:\Program Files\Common Files\Tencent\services.exe"
C:\Program Files\Common Files\Services\csboyTT.dll
"C:\Program Files\Common Files\Services\csboyTT.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | track.qvod.com | udp |
| US | 8.8.8.8:53 | stun.qvod.com | udp |
| US | 8.8.8.8:53 | y0.vayl49k0.com | udp |
| AU | 1.0.0.127:65535 | | udp |
| AU | 1.0.0.127:65535 | | udp |
| US | 8.8.8.8:53 | xx.vamg49o1.info | udp |
| US | 8.8.8.8:53 | j0.vajj49i0.com | udp |
| US | 8.8.8.8:53 | stun01.sipphone.com | udp |
| AU | 1.0.0.127:65535 | | udp |
| AU | 1.0.0.127:65535 | | udp |
| US | 8.8.8.8:53 | jj.vajr49p1.info | udp |
| US | 8.8.8.8:53 | agent.qvod.com | udp |
| CN | 61.139.219.200:80 | | udp |
| CN | 221.194.134.216:80 | | tcp |
| CN | 221.194.134.216:80 | | tcp |
| CN | 221.194.134.216:80 | | tcp |
| CN | 221.194.134.216:80 | | tcp |
| CN | 221.194.134.216:80 | | tcp |
| CN | 221.194.134.216:80 | | tcp |
Files
memory/2392-0-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2392-2-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2392-1-0x0000000000230000-0x0000000000294000-memory.dmp
\Program Files\Common Files\Services\csboyDVD.dll
| MD5 | d8b959990d3888ffc50ecd89156a3204 |
| SHA1 | 3ceafcf6b10748dae5f713bede1f622be939dfe3 |
| SHA256 | 1cadded557baee6bb6298969624b716c8f0ee21a185115d64f17f20d0aece81f |
| SHA512 | 01c016a736b2667c5b3fac7273b734904e5426fad9dc159cff825c4dafa9f2815f5d5b4b9c16275fc60bcf49151c769ecdae55a9e8031a624b865218e77022ad |
\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe
| MD5 | 9b07dfe42e631f6fe905affe27b816a1 |
| SHA1 | 6505ce70d718f2125a4eac57f9a4aca5137f99dd |
| SHA256 | 2b5331308dfff885d62e3da03a32570b347ade8c4678214bab55af32f4167f2f |
| SHA512 | a61986926655e4d98916d904f301a5ff9c4d8ae7c633904705d2da3f4f162a637e78efb0e5e93af4a5e2e638ab018f951881d0fb9a51773b5d520d12bc78b5c2 |
memory/2056-29-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2056-35-0x0000000003280000-0x0000000003484000-memory.dmp
memory/2056-36-0x0000000003280000-0x0000000003484000-memory.dmp
\Program Files\Common Files\Tencent\services.exe
| MD5 | bb2b7321edb97525d61c355db5761500 |
| SHA1 | c5965a66dcdb25af52d4289a4dce3bfd36a5a8c7 |
| SHA256 | 0b7f4bf0eb742c20b2852ee7bfcc7e1b963d686f26c32f43c65986d7caa58d73 |
| SHA512 | 311e4b861555d73751817014e3f4db2c22f8838a6936c372630ecdbcc34f3164932adc1730d5f9bbed6372215ae191ce6944db333fc4a5f2d5ea804745dd5f62 |
memory/2392-42-0x0000000000260000-0x0000000000297000-memory.dmp
memory/2932-54-0x00000000002C0000-0x00000000002F7000-memory.dmp
memory/2932-55-0x0000000000400000-0x0000000000437000-memory.dmp
\Program Files\Common Files\Tencent\tuziboyAuTo.dll
| MD5 | b78e85d6b895835e46f24c6c0345a82f |
| SHA1 | 6b346205b3cac35b71b9ce90ac4d45aa1ab753d0 |
| SHA256 | cd31faea7ea2a14145122551da93e50e00acc2f6700054a3b6039a28f84540db |
| SHA512 | e945884a81ba575f42636a76052ae819e9e02dfde1687bf2547ad5f669200b55a22e4fb1bdae3d5ff8a4807941d9341b98dd74676ff76094f92885d99fa20859 |
\Program Files\Common Files\Services\csboyTT.dll
| MD5 | feadf79836b0be6ac61c193fdbd406a3 |
| SHA1 | b190bb7d502fb8ac72496d5cc121c84fbf336f9f |
| SHA256 | d428633aa54912ea33bab395d3694b6617b9b9af33d501f523a9ffaf54f5517e |
| SHA512 | 8b173081f0cf95a966367e60a13472f8c0139a53b9736a1e5f6841dd535c08e698b852630d925e8252be2d8dcf26576743f63392320fe1280d3118898885afa5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 04:32
Reported
2024-06-26 04:35
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyDVD.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyTT.dll | N/A |
UPX packed file
VMProtect packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttplay = "C:\\Program Files\\Common Files\\Tencent\\services.exe" | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttplay = "C:\\Program Files\\Common Files\\Tencent\\services.exe" | C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll | N/A |
Drops file in Program Files directory
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Common Files\Tencent\services.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Common Files\Tencent\services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Common Files\Tencent\services.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyTT.dll | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\csboyTT.dll | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe"
C:\Program Files\Common Files\Services\csboyDVD.dll
"C:\Program Files\Common Files\Services\csboyDVD.dll"
C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe
"C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe"
C:\Program Files\Common Files\Tencent\services.exe
"C:\Program Files\Common Files\Tencent\services.exe"
C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
"C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"
C:\Program Files\Common Files\Tencent\services.exe
"C:\Program Files\Common Files\Tencent\services.exe"
C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
"C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"
C:\Program Files\Common Files\Tencent\services.exe
"C:\Program Files\Common Files\Tencent\services.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3912,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8
C:\Program Files\Common Files\Services\csboyTT.dll
"C:\Program Files\Common Files\Services\csboyTT.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | track.qvod.com | udp |
| US | 8.8.8.8:53 | stun.qvod.com | udp |
| AU | 1.0.0.127:65535 | | udp |
| AU | 1.0.0.127:65535 | | udp |
| US | 8.8.8.8:53 | 127.0.0.1.in-addr.arpa | udp |
| US | 8.8.8.8:53 | y0.vayl49k0.com | udp |
| US | 8.8.8.8:53 | xx.vamg49o1.info | udp |
| US | 8.8.8.8:53 | j0.vajj49i0.com | udp |
| US | 8.8.8.8:53 | jj.vajr49p1.info | udp |
| US | 8.8.8.8:53 | stun01.sipphone.com | udp |
| AU | 1.0.0.127:65535 | | udp |
| AU | 1.0.0.127:65535 | | udp |
| US | 8.8.8.8:53 | agent.qvod.com | udp |
| CN | 61.139.219.200:80 | | udp |
| CN | 221.194.134.216:80 | | tcp |
| US | 8.8.8.8:53 | 200.219.139.61.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| CN | 221.194.134.216:80 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| CN | 221.194.134.216:80 | | tcp |
| CN | 221.194.134.216:80 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| CN | 221.194.134.216:80 | | tcp |
| US | 8.8.8.8:53 | track.qvod.com | udp |
| US | 8.8.8.8:53 | agent.qvod.com | udp |
| CN | 221.194.134.216:80 | | tcp |
Files
memory/2420-1-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/2420-0-0x0000000000400000-0x0000000000464000-memory.dmp
C:\Program Files\Common Files\Services\csboyDVD.dll
| MD5 | b2cfdc2c11d4bf13d0f0b3b4949b518d |
| SHA1 | d01861f4d7c54052466c822374ac0d78ecbef9a2 |
| SHA256 | 9b6420ccadcef72175e59a88309560ae33fd2bbd1c2a8aef6736171286c0094c |
| SHA512 | 481b62798cc2630d8abdbee0319d14067ee4d507cdeedb2595c27f6e547d2ac89f9e625f0cadb84b4d8c6069f7370648a894b465e33a66a379b972923ee8efe0 |
memory/4808-8-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4808-9-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/4808-10-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe
| MD5 | 9b07dfe42e631f6fe905affe27b816a1 |
| SHA1 | 6505ce70d718f2125a4eac57f9a4aca5137f99dd |
| SHA256 | 2b5331308dfff885d62e3da03a32570b347ade8c4678214bab55af32f4167f2f |
| SHA512 | a61986926655e4d98916d904f301a5ff9c4d8ae7c633904705d2da3f4f162a637e78efb0e5e93af4a5e2e638ab018f951881d0fb9a51773b5d520d12bc78b5c2 |
memory/4240-17-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Program Files\Common Files\Tencent\services.exe
| MD5 | 041a51bd3e4ff3e1f057f5ca9bc2cfb0 |
| SHA1 | d7c35641e2cad0904aeaa366a8530847ef4be439 |
| SHA256 | 3c340ecb11b5aaab3107bc5d478e6cc518610435cedd0c921ec8a5d5f8521669 |
| SHA512 | 9ad35cf99e72f78390b490f04bfdb571ad9c2a6984d38441025308477deed2be89e901c9bbdc82c7aac2502af483c97977157d1f3aa5d93e916cfc223979ef22 |
memory/2340-24-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2340-27-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
| MD5 | 7b0ed92880c55b16bcb556730bbff855 |
| SHA1 | fc11fe51af4821e016e4671a2daaa061bdcde1ac |
| SHA256 | d6f0e3b6a259c1d42db36fc392118b35e5b30fc0eb38ea48b4c46752b24d32b8 |
| SHA512 | 03a2317e1ee1ba29d8fa8be82533a4e3b02c0a9a1ad03eead709e074aa0dfb83a478d35886602a95cc1fe3f324c76ced5eb6a491f6106777885a57fa08a58e25 |
C:\Program Files\Common Files\Services\csboyTT.dll
| MD5 | c716c7f4b2e18b4e48bd69cd5b223f67 |
| SHA1 | f5e232986cc3e9f334675498032660e844f7a0cf |
| SHA256 | 9197e1b71f8a47c251d5a3ab2b414c1b73298f6f1e0a859efc28b4703bf94293 |
| SHA512 | 48fdac4708cde1b64a1b56362533fd636aded709c6662d642268c149a0703cb5d0de3995af26d812a80a3845ac9a44be1fadd733c4f56cc375531d882694cf0a |