e60aea3de7a184da9ffe6ab259ac9d8df4f766b7073425e1b9a0c38cba47e6a0

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Size

5.3MB
MD5

31151a90a011c05239d9382943fd972a
SHA1

c28823aa1a26411782937e5ee7dcdbbb5d844d66
SHA256

e60aea3de7a184da9ffe6ab259ac9d8df4f766b7073425e1b9a0c38cba47e6a0
SHA512

e206e29f44cc239833416cda5433c59ed3ec4a74a78c5c2c5afe7b4c82903126c99dc1398ac56570a6fa5e6ba551ec80ee29a6830bb50eb201688e3a5c238f90
SSDEEP

98304:Kg8H+KNKS6r/5rdZhydaId1qqnkdSaNkMS+fHAy0VHzZlh3zXW4Y:J8HT6r/5xZ0dp1qqnk4aeMS+fgymlTmt

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Funshion.lnk	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3668	xml2fspdata.exe
3940	ASBarBroker.exe

Loads dropped DLL 62 IoCs

pid	Process
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
948	regsvr32.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83164193-93A3-4ECE-B554-F90E89C431CE}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83164193-93A3-4ECE-B554-F90E89C431CE}\NoExplorer = "1"	regsvr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\funshion.ini	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FunShion.ini	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Windows\system32\Funshion.scr	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarBkgnd.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcFrameBtm.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarBk.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarRestore.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionMenuBtn.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnNonTop.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnStop.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetMidHover.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\StatusBarRight.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateIconInit.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ListHeaderSplid.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\MainNcFrameTop.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayInfoItemTextHover.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetMid.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnTitleBkgnd.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskMgnTitleLeft.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CheckBox_Check.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\OptionBtnBk.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarBeforeSmall.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarThumbSmall.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateIconSuc.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IErrorWndBk.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\bmpCleanFile.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\RadioBtnBox.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarShowWeb.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\bmpError.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionNormalBtn.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PauseFlickerBtn.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetTrail.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetTrailHover.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetTrailL.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskListBtnShow.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\CaptionMenuFEn.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarUpArrow.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarHead.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarMoveUp.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\GetFspFile.gif	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskToolBarBk000.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\bmpPrompt.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\OptionSplideBarBkgnd.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPre.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarRightBk.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarDownArrow.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetBkgndHover.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskManagerCloseTxtBtn.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarUpArrowL.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\TaskTextEn.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateCapBkgnd.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarVerWidgetBkgndL.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBkgnd.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\SplidBarBkgnd.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\GetMACAddress.dll	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\rmoc3260.dll	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarDownArrowL.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlaySplidBarThumb.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnNext.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ScrollBarDownArrowRound.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\UpdateBtmCloseBtn.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\dbghelp.dll	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\OptionSplidBarTrail.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayerBarBtnPlayList.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\IeToolBarHomePage.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\ListHeaderBkgnd.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Funshion Online\Funshion\skin\PlayInfoTitleEn.bmp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 8 IoCs

evasion

pid	Process
4904	taskkill.exe
2732	taskkill.exe
3512	taskkill.exe
3088	taskkill.exe
3200	taskkill.exe
3568	taskkill.exe
4472	taskkill.exe
3712	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\ScreenSaveActive = "1"	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Funshion.scr"	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\FaviconURL = "http://www.baidu.com/favicon.ico"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "%ProgramFiles(x86)%\\Baidu\\AddressBar"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=funshion010_oem_dg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\FunshionAddr"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Funshion Online\\Funshion\\FunshionAddr"	ASBarBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\TypedURLs	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\DisplayName = "百度一下，你就知道"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\SearchScopes	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\ = "URL: fsp Protocol"	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E06D8022-DB46-11CF-B4D1-00805F6CBBEA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsp	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDA42200-BD88-11D0-BD4E-00A0C911CE86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\FriendlyName = "Video Renderer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83164193-93A3-4ECE-B554-F90E89C431CE}\Programmable\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\ = "SnavHttpProtocol Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B80AB0A0-7416-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\83164193-93A3-4ECE-B554-F90E89C431CE.Addr.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\ = "JsObject Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\ProgID	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib\ = "{D02E3AB9-7796-40cb-BDFC-20D834FE1F75}"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib	ASBarBroker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor\FilterData = 02000000000020000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\DefaultIcon	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject\CurVer\ = "AddressSearch.JsObject.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ = "ISearchHook"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\Application\ = "Funshion"	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05589FAF-C356-11CE-BF01-00AA0055595A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDBD8D00-C193-11D0-BD4E-00A0C911CE86}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\MEDIA TYPE\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB85-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1\ = "BDBroker Class"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell\open\ddeexec\Application	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\CLSID = "{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\83164193-93A3-4ECE-B554-F90E89C431CE.Addr\ = "83164193-93A3-4ECE-B554-F90E89C431CE Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ = "IJsObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07B65360-C445-11CE-AFDE-00AA006C14F4}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ = "ISnavHttpProtocol"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\VersionIndependentProgID	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ddeexec\Application\ = "Funshion"	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gopher	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ = "ISnavHttpProtocol"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}\FriendlyName = "AVI Draw"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FSP\shell\open\Command	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB8-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\CLSID = "{E4206432-01A1-4BEE-B3E1-3702C8EDC574}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\83164193-93A3-4ECE-B554-F90E89C431CE.Addr.1\CLSID\ = "{83164193-93A3-4ECE-B554-F90E89C431CE}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	3512	taskkill.exe
Token: SeDebugPrivilege	3088	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	3568	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 456	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	79
PID 4608 wrote to memory of 456	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	79
PID 4608 wrote to memory of 456	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	79
PID 456 wrote to memory of 3712	456	cmd.exe	81
PID 456 wrote to memory of 3712	456	cmd.exe	81
PID 456 wrote to memory of 3712	456	cmd.exe	81
PID 4608 wrote to memory of 1544	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	83
PID 4608 wrote to memory of 1544	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	83
PID 4608 wrote to memory of 1544	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	83
PID 1544 wrote to memory of 4904	1544	cmd.exe	85
PID 1544 wrote to memory of 4904	1544	cmd.exe	85
PID 1544 wrote to memory of 4904	1544	cmd.exe	85
PID 4608 wrote to memory of 2996	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	86
PID 4608 wrote to memory of 2996	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	86
PID 4608 wrote to memory of 2996	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	86
PID 2996 wrote to memory of 2732	2996	cmd.exe	88
PID 2996 wrote to memory of 2732	2996	cmd.exe	88
PID 2996 wrote to memory of 2732	2996	cmd.exe	88
PID 4608 wrote to memory of 3476	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	89
PID 4608 wrote to memory of 3476	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	89
PID 4608 wrote to memory of 3476	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	89
PID 3476 wrote to memory of 3512	3476	cmd.exe	91
PID 3476 wrote to memory of 3512	3476	cmd.exe	91
PID 3476 wrote to memory of 3512	3476	cmd.exe	91
PID 4608 wrote to memory of 1332	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	92
PID 4608 wrote to memory of 1332	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	92
PID 4608 wrote to memory of 1332	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	92
PID 1332 wrote to memory of 3088	1332	cmd.exe	94
PID 1332 wrote to memory of 3088	1332	cmd.exe	94
PID 1332 wrote to memory of 3088	1332	cmd.exe	94
PID 4608 wrote to memory of 2976	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	95
PID 4608 wrote to memory of 2976	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	95
PID 4608 wrote to memory of 2976	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	95
PID 2976 wrote to memory of 3200	2976	cmd.exe	97
PID 2976 wrote to memory of 3200	2976	cmd.exe	97
PID 2976 wrote to memory of 3200	2976	cmd.exe	97
PID 4608 wrote to memory of 4352	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	98
PID 4608 wrote to memory of 4352	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	98
PID 4608 wrote to memory of 4352	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	98
PID 4608 wrote to memory of 4792	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	99
PID 4608 wrote to memory of 4792	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	99
PID 4608 wrote to memory of 4792	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	99
PID 4608 wrote to memory of 3668	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	101
PID 4608 wrote to memory of 3668	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	101
PID 4608 wrote to memory of 3668	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	101
PID 4608 wrote to memory of 3488	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	103
PID 4608 wrote to memory of 3488	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	103
PID 4608 wrote to memory of 3488	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	103
PID 3488 wrote to memory of 3568	3488	cmd.exe	105
PID 3488 wrote to memory of 3568	3488	cmd.exe	105
PID 3488 wrote to memory of 3568	3488	cmd.exe	105
PID 4608 wrote to memory of 948	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	107
PID 4608 wrote to memory of 948	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	107
PID 4608 wrote to memory of 948	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	107
PID 948 wrote to memory of 3940	948	regsvr32.exe	108
PID 948 wrote to memory of 3940	948	regsvr32.exe	108
PID 948 wrote to memory of 3940	948	regsvr32.exe	108
PID 4608 wrote to memory of 3176	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	110
PID 4608 wrote to memory of 3176	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	110
PID 4608 wrote to memory of 3176	4608	31151a90a011c05239d9382943fd972a_JaffaCakes118.exe	110
PID 3176 wrote to memory of 4472	3176	cmd.exe	112
PID 3176 wrote to memory of 4472	3176	cmd.exe	112
PID 3176 wrote to memory of 4472	3176	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\31151a90a011c05239d9382943fd972a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31151a90a011c05239d9382943fd972a_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Funshion.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FSPServer.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionService.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Updater.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Updater.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpdate.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpdate.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpgrade.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpgrade.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\quartz.dll"
  2⤵
  - Modifies registry class
  PID:4352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C rename "C:\Users\Admin\funshion\historyTorrent\*.torrent" *.fsp
  2⤵
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe
  "C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe" "C:\Program Files (x86)\Funshion Online\Funshion\control\\"
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "funshionupgrade.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "funshionupgrade.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3568
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe
    "C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "funshion.scr"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "funshion.scr"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\ASBarBroker.exe

Filesize
128KB

MD5
aecf47200f80613e5aeed4285441ade5

SHA1
a1006ab28a7c3c43beadcf72dc148be33ef90fab

SHA256
796c475af15f5f7d179a2a490901617a958e4063781a2443c4c8ce95688e8756

SHA512
c8550608c8a06108cbcf097fb94011d1928bd6439d830ac78aadab4e31d0e50b23b791552553acd3e731399b94cfa8a7947f2505eb48bf095eee62173a45ec0f

Download Submit
C:\PROGRA~2\FUNSHI~1\Funshion\FUNSHI~1\conf.xml

Filesize
259B

MD5
879fcee362a01be6ad2cc994fea5e09d

SHA1
974bd6211cb91911c16964c852d746d62da9d684

SHA256
168e3418ab45d3221834d7d1ef71bec2ca435476a8f65d6660c38b298b5cbe34

SHA512
4dabd2643f3280b0778d3edae4512b6d772b06a5e0b81a1c99909455a4ec1345b53acd2f1fcb46726e371329213c3af4018831596b2b6da0eb8f9879631df1c4

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\Funshion.exe

Filesize
2.8MB

MD5
f35d3a5736a0ecb3d6f4f18d7966476c

SHA1
bed47a42657fbd2cf5732d5a42d9e8c0865f2145

SHA256
53df592d425002c866236e2e2ed1cbb38f8c186fae2a0d98024a99e85a9cc26c

SHA512
781fd703e7aabba1757ef913608954fdd67f47c8a9c4c185ecd92bbfe73dd25a6f9ca234958f395ad0e3318f0beec41af85ddfed39baaa1a269907567bf3b9c9

Download Submit
C:\Program Files (x86)\Funshion Online\Funshion\FunshionAddr\funshionAddr.dll

Filesize
1.1MB

MD5
e2f76eb0a099a8472196bb922b86353b

SHA1
59f7a982c73277463942ebd4e1ccc6204436cc6d

SHA256
255c95b7dfc1f56d0c745064d07c264cd94ba8415e3be835a7a0dadafb936965

SHA512
578af8e2c68295d3ef010613cd065e4985bb488d4d3507cbb7d9c8c491f2d13ef5ae4941dbe1a02287c813144c9dfdeec7b6c590dd0e4ec626459f4e7257af26

Download Submit
C:\Users\Admin\AppData\Local\Temp\getmacaddress.dll

Filesize
154KB

MD5
43d6ea2d92057a5bee55a24da663c5d1

SHA1
2aee91ec9978b47aa897332a60ad53eaf47b3629

SHA256
b54029ec6385605fac85067be8573f6fb97fe9958ab527789b145efbf5133445

SHA512
94a1f3622cb5e6a329b1eb9dd6a11f41515ac56417fb48aa661dd5fe32b6571a7cd73303b82def40c7e99067b6766206ad0abfa31b865ffe383c45aea79f5e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nicdescr.dat

Filesize
1KB

MD5
0fb9927e7a9ca8c5f5af8bb4fd7857df

SHA1
40b512129c1d3de5b11c81300e0cbeb781f06873

SHA256
52348ac96775f546a3d057edf50aaf69e0aeb03edc7972055496c014c31dc738

SHA512
331228608c543b66e04e6d9960b51ed1b26bbaad4d48a9254121618cfca31e2a68d194aa1bde071b1a4e3d03d27174dbc5efcc5a7e0cb5a5064c9cee270609ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEFFF.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEFFF.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEFFF.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEFFF.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEFFF.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEFFF.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEFFF.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xml2fspdata.exe

Filesize
122KB

MD5
e658e684b19c7dbacf1d197c3fdb0265

SHA1
5fe48fc190f65d44090854a7549925e19bd81b61

SHA256
434ad3a94e2686eee117d140302a089b12caec2a1e29bfb8dbf9004d555f7c33

SHA512
87d554df3720ba8e3da89fa1cd60184a3e4eb906281adfeac7cccd375837b53001bfc7dd1a6dcdad2a6caa39b3950df5e938dae6c1f5e24e425a69153dcdea1f

Download Submit
C:\Users\Admin\funshion.ini

Filesize
387B

MD5
f38281c8c49f187c34a3f7a1083fe537

SHA1
cbc9207ae48bedbc74c4776e2c7bafd715c910d6

SHA256
2aad1a30f28d330206cff40ba9593d51fae8d0b36d736334c905cb4ced89692f

SHA512
0985ca038d13624fce6df30a419c1c37caa10b0c7ef9ef9d16eb74d48306a6d5814a0737345abd42dfe043ff292b43968a726fea65fb101ce4bf96514b4e8ab0

Download Submit
C:\Users\Admin\funshion.ini

Filesize
624B

MD5
4d3a0021f10e906e2d45fe375b412040

SHA1
13f1cb7cd04e923cf72e2ec1e7a7a610b0f1a7d7

SHA256
5894aaebbf5ed8aa91579a6ea786272d33829aee6393b83924fe9fb90c2101b3

SHA512
beb55afbe6344a4832d9cf9e47576fbc51b4145d19109b4f7b6de3dd38eafb9942f5e65769835e340e61eb6d146bb61b59b3e3fb697fbcff0bdf64423e8236e5

Download Submit
C:\Users\Admin\funshion.ini

Filesize
811B

MD5
7c3e0a26301bd1b711532c474f00758f

SHA1
f0cab2192cf5825d9150bf2435b7273e903807d7

SHA256
99b20512df1b4c389adb5c1c7c787d416a8d6570fca1b463fa646afe1a6fbbf7

SHA512
1b85b0ad32fd7c60014a4667fea17f15d27feab33734460c439c4739598af229ec4c916fedf0b6dcf3ce7f46b1f0a05982736fd6c95f6dde27832c34056970ec

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
452B

MD5
7a9e668ade8b0d7916a35b0d98eeb72b

SHA1
620cda4ab541e736dfea0192a2d303161a913610

SHA256
0df2ad4d9a24fa86a2d046fc586dd8005c489577be3fff4fb356069c703c80a2

SHA512
22bf785c3b7dafd73346fbc6b0378c84dd950f47209b1026424adaa941ff666730e72697862350acbdb9ddf4b2c29dcc2d31cc5da6816139a7f0cd934ea61493

Download Submit
memory/4608-482-0x0000000003680000-0x00000000036A8000-memory.dmp

Filesize
160KB

Download
memory/4608-459-0x0000000003680000-0x000000000368B000-memory.dmp

Filesize
44KB

Download
memory/4608-115-0x0000000003010000-0x0000000003038000-memory.dmp

Filesize
160KB

Download
memory/4608-10-0x0000000002F00000-0x0000000002F0B000-memory.dmp

Filesize
44KB

Download