Overview (score 7)

Tasks (name, platform, score):
Static                 static              3
43d963bb3d...18.exe    windows7-x64        7
43d963bb3d...18.exe    windows10-2004-x64  7
$PLUGINSDI...ns.dll    windows7-x64        3
$PLUGINSDI...ns.dll    windows10-2004-x64  3
$PLUGINSDI...em.dll    windows7-x64        3
$PLUGINSDI...em.dll    windows10-2004-x64  3
Acrobat2Dict.dll       windows7-x64        1
Acrobat2Dict.dll       windows10-2004-x64  1
RunDict.exe            windows7-x64        4
RunDict.exe            windows10-2004-x64  7
TextExtrac...32.dll    windows7-x64        1
TextExtrac...32.dll    windows10-2004-x64  1
TextExtrac...64.dll    windows7-x64        1
TextExtrac...64.dll    windows10-2004-x64  1
WordBook.exe           windows7-x64        1
WordBook.exe           windows10-2004-x64  1
WordStroke...32.dll    windows7-x64        1
WordStroke...32.dll    windows10-2004-x64  1
WordStroke...64.dll    windows7-x64        1
WordStroke...64.dll    windows10-2004-x64  1
YodaoDict.dll          windows7-x64        3
YodaoDict.dll          windows10-2004-x64  3
YodaoDict.exe          windows7-x64        4
YodaoDict.exe          windows10-2004-x64  4
YodaoOcr.exe           windows7-x64        1
YodaoOcr.exe           windows10-2004-x64  1
YoudaoEH.exe           windows7-x64        1
YoudaoEH.exe           windows10-2004-x64  1
YoudaoGetWord32.dll    windows7-x64        1
YoudaoGetWord32.dll    windows10-2004-x64  1
YoudaoGetWord64.dll    windows7-x64        7
YoudaoGetWord64.dll    windows10-2004-x64  7

Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14/07/2024, 02:01
Static task: static1

Behavioral tasks (task: sample, resource):
behavioral1: 43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe, win7-20240708-en
behavioral2: 43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe, win10v2004-20240704-en
behavioral3: $PLUGINSDIR/InstallOptions.dll, win7-20240705-en
behavioral4: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240709-en
behavioral5: $PLUGINSDIR/System.dll, win7-20240704-en
behavioral6: $PLUGINSDIR/System.dll, win10v2004-20240709-en
behavioral7: Acrobat2Dict.dll, win7-20240704-en
behavioral8: Acrobat2Dict.dll, win10v2004-20240709-en
behavioral9: RunDict.exe, win7-20240708-en
behavioral10: RunDict.exe, win10v2004-20240709-en
behavioral11: TextExtractorImpl32.dll, win7-20240704-en
behavioral12: TextExtractorImpl32.dll, win10v2004-20240709-en
behavioral13: TextExtractorImpl64.dll, win7-20240705-en
behavioral14: TextExtractorImpl64.dll, win10v2004-20240709-en
behavioral15: WordBook.exe, win7-20240708-en
behavioral16: WordBook.exe, win10v2004-20240709-en
behavioral17: WordStrokeHelper32.dll, win7-20240704-en
behavioral18: WordStrokeHelper32.dll, win10v2004-20240709-en
behavioral19: WordStrokeHelper64.dll, win7-20240704-en
behavioral20: WordStrokeHelper64.dll, win10v2004-20240709-en
behavioral21: YodaoDict.dll, win7-20240704-en
behavioral22: YodaoDict.dll, win10v2004-20240709-en
behavioral23: YodaoDict.exe, win7-20240704-en
behavioral24: YodaoDict.exe, win10v2004-20240709-en
behavioral25: YodaoOcr.exe, win7-20240708-en
behavioral26: YodaoOcr.exe, win10v2004-20240709-en
behavioral27: YoudaoEH.exe, win7-20240704-en
behavioral28: YoudaoEH.exe, win10v2004-20240709-en
behavioral29: YoudaoGetWord32.dll, win7-20240704-en
behavioral30: YoudaoGetWord32.dll, win10v2004-20240704-en
behavioral31: YoudaoGetWord64.dll, win7-20240704-en
behavioral32: YoudaoGetWord64.dll, win10v2004-20240709-en
General
Target: 43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe
Size: 4.7MB
MD5: 43d963bb3d6d59917024fbcd50eebaac
SHA1: 848a6799540049d5054bd4a9d43521cdcfbf2ea8
SHA256: d2cd99f2ffcad6cc11d3798ad269c5a711ac9a9bd445e940df99b65d8b095d4b
SHA512: efef3abf5c0106b2278fe8701e77a5fdf5aa02da979f70379240d07df3763de84244a1376c958c0773404201b122952dfc9a8b8cf97898c35ee88c6c3dc946c0
SSDEEP: 98304:i/W8zYD3JB9+RdcrhzBNmG5DFzD2DhLJFg4mYfU93YjIPR4t263ez3xQiqAQ7BS:i//E3JBsRdmzBAu+gE+RJ2xvFI
Malware Config
Signatures
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE (2 IoCs)
pid   Process
3032  YodaoDict.exe
1208  YodaoDict.exe

Loads dropped DLL (7 IoCs)
pid   Process
2388  43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe
2236  regsvr32.exe
1992  regsvr32.exe
2388  43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe
2388  43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe
1460  regsvr32.exe
2388  43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\YodaoDict = "\"C:\\Program Files (x86)\\Youdao\\Dict\\RunDict.exe\" -hide"
Process: YodaoDict.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (64 IoCs)
description: ioc (Process is 43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe for every entry except the one marked YodaoDict.exe)
File created: C:\Program Files (x86)\Youdao\Dict\resultui\images\earthpic.jpg
File opened for modification: C:\Program Files (x86)\Youdao\Dict\intro\step3.html
File opened for modification: C:\Program Files (x86)\Youdao\Dict\res\faq.html
File created: C:\Program Files (x86)\Youdao\Dict\skins\xp-cute.xml
File created: C:\Program Files (x86)\Youdao\Dict\skins\xp-default.xml
File created: C:\Program Files (x86)\Youdao\Dict\YoudaoGetWord32.dll
File created: C:\Program Files (x86)\Youdao\Dict\intro\pre.html
File created: C:\Program Files (x86)\Youdao\Dict\vendor.dat
File opened for modification: C:\Program Files (x86)\Youdao\Dict\res\images\laba1.gif
File opened for modification: C:\Program Files (x86)\Youdao\Dict\tessdll.dll
File opened for modification: C:\Program Files (x86)\Youdao\Dict\YodaoDict.api
File created: C:\Program Files (x86)\Youdao\Dict\resultui\wiki.html
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\js
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\index.html
File opened for modification: C:\Program Files (x86)\Youdao\Dict\skins\win7-default.xml
File created: C:\Program Files (x86)\Youdao\Dict\intro\style.css
File created: C:\Program Files (x86)\Youdao\Dict\res\style\updater.css
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\queryresult.html
File created: C:\Program Files (x86)\Youdao\Dict\resultui\images\newfeaturepic.gif
File opened for modification: C:\Program Files (x86)\Youdao\Dict\intro\images\arrow.png
File opened for modification: C:\Program Files (x86)\Youdao\Dict\res\images\image-q3-21.gif
File opened for modification: C:\Program Files (x86)\Youdao\Dict\tessdata\eng.word-dawg
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\css
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\images\baike.jpg
File created: C:\Program Files (x86)\Youdao\Dict\tessdata\eng.normproto
File opened for modification: C:\Program Files (x86)\Youdao\Dict\tessdata\eng.unicharset
File created: C:\Program Files (x86)\Youdao\Dict\resultui\images\graypointpoint.gif
File created: C:\Program Files (x86)\Youdao\Dict\resultui\images\logo.gif
File created: C:\Program Files (x86)\Youdao\Dict\skins\world-cup.xml
File opened for modification: C:\Program Files (x86)\Youdao\Dict\intro
File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\YodaoDict.api (Process: YodaoDict.exe)
File opened for modification: C:\Program Files (x86)\Youdao\Dict\TextExtractorImpl64.dll
File created: C:\Program Files (x86)\Youdao\Dict\WordStrokeHelper32.dll
File created: C:\Program Files (x86)\Youdao\Dict\YoudaoEH.exe
File opened for modification: C:\Program Files (x86)\Youdao\Dict\skins\xp-default.bmp
File created: C:\Program Files (x86)\Youdao\Dict\intro\step1.html
File opened for modification: C:\Program Files (x86)\Youdao\Dict\skins\world-cup.css
File opened for modification: C:\Program Files (x86)\Youdao\Dict\skins\world-cup.png
File opened for modification: C:\Program Files (x86)\Youdao\Dict\intro\images\sprite.jpg
File created: C:\Program Files (x86)\Youdao\Dict\resultui\images\cidian_aqurebutton_close.gif
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\images\cidian_point_empty.gif
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\js\ui.js
File created: C:\Program Files (x86)\Youdao\Dict\skins\default.css
File opened for modification: C:\Program Files (x86)\Youdao\Dict\WordBook.exe
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\images\cidian_aqurebutton_close.gif
File created: C:\Program Files (x86)\Youdao\Dict\resultui\images\cidian_point_solid.gif
File opened for modification: C:\Program Files (x86)\Youdao\Dict\skins\world-cup.bmp
File created: C:\Program Files (x86)\Youdao\Dict\RunDict.exe
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\verifycode.html
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\wikiresult.xsl
File created: C:\Program Files (x86)\Youdao\Dict\skins\win7-default.bmp
File created: C:\Program Files (x86)\Youdao\Dict\resultui\js\jquery.min.js
File created: C:\Program Files (x86)\Youdao\Dict\TextExtractorImpl32.dll
File created: C:\Program Files (x86)\Youdao\Dict\dicten.db
File created: C:\Program Files (x86)\Youdao\Dict\resultui\images\baike.jpg
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\images\newfeaturepic.gif
File created: C:\Program Files (x86)\Youdao\Dict\skins\xp-blue.xml
File opened for modification: C:\Program Files (x86)\Youdao\Dict\TextExtractorImpl32.dll
File created: C:\Program Files (x86)\Youdao\Dict\resultui\images\graypoint.gif
File opened for modification: C:\Program Files (x86)\Youdao\Dict\resultui\images\graypointpoint.gif
File created: C:\Program Files (x86)\Youdao\Dict\resultui\images\submitbutton.gif
File opened for modification: C:\Program Files (x86)\Youdao\Dict\YoudaoGetWord32.dll
File opened for modification: C:\Program Files (x86)\Youdao\Dict\skins\xp-blue.png
File opened for modification: C:\Program Files (x86)\Youdao\Dict\tessdata\eng.DangAmbigs
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (64 IoCs)
description: ioc (Process is regsvr32.exe for every entry)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\TypeLib
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55684B24-475C-4969-8C82-B498B5A53596}\1.0
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord32.Connect\CLSID\ = "{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord32.Connect\CurVer
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\Programmable
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\InprocServer32\ = "C:\\Program Files (x86)\\Youdao\\Dict\\YoudaoGetWord64.dll"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\InprocServer32
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55684B24-475C-4969-8C82-B498B5A53596}\1.0\FLAGS
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord32.Connect\CurVer\ = "YoudaoGetWord32.Connect.1"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\ProgID\ = "YoudaoGetWord32.Connect.1"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}\1.0\ = "YoudaoGetWord 1.0 Type Library"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}\1.0\FLAGS
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord64.Connect.1\CLSID\ = "{07473267-2FBF-468D-8C7D-A9DB6211F5F2}"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord64.Connect\CLSID
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\InprocServer32\ = "C:\\Program Files (x86)\\Youdao\\Dict\\YoudaoGetWord32.dll"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\InprocServer32\ThreadingModel = "Apartment"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord32.Connect.1\CLSID\ = "{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord64.Connect\CurVer
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\TypeLib\ = "{55684B24-475C-4969-8C82-B498B5A53596}"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord64.Connect\CurVer\ = "YoudaoGetWord64.Connect.1"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\VersionIndependentProgID
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\VersionIndependentProgID\ = "YoudaoGetWord64.Connect"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55684B24-475C-4969-8C82-B498B5A53596}\1.0\HELPDIR
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord64.Connect\CLSID\ = "{07473267-2FBF-468D-8C7D-A9DB6211F5F2}"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord32.Connect\ = "Connect Class"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\InprocServer32
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}\1.0\HELPDIR
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord64.Connect.1\ = "Connect Class"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord64.Connect
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord32.Connect.1\CLSID
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\VersionIndependentProgID
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}\1.0
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}\1.0\0\win32\ = "C:\\Program Files (x86)\\Youdao\\Dict\\YoudaoGetWord32.dll"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55684B24-475C-4969-8C82-B498B5A53596}\1.0\0\win64\ = "C:\\Program Files (x86)\\Youdao\\Dict\\YoudaoGetWord64.dll"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord32.Connect\CLSID
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord64.Connect.1
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord64.Connect.1\CLSID
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\ProgID
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55684B24-475C-4969-8C82-B498B5A53596}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\TypeLib
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\InprocServer32\ThreadingModel = "Apartment"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55684B24-475C-4969-8C82-B498B5A53596}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Youdao\\Dict\\"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\TypeLib\ = "{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Youdao\\Dict\\"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55684B24-475C-4969-8C82-B498B5A53596}\1.0\0\win64
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord32.Connect.1\ = "Connect Class"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord32.Connect
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\VersionIndependentProgID\ = "YoudaoGetWord32.Connect"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\ProgID\ = "YoudaoGetWord64.Connect.1"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\Programmable
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord32.Connect.1
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\ = "Connect Class"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07473267-2FBF-468D-8C7D-A9DB6211F5F2}\ = "Connect Class"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55684B24-475C-4969-8C82-B498B5A53596}\1.0\0
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55684B24-475C-4969-8C82-B498B5A53596}\1.0\FLAGS\ = "0"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB241B94-028A-441D-B9EB-B9AD3FDF2D9A}\ProgID
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}\1.0\FLAGS\ = "0"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}\1.0\0
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7659C504-025E-4FB5-A9EC-8D2A42C9B2AF}\1.0\0\win32
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\YoudaoGetWord64.Connect\ = "Connect Class"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55684B24-475C-4969-8C82-B498B5A53596}\1.0\ = "YoudaoGetWord 1.0 Type Library"
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
3032  YodaoDict.exe
1208  YodaoDict.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description                        pid   Process                                              procid_target  entries
PID 2388 wrote to memory of 3032   2388  43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe   30             4
PID 3032 wrote to memory of 2236   3032  YodaoDict.exe                                        31             7
PID 3032 wrote to memory of 1992   3032  YodaoDict.exe                                        32             7
PID 1992 wrote to memory of 1460   1992  regsvr32.exe                                         33             7
PID 2388 wrote to memory of 1208   2388  43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe   34             4
Processes

C:\Users\Admin\AppData\Local\Temp\43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe (PID 2388, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe (PID 3032, level 2)
    Command line: "C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe" install
    Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe (PID 2236, level 3)
      Command line: "C:\Windows\System32\regsvr32.exe" "C:\Program Files (x86)\Youdao\Dict\YoudaoGetWord32.dll" /s
      Signatures: Loads dropped DLL; Modifies registry class

    C:\Windows\SysWOW64\regsvr32.exe (PID 1992, level 3)
      Command line: "C:\Windows\System32\regsvr32.exe" "C:\Program Files (x86)\Youdao\Dict\YoudaoGetWord64.dll" /s
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

      C:\Windows\system32\regsvr32.exe (PID 1460, level 4)
        Command line: "C:\Program Files (x86)\Youdao\Dict\YoudaoGetWord64.dll" /s
        Signatures: Loads dropped DLL; Modifies registry class

  C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe (PID 1208, level 2)
    Command line: "C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe" instreport
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Downloads

Filesize: 176KB
MD5: f644fd525eb7a16842963458f95a8f24
SHA1: 9fd9bad66fd39348dbb1faa58b8e3841663acdb4
SHA256: 378c1de993cbb32e9cf8663b1c20986733da5e8755649eac1dee2938332fc319
SHA512: 0436cd4a2302953900e2a5799f1585682f22f39cce54bc0e9ff9a48338056ba3853af04bdc6ae8c4304305ff70d4a094723188da197cca25b66ef9404fe3c0a9

Filesize: 301KB
MD5: defdfacb94569297bd74cdce30d014f1
SHA1: 29424c26e644dd97b345d7c91b025a65d93d6605
SHA256: 7a0fc662db1894071eb3a2b83e0d8c9f00b7ef2604b7aa903ba44f51ced452b1
SHA512: d4e4e37763628bd7757cfa23a88b1cb5cac77c2d89eb8a3030de535203a2e6a3da1b2a1fd4cf7bd183f48cdaa24ad19f1c754da11d83be966f94c3eae73ca6fe

Filesize: 481KB
MD5: 7e12d51099017eafdf2b7626c514dce4
SHA1: f84a8c654e2ec5e080cea767a44a2d2a803c1e66
SHA256: 0114d12aae2ebbfabda09a8e02a1bcffb91e4dce863c1c86b4668436aee50f57
SHA512: c85df7920f76a750af966067a16cafd5acd4fdf2f2514824ad4fa8d7d1bfc487eece0d735c2bb4da685a26d12b383f9f4598e72c17e7dad9a316fccbc1ddedd8

Filesize: 77B
MD5: 4d0f73ef439be3e82ed8f0b1ec9f34fc
SHA1: 7e41c414369b51e8d846d0c6e701c4f393a18a78
SHA256: 0408a6c40b7e3793a49510bad89c1ca52d906aafad5f27064223ebec4a4f5f5b
SHA512: 3103b11966f389a6d5537be4ae7d37be9a131b27b0958f76948b09b0bf972db6dbdfa91ccd7e5c9ef3fcbacda41e0f42e4b1c04557e2f33cd08274fd324f5e93

Filesize: 16B
MD5: 197db01a182166197d319e0738250013
SHA1: 687e8e97f574d80eac0403034b33b8cdd24dfd81
SHA256: d5a06a989ca5f879dc9b7f91f2a243b6e05dd265be6be783b7e904fe766fe50f
SHA512: 9afff9424d9aa8751a470090ff2d1406798d9553d38b9f282ac571d9f83379e3b5ab422749884687d3fee9bb52c48c9908bc95717858093a21753f617ae6e84c

Filesize: 549KB
MD5: 2055451ef343ddf16e3381af30ce836d
SHA1: c0ff6dd53d6664e05407b72bf725f7837c7e8394
SHA256: 42b9c7089e17be21d5c8441ec8600b2d93627be08f6fe19081c08af7bbc8ba69
SHA512: da250349668c97305612d7658bc86f7d726507f287396813f452cc127e8fe7017524d4dc518e87d630adf44d3f60509d154b6585b763c3eae914b70cd4a682bc

Filesize: 4B
MD5: e11ce15ad01f5fef87016b607ea74a1b
SHA1: e212d05d3aebab836c32bc247a0f325e96dc17d9
SHA256: 146d7002ea6e76a5f6296cb7f8c1152e33e2f29903711fd7c997768a1ba2628b
SHA512: 9c4c0c7ef9e62bf4656edd61f69dd4aa317365ee692191030cab99ea396f37a964f38990adda328710f8b245ce1f9bef2e1abfc170782a0c2b06e5c7320e9023

Filesize: 828B
MD5: 0e1fe243c0d3726868770e998415118b
SHA1: 058df77e26b67704d67834c78f0f82a80fb053dc
SHA256: 02eeef10b4523bef247ac07e0d4a2a0470a9c2e307225532bdff17d987111c3e
SHA512: 558ce7ab6acfe49032206b00684d015e399805ff2b8efcdd84aa7e3bcd2a69ad01a8b703d5d8ca290831dd0fbb628abc190d1aaddcf2723f7342741e868b144d

Filesize: 954B
MD5: 26093b98a4cf7eba54956b6ff78b1e7d
SHA1: 03158c1fab1fc09b12a3af6a2d81eeb50c6531dc
SHA256: da55620095fbef0f2726a844dbb3f8759240926d939ee57d897f83783b9b6149
SHA512: 65271f5a264eea5ac3035c6aa2f9d6ba5a7a6b8947ae57f268c0abf8d1a73e498a9179e41aad6e223c619e52883872fc0f45bfd65241897449d7cd4b8fb83148

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3551809350-4263495960-1443967649-1000\0f5007522459c86e95ffcc62f32308f1_5a410d66-f84f-4a6b-9b29-3982febe58d9
Filesize: 1KB
MD5: ba4e3f44b19e926525ab37f65b33a5e1
SHA1: d30b326297672f3e74a2e6f6bad42e7d79cc91f0
SHA256: 9e23b893746ba984eadc822da78bce02121236d2779101c66ac0d622f0c07e5d
SHA512: 1bd49e6ff7b018c3bbe1e61d6c5df05924d7a3eda1e897cfca318ea71e5292ae62e427cf233d99415e289170624df2b5a73fec105be2e52786f1570d79af3d7d

Filesize: 152B
MD5: e036a52181d9614b2ffa05bdf43433af
SHA1: 7ad1badf149282ae7168b531fd5f8afd7fdd8471
SHA256: 4d029c6d6901fcca513e4fa6dc76ebc67a28022ff669434d007adf032521c11b
SHA512: c2a9c2a96419fcb1fe7da1c3d8dcc68ea34ce78c7320e49156e276e8f2d0fc644e66ee91e5b24eeaf3d7dd1d4361c5b8363a52f21ac4e8f2bc1da2bdfac27f4f

Filesize: 1.0MB
MD5: 8f53c2d99bfa673b55166bcf1ff7d7da
SHA1: 926c2a8973e865e97bc8efd2853fe452baf1de9a
SHA256: 3c427a32b5f6d01035fbf6ef41e24cec36dbd6bdf2623e92415b3db38cf29c7d
SHA512: 06eea32886ed3b710c7ec794296c7cb7aadb82cf8e6efd24e4c7e3441dc32ae17a56b169df5763988ef77cc392e4e54e95abbe89e8886c3450bb0957c82e589e

Filesize: 1.6MB
MD5: c7ed7d11c78afcff633ad5109445820f
SHA1: fac007401a37d621f32c4ee7e426c153dc12203e
SHA256: 99c01ecce6c52ab30736b74c4fd519298b133125b7c2b2c0926763d0f471818a
SHA512: e4ff7760844dbb0c284c7d200eaf95520c7291e6a932289d5b098521e4b759ae4d44390c0dd59b039a8111e892a11872f70f6839126fd3d93e7c4790130d9061