5c4d0962a9e5ffc28a0bf8d3951e9017d3a639f80d2c2a2912fb0d8190fe81b2

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe
Size

468KB
MD5

619b6486f1a4e6451206847951bf9efc
SHA1

d37c7529d3565482d5d9e67c1fed6455f2de0669
SHA256

5c4d0962a9e5ffc28a0bf8d3951e9017d3a639f80d2c2a2912fb0d8190fe81b2
SHA512

ed003ef65b45174c1b2729ef6c6123a842d5a62ff057614a0280e7bc39ed4e8bd952fd2032b0a2e04bfa879a2307df52f15f0841b07b298eecf39abfb38f949b
SSDEEP

6144:xKU6TGEOMB9Q7z76B1151BDloXLGkf3aLiqQ2qJzoUa+7+q0EmU/tcmeyo2x3Sf5:xKJgzetovGi5ZkUR77mS2eniMKkBLm

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\cdntran.sys	setup.exe
File created	C:\Windows\SysWOW64\drivers\cdnprot.sys	setup.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cdnprot\ImagePath = "system32\\drivers\\cdnprot.sys"	setup.exe

Executes dropped EXE 3 IoCs

pid	Process
2804	setup.exe
2608	setup.exe
808	cdnup.exe

Loads dropped DLL 34 IoCs

pid	Process
2752	619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe
2804	setup.exe
2804	setup.exe
2804	setup.exe
2804	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
2608	setup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
2608	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CdnCtr = "C:\\Program Files\\CNNIC\\Cdn\\cdnup.exe"	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{35980F6E-A137-4E50-953D-813BB8556899}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F5824EFB-728A-4726-A5A5-85A68B20EDC3}	setup.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cdn.dll	setup.exe
File created	C:\Windows\SysWOW64\cdnns.dll	setup.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files\CNNIC\Cdn\cdnprot.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnaux.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\Images\news.ico	setup.exe
File created	C:\Program Files\CNNIC\Cdn\Images\soft.ico	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\cdndisp.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\imaoe.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdncmd.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\src.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\Images\popup.bmp	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnhint.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\client.dll	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\src.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\wmhlpr.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdntdns.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprev.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnvers.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnunins.exe	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnup.exe	setup.exe
File created	C:\Program Files\CNNIC\Cdn\imaol.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdntran.dat	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\cdnvers.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\imaconv.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\idnconv.dll	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\idnconv.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\Images\enter.ico	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnspie.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnctr.exe	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdndisp.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\iesrch.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cnnic.htm	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprh.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdniehlp.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnglo.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdndet.dll	setup.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP\ValueName = "EnableTaskPopup"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_WEB\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\MenuStatusBar = "ÖÐÎÄÉÏÍøÉèÖÃ"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\MenuStatusBar = "Chinese Navigation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\ValueName = "EnableKw"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT\ValueName = "Contexts"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\INHINT	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\Type = "group"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\ValueName = "EnableIdn"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE\ValueName = "AutoUpdate"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\UncheckedValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_WEB\ValueName = "EnableMailW"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP\Text = "Pop up news information"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\DefaultValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_WEB\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\Type = "group"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\Type = "group"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\ValueName = "EnableMailAcc"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\CheckedValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\DefaultValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\MenuText = "Chinese Navigation"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT\DefaultValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP\DefaultValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_WEB\HKeyRoot = "2147483649"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\DefaultValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_WEB\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ButtonText = "Chinese Navigation"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\UncheckedValue = "0"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\MenuExt\Access Internet Keyword\Contexts = "127"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\Text = "E-Mail Script"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\ValueName = "EnableMailScript"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\Type = "group"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\Text = "Display hints under the address bar"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\INHINT\DefaultValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE\DefaultValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT\ValueName = "EnableCollect"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\ValueName = "EnableAddrHint"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT\Text = "Permit the system to collect users' records"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\HKeyRoot = "2147483649"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ButtonText = "ÖÐÎÄÉÏÍø"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\Text = "Enable Chinese Domain Name"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT\ValueName = "EnableIdnCmdEx"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\HKeyRoot = "2147483649"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\UncheckedValue = "0"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT\HKeyRoot = "2147483649"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT\UncheckedValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP\Type = "checkbox"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMHlpr.WMEvtSink.1\CLSID\ = "{8CDCBBA0-4BE1-4199-8389-1B19ED41D3E8}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C991F1E-D6FE-4B74-B6EC-763FF528FAE1}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F248EBAB-D894-4682-80E3-F48AABF4B12D}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C991F1E-D6FE-4B74-B6EC-763FF528FAE1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMHlpr.WMEvtSink\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CDCBBA0-4BE1-4199-8389-1B19ED41D3E8}\ = "WMEvtSink Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMHlpr.WMHlprObj\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj\CurVer\ = "Cdn.CdnObj.1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMHlpr.WMHlprObj\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5824EFB-728A-4726-A5A5-85A68B20EDC3}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMHlpr.WMHlprObj\CurVer\ = "WMHlpr.WMHlprObj.1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMHlpr.WMEvtSink\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj.1\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMHlpr.WMHlprObj\ = "WMHlprObj Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser.1\ = "MailParser Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C991F1E-D6FE-4B74-B6EC-763FF528FAE1}\ = "IWMHlprObj"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.Alive	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.Alive\ = "Alive Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMHlpr.WMEvtSink\CLSID\ = "{8CDCBBA0-4BE1-4199-8389-1B19ED41D3E8}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DF571585-070D-4EB1-8B0E-99023F934FD4}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C991F1E-D6FE-4B74-B6EC-763FF528FAE1}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{951A869A-1003-4897-948F-D55E570871DB}\TypeLib\ = "{C24A5A5C-0874-4386-85C7-E669F90997A9}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25F580B4-2C3D-46D8-9967-3A08305EF643}\ = "IAlive"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}\ProgID\ = "MailParserSvr.InspectorHandler.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F248EBAB-D894-4682-80E3-F48AABF4B12D}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5824EFB-728A-4726-A5A5-85A68B20EDC3}\InprocServer32\ = "C:\\PROGRA~1\\CNNIC\\Cdn\\wmhlpr.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.Alive.1\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F411F2F2-8D8F-41B1-B9D3-4D849ADFE38A}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.Alive.1\ = "Alive Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj\CLSID\ = "{35980F6E-A137-4E50-953D-813BB8556899}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5824EFB-728A-4726-A5A5-85A68B20EDC3}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\TypeLib\ = "{B7DB519E-7131-47B1-A9F5-DA8D061C2611}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C991F1E-D6FE-4B74-B6EC-763FF528FAE1}\ = "IWMHlprObj"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{951A869A-1003-4897-948F-D55E570871DB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\TypeLib\ = "{01833110-7C51-4D41-A09F-69EF74606E5B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\TypeLib\ = "{B7DB519E-7131-47B1-A9F5-DA8D061C2611}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DF571585-070D-4EB1-8B0E-99023F934FD4}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj\ = "CdnObj Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5824EFB-728A-4726-A5A5-85A68B20EDC3}\ = "WMHlprObj Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.Alive\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser.1	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25F580B4-2C3D-46D8-9967-3A08305EF643}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.InspectorHandler\ = "InspectorHandler Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C991F1E-D6FE-4B74-B6EC-763FF528FAE1}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F411F2F2-8D8F-41B1-B9D3-4D849ADFE38A}\InprocServer32\ = "C:\\PROGRA~1\\CNNIC\\Cdn\\cdniehlp.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\InprocServer32\ = "C:\\PROGRA~1\\CNNIC\\Cdn\\imaol.dll"	setup.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2608	setup.exe
Token: SeBackupPrivilege	2608	setup.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe
808	cdnup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2804	2752	619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2804	2752	619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2804	2752	619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2804	2752	619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2804	2752	619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2804	2752	619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2804	2752	619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2608	2804	setup.exe	31
PID 2804 wrote to memory of 2608	2804	setup.exe	31
PID 2804 wrote to memory of 2608	2804	setup.exe	31
PID 2804 wrote to memory of 2608	2804	setup.exe	31
PID 2804 wrote to memory of 2608	2804	setup.exe	31
PID 2804 wrote to memory of 2608	2804	setup.exe	31
PID 2804 wrote to memory of 2608	2804	setup.exe	31
PID 2608 wrote to memory of 808	2608	setup.exe	32
PID 2608 wrote to memory of 808	2608	setup.exe	32
PID 2608 wrote to memory of 808	2608	setup.exe	32
PID 2608 wrote to memory of 808	2608	setup.exe	32
PID 2608 wrote to memory of 808	2608	setup.exe	32
PID 2608 wrote to memory of 808	2608	setup.exe	32
PID 2608 wrote to memory of 808	2608	setup.exe	32

C:\Users\Admin\AppData\Local\Temp\619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\619b6486f1a4e6451206847951bf9efc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\setup.exe 00020402
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\setup\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup\setup.exe" 00020402
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Program Files\CNNIC\Cdn\cdnup.exe
      "C:\Program Files\CNNIC\Cdn\cdnup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup\cdn.dll

Filesize
32KB

MD5
3964f6382d52d1b86f41fcd1e378ea22

SHA1
d6ab66c2e100fe3b301557839f8e506b134e8ee3

SHA256
e5c016482d720004f9b00090c2f4e7656813226c0c304289c8cc6620ed462191

SHA512
0272951f6730e276a9f3a34185284ecb926cab9f3d85ac7b1637b04919448693c4baee92e58d20b1722d2a7d82168302fbb8831a590273a13065cd63863fe722

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnaux.dll

Filesize
36KB

MD5
a7a7b73184d80b802d8f324b29c7574b

SHA1
252f64ab7d06c781dc782e7dd51440a8d7d1427e

SHA256
a168517f1428b8926cf4c161b6c1cca1dd17b85b98766a15f2d582391283221a

SHA512
48e2d1c2b0e678feb73c32dcede5befa5ed8a86dc23ac3e1ff82d89edec4a668fa5e5145f0e47f2e511f17b8138d855f13013fe08ab03c60cd7ead15dadfd9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdncmd.dll

Filesize
56KB

MD5
56dec52827b35f2a44c40ab17928a6a9

SHA1
16a1313739288ebf35e71e6ba384ef5bc48b822a

SHA256
b913ec1a9abd721510731397ee02e5b5f1c699585e249f997298681b6bffbf2c

SHA512
d0a32620341c7aa938d9d4e81a07326e6af980e6c070242ead088998d4ed5f4cbe07566d8cc88b9920b63245fb9b00285c469e91b0f555be8217a3e5e9bac8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnctr.exe

Filesize
76KB

MD5
7a2865d3d21859e5eaab7891733995fb

SHA1
f7e314f7a8e95cff9ff82acf3353ca5b48d981de

SHA256
90174b09ebe5969f384cb04ef26c40338d358049c65602744f1b7dcbcaeb98bd

SHA512
49837a89f087e41523a12a16c40c09e224e56c5f45074a5d07a93a6e8ed75b6e4b0a1ad8d0367b5c6ac0a4b9ccae3c1e392751f6fac84892fe3a98a44ad28913

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdndet.dll

Filesize
76KB

MD5
cf5652e4cf05fd6f146a5cdfa730f280

SHA1
ad7485df8655ac7069f60321fde47026d05d8736

SHA256
20bf0b6b0722f912f933b947c1dd8f3327a29d7cee7bbc4f3fc9d8051961d655

SHA512
9fe496f10e60011435265db1c5289b821377f442b8fb24a64d002cd20246231858f3d6decfee481376d1458c667dbe844a18c85e8fb2c71764c39aab0221eb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdndisp.dat

Filesize
408B

MD5
c446ea5f7758e07542e47c5353a843bc

SHA1
ef4db3fc423e539f32ea4625538351f46c0149c7

SHA256
d834262537368b143c1e39801122c7045bfe1da14f708a935e44a46963deaaed

SHA512
133895206340747a779fc60cd8adea33fb7298468f908c30a2283c089d6387452ca7bc2ab140b73e0d5f8291edd198fe01dfa54913cde401c8e7a833396b908d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnglo.dll

Filesize
96KB

MD5
e18226ad9572f10d6f87a572dae0d35a

SHA1
736509c281339205293350855458b25248ee308f

SHA256
076264de8bf16d847601b72ae639006a5c409663c275e8290d4d58e94ee434a1

SHA512
6c85432d61307200724c2619049779204ceeb19bb44802adf2a31c6085d8f2341ef774a0750a0053151b534d7de11d4dce6f69eee215f734db2d923a5bcc32dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnhint.dat

Filesize
617B

MD5
9dfcd4bdb68132d89824172847db86e7

SHA1
ca3671ad08c33487b4b685f5c166934362ef877e

SHA256
608a870b870ac5beebdf9d9fa6f85d5abde08274c550ab968403b0409d65030a

SHA512
daa209322c78eacc9ba2773c3d2dd7f66bcef88d41bc818b426cf358d290282d4b1d1ea130fd9ee2f567915cf7aa68976a0216d0ea2d95d211b2001cd3e88d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdniehlp.dll

Filesize
128KB

MD5
a372149e9bd992fdab063bd2667ff713

SHA1
4e75312486b63b50ce3b470b379e2d0e5df1e94e

SHA256
d99498ced3adfc3bcfc65660537120762c50985bfebfde06e5569a226fba3084

SHA512
2c42433d01e86bda392a9b75e5848d16e2256a7d97ecdd4e5247aa1960f1764df5de84c8a3c0ddd68d37a070186ee0d43539cbc218414bdc46d0ec87db9bffa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnins.dll

Filesize
80KB

MD5
4593b7103fffb5c12b58d87bad04851d

SHA1
d6669641bc1917f01eaf7f2d44ae037c99b9f49c

SHA256
35e383dc59f37272ae4fa2d1b99d63e6ec17a4b0bb09a6673d6d8a84642f3a6e

SHA512
a8449470e8d88062bd5e163a0c30c73756ef91f3daca5abf45009bc413d9f3e2cb192193518cce41a9b8315542b10980eb0072f29d1cfca8fca507677f05a5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnns.dll

Filesize
22KB

MD5
b9ec30062a67883d1ffdcc498d17ed3b

SHA1
a74722a2196e77dfe8bf85deb5942269e0e9f4bf

SHA256
23493233c886b2e02e48c4b47177b814aaa988c0f0f3e4ec8f168242fec1e0bd

SHA512
a8f306b286f6d36abcb20b2571de3f8aba1eb075b2f2334bbc2c7e8f462c69448bd9a6297c1d3117ac8d0a023fd4a8bf344020a103a3ad5224b377b3e92ea889

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprev.dat

Filesize
332B

MD5
859ea7a38cba1624ed5c4599ba7c8582

SHA1
35632082204a81942792c336c4f9753a48fe4da7

SHA256
fbad62bd59eb03bcf515a036d9d4c9b100efcf7aa22e17e46beeeb25eeeff858

SHA512
068adc14dee7eab6a206d41a6bf037272e0c716b4f6bd8b35a62d4457a8c71a9814cb40a164cc26185a459073eceef747ef6358cd619dd446995ec28e7a25dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprh.dll

Filesize
40KB

MD5
aeafca5111fcf2d9ed1d2221cb83bf69

SHA1
28712a5f6cd48125c9da1879aa90cb407c750c47

SHA256
9c0a55d1660130816f8869889686dbe92aae62994859c56f575547ea61db82da

SHA512
e233f2ef79c1bbd0c876e293638cb40834e8248c1a07be7c3fe8309c85db64de2a0695645d864e2d9f0540ce98f72bd3a500ae97aaafbfa15005b3674abf5ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprot.dat

Filesize
2KB

MD5
4d989dec1decc711c78e8ca4848d986b

SHA1
a66ed4fcc55202d11683fc2030cb38a3def98235

SHA256
abc756bb92ce44494e37227816c0c5a01dc15c0b66fb16a4f6d35ec133e552ba

SHA512
f606e65ffe5cde01369068512df9bc8fb0c53efaa370fd1238ae3489416c2bdac9e8c0024bde653451e5a9c22601d6dfdc13f023a14c007e9d8cab839651155b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprot.sys

Filesize
49KB

MD5
1c21038c5fc035173437e3c180980dfe

SHA1
ec85c5df5cb56652c2623f1c2d73c82cb146a579

SHA256
49c5510c86265154fb5287ca40a7f83474634b5f21aabbcd06b616a629045598

SHA512
2a4b469ca8d3993344b456f1b13a9c34b6e7db4699adf295d20211711453314b40847599fe6901f57b077a3d063472f34a9206a057ebea16aaa1b6196c995676

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnspie.dll

Filesize
100KB

MD5
b01d6e3cb195ddbeab3eefb98af938f1

SHA1
00d416171b93bdde46b20c2b72260713f492b8f3

SHA256
4c41713f45a3a79c7982c25b7d1a81c34e716595c4366ad5d51d4af09646b1d2

SHA512
18144238396d1d4eb0d24acafe425aa181ce1e6d0677e4de394a9fb588354aee98f0cf4c4e3f2355537fa9cf612bba62d83f0acf50a977bac4c8b9e7c87e3592

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntdns.dll

Filesize
68KB

MD5
a3ab81df8fb30c5185fb0203621057e8

SHA1
dde0e451658e411c0b113361fd0ee6bab344dc1b

SHA256
d03317ae2a7ed1b33257fd0a11f4bf278534111fb1cd1fbc9febfb25f44d7923

SHA512
9b6d2b2e9f7a26946218f03cf510211975442139974b7a428ab5ccd65c2e2bcf6d8de569e5a5ecbebc20da312ec5fbfd4156dcda59f1284e72b276669853bc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntran.dat

Filesize
1KB

MD5
496b846a17146316874633bc503101ca

SHA1
cc3e8247268f74bf26d8c4596ea62b1677c715a0

SHA256
be84e1f1216979f765c048617636afbfc8092338800348456051f81bfea2c838

SHA512
5b7aac5f836e1bc9cbf49e0275d66136649bc20dacb2a3c3fb8edeb9ec87109b870b1a8a1ec1c8f8bbe64319e509f1f879360478d0d3513976ab8177189a9358

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntran.sys

Filesize
14KB

MD5
1ab1f525c16cc6bf6d0c533e8f8a7c4d

SHA1
56cc534fb63f85ea5efc9ed47f3efd0934d8a37d

SHA256
476551670cc536c860c6106a4c2d598f4b6049f16774e0fd5d8aa6f1c422c615

SHA512
1bf8ee86d4bb2a0a4d827b48c6db2c2ec67214211ed8e293ef12f615ede0157e3d3d36386e879fae6383b11e2fb05facecb5c91b706d273fd14438205ce62a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnunins.exe

Filesize
100KB

MD5
cb227aabc19bb62731dea186f75f08f5

SHA1
82617d63b6b02b9581c087e43162b40110ebd757

SHA256
6504c834789c9b8cb2248fe41777dc9f3bca1648132f2eac473f242c4dcb22cd

SHA512
bff415a9268ea6470965631d5a9e930cfa4f890ec55bb2157e30a835021c819655ab76098fcd6378e24ccf1664907d3f358b4e4b2d2435d9183ff444a1762afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnup.exe

Filesize
148KB

MD5
f37105dbdb4ba590ccb6a6dff2dc46f1

SHA1
17b3018f0dfdd49baf3a8a4f2a2170b25d41cecd

SHA256
4307c8c7469dc1c77614b22eb93b573dc9474266216c5f5aaa55d480146bc258

SHA512
bbdeb7245dcb1c98f3df1824933b6ee140a9ce3b284fefe5591778ccccd54869eaba97a52565251ec10260581a9c45a662a1945eeb682029a8b88e273e3b86ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnvers.dat

Filesize
1KB

MD5
4265b76006b2ab5befd8c8105ed957a3

SHA1
6dfe98e511aa2dc866dedc4ca4741e42e6c7fae2

SHA256
afdcdc5fb91705a79f7b76ea67828c292e01790dd58455d8da0cca453860c472

SHA512
e2653a74774759211b3962dbf195336e34b23e94df74757d8f943773c079dee1386afcf094632bd9c1e8b5e2a3f2b0a41614c022aa8207d81ce966238aec0284

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\client.dll

Filesize
40KB

MD5
310cc33829f149c0913ed5f79f213ec5

SHA1
1f22f940c5f0905b8ddbf452efadb23d5c942ccb

SHA256
1551ec21970495f40f423341bcdcbde5744560418e47c01c6cccdeb74f6e6946

SHA512
94325996d4f680ff0a3a0fbd41e289e559d1e9a3de8ae634ec1f4d64ec281ec5deb41a9e6d55e66e02a39fda3296c0f15c5b86b1e7ad16309335730c0c5a7a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cnnic.htm

Filesize
486B

MD5
9bdb72aa9fc6d9055f7200879091da77

SHA1
e338eb05cbab8865bd5296cdda8a5563d93dade9

SHA256
9f325e416171ea2b19f4b29e87f2b1e1361666fcd86d5e03a2a10d9826d29d99

SHA512
bd4fae43bc881314623fb735141e426dd7701aa411ae0fa302cc3b292a621f7b102ec565c1e2b085803cea70a1105c70c281df07930dbd4ce8b3c51aefed3e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\enter.ico

Filesize
1KB

MD5
16c56d25e636e836ee1625b6b8ca1ea1

SHA1
2d236ffc356b98c3bdc38d1a8b22f952dca7b2de

SHA256
0b8b9f3405b134f9667339424e6d24956e627bc3f30cd997550f15269eb87d16

SHA512
bd1dca474ae335cd527864fe116fbf0107025e4e73f60d5843d26933f5a9cef6105255dc1f41852e7faaa03d306e18e08360d8d474bd1e145428fc7dc7876f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\idnconv.dll

Filesize
228KB

MD5
53e69b76bc93941c0eda58d85f6e05f9

SHA1
13bb7ed0edfb943f7c981fdf9df8487878a151f4

SHA256
55d8110ebe08d94c63ce16558fd7e897cc7c6aedf1bb3f52b0d383b2d17dc576

SHA512
2acbe0f0ead481be94aedd9be57e88bdcfcd0011088c63c48f7aef438c3833b1246656ce73fbb0c705212504d1e4375725f730cd2110a32a094845dac53fb098

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\iesrch.dll

Filesize
32KB

MD5
bd8aba638eb738924f2cbfbd93273b7d

SHA1
12033fa17be57cf8fc007b889083a106147d03c0

SHA256
e633de01c66457d69b86800d256ddca7d0c3868aa00d49d6440334045ce2c396

SHA512
34b3a8f59faa2acd4ec675f62fdb0a2dad24f6911495bd1bc5f21ffbb7de39eb2707ddf558a088370169e2452a1bcbcf91dea785e5a79c7a7789231d57dc88b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaconv.dll

Filesize
36KB

MD5
925383c03b330f2416f6efbeaf0e61e9

SHA1
e17ad03b6e1fd3c5788f91e2a432bfc324a810d3

SHA256
862f5ea1d81c1bd4a5e8bbff75a7de1cbac7085bb5f2e822d90a7318783af924

SHA512
c2fb1396747525dfe80b91cd65e02dca62d5d48d7453725100fe86fc8975a0bc1d43a770ae303cb380d473ea343d6315ba5239ea0b8e667c59b4c56acb36b320

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaoe.dll

Filesize
52KB

MD5
0301104ed84129fa7073049dd51ac146

SHA1
0e21b98f6e281e9001475506ebfa187cda332234

SHA256
f013fe9041170f297006e4b487a532c4ae33ff45a7d41088e70b3e6b35a5aa71

SHA512
cbca5c3716e0c2b7df6be67660ddcf38c05dd06da3021c776bdaceedfebdc02e731d006d3acded9dce9bf7260d8650c03baf4877f79b1f873d5afe248d1e317b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaol.dll

Filesize
92KB

MD5
915c0235920f915d7933058eee08858b

SHA1
9945a0d6c29c67fa46cd7359d5b155a914a404ae

SHA256
eda38c4311e2780d0df7d6db8bb9ac158eb8626aaca1aeb5fe44dc6d580502a6

SHA512
68c3db18c039cf17e3e3c9ec15b91419de9fa65321de842e937dcb3f8f9f0d46ad689ea90f6988b0cd63901dddcd9f76f7996b8294a2927b09867be05d781d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\news.ico

Filesize
1KB

MD5
eea4331187111557eed9464e408bf276

SHA1
1a4754cb82cfe541f576a5519b96b194acdc17b7

SHA256
076ea71325b0442f37bb001d166b832433604fc6393952e5af836c1485d2e018

SHA512
d6fbb88b2032574abea56adb3ec91cf9b1b4a2e3c7aa0a31a0914c64ff57308e5bf4549ed088ff76b61a08b04d20426a4cfc67210a6e0bed6e54fac69cbaf54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\popup.bmp

Filesize
101KB

MD5
a2b06c6468dda000c9fc51dad0dd533a

SHA1
33dd62098adae93566997e1f0a461680b6165b86

SHA256
dbee2b79e26ea0ffa1e3ddac313114a9dd0a4e9e5a18c9487132f3a728dab954

SHA512
d03d4b100d31563dad277ad2cf252722cbe26c2d697ded46b29a22ed218152f5f8b5e53100cbd27e7999d24e02c288bdeee0f2a09052c1c4efbc0b3808fc0ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\soft.ico

Filesize
1KB

MD5
d7268d8087924276b8d610f85a52a724

SHA1
158f47ee3ac0794f5b417f17e684154356af1ac4

SHA256
7600a7d7bdce8f19d0c3cb09ea651c7c9dba2fcb5ab0be859c0576f3829c3933

SHA512
82548527c013cf5866acdd0b0a6bdb1e3d0dd2e77a1a6d422d096ed430f2e4d6a7a2fd602300c457ce81280615322d53d4cc4967aee5e2465c9e42f66f0d76fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\src.dat

Filesize
141B

MD5
4a55ac474424255fb6995c0a94e66093

SHA1
d8efc9c25e6dbd8106e3659970c567fddb219c06

SHA256
50ad0773312da49f98313709cc2ecd67df00dd8bf78c6c60754a7bf7f1986822

SHA512
f10a951bc2ca912b8421fc3e311fccea0862f128053a1fc920edaa8d57b773a9a7622a933cc898a505096a317e5002bbc3d9fcb58d219a6b9f4aac9fa9647e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\wmhlpr.dll

Filesize
52KB

MD5
6872ec8da02d0f397fc914aa36228ab7

SHA1
f58d544f4276fe0657e8fe69503360365441172c

SHA256
f3757922852195bcb6ef289372b4f4641e52f332752db6e5b678b5cb3ea06c52

SHA512
418ed9342427bc5657f9bad1157cb2b7e10a10408ff9a82797c9f4b74f7f0d6d342efd10fae3bb8f1ae950ced153e9659022338645d6f0688245a56ae553f5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\src.tmp

Filesize
141B

MD5
bfd93b16022e540133a0f460100cc62c

SHA1
f712c73492c24e9e0d8b53958d20e6b5f0ea0f42

SHA256
7202e60c55b252853a2891d83443698e347f3ad21989673fc42f0d7a247901a7

SHA512
9a4d305148c007c4603f349ee72e8dc8c8a6129d528466d22602619e998826018d0397649f3b1f388909b7fc291bb5592c2ebd6314e313b21a8c077acb0aeedd

Download Submit
C:\cdnlog.txt

Filesize
95B

MD5
08af417b109ea14eee18b3b688b605c3

SHA1
4b9e550f3cef396867abc2a6d41b826568223012

SHA256
2865c9abbe6c58b5aff1233e7228a21db12a684d8e4bb92c0b842ca5ddb4afe1

SHA512
d4afb38c50b84afdd36f7ab31819d6fa41e021707850b391eeadbf5ae0c51e96dff792b147c8890576cd403a901c356ccbfb1ad30961f1afac6f232777c80f5f

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
415KB

MD5
e9dfdd02abfe1de00a7844a928f3f386

SHA1
c3c105117abda486105f0134447956627a27964d

SHA256
36bcb0f904e5f19d5a4ab59903ca3b689e924518626b8c378596183b57b3225e

SHA512
899aa3488fbd3cf731cde36a14a46f12bd75dc9dfb32c0beb13940319198451fb7f3ee09b22d778580ab9c91c25f2535c663592e0205c346205a45c2b2340f68

Download Submit
\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
memory/808-190-0x0000000000360000-0x000000000036D000-memory.dmp

Filesize
52KB

Download
memory/808-192-0x0000000003CF0000-0x0000000003EA2000-memory.dmp

Filesize
1.7MB

Download
memory/808-191-0x0000000000720000-0x000000000073B000-memory.dmp

Filesize
108KB

Download
memory/808-189-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/2608-115-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2608-171-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2608-155-0x0000000002F90000-0x0000000003142000-memory.dmp

Filesize
1.7MB

Download
memory/2608-141-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/2608-136-0x00000000002C0000-0x00000000002D8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads