Overview (score 8)

Static analysis: score 3

Score | Target | Platform
8 | 8bd9a3095e...18.exe | windows7-x64
3 | 8bd9a3095e...18.exe | windows10-2004-x64
3 | $PLUGINSDI...ns.dll | windows7-x64
3 | $PLUGINSDI...ns.dll | windows10-2004-x64
3 | $PLUGINSDI...LL.dll | windows7-x64
3 | $PLUGINSDI...LL.dll | windows10-2004-x64
3 | $PLUGINSDI...is.dll | windows7-x64
3 | $PLUGINSDI...is.dll | windows10-2004-x64
3 | $PLUGINSDI...em.dll | windows7-x64
3 | $PLUGINSDI...em.dll | windows10-2004-x64
3 | $PLUGINSDI...er.dll | windows7-x64
3 | $PLUGINSDI...er.dll | windows10-2004-x64
3 | $PLUGINSDI...ox.dll | windows7-x64
3 | $PLUGINSDI...ox.dll | windows10-2004-x64
3 | $SMSTARTUP...��.exe | windows7-x64
3 | $SMSTARTUP...��.exe | windows10-2004-x64
3 | 7zr.exe | windows7-x64
3 | 7zr.exe | windows10-2004-x64
1 | Encode.exe | windows7-x64
3 | Encode.exe | windows10-2004-x64
3 | FZip.dll | windows7-x64
3 | FZip.dll | windows10-2004-x64
3 | HTTP.dll | windows7-x64
3 | HTTP.dll | windows10-2004-x64
3 | LHInstall.dll | windows7-x64
3 | LHInstall.dll | windows10-2004-x64
8 | LangHua.exe | windows7-x64
8 | LangHua.exe | windows10-2004-x64
3 | LhLogSvr.dll | windows7-x64
3 | LhLogSvr.dll | windows10-2004-x64
3 | LhTips.exe | windows7-x64
3 | LhTips.exe | windows10-2004-x64
Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 11/08/2024, 20:28
Static task: static1

Behavioral tasks

Task | Sample | Resource
behavioral1 | 8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe | win7-20240708-en
behavioral2 | 8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe | win10v2004-20240802-en
behavioral3 | $PLUGINSDIR/InstallOptions.dll | win7-20240708-en
behavioral4 | $PLUGINSDIR/InstallOptions.dll | win10v2004-20240802-en
behavioral5 | $PLUGINSDIR/KillProcDLL.dll | win7-20240704-en
behavioral6 | $PLUGINSDIR/KillProcDLL.dll | win10v2004-20240802-en
behavioral7 | $PLUGINSDIR/LhNsis.dll | win7-20240705-en
behavioral8 | $PLUGINSDIR/LhNsis.dll | win10v2004-20240802-en
behavioral9 | $PLUGINSDIR/System.dll | win7-20240704-en
behavioral10 | $PLUGINSDIR/System.dll | win10v2004-20240802-en
behavioral11 | $PLUGINSDIR/ebanner.dll | win7-20240705-en
behavioral12 | $PLUGINSDIR/ebanner.dll | win10v2004-20240802-en
behavioral13 | $PLUGINSDIR/messagebox.dll | win7-20240705-en
behavioral14 | $PLUGINSDIR/messagebox.dll | win10v2004-20240802-en
behavioral15 | $SMSTARTUP/7k7kϷ.exe | win7-20240729-en
behavioral16 | $SMSTARTUP/7k7kϷ.exe | win10v2004-20240802-en
behavioral17 | 7zr.exe | win7-20240704-en
behavioral18 | 7zr.exe | win10v2004-20240802-en
behavioral19 | Encode.exe | win7-20240704-en
behavioral20 | Encode.exe | win10v2004-20240802-en
behavioral21 | FZip.dll | win7-20240708-en
behavioral22 | FZip.dll | win10v2004-20240802-en
behavioral23 | HTTP.dll | win7-20240708-en
behavioral24 | HTTP.dll | win10v2004-20240802-en
behavioral25 | LHInstall.dll | win7-20240704-en
behavioral26 | LHInstall.dll | win10v2004-20240802-en
behavioral27 | LangHua.exe | win7-20240705-en
behavioral28 | LangHua.exe | win10v2004-20240802-en
behavioral29 | LhLogSvr.dll | win7-20240708-en
behavioral30 | LhLogSvr.dll | win10v2004-20240802-en
behavioral31 | LhTips.exe | win7-20240704-en
behavioral32 | LhTips.exe | win10v2004-20240802-en
General
- Target: 8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe
- Size: 4.8MB
- MD5: 8bd9a3095ebb74383c3103bfc41765b0
- SHA1: a7b38182caa24927955d49740496dbb432c6363b
- SHA256: 20a45fa6c17c9e8461522886352a440c2c00a6a16075004f3d731876631c3696
- SHA512: a4aca9d5b1ab785822b9913c6d4d10aa7244873445982806f4ada9fa47c01a2f28ccbb4b5d1234e5af9a164997924ff342e44e7ad47b6014831e40ac3a51f577
- SSDEEP: 98304:KrgJubL1bcRIRDF7nO9X3ll3MZXsKdaoTgkuKL21WKtxa9/nj:KZ9wohLI3fcZXRcVKL21K9/nj
Malware Config

Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
PID | Process
708 | netsh.exe

Drops startup file (2 IoCs)
Description | IoC | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7k7kÓÎÏ·ºÐ.exe | 8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7k7kÓÎÏ·ºÐ.exe | 8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe

Loads dropped DLL (12 IoCs)
PID | Process
2984 | 8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe (the same entry is listed 12 times in the report)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
Process for every entry: 8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe

Description | IoC
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\GameInfoOpenOver.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\ScrollHorz.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\DownPathSelCancelHover.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\DownProgressLogo.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\IconTreeNodeCategory.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\LangHua.exe
File created | C:\Program Files (x86)\LANGHUA\res\html\SwfGamePlaying.htm
File created | C:\Program Files (x86)\LANGHUA\res\pic\lhc.img
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\CommonSkin\Login\LoginBtnCloseDown.bmp
File created | C:\Program Files (x86)\LANGHUA\Skin\default\DownMgrStatusError.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\QQPaneMiddleOver.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\msvcp71.dll
File opened for modification | C:\Program Files (x86)\LANGHUA\HTTP.dll
File created | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\Angry Birds HD\TopPanelBKRight.bmp
File created | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\Angry Birds HD\topright.png
File created | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\¹ÖÎï\topleft.png
File created | C:\Program Files (x86)\LANGHUA\Skin\default\DlgHotKeyBK.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\DownProgressBarLeft.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\ExitFullNormal.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\TabBarCloseOver.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\1\conf.ini
File created | C:\Program Files (x86)\LANGHUA\Skin\default\QQPaneLeft.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\PNG\SkinFrame.png
File created | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\µ¯µ¯ÌÃ\TopPanelBKLeft.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\½©Ê¬\small.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Encode.exe
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\CollapseOver.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\LhLogSvr.dll
File opened for modification | C:\Program Files (x86)\LANGHUA\readme.txt
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\AutoAddDown.bmp
File created | C:\Program Files (x86)\LANGHUA\Skin\default\StartNormal.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\config.xml.temp
File created | C:\Program Files (x86)\LANGHUA\Skin\default\PNG\TopPanelBtnSkin.png
File created | C:\Program Files (x86)\LANGHUA\Skin\default\ManualAddHover.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\SortByTimeDown.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\TabBarRectMiddleNormal.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\Angry Birds HD\TopPanelBKMid.bmp
File created | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\¹ÖÎï\topright.png
File created | C:\Program Files (x86)\LANGHUA\res\html\netload.swf
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\GameRePlayOver.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\SortByTimeNormal.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\trayMessageHead.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\¹ÖÎï\topright.png
File created | C:\Program Files (x86)\LANGHUA\Skin\default\UserFeedBackDown.bmp
File created | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\½©Ê¬\TopPanelBKMid.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\BottomAdPanelBK.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\DownTipsPcGame.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\DownloadInfoProgressBar.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\FrameTopLeft.bmp
File created | C:\Program Files (x86)\LANGHUA\Skin\default\SearchEditBorderOut.bmp
File created | C:\Program Files (x86)\LANGHUA\Skin\default\FrameTopRightMask.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\TopPanelBKMid.bmp
File created | C:\Program Files (x86)\LANGHUA\Skin\default\config.xml.temp
File created | C:\Program Files (x86)\LANGHUA\Uninstall.exe
File created | C:\Program Files (x86)\LANGHUA\QKDown.exe
File created | C:\Program Files (x86)\LANGHUA\Skin\CommonSkin\Login\LoginEditBorderGlow2.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\DownProgressBarFullMiddle.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\FrameRightBottom.bmp
File created | C:\Program Files (x86)\LANGHUA\Skin\default\GameInfoCloseOver.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\SbujectSkin\½©Ê¬\TopPanelBKMid.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\QQPaneIconDown.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\SearchEditBorder.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\Skin\default\TabBarRectLeftNormal.bmp
File opened for modification | C:\Program Files (x86)\LANGHUA\res\html\netload.swf
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe
Modifies registry class (59 IoCs)
Process for every entry: 8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe

Description | IoC
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LHInstall.Install.1\ = "CInstall Object"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\InprocServer32\ = "C:\\Program Files (x86)\\LANGHUA\\LHInstall.dll"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\TypeLib\ = "{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lhbox\shell\open
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lhbox\shell\open\command\ = "\"C:\\Program Files (x86)\\LANGHUA\\LangHua.exe\" \"%1\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LHInstall.Install.1\CLSID\ = "{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\TypeLib\ = "{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}\1.0\HELPDIR
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\ProxyStubClsid32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\TypeLib\ = "{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lhbox\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LHInstall.Install.1
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LHInstall.Install
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LHInstall.Install\CLSID\ = "{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LHInstall.Install\CurVer\ = "LHInstall.Install.1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\ = "IInstall"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\TypeLib\Version = "1.0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lhbox\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\ProgID\ = "LHInstall.Install.1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\InprocServer32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\AppID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\ProgID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\Implemented Categories
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}\1.0\0
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\ = "IInstall"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LHInstall.Install\CurVer
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\VersionIndependentProgID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LHInstall.Install\CLSID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}\1.0\FLAGS
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}\1.0
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\TypeLib\Version = "1.0"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\InprocServer32\ThreadingModel = "apartment"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\ProxyStubClsid32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\TypeLib
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lhbox
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lhbox\URL Protocol
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lhbox\ = "URL:lhbox Protocol"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\VersionIndependentProgID\ = "LHInstall.Install"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DEDEE61-C394-4EC7-99EE-016DA4DCACD9}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lhbox\shell\open\
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LHInstall.Install.1\CLSID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LHInstall.Install\ = "CInstall Object"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\ = "CInstall Object"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}\1.0\FLAGS\ = "0"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}\1.0\0\win32\ = "C:\\Program Files (x86)\\LANGHUA\\LHInstall.dll"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\LANGHUA\\"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}\1.0\0\win32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lhbox\shell\
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F0FD4E4-7410-46B7-BD3B-AB4EA0B89189}\Programmable
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1415AA3-8FD7-45E2-8BDB-A3099A4A779D}\1.0\ = "LHInstall 1.0 Type Library"
Suspicious use of WriteProcessMemory (7 IoCs)
Description | PID | Process | procid_target
PID 2984 wrote to memory of 708 | 2984 | 8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe | 31 (the same entry is listed 7 times in the report)
Processes

1. C:\Users\Admin\AppData\Local\Temp\8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8bd9a3095ebb74383c3103bfc41765b0_JaffaCakes118.exe"
   PID: 2984
   - Drops startup file
   - Loads dropped DLL
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (child of the process above)
      Command line: "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\LANGHUA\LangHua.exe" 7k7kÓÎÏ·ºÐ ENABLE
      PID: 708
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15

Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads

- Filesize: 292B
  MD5: bef63375cea722bdae589b6d216e26a0
  SHA1: 3a936fc239861cc9abcd4b07c180b223046a82bc
  SHA256: b949bf373d756634b2855851023535c5a8df6bfe1172458725aee7a97dd94dbd
  SHA512: 8df9f0aaec09c6717bf8d580f617abd5363c9008bf6d337cdfe7db628b1896337039fdf5d4b0f3e99cd31da25e8c8867c5c7d67a56d007d8895628498af46b38

- Filesize: 832B
  MD5: 3c22a589918880a4220af43e1baa1263
  SHA1: 767a957cbf71932ae4449c42baf711445adbc123
  SHA256: 4b441cf4d704fa561ca70dfab621a767607717ccae4438150cda0a1b87ed200e
  SHA512: 89902c687a3b2b6ac9c722b9c015ee2d39a2cb44fdf6227b3527986af6dc971b76b08bc36a92d46f4147030cc1900830388605477e2dc352b16387138f53742d

- Filesize: 9KB
  MD5: d4eb94400c76da205cbf83cb42cf1e6c
  SHA1: fdbb4723dd8c2d2c3a2ae0616419bb27db7c4de7
  SHA256: d5a2884190caf25783c0abd32875f8c700abbec9f245bbee7e2584358ea864dc
  SHA512: 2fb517dd94e0c57cc9875229735ee5bedffe5a60d90c741299328ff625b7f25894c7a0308fda9c29d5daf667230e5f923591632c612d607774da303e2dba5050

- Filesize: 37KB
  MD5: baaba3043095985cd25a2ed145bec930
  SHA1: e5db0602c0ce554a4312227be9040bac6a7695bc
  SHA256: 56c28ece9745b056b505348ee56f6a2340d40039741f60860d23ae86cc8c1fbb
  SHA512: 13c4b7cca681ba65d057eb3bf8a4ea6261f9acd414f0ff07c6dbdfca44d5b1198307ed5d8806114bd4b4a41017c232e563798b52e7ddc800f2f03ef0711dbbbb

- Filesize: 2.1MB
  MD5: 4d1770fca9559746469e30933b4d83fd
  SHA1: f0b0a86cb17f06aaa808e073e5e4c25a55057e1b
  SHA256: d50be917d4aa3352b4adbed554517f1a473bda771c6e70cdc0431ebb08fa3ca5
  SHA512: f5ec293042bbd838f283f89772375c33236cb0777490722fd1eb394d60677523c80eeb9f7ba742c919806d42cbb2922824130e821b65bb203e13e95257d8bf02

- Filesize: 345KB
  MD5: c1c6767e9a17b17fdd00232fa7e57c5e
  SHA1: 1dcbdafbe96043da6eac5f56e5fe58ac4075f755
  SHA256: 7178e784dd51d94927c368926191aeb276fcd7b535580394e481d884412965b5
  SHA512: 613c3a6d0c027e6261f95adc3c20d4f556de43a664cb2fc653f42418bb4ee7c5b7572b83a6ffb27512516afde805538d0ea181dd5c8180539b731d328a451a7c

- Filesize: 136KB
  MD5: c7e90bf806485f29fd6a12d55cc9345b
  SHA1: 4c67092cc34e82c8a12d2992ed31393bc1af6ea9
  SHA256: c91224d0a6beebc46fef20ce716852ccccc1cbb6f12f117ed2e45f83417b0f92
  SHA512: b19fe4017475a22e83d26822bce9eb7406bbffebc3fe3b7faff4ecda1fd84f975405ad814c0f09c63b55174b4a940b818f534540334bcecf7e424d84eee7b646

- Filesize: 10KB
  MD5: 4eff5fafd746f5decb93a44e3a3d570c
  SHA1: a11aa7681b7e2df1c7f7492a127d332d1495ea8a
  SHA256: cf61ddd15d63c25a12caee70f51ea736cfc02195c42e56ee01b33f689d3754c5
  SHA512: cde82d2a1f28506e4c2264f6b82017a00af32f138ebcdbaf4cc58463870fa626f708aa57465294c5a6f096c886841e7b9112b85bf3ea2f1d8f2da816b51b2d72