a2e719acfc2c9771927c7ee6a754374cc1bf6cf8452b342c5de5117b3fdbf09e

Analysis

max time kernel
149s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
Size

1.5MB
MD5

08443d1392a9ddd1e83d57308253090e
SHA1

65127afb99651cc708daa89cba06d2f844e621ed
SHA256

a2e719acfc2c9771927c7ee6a754374cc1bf6cf8452b342c5de5117b3fdbf09e
SHA512

224a39499a2c34003ea66bca9265bb8cfbc12840452ad17b8c9b9b2ac1b0401621d3b3d4a917b9e370e86275ecf5b2530022cf6f697522bd6ae7e79a93bbcd48
SSDEEP

24576:I+9danInLmIE4P8di/Jh6nnSfcsuD0DfezN6rNFKLA137615nB8:I8aIctdqJhVcsu4LezgKEL6Xna

Score

8^/10

discovery execution persistence upx

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000160ae-21.dat	acprotect

Deletes itself 1 IoCs

pid	Process
1544	Au_.exe

Executes dropped EXE 63 IoCs

pid	Process
2524	mzone-1334.exe
1916	ipseccmd.exe
2868	ipseccmd.exe
2900	ipseccmd.exe
2200	ipseccmd.exe
880	ipseccmd.exe
1968	ipseccmd.exe
536	ipseccmd.exe
1724	ipseccmd.exe
2340	mysetup.exe
1252	kupdata.exe
1544	ipseccmd.exe
2568	ipseccmd.exe
1476	ipseccmd.exe
2836	ipseccmd.exe
2536	ipseccmd.exe
1680	ipseccmd.exe
2528	ipseccmd.exe
2148	ipseccmd.exe
2480	ipseccmd.exe
2824	ipseccmd.exe
2688	ipseccmd.exe
2280	ipseccmd.exe
2604	ipseccmd.exe
556	ipseccmd.exe
1236	ipseccmd.exe
1892	ipseccmd.exe
2760	ipseccmd.exe
2896	ipseccmd.exe
1140	ipseccmd.exe
2888	ipseccmd.exe
2428	ipseccmd.exe
788	ipseccmd.exe
2624	ipseccmd.exe
2392	ipseccmd.exe
660	ipseccmd.exe
1540	ipseccmd.exe
940	ipseccmd.exe
2348	ipseccmd.exe
1928	ipseccmd.exe
2652	ipseccmd.exe
2504	ipseccmd.exe
1588	ipseccmd.exe
1488	ipseccmd.exe
2044	ipseccmd.exe
2060	ipseccmd.exe
2608	ipseccmd.exe
756	ipseccmd.exe
2340	ipseccmd.exe
3052	ipseccmd.exe
1560	ipseccmd.exe
1312	ipseccmd.exe
1720	ipseccmd.exe
2012	ipseccmd.exe
1144	ipseccmd.exe
2684	ipseccmd.exe
2908	ipseccmd.exe
1184	ipseccmd.exe
548	ipseccmd.exe
1512	ipseccmd.exe
1972	ipseccmd.exe
1612	un0221235001540.exe
1544	Au_.exe

Loads dropped DLL 64 IoCs

pid	Process
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2524	mzone-1334.exe
2524	mzone-1334.exe
2524	mzone-1334.exe
2524	mzone-1334.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2340	mysetup.exe
2340	mysetup.exe
2340	mysetup.exe
2340	mysetup.exe
2340	mysetup.exe
2340	mysetup.exe
2340	mysetup.exe
2340	mysetup.exe
2340	mysetup.exe
1252	kupdata.exe
2340	mysetup.exe
2340	mysetup.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\starforce\sfdrv01.sys	mysetup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	kupdata.exe
File opened for modification	C:\Windows\System32\starforce\sfdrv01.sys	mysetup.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000160ae-21.dat	upx

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common\msxml2.dll	mysetup.exe
File created	C:\Program Files (x86)\Common\kupdata.exe	mysetup.exe
File created	C:\Program Files (x86)\Common\suject.db	mysetup.exe
File created	C:\Program Files (x86)\Common\pro.txt	kupdata.exe
File opened for modification	C:\Program Files (x86)\Common\sfdrv01-nos.sys	mysetup.exe
File created	C:\Program Files (x86)\FeixinMedia\ipseccmd.exe	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common\sqlite3.dll	mysetup.exe
File opened for modification	C:\Program Files (x86)\Common\suject.db	kupdata.exe
File opened for modification	C:\Program Files (x86)\Common\suject.db-journal	kupdata.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\menu.xml	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\FeixinMedia\mysetup.exe	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\FeixinMedia\s0001.xml	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common\ypac.txt	mysetup.exe
File created	C:\Program Files (x86)\Common\sfdrv01-nos.sys	mysetup.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\s0001.xml	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\FeixinMedia\menu.xml	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\FeixinMedia\un0221235001540.exe	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common\sfdrv01.sys	mysetup.exe
File opened for modification	C:\Program Files (x86)\Common\sfdrv01.sys	mysetup.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\mysetup.exe	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\ipseccmd.exe	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\un0221235001540.exe	Au_.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\temp0221235001540.ini	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\yypro.pac	kupdata.exe
File opened for modification	C:\WINDOWS\yypro.pac	kupdata.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2052	sc.exe
2696	sc.exe
2720	sc.exe
1720	sc.exe
2332	sc.exe
2072	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mzone-1334.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mysetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kupdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un0221235001540.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000015d7f-10.dat	nsis_installer_1
behavioral1/files/0x0008000000015d7f-10.dat	nsis_installer_2
behavioral1/files/0x000500000001932a-229.dat	nsis_installer_2
behavioral1/files/0x0008000000015f2a-834.dat	nsis_installer_2

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kupdata.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	kupdata.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	kupdata.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-ec-74-ad-84-40\WpadDecision = "0"	kupdata.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kupdata.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kupdata.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	kupdata.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}	kupdata.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}\WpadDecision = "0"	kupdata.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}\be-ec-74-ad-84-40	kupdata.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-ec-74-ad-84-40\WpadDecisionReason = "1"	kupdata.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	kupdata.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	kupdata.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	kupdata.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	kupdata.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}\WpadDecisionTime = 30e4ce0b6b14db01	kupdata.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}\WpadNetworkName = "Network 3"	kupdata.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-ec-74-ad-84-40\WpadDecisionTime = 30e4ce0b6b14db01	kupdata.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	kupdata.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	kupdata.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	kupdata.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}\WpadDecisionReason = "1"	kupdata.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-ec-74-ad-84-40	kupdata.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	kupdata.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2524	mzone-1334.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2340	mysetup.exe
2340	mysetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 2524	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	30
PID 808 wrote to memory of 2524	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	30
PID 808 wrote to memory of 2524	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	30
PID 808 wrote to memory of 2524	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	30
PID 808 wrote to memory of 2524	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	30
PID 808 wrote to memory of 2524	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	30
PID 808 wrote to memory of 2524	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	30
PID 808 wrote to memory of 1720	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	32
PID 808 wrote to memory of 1720	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	32
PID 808 wrote to memory of 1720	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	32
PID 808 wrote to memory of 1720	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	32
PID 808 wrote to memory of 1720	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	32
PID 808 wrote to memory of 1720	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	32
PID 808 wrote to memory of 1720	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	32
PID 808 wrote to memory of 1916	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	34
PID 808 wrote to memory of 1916	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	34
PID 808 wrote to memory of 1916	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	34
PID 808 wrote to memory of 1916	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	34
PID 808 wrote to memory of 1916	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	34
PID 808 wrote to memory of 1916	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	34
PID 808 wrote to memory of 1916	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	34
PID 808 wrote to memory of 2868	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	36
PID 808 wrote to memory of 2868	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	36
PID 808 wrote to memory of 2868	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	36
PID 808 wrote to memory of 2868	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	36
PID 808 wrote to memory of 2868	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	36
PID 808 wrote to memory of 2868	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	36
PID 808 wrote to memory of 2868	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	36
PID 808 wrote to memory of 2900	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	38
PID 808 wrote to memory of 2900	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	38
PID 808 wrote to memory of 2900	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	38
PID 808 wrote to memory of 2900	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	38
PID 808 wrote to memory of 2900	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	38
PID 808 wrote to memory of 2900	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	38
PID 808 wrote to memory of 2900	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	38
PID 808 wrote to memory of 2200	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	40
PID 808 wrote to memory of 2200	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	40
PID 808 wrote to memory of 2200	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	40
PID 808 wrote to memory of 2200	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	40
PID 808 wrote to memory of 2200	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	40
PID 808 wrote to memory of 2200	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	40
PID 808 wrote to memory of 2200	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	40
PID 808 wrote to memory of 880	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	42
PID 808 wrote to memory of 880	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	42
PID 808 wrote to memory of 880	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	42
PID 808 wrote to memory of 880	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	42
PID 808 wrote to memory of 880	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	42
PID 808 wrote to memory of 880	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	42
PID 808 wrote to memory of 880	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	42
PID 808 wrote to memory of 1968	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	44
PID 808 wrote to memory of 1968	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	44
PID 808 wrote to memory of 1968	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	44
PID 808 wrote to memory of 1968	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	44
PID 808 wrote to memory of 1968	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	44
PID 808 wrote to memory of 1968	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	44
PID 808 wrote to memory of 1968	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	44
PID 808 wrote to memory of 536	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	46
PID 808 wrote to memory of 536	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	46
PID 808 wrote to memory of 536	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	46
PID 808 wrote to memory of 536	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	46
PID 808 wrote to memory of 536	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	46
PID 808 wrote to memory of 536	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	46
PID 808 wrote to memory of 536	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	46
PID 808 wrote to memory of 1724	808	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	48

C:\Users\Admin\AppData\Local\Temp\08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\mzone-1334.exe
  C:\Users\Admin\AppData\Local\Temp\mzone-1334.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2524
- C:\Windows\SysWOW64\sc.exe
  sc start PolicyAgent
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1720
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block1 -r BlockTCP -f 119.147.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block2 -r BlockNEW -f 119.188.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block3 -r BlockTWO -f 122.70.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block4 -r BlockTHREE -f 124.238.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2200
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block6 -r Block6 -f 125.39.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:880
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block8 -r Block8 -f 220.181.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block9 -r Block9 -f 221.194.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:536
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block0 -r Block0 -f 118.145.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Program Files (x86)\FeixinMedia\mysetup.exe
  mysetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2340
- - C:\Windows\SysWOW64\sc.exe
    sc create KupSvrLookup binpath= "C:\Program Files (x86)\Common\kupdata.exe" type= share start= auto displayname= "ISATAP And Teredo To Cache Services"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\sc.exe
    sc description KupSvrLookup "Ê¹ÓÃ IPv6 ×ª»»¼¼ÊõÌá¹©½øÐÐ»¥ÁªÍøä¯ÀÀ¸üÐÂÒÔ¼°Ô¤¶Á¼ÓËÙ·þÎñ¡£Èç¹ûÍ£Ö¹¸Ã·þÎñ£¬Ôò¼ÆËã»ú½«²»¾ß±¸ÕâÐ©¼¼ÊõÌá¹©µÄ¼ÓËÙ¹¦ÄÜ¡£"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2072
- - C:\Windows\SysWOW64\sc.exe
    sc start KupSvrLookup
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2052
- - C:\Windows\SysWOW64\sc.exe
    sc create sfdrv01 binpath= C:\Windows\system32\starforce\sfdrv01.sys type= kernel start= system group= Base tag= yes
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\sc.exe
    sc start sfdrv01
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2720
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1 -r Pass1 -f 125.39.100.74+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass2 -r Pass2 -f 220.181.126.15+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass11 -r Pass11 -f 119.147.15.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass12 -r Pass12 -f 119.147.182.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass13 -r Pass13 -f 119.147.21.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass14 -r Pass14 -f 119.147.41.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1680
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass15 -r Pass15 -f 119.147.64.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass16 -r Pass16 -f 119.147.74.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass17 -r Pass17 -f 119.147.9.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass18 -r Pass18 -f 122.70.142.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass19 -r Pass19 -f 125.39.123.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass110 -r Pass110 -f 125.39.127.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass111 -r Pass111 -f 125.39.185.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass112 -r Pass112 -f 125.39.39.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:556
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass113 -r Pass113 -f 125.39.78.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass114 -r Pass114 -f 125.39.85.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1892
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1144 -r Pass1144 -f 125.39.86.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass115 -r Pass115 -f 125.39.87.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1155 -r Pass1155 -f 125.39.88.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1140
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1151 -r Pass1151 -f 125.39.89.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass116 -r Pass116 -f 220.181.100.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1161 -r Pass1161 -f 220.181.101.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:788
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1162 -r Pass1162 -f 220.181.102.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1163 -r Pass1163 -f 220.181.103.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1171 -r Pass1171 -f 220.181.104.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:660
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass117 -r Pass117 -f 220.181.105.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1540
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass118 -r Pass118 -f 220.181.111.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:940
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1181 -r Pass1181 -f 220.181.112.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1182 -r Pass1182 -f 220.181.113.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1183 -r Pass1183 -f 220.181.114.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass119 -r Pass119 -f 220.181.115.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2504
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1110 -r Pass1110 -f 220.181.118.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1588
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1111 -r Pass1111 -f 220.181.135.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1488
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1112 -r Pass1112 -f 220.181.23.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1212 -r Pass1212 -f 220.181.24.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1312 -r Pass1312 -f 220.181.25.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1113 -r Pass1113 -f 220.181.26.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:756
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1412 -r Pass1412 -f 220.181.27.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1512 -r Pass1512 -f 220.181.28.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1612 -r Pass1612 -f 220.181.29.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1560
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1712 -r Pass1712 -f 220.181.30.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1312
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1114 -r Pass1114 -f 220.181.31.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1720
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1115 -r Pass1115 -f 220.181.38.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1116 -r Pass1116 -f 220.181.4.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1144
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1117 -r Pass1117 -f 220.181.43.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1118 -r Pass1118 -f 220.181.50.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1119 -r Pass1119 -f 220.181.6.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1184
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1120 -r Pass1120 -f 220.181.69.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:548
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1121 -r Pass1121 -f 220.181.92.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1122 -r Pass1122 -f 221.194.129.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1972
- C:\Program Files (x86)\FeixinMedia\un0221235001540.exe
  "C:\Program Files (x86)\FeixinMedia\un0221235001540.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Program Files (x86)\FeixinMedia\
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1544

C:\Program Files (x86)\Common\kupdata.exe
"C:\Program Files (x86)\Common\kupdata.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common\kupdata.exe

Filesize
951KB

MD5
fd90dcefd8ac8c97762bf75232b1bd37

SHA1
5049da26925eb2a49d75b0da3a18e54403d56857

SHA256
9afcc8ca00125d89faed061b9e0f5b203540922af4c10443c2b45e62bac180b5

SHA512
b3caa106c5bd2ce7b78814ce4d5ba34e8c5f683744be2cf8e45a1269c7063e33b3427700f1cef304ecf9148128fcc512ef46f14995528ad9b2b56e7595414159

Download Submit
C:\Program Files (x86)\Common\sfdrv01-nos.sys

Filesize
6KB

MD5
9a7c147ab35c9bb6f04d3081e0e45d2b

SHA1
d0d56dc5fd9695c41dcadc2b50e3f56569844532

SHA256
293f07b6a881061c4957cd5e55f38255efb038a62c49c6930b85b5148c083067

SHA512
7cafd5e408031fb993c0bb987f7b08eac8b0359cc599dd6ae5bfcdcfb18a444e78e7519790ca31895b5a3aedfa9c7fd88e5b0817d291234ebe4a42898ccbda01

Download Submit
C:\Program Files (x86)\Common\sfdrv01.sys

Filesize
9KB

MD5
c391f3356fd694f321a6f21f77dfce06

SHA1
79ddc6dd6abcade2cd4654016fc049705aab10b4

SHA256
fa806f331bfebe2e412a25847b8c226528d7b0539c2788bb200942608dad3fe1

SHA512
d46098fb3bbacccc4781d4c532e484d31c2e3b73ee6a593cd211d7f9b447fd4133324f84aaedf2f8a043dcfd1cd9bb2bd847bd8f5a62fffd221c8fc3b4b3c83d

Download Submit
C:\Program Files (x86)\Common\sqlite3.dll

Filesize
494KB

MD5
33439d6c91ca56b1c2c87648ea21697e

SHA1
a4bec2b19254fd85e10ff91e353c6ce6503a928b

SHA256
96ef9b5d02b10d4635479630fb5bffd155af440d1d9fcdb9a00e4951f86ecb92

SHA512
60c50d45e5bf7ee2894221be390ecc94797d1f9f99567a229be7de580222bb3862330a5a01d93caa49f0f2666c1280d7cb0097ca7f7400c122b9e3bdf8c3108f

Download Submit
C:\Program Files (x86)\FeixinMedia\un0221235001540.exe

Filesize
53KB

MD5
1ec2ec9d9a8b02ea8cfd087d2ed918b0

SHA1
44edacf17a705b06f357a24b4ec030dd9c304097

SHA256
cf32985c43989034c5e89dccaaef883dbb432133815567b6c0fefbf9def445df

SHA512
f72bb3b936912881862ecc9c0b14f1778fb92943a6b8ecda203fedb26463e0f39d675b7d22b19cf4126a4568b13d8e0af4422bd351d6d2217d6c06c1f908e59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB56B.tmp\ioSpecial.ini

Filesize
591B

MD5
261a7ccd85ec1b3645a6a21ca3b16337

SHA1
f11269c8cbe7c1a098a3541f032194dd7d933a82

SHA256
26572a884c4832467d4475943507c0d6c8b6b129386d3af435a2d85b13f21e68

SHA512
fd9e9e5aac1b63faf2d5c8ee2f22a945ca805c83d3b8c346ee1d9971ac685813749dfa407da970812a87556e556814d73db21f02024d059da1562d6a5362e276

Download Submit
C:\Windows\yypro.pac

Filesize
7KB

MD5
f3c0445abf44ddc4fe1055070718ce93

SHA1
ff990cb5472215e3d27f3cb0b82699702a70d6d5

SHA256
eb4428fcec281e0556fbc19a30825a9b4144abe1645febe4173adacd3d8650c6

SHA512
ed55842e3c1d4fc53d86d850cb845f830e6476510a638effc97abda0715c5716e4d9106bd51807b18207ef1672efac64dda126dc66604a5359608d3b66d3fa8a

Download Submit
\Program Files (x86)\Common\msxml2.dll

Filesize
684KB

MD5
0b69528911359d8f5381a4ea6618c65a

SHA1
973b03afafca0280e8ef32065af35e2f63b7b5f4

SHA256
ccb76dc547081b16262eddd5c403fe1d6a17902bca6807e4e6feb21a2393af72

SHA512
9861d0c859d98eafff7cb737fe50fbd6ebfc615f90499030fb99547a5c12c2afc80a887910a058d52ad6a9d9cb2750d6cae4c540cc15323fca112a7b8a60a2a7

Download Submit
\Program Files (x86)\FeixinMedia\ipseccmd.exe

Filesize
105KB

MD5
8c362511fe3c2ff957c4b08053816226

SHA1
b8bc35394fa13e9d038301daf0b4cfbc75ff0249

SHA256
8b9a8695b9811ee6bb1679f02566a53888d57294758bb2887de0423262eeec8b

SHA512
b4b8eb807e8cfd49f09f64645a36403e3b3d3f2e8953492de47a4aee7caf098f4245d7ba70baf2ff4118e91dab8b6dd98f064da48e1a84dbd094766d3f7d7abc

Download Submit
\Program Files (x86)\FeixinMedia\mysetup.exe

Filesize
1.1MB

MD5
442c9c64818436632a413eb4f0472fb4

SHA1
ae7006326b76dfaca5465095e33eb34d532540f1

SHA256
534d8870453936e62e1cc51fd0fe9b39fba484b3d92fba8bda14222780255c99

SHA512
7f0a644a68beee960c5b0299fb24b76ea0fac87c08b789a0ec9335966c864fa27bde4595bb4e84282fe616e95af51fcf8ce235f769f5428900bf234d01accb2e

Download Submit
\Users\Admin\AppData\Local\Temp\mzone-1334.exe

Filesize
179KB

MD5
34538d2253a2d4a3d0d0de85032f5811

SHA1
68fd1548ffb80fbc071635d4e9457223795f696f

SHA256
1484ee1dde0761a18994885f44c8e89b258be4267f42f643610475db8787e672

SHA512
dc0de037f3cbd863bbe58740e9ec2606485494b0904c6d8771270886c8487c9a4e95d4955d26eeeab832583a41636e7de7ddc070b64f4c1410325c208d9f9130

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB4DF.tmp\Internet.dll

Filesize
4KB

MD5
78d026611a970fe14e983a6b9490ea34

SHA1
cbf63f3aade515f3fc3fbbcc4e12913f1a472d49

SHA256
96100f4ba9563ced97add567f4461541cbe9a085ab5276754bee38dc060a6867

SHA512
efbb6bcca88dae073babac2dcf1ad8444c209792cd82820a00483fa365cb899f4979ca29d6ca22de4b975eae2dab8e736a83bc574265925cafcdcfae9cb7915f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB4DF.tmp\System.dll

Filesize
10KB

MD5
1a7a1f7fd0acd2ebe7722d56357a56da

SHA1
d6e952df2d3c33b923685087509eda5be1c53bdf

SHA256
3b2f46ecabea3457a0e29847974ced9f26d617449812e485543d28d645cdd060

SHA512
cf02e30108ea7e584b5b01a8347142927973f0b4b25a03020075cafb2badbee4eec3bb7c4c5785928f4d1e86248983904f33c0df363ee5c4c53a973c7beb39aa

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB4DF.tmp\nsExec.dll

Filesize
6KB

MD5
1e16f1e4f6e9155d68a33501d5c36010

SHA1
2f5da34b1ca655b55739cc7455e94314aab7ddc9

SHA256
73a56cf3b8e4a3022304e7e2196aefd4104dce1e2055ca068e3ce7650597b6fc

SHA512
4c5990ff8799aea74983e5974072a2cf41cb28abac0a7691186fae31eec9920845fb71b86771a88a87cf79ad33ca184823522f24b38df3805c1b37d39876c037

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB4DF.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB4DF.tmp\nsisplugin.dll

Filesize
319KB

MD5
9d5aa658e39972a0068b7f61d2b8b046

SHA1
be50599c1fa9ddf629cc8dd4d6d4ae2066d0a83b

SHA256
4834aa76a816b03f2f7b4af6dea467c893952edc2b79a11f791526cdd803d694

SHA512
e47f312a3f29d7f25dfd75eb0e7f9d7e99af78528718bb09cfe51b943d56bf2f8c3a44e1459230681d448f31ce53a8ba793abf70988dde60367995919bbf9f30

Download Submit
\Users\Admin\AppData\Local\Temp\nstD28C.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB56B.tmp\InstallOptions.dll

Filesize
14KB

MD5
fa5beae80dba254fb6c21b58265f5310

SHA1
f2f776611dbbb157b151aa744a7e0be1d4b8c079

SHA256
34b8a2130729064ca2f9b3b8e6f90d883d84662156b648a4eeccefefc3473269

SHA512
7c74b9e9f1ff0665ffd6fcf76fca462d9f4fbd7c4a215bc67b419497ef4c3cb9cede6c5b0803cabb316bc5391c4c6f0d578d36e1094b8ed326b140f8e272b538

Download Submit
memory/808-38-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/808-287-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/808-125-0x0000000003590000-0x00000000035E8000-memory.dmp

Filesize
352KB

Download
memory/808-225-0x0000000003610000-0x0000000003668000-memory.dmp

Filesize
352KB

Download
memory/1252-604-0x0000000060900000-0x000000006096D000-memory.dmp

Filesize
436KB

Download
memory/1252-603-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download