a2e719acfc2c9771927c7ee6a754374cc1bf6cf8452b342c5de5117b3fdbf09e

Analysis

max time kernel
147s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
Size

1.5MB
MD5

08443d1392a9ddd1e83d57308253090e
SHA1

65127afb99651cc708daa89cba06d2f844e621ed
SHA256

a2e719acfc2c9771927c7ee6a754374cc1bf6cf8452b342c5de5117b3fdbf09e
SHA512

224a39499a2c34003ea66bca9265bb8cfbc12840452ad17b8c9b9b2ac1b0401621d3b3d4a917b9e370e86275ecf5b2530022cf6f697522bd6ae7e79a93bbcd48
SSDEEP

24576:I+9danInLmIE4P8di/Jh6nnSfcsuD0DfezN6rNFKLA137615nB8:I8aIctdqJhVcsu4LezgKEL6Xna

Score

8^/10

discovery execution persistence upx

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234d6-18.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2908	Au_.exe

Executes dropped EXE 63 IoCs

pid	Process
3088	mzone-1334.exe
2304	ipseccmd.exe
720	ipseccmd.exe
4900	ipseccmd.exe
4008	ipseccmd.exe
4376	ipseccmd.exe
3900	ipseccmd.exe
4840	ipseccmd.exe
736	ipseccmd.exe
3852	mysetup.exe
4440	kupdata.exe
764	ipseccmd.exe
540	ipseccmd.exe
5040	ipseccmd.exe
4860	ipseccmd.exe
3560	ipseccmd.exe
2248	ipseccmd.exe
2956	ipseccmd.exe
3416	ipseccmd.exe
4432	ipseccmd.exe
2924	ipseccmd.exe
3200	ipseccmd.exe
4672	ipseccmd.exe
3192	ipseccmd.exe
3528	ipseccmd.exe
2244	ipseccmd.exe
3476	ipseccmd.exe
2720	ipseccmd.exe
220	ipseccmd.exe
2716	ipseccmd.exe
4792	ipseccmd.exe
4280	ipseccmd.exe
2620	ipseccmd.exe
1228	ipseccmd.exe
2292	ipseccmd.exe
4284	ipseccmd.exe
2120	ipseccmd.exe
764	ipseccmd.exe
540	ipseccmd.exe
2328	ipseccmd.exe
4772	ipseccmd.exe
2088	ipseccmd.exe
2124	ipseccmd.exe
464	ipseccmd.exe
3180	ipseccmd.exe
4076	ipseccmd.exe
3544	ipseccmd.exe
960	ipseccmd.exe
3000	ipseccmd.exe
208	ipseccmd.exe
5056	ipseccmd.exe
3960	ipseccmd.exe
2096	ipseccmd.exe
964	ipseccmd.exe
2600	ipseccmd.exe
3020	ipseccmd.exe
864	ipseccmd.exe
5068	ipseccmd.exe
4696	ipseccmd.exe
4456	ipseccmd.exe
4364	ipseccmd.exe
3852	un0221235001540.exe
2908	Au_.exe

Loads dropped DLL 64 IoCs

pid	Process
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
3088	mzone-1334.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
3852	mysetup.exe
3852	mysetup.exe
3852	mysetup.exe
3852	mysetup.exe
3852	mysetup.exe
3852	mysetup.exe
4440	kupdata.exe
3852	mysetup.exe
3852	mysetup.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\starforce\sfdrv01.sys	mysetup.exe
File opened for modification	C:\Windows\SysWOW64\starforce\sfdrv01.sys	mysetup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	kupdata.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	kupdata.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	kupdata.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	kupdata.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234d6-18.dat	upx

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FeixinMedia\menu.xml	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\FeixinMedia\ipseccmd.exe	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common\suject.db	mysetup.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\s0001.xml	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\menu.xml	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\ipseccmd.exe	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\FeixinMedia\s0001.xml	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common\sqlite3.dll	mysetup.exe
File created	C:\Program Files (x86)\Common\sfdrv01-nos.sys	mysetup.exe
File created	C:\Program Files (x86)\Common\sfdrv01.sys	mysetup.exe
File opened for modification	C:\Program Files (x86)\Common\sfdrv01.sys	mysetup.exe
File created	C:\Program Files (x86)\Common\msxml2.dll	mysetup.exe
File opened for modification	C:\Program Files (x86)\Common\suject.db	kupdata.exe
File opened for modification	C:\Program Files (x86)\Common\suject.db-journal	kupdata.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\un0221235001540.exe	Au_.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\temp0221235001540.ini	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\FeixinMedia\un0221235001540.exe	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\FeixinMedia\mysetup.exe	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common\ypac.txt	mysetup.exe
File created	C:\Program Files (x86)\Common\kupdata.exe	mysetup.exe
File created	C:\Program Files (x86)\Common\pro.txt	kupdata.exe
File opened for modification	C:\Program Files (x86)\Common\sfdrv01-nos.sys	mysetup.exe
File opened for modification	C:\Program Files (x86)\FeixinMedia\mysetup.exe	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\yypro.pac	kupdata.exe
File opened for modification	C:\WINDOWS\yypro.pac	kupdata.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4424	sc.exe
2884	sc.exe
1068	sc.exe
3888	sc.exe
3188	sc.exe
3760	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kupdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mysetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mzone-1334.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipseccmd.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234d1-12.dat	nsis_installer_1
behavioral2/files/0x00070000000234d1-12.dat	nsis_installer_2
behavioral2/files/0x00070000000234e0-186.dat	nsis_installer_2
behavioral2/files/0x00080000000234d0-620.dat	nsis_installer_2

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kupdata.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kupdata.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kupdata.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	kupdata.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	kupdata.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	kupdata.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kupdata.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kupdata.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3852	mysetup.exe
3852	mysetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3088	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	82
PID 2364 wrote to memory of 3088	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	82
PID 2364 wrote to memory of 3088	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	82
PID 2364 wrote to memory of 1068	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	83
PID 2364 wrote to memory of 1068	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	83
PID 2364 wrote to memory of 1068	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	83
PID 2364 wrote to memory of 2304	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	85
PID 2364 wrote to memory of 2304	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	85
PID 2364 wrote to memory of 2304	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	85
PID 2364 wrote to memory of 720	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	87
PID 2364 wrote to memory of 720	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	87
PID 2364 wrote to memory of 720	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	87
PID 2364 wrote to memory of 4900	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	89
PID 2364 wrote to memory of 4900	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	89
PID 2364 wrote to memory of 4900	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	89
PID 2364 wrote to memory of 4008	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	91
PID 2364 wrote to memory of 4008	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	91
PID 2364 wrote to memory of 4008	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	91
PID 2364 wrote to memory of 4376	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	93
PID 2364 wrote to memory of 4376	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	93
PID 2364 wrote to memory of 4376	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	93
PID 2364 wrote to memory of 3900	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	95
PID 2364 wrote to memory of 3900	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	95
PID 2364 wrote to memory of 3900	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	95
PID 2364 wrote to memory of 4840	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	97
PID 2364 wrote to memory of 4840	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	97
PID 2364 wrote to memory of 4840	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	97
PID 2364 wrote to memory of 736	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	99
PID 2364 wrote to memory of 736	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	99
PID 2364 wrote to memory of 736	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	99
PID 2364 wrote to memory of 3852	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	101
PID 2364 wrote to memory of 3852	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	101
PID 2364 wrote to memory of 3852	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	101
PID 3852 wrote to memory of 3888	3852	mysetup.exe	102
PID 3852 wrote to memory of 3888	3852	mysetup.exe	102
PID 3852 wrote to memory of 3888	3852	mysetup.exe	102
PID 3852 wrote to memory of 3188	3852	mysetup.exe	104
PID 3852 wrote to memory of 3188	3852	mysetup.exe	104
PID 3852 wrote to memory of 3188	3852	mysetup.exe	104
PID 3852 wrote to memory of 3760	3852	mysetup.exe	106
PID 3852 wrote to memory of 3760	3852	mysetup.exe	106
PID 3852 wrote to memory of 3760	3852	mysetup.exe	106
PID 3852 wrote to memory of 4424	3852	mysetup.exe	109
PID 3852 wrote to memory of 4424	3852	mysetup.exe	109
PID 3852 wrote to memory of 4424	3852	mysetup.exe	109
PID 3852 wrote to memory of 2884	3852	mysetup.exe	111
PID 3852 wrote to memory of 2884	3852	mysetup.exe	111
PID 3852 wrote to memory of 2884	3852	mysetup.exe	111
PID 2364 wrote to memory of 764	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	113
PID 2364 wrote to memory of 764	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	113
PID 2364 wrote to memory of 764	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	113
PID 2364 wrote to memory of 540	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	115
PID 2364 wrote to memory of 540	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	115
PID 2364 wrote to memory of 540	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	115
PID 2364 wrote to memory of 5040	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	117
PID 2364 wrote to memory of 5040	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	117
PID 2364 wrote to memory of 5040	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	117
PID 2364 wrote to memory of 4860	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	119
PID 2364 wrote to memory of 4860	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	119
PID 2364 wrote to memory of 4860	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	119
PID 2364 wrote to memory of 3560	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	121
PID 2364 wrote to memory of 3560	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	121
PID 2364 wrote to memory of 3560	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	121
PID 2364 wrote to memory of 2248	2364	08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe	123

C:\Users\Admin\AppData\Local\Temp\08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08443d1392a9ddd1e83d57308253090e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\mzone-1334.exe
  C:\Users\Admin\AppData\Local\Temp\mzone-1334.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3088
- C:\Windows\SysWOW64\sc.exe
  sc start PolicyAgent
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1068
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block1 -r BlockTCP -f 119.147.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block2 -r BlockNEW -f 119.188.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:720
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block3 -r BlockTWO -f 122.70.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4900
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block4 -r BlockTHREE -f 124.238.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4008
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block6 -r Block6 -f 125.39.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4376
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block8 -r Block8 -f 220.181.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3900
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block9 -r Block9 -f 221.194.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4840
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Block0 -r Block0 -f 118.145.*.*+0 -n BLOCK -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:736
- C:\Program Files (x86)\FeixinMedia\mysetup.exe
  mysetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\SysWOW64\sc.exe
    sc create KupSvrLookup binpath= "C:\Program Files (x86)\Common\kupdata.exe" type= share start= auto displayname= "ISATAP And Teredo To Cache Services"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3888
- - C:\Windows\SysWOW64\sc.exe
    sc description KupSvrLookup "Ê¹ÓÃ IPv6 ×ª»»¼¼ÊõÌá¹©½øÐÐ»¥ÁªÍøä¯ÀÀ¸üÐÂÒÔ¼°Ô¤¶Á¼ÓËÙ·þÎñ¡£Èç¹ûÍ£Ö¹¸Ã·þÎñ£¬Ôò¼ÆËã»ú½«²»¾ß±¸ÕâÐ©¼¼ÊõÌá¹©µÄ¼ÓËÙ¹¦ÄÜ¡£"
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3188
- - C:\Windows\SysWOW64\sc.exe
    sc start KupSvrLookup
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3760
- - C:\Windows\SysWOW64\sc.exe
    sc create sfdrv01 binpath= C:\Windows\system32\starforce\sfdrv01.sys type= kernel start= system group= Base tag= yes
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4424
- - C:\Windows\SysWOW64\sc.exe
    sc start sfdrv01
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1 -r Pass1 -f 125.39.100.74+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:764
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass2 -r Pass2 -f 220.181.126.15+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:540
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass11 -r Pass11 -f 119.147.15.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5040
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass12 -r Pass12 -f 119.147.182.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4860
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass13 -r Pass13 -f 119.147.21.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3560
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass14 -r Pass14 -f 119.147.41.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass15 -r Pass15 -f 119.147.64.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass16 -r Pass16 -f 119.147.74.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3416
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass17 -r Pass17 -f 119.147.9.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass18 -r Pass18 -f 122.70.142.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2924
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass19 -r Pass19 -f 125.39.123.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3200
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass110 -r Pass110 -f 125.39.127.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4672
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass111 -r Pass111 -f 125.39.185.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass112 -r Pass112 -f 125.39.39.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3528
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass113 -r Pass113 -f 125.39.78.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2244
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass114 -r Pass114 -f 125.39.85.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3476
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1144 -r Pass1144 -f 125.39.86.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass115 -r Pass115 -f 125.39.87.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:220
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1155 -r Pass1155 -f 125.39.88.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1151 -r Pass1151 -f 125.39.89.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4792
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass116 -r Pass116 -f 220.181.100.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1161 -r Pass1161 -f 220.181.101.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2620
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1162 -r Pass1162 -f 220.181.102.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1228
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1163 -r Pass1163 -f 220.181.103.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1171 -r Pass1171 -f 220.181.104.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4284
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass117 -r Pass117 -f 220.181.105.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass118 -r Pass118 -f 220.181.111.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:764
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1181 -r Pass1181 -f 220.181.112.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:540
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1182 -r Pass1182 -f 220.181.113.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1183 -r Pass1183 -f 220.181.114.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4772
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass119 -r Pass119 -f 220.181.115.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1110 -r Pass1110 -f 220.181.118.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2124
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1111 -r Pass1111 -f 220.181.135.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:464
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1112 -r Pass1112 -f 220.181.23.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3180
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1212 -r Pass1212 -f 220.181.24.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4076
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1312 -r Pass1312 -f 220.181.25.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3544
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1113 -r Pass1113 -f 220.181.26.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:960
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1412 -r Pass1412 -f 220.181.27.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1512 -r Pass1512 -f 220.181.28.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:208
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1612 -r Pass1612 -f 220.181.29.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5056
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1712 -r Pass1712 -f 220.181.30.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3960
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1114 -r Pass1114 -f 220.181.31.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1115 -r Pass1115 -f 220.181.38.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:964
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1116 -r Pass1116 -f 220.181.4.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1117 -r Pass1117 -f 220.181.43.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1118 -r Pass1118 -f 220.181.50.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:864
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1119 -r Pass1119 -f 220.181.6.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5068
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1120 -r Pass1120 -f 220.181.69.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4696
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1121 -r Pass1121 -f 220.181.92.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4456
- C:\Program Files (x86)\FeixinMedia\ipseccmd.exe
  ipseccmd -p Pass1122 -r Pass1122 -f 221.194.129.*+0 -n PASS -x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4364
- C:\Program Files (x86)\FeixinMedia\un0221235001540.exe
  "C:\Program Files (x86)\FeixinMedia\un0221235001540.exe"
  2⤵
  - Executes dropped EXE
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Program Files (x86)\FeixinMedia\
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2908

C:\Program Files (x86)\Common\kupdata.exe
"C:\Program Files (x86)\Common\kupdata.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common\kupdata.exe

Filesize
951KB

MD5
fd90dcefd8ac8c97762bf75232b1bd37

SHA1
5049da26925eb2a49d75b0da3a18e54403d56857

SHA256
9afcc8ca00125d89faed061b9e0f5b203540922af4c10443c2b45e62bac180b5

SHA512
b3caa106c5bd2ce7b78814ce4d5ba34e8c5f683744be2cf8e45a1269c7063e33b3427700f1cef304ecf9148128fcc512ef46f14995528ad9b2b56e7595414159

Download Submit
C:\Program Files (x86)\Common\msxml2.dll

Filesize
684KB

MD5
0b69528911359d8f5381a4ea6618c65a

SHA1
973b03afafca0280e8ef32065af35e2f63b7b5f4

SHA256
ccb76dc547081b16262eddd5c403fe1d6a17902bca6807e4e6feb21a2393af72

SHA512
9861d0c859d98eafff7cb737fe50fbd6ebfc615f90499030fb99547a5c12c2afc80a887910a058d52ad6a9d9cb2750d6cae4c540cc15323fca112a7b8a60a2a7

Download Submit
C:\Program Files (x86)\Common\sfdrv01-nos.sys

Filesize
6KB

MD5
9a7c147ab35c9bb6f04d3081e0e45d2b

SHA1
d0d56dc5fd9695c41dcadc2b50e3f56569844532

SHA256
293f07b6a881061c4957cd5e55f38255efb038a62c49c6930b85b5148c083067

SHA512
7cafd5e408031fb993c0bb987f7b08eac8b0359cc599dd6ae5bfcdcfb18a444e78e7519790ca31895b5a3aedfa9c7fd88e5b0817d291234ebe4a42898ccbda01

Download Submit
C:\Program Files (x86)\Common\sfdrv01.sys

Filesize
9KB

MD5
c391f3356fd694f321a6f21f77dfce06

SHA1
79ddc6dd6abcade2cd4654016fc049705aab10b4

SHA256
fa806f331bfebe2e412a25847b8c226528d7b0539c2788bb200942608dad3fe1

SHA512
d46098fb3bbacccc4781d4c532e484d31c2e3b73ee6a593cd211d7f9b447fd4133324f84aaedf2f8a043dcfd1cd9bb2bd847bd8f5a62fffd221c8fc3b4b3c83d

Download Submit
C:\Program Files (x86)\Common\sqlite3.dll

Filesize
494KB

MD5
33439d6c91ca56b1c2c87648ea21697e

SHA1
a4bec2b19254fd85e10ff91e353c6ce6503a928b

SHA256
96ef9b5d02b10d4635479630fb5bffd155af440d1d9fcdb9a00e4951f86ecb92

SHA512
60c50d45e5bf7ee2894221be390ecc94797d1f9f99567a229be7de580222bb3862330a5a01d93caa49f0f2666c1280d7cb0097ca7f7400c122b9e3bdf8c3108f

Download Submit
C:\Program Files (x86)\Common\suject.db

Filesize
20KB

MD5
395986d5ab914f167f8be379700d9bb7

SHA1
fe86839bb547be76e1b4895e707aa58cc953fbb1

SHA256
c782ad5682dcfdf132120bcc390a4ac393e018e060d57d43d3c4c0e72972c3de

SHA512
7786904ac08d416761491806277fe31f78ed8554a88cd0388905c27d4d74790f11b0d164c3dc62d6c77f313b0ac14c57dde9a2ae728df275cda4daf1efeecbd5

Download Submit
C:\Program Files (x86)\Common\ypac.txt

Filesize
7KB

MD5
739ae509e4a151ee6dcf81533dcaee83

SHA1
b4e893e9dfd95cda64d7617e5731a092a1651f3c

SHA256
fa424c683857029156208a32053b0ff3749efae027f96ebb56ee8558eee4ab03

SHA512
1aa73847720184a55838589b751883222aa883845dee13ec023f178e861ecc2fdcc2d617a0b22c1f60f595f7327b8b9483011cc033eab87f5423405cb384b742

Download Submit
C:\Program Files (x86)\FeixinMedia\ipseccmd.exe

Filesize
105KB

MD5
8c362511fe3c2ff957c4b08053816226

SHA1
b8bc35394fa13e9d038301daf0b4cfbc75ff0249

SHA256
8b9a8695b9811ee6bb1679f02566a53888d57294758bb2887de0423262eeec8b

SHA512
b4b8eb807e8cfd49f09f64645a36403e3b3d3f2e8953492de47a4aee7caf098f4245d7ba70baf2ff4118e91dab8b6dd98f064da48e1a84dbd094766d3f7d7abc

Download Submit
C:\Program Files (x86)\FeixinMedia\mysetup.exe

Filesize
1.1MB

MD5
442c9c64818436632a413eb4f0472fb4

SHA1
ae7006326b76dfaca5465095e33eb34d532540f1

SHA256
534d8870453936e62e1cc51fd0fe9b39fba484b3d92fba8bda14222780255c99

SHA512
7f0a644a68beee960c5b0299fb24b76ea0fac87c08b789a0ec9335966c864fa27bde4595bb4e84282fe616e95af51fcf8ce235f769f5428900bf234d01accb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzone-1334.exe

Filesize
179KB

MD5
34538d2253a2d4a3d0d0de85032f5811

SHA1
68fd1548ffb80fbc071635d4e9457223795f696f

SHA256
1484ee1dde0761a18994885f44c8e89b258be4267f42f643610475db8787e672

SHA512
dc0de037f3cbd863bbe58740e9ec2606485494b0904c6d8771270886c8487c9a4e95d4955d26eeeab832583a41636e7de7ddc070b64f4c1410325c208d9f9130

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA691.tmp\Internet.dll

Filesize
4KB

MD5
78d026611a970fe14e983a6b9490ea34

SHA1
cbf63f3aade515f3fc3fbbcc4e12913f1a472d49

SHA256
96100f4ba9563ced97add567f4461541cbe9a085ab5276754bee38dc060a6867

SHA512
efbb6bcca88dae073babac2dcf1ad8444c209792cd82820a00483fa365cb899f4979ca29d6ca22de4b975eae2dab8e736a83bc574265925cafcdcfae9cb7915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA691.tmp\System.dll

Filesize
10KB

MD5
1a7a1f7fd0acd2ebe7722d56357a56da

SHA1
d6e952df2d3c33b923685087509eda5be1c53bdf

SHA256
3b2f46ecabea3457a0e29847974ced9f26d617449812e485543d28d645cdd060

SHA512
cf02e30108ea7e584b5b01a8347142927973f0b4b25a03020075cafb2badbee4eec3bb7c4c5785928f4d1e86248983904f33c0df363ee5c4c53a973c7beb39aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA691.tmp\nsExec.dll

Filesize
6KB

MD5
1e16f1e4f6e9155d68a33501d5c36010

SHA1
2f5da34b1ca655b55739cc7455e94314aab7ddc9

SHA256
73a56cf3b8e4a3022304e7e2196aefd4104dce1e2055ca068e3ce7650597b6fc

SHA512
4c5990ff8799aea74983e5974072a2cf41cb28abac0a7691186fae31eec9920845fb71b86771a88a87cf79ad33ca184823522f24b38df3805c1b37d39876c037

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA691.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA691.tmp\nsisplugin.dll

Filesize
319KB

MD5
9d5aa658e39972a0068b7f61d2b8b046

SHA1
be50599c1fa9ddf629cc8dd4d6d4ae2066d0a83b

SHA256
4834aa76a816b03f2f7b4af6dea467c893952edc2b79a11f791526cdd803d694

SHA512
e47f312a3f29d7f25dfd75eb0e7f9d7e99af78528718bb09cfe51b943d56bf2f8c3a44e1459230681d448f31ce53a8ba793abf70988dde60367995919bbf9f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB9AC.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA71E.tmp\InstallOptions.dll

Filesize
14KB

MD5
fa5beae80dba254fb6c21b58265f5310

SHA1
f2f776611dbbb157b151aa744a7e0be1d4b8c079

SHA256
34b8a2130729064ca2f9b3b8e6f90d883d84662156b648a4eeccefefc3473269

SHA512
7c74b9e9f1ff0665ffd6fcf76fca462d9f4fbd7c4a215bc67b419497ef4c3cb9cede6c5b0803cabb316bc5391c4c6f0d578d36e1094b8ed326b140f8e272b538

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA71E.tmp\ioSpecial.ini

Filesize
591B

MD5
7407480bb475013db29dbc98147d9db3

SHA1
8eb92bc71bedaa8896b1bb21a3c80aa085b36f20

SHA256
f7f64f8699a97ae11939de18e90add97cede9133acd8f8e009ee6de2bb0733ce

SHA512
0c01d917f20a0a2a570bd6e323ce401a8ebc62a3ab20b81e1ec8bac506cdcaa763b550e3198489ddfe5a34b2bf35215d557cc742065b44294a5f803d416a1fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
53KB

MD5
1ec2ec9d9a8b02ea8cfd087d2ed918b0

SHA1
44edacf17a705b06f357a24b4ec030dd9c304097

SHA256
cf32985c43989034c5e89dccaaef883dbb432133815567b6c0fefbf9def445df

SHA512
f72bb3b936912881862ecc9c0b14f1778fb92943a6b8ecda203fedb26463e0f39d675b7d22b19cf4126a4568b13d8e0af4422bd351d6d2217d6c06c1f908e59d

Download Submit
C:\Windows\yypro.pac

Filesize
7KB

MD5
f3c0445abf44ddc4fe1055070718ce93

SHA1
ff990cb5472215e3d27f3cb0b82699702a70d6d5

SHA256
eb4428fcec281e0556fbc19a30825a9b4144abe1645febe4173adacd3d8650c6

SHA512
ed55842e3c1d4fc53d86d850cb845f830e6476510a638effc97abda0715c5716e4d9106bd51807b18207ef1672efac64dda126dc66604a5359608d3b66d3fa8a

Download Submit
memory/2364-180-0x0000000002E00000-0x0000000002E58000-memory.dmp

Filesize
352KB

Download
memory/2364-124-0x0000000002D80000-0x0000000002DD8000-memory.dmp

Filesize
352KB

Download
memory/2364-37-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/2364-417-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/2364-418-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/2364-38-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/4440-515-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4440-516-0x0000000060900000-0x000000006096D000-memory.dmp

Filesize
436KB

Download