712dae78fed3260bf1777392dc3ebb5d0eb84db165887098646ed6ba1dea519f

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe
Size

7.7MB
MD5

167b2e4547779a8ab4999dcb139dd6df
SHA1

864825ebd2883e9d70a4e5ae27951e96357b060d
SHA256

712dae78fed3260bf1777392dc3ebb5d0eb84db165887098646ed6ba1dea519f
SHA512

8696d9938fe983eb7018bf7b266c29f7e68da1fc32623e3430d29d6c08f522be2917ae3b305f5a31698443527f209d44b6de10771afdea45932c8337eb1f7d27
SSDEEP

196608:q4lVrq9+AzRA/Pob+fK3QKnePsf400h74ZZesa4WGLvzCcy:h20Pi400hkLHa4Webvy

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
1732	KuGoo.exe
928	KuGoo.exe

Loads dropped DLL 11 IoCs

pid	Process
2108	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
1980	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-EJDM5.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\KuGou\KuGou2010\AudioPlugins\is-E1JFV.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-CF4J6.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\KuGou\KuGou2010\ver.ini	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\KuGou\SingerRes9D94580A-EB27-4233-A1B5-70577835D89E	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-OI0KL.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AudioPlugins\is-A2UK8.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AudioPlugins\is-MEDVE.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\Skins\Subject\is-NIPHU.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-K7L4O.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\HotImages\is-VNE9E.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-C55H4.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-86A6T.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-HR086.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\KuGoo.xml	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-DRDQ7.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-PV1R6.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\DSPPlugins\is-8Q7NO.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-R8UFQ.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\KuGou\KuGou2010\unins000.dat	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\KuGou\KuGou2010\LastStatus.dat	KuGoo.exe
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-M1Q13.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-S11S0.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-6H7FF.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-V5LK2.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-ENAPJ.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-08B5M.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AudioPlugins\is-6AP0I.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AudioPlugins\is-JDRQ8.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-QESJI.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-QUGRV.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\unins000.dat	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-9QJK4.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-OD7KI.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-B0T3T.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-DG018.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-TEMTM.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-7TURI.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-G8OBU.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-RTR8I.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-GA1JR.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-SCT2I.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AudioPlugins\is-DLUVP.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-9463N.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-3TB82.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\FirstGuid\is-G8GGL.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-LRBFA.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-HMTJC.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-MQTCM.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-0BH27.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\KuGou\KuGou2010\Install.ini	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-9624V.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AudioPlugins\is-R95HO.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-NULJS.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AudioPlugins\is-S9T73.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\KuGou\KuGou2010\SingerRes	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-EBGQO.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-3NPRV.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-E7SUG.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AudioPlugins\is-3I290.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\AddIns\is-DKH92.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\FirstGuid\is-1CE2E.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\KuGou\KuGou2010\config.ini	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-GHRJ1.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
File created	C:\Program Files (x86)\KuGou\KuGou2010\is-T8VIS.tmp	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KuGoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KuGoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{739094EE-8FC3-498D-A816-086023A88293}	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{739094EE-8FC3-498D-A816-086023A88293}\AppName = "Kugoo.exe"	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{739094EE-8FC3-498D-A816-086023A88293}\AppPath = "C:\\Program Files (x86)\\KuGou\\KuGou2010"	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{739094EE-8FC3-498D-A816-086023A88293}\Policy = "3"	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MIDI\DefaultIcon\ = "C:\\Program Files (x86)\\KuGou\\KuGou2010\\KuGoo.exe,2"	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.RMI\Shell	KuGoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KuGoo.KFS\Shell\Open\Command	KuGoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{162AF25B-5A2A-448E-A842-194653EF3E05}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\KuGoo3DownXControl.ocx,1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.KGM	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.DTS\ = "????DTS??"	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MP2	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.RMI\Shell\PlayList\Command\ = "\"C:\\Program Files (x86)\\KuGou\\KuGou2010\\KuGoo.exe\" /List \"%1\""	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MPC\Shell\Open	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.AIF\DefaultIcon\ = "C:\\Program Files (x86)\\KuGou\\KuGou2010\\KuGoo.exe,2"	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.RMI\ = "KuGoo.RMI"	KuGoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KuGoo3DownXControl.KuGoo3Down\Clsid\ = "{162AF25B-5A2A-448E-A842-194653EF3E05}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.WAV\Shell\Open	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.AIFF\Shell\PlayList\Command	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.DTS\Shell\PlayList\Command\ = "\"C:\\Program Files (x86)\\KuGou\\KuGou2010\\KuGoo.exe\" /List \"%1\""	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.M4A	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.APE	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MP1\Shell\PlayList\Command	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MP3\Shell\PlayList	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MPC\ = "????MPC??"	KuGoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04B9A4F6-B3C8-4227-BEB7-11DB11D15647}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MP1\Shell	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.AU\DefaultIcon	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.AC3\DefaultIcon	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.DTSWAV\Shell\Open\ = "??(&O)"	KuGoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KuGoo3DownXControl.KuGoo3Proto\	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.WMA\ = "KuGoo.WMA"	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.AIFF\DefaultIcon	KuGoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE269465-D334-414A-BB1F-2F53FAD77251}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.KRC\ = "????KRC??"	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.M3U\Shell\Open\ = "??(&O)"	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.A52\Shell\PlayList	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.AA\Shell\Open	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MPC\DefaultIcon	KuGoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.KFS\ = "KuGoo.KFS"	KuGoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04B9A4F6-B3C8-4227-BEB7-11DB11D15647}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.MP2	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.AA	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.CUE\Shell\PlayList\ = "???“????”????(&P)"	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.KRC	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.MP1\ = "KuGoo.MP1"	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MP1\Shell\Open\ = "??(&O)"	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.APE\Shell	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.KRC\Shell\Open\ = "??(&O)"	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.AIF\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\KuGou\\KuGou2010\\KuGoo.exe\" /Open \"%1\""	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MIDI\Shell\PlayList\Command	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.A52\Shell\Open\Command	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.APE\ = "????APE??"	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.APE\Shell\Open	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.RMI\Shell\PlayList	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.AAC\DefaultIcon	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.APE\DefaultIcon\ = "C:\\Program Files (x86)\\KuGou\\KuGou2010\\KuGoo.exe,1"	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.AIF\ = "KuGoo.AIF"	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.RMI\DefaultIcon\ = "C:\\Program Files (x86)\\KuGou\\KuGou2010\\KuGoo.exe,2"	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.DTS\Shell\PlayList\Command	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.KGM\Shell\Open	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.CDA\Shell\PlayList	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MID\Shell\Open	KuGoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{162AF25B-5A2A-448E-A842-194653EF3E05}\Verb	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.M4A\Shell\PlayList\Command\ = "\"C:\\Program Files (x86)\\KuGou\\KuGou2010\\KuGoo.exe\" /List \"%1\""	KuGoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.OGG\Shell\PlayList\Command\ = "\"C:\\Program Files (x86)\\KuGou\\KuGou2010\\KuGoo.exe\" /List \"%1\""	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.AAC	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.FLAC	KuGoo.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\KuGoo.MPC	KuGoo.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1716	2108	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe	30
PID 2108 wrote to memory of 1716	2108	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe	30
PID 2108 wrote to memory of 1716	2108	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe	30
PID 2108 wrote to memory of 1716	2108	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe	30
PID 2108 wrote to memory of 1716	2108	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe	30
PID 2108 wrote to memory of 1716	2108	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe	30
PID 2108 wrote to memory of 1716	2108	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe	30
PID 1716 wrote to memory of 1732	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	34
PID 1716 wrote to memory of 1732	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	34
PID 1716 wrote to memory of 1732	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	34
PID 1716 wrote to memory of 1732	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	34
PID 1716 wrote to memory of 1980	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	35
PID 1716 wrote to memory of 1980	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	35
PID 1716 wrote to memory of 1980	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	35
PID 1716 wrote to memory of 1980	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	35
PID 1716 wrote to memory of 1980	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	35
PID 1716 wrote to memory of 1980	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	35
PID 1716 wrote to memory of 1980	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	35
PID 1716 wrote to memory of 928	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	36
PID 1716 wrote to memory of 928	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	36
PID 1716 wrote to memory of 928	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	36
PID 1716 wrote to memory of 928	1716	167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp	36

C:\Users\Admin\AppData\Local\Temp\167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\is-D0A20.tmp\167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D0A20.tmp\167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp" /SL5="$201C4,7710254,334336,C:\Users\Admin\AppData\Local\Temp\167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Program Files (x86)\KuGou\KuGou2010\KuGoo.exe
    "C:\Program Files (x86)\KuGou\KuGou2010\KuGoo.exe" Import
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32" /s "C:\Windows\system32\KuGoo3DownXControl.ocx"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1980
- - C:\Program Files (x86)\KuGou\KuGou2010\KuGoo.exe
    "C:\Program Files (x86)\KuGou\KuGou2010\KuGoo.exe" RegFileType
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\KuGou\KuGou2010\config.ini

Filesize
249B

MD5
97aac1eb208860c383828687a58a82fa

SHA1
8511af1cd6f580bdedb17eda7c72037ab8ea3b7d

SHA256
7773be3ec1b30fa614693f36942030d5beb75b845930ed90e77e68f2b0ffb9f7

SHA512
98063587d8bc6c91340ae612a52cf529ad4b26c23123adb3a921e65a97e6fcded68023dd000d7eeb2f1849ec4b9f1758d577dd4267436c18e1ae0a478afcfe2a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\¿á¹·ÒôÀÖ\¿á¹·ÒôÀÖ2010\¿á¹·ÒôÀÖ2010.lnk

Filesize
1KB

MD5
1c6e87b00a7ef367854b538b42d95589

SHA1
944b26334a544c777b07a52c074e15549cf925ea

SHA256
4dbfd9d774d82a85019a40656fe2e7b2abf62dc36acf38996b36afd95d1bc430

SHA512
ccdd33c610a29e672e0ede750f31df315e0ab77fde51e18afd37455614d56516900fc1e47442ad37c6b7fcbf97b2ad9714dd9e2ea53b2562024e24fe26eed619

Download Submit
C:\Windows\SysWOW64\KuGoo3DownXControl.ocx

Filesize
535KB

MD5
432ea1d34edf34e3b0549b7fe4293e2c

SHA1
d107a931602a8cbcd0dd7d879dc4846691740858

SHA256
6898cd6cd21b08f2d8bab36aeb0394c752ba23db8332d59be9071c86ab06ca7f

SHA512
8066fc1784bb3304015656ae8c82be236acdef3b254f0ceab33631b9648699b5c04ed256e3c46bf3d3a0236b5e1d85fb0966ebf647ab25475dd163c0e3baecc7

Download Submit
\Program Files (x86)\KuGou\KuGou2010\KuGoo.exe

Filesize
4.8MB

MD5
5eb1f1ea02d9dd70c4108be67ac93cfb

SHA1
0656c05633ed2a52fe53089a935ea2224a32d550

SHA256
23fb9c2930c687ee1cf6d611e35a2e7858bc7dbef2cfaf06bf7676f7927d711f

SHA512
73a9aada0fe360b4e10afb3f4fa7a042c04e5070c1a93bc62da5ed970f0333f8900bdcae0f9124ccc6131a6bee4452aaf78cc8c4cc6c5d17263a455fe1c66392

Download Submit
\Program Files (x86)\KuGou\KuGou2010\unins000.exe

Filesize
891KB

MD5
52911d4ca25ef5170fceb807f9062114

SHA1
c5faa594b9e1b12e77ae37fac92273da88c45e03

SHA256
ac70435905cbb8cca3c261cf7d27f0e077926385012e97150e3f4f08a6fe06e3

SHA512
e538ac87c1760e6f4db5bb7a81d0c2a00ed937f6093be916f64200b4163cd4d1d73253c2b0fa8e4e88d12df2614ccd63a274695f2ee5321364c2e17c15ca4e7e

Download Submit
\Users\Admin\AppData\Local\Temp\is-637OC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-637OC.tmp\isx.dll

Filesize
205KB

MD5
96d2c45b7ab03356d612e4606d23f196

SHA1
f9fa646c66b4b792d5e5f632cc515030acc80a9e

SHA256
f82e0e6830b0232634aa983a2e0c27c77dbf8599b0a1bf919a37ad0eb531e54d

SHA512
cff01cab7ad35c743f5384cd83a293f02c66798cf9a675939874ae3ae5c3cd97455423a80590dd011b7e2d1258aed7402f033e003119203484c56c2d58062f12

Download Submit
\Users\Admin\AppData\Local\Temp\is-D0A20.tmp\167b2e4547779a8ab4999dcb139dd6df_JaffaCakes118.tmp

Filesize
885KB

MD5
be74f275a12b6648cce33a9fe3d44bbe

SHA1
8d12bdd409cd1e4ea76fd71448b70b81edda2bdb

SHA256
11fc2eb509c35eaabaad33463e95ad17beea602e4707170b9e1ad52f07a4e790

SHA512
6492ee751e897e54408db7c54cf178d71ab3732c965853c858420ac771cfda0f4ef76eb949e5d69f8a55464bb1e54e38aba91d33c769cf419eb42b1b138f749d

Download Submit
memory/928-220-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/1716-10-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1716-20-0x0000000001FC0000-0x0000000001FFD000-memory.dmp

Filesize
244KB

Download
memory/1716-230-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1732-201-0x0000000000400000-0x00000000008ED000-memory.dmp

Filesize
4.9MB

Download
memory/1980-204-0x0000000000610000-0x000000000069E000-memory.dmp

Filesize
568KB

Download
memory/2108-3-0x0000000000401000-0x0000000000444000-memory.dmp

Filesize
268KB

Download
memory/2108-1-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2108-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2108-231-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download