9dd0c3e5e7eda5f6c5caf3128fbc5b5e9c24a8de165e526b2618b4fbd5461bc8

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Size

3.1MB
MD5

3fbbc4076a45bfbe08334c587cc5a190
SHA1

1855d84f967d46fe79877a59040eede7083fc0aa
SHA256

9dd0c3e5e7eda5f6c5caf3128fbc5b5e9c24a8de165e526b2618b4fbd5461bc8
SHA512

48f7f14de94ad99be65997066faa67d48d20c41a6b620e7311a513e116d91ee2e5da38a174237cd234bbc1eed1d457683ef9c94fb931fe2150826bfa6cccc2af
SSDEEP

98304:8g6t0F4NvE79tc0QIBl8j2fUi/QsGG+pWIGE15L0qqdhF:8vycA9NBl8SfmsR6KqQF

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Executes dropped EXE 16 IoCs

pid	Process
348	Uninstall.exe
1156	SangforCSClientInstaller.exe
852	SuperExeInstaller.exe
3616	SuperServiceInstaller.exe
3896	SangforPromoteService.exe
440	SangforServiceClientInstaller.exe
1140	InstallControl.exe
780	VNICInstaller_X64.exe
3632	DNSBackup.exe
3248	Installer.exe
2556	DNSBackup.exe
4664	HTPInstaller.exe
1536	SangforSDUIInstaller.exe
3988	SJobberInstaller.exe
3300	SangforUpdateInstaller.exe
2956	SangforRAppInstaller.exe

Loads dropped DLL 42 IoCs

pid	Process
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3896	SangforPromoteService.exe
3616	SuperServiceInstaller.exe
3616	SuperServiceInstaller.exe
3896	SangforPromoteService.exe
3896	SangforPromoteService.exe
3896	SangforPromoteService.exe
3896	SangforPromoteService.exe
3896	SangforPromoteService.exe
1140	InstallControl.exe
1140	InstallControl.exe
1140	InstallControl.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
3896	SangforPromoteService.exe
3896	SangforPromoteService.exe
3896	SangforPromoteService.exe
1396	netsh.exe
2956	SangforRAppInstaller.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFD2FD1F-C991-4A2F-8557-CDB11E275000}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E39B98A8-34A7-4D92-A979-920C48815003}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E39B98A8-34A7-4D92-A979-920C48815003}\ = "SangforSSO"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E39B98A8-34A7-4D92-A979-920C48815003}\NoExplorer = "1"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ac691dff-ade0-d64a-bf30-7f357d695718}	DrvInst.exe
File created	C:\Windows\SysWOW64\detoured.dll	InstallControl.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ac691dff-ade0-d64a-bf30-7f357d695718}\SETBEFA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ac691dff-ade0-d64a-bf30-7f357d695718}\SETBEFA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ac691dff-ade0-d64a-bf30-7f357d695718}\sangforvnic.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ac691dff-ade0-d64a-bf30-7f357d695718}\SETBF0B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ac691dff-ade0-d64a-bf30-7f357d695718}\SETBF0B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ac691dff-ade0-d64a-bf30-7f357d695718}\SangforVnic.sys	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\CSClientManagerPrj.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\DC.bat	VNICInstaller_X64.exe
File created	C:\Program Files (x86)\Sangfor\SSL\SangforUpdate\Uninstaller.exe	SangforUpdateInstaller.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\HTP\zbcdll.dll	HTPInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\SvpnJobber\SJobberUninstaller.exe	SJobberInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\RemoteAppClient\SfRemoteAppClientHook.dll	SangforRAppInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\RemoteAppClient\mstscax.dll.mui	SangforRAppInstaller.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\Uninstall.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\HTPInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\SangforVNIC.inf	VNICInstaller_X64.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforBHO.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SuperExeInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforUpdateInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\Promote\SangforPromote.exe	SuperExeInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\HTP\htpd.exe	HTPInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforUpdateInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\Nddkey\FT_ND_MOD.dll	InstallControl.exe
File created	C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\uninstall.exe	VNICInstaller_X64.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforSddn.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SSOClientPrj.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\UrlWarrent.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\Nddkey\FT_ND_SC.dll	InstallControl.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\InstallControl.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforCSClientInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\VNICInstaller_X64.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforServiceClientInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforNsp.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\HTP\uninst.exe	HTPInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\SangforSDUI\SangforSDUIUninstaller.exe	SangforSDUIInstaller.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforRAppInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\SangforCSClient\SangforCSClientUninstaller.exe	SangforCSClientInstaller.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\Promote\SangforPromote.exe	SuperExeInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\VnicDriverSign.dll	VNICInstaller_X64.exe
File created	C:\Program Files (x86)\Sangfor\SSL\HTP\htp.conf	HTPInstaller.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforSDUIInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforBHO.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforSD.CAB	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\nd_dkey_v2.CAB	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\SangforSDUI\SangforSD.dll	InstallControl.exe
File created	C:\Program Files (x86)\Sangfor\SSL\SangforServiceClient\SangforServiceClientUninstaller.exe	SangforServiceClientInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\HTP\zbcdll.dll	HTPInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\SvpnJobber\SvpnJobber.exe	SJobberInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\SangforUpdate\SangforUD.exe	SangforUpdateInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforSDUIInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\Nddkey\epsnd_m8.inf	InstallControl.exe
File created	C:\Program Files (x86)\Sangfor\SSL\HTP\netbase.dll	HTPInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\Promote\PromoteUninstall.exe	SuperExeInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\Promote\PromoteServiceUninstall.exe	SuperServiceInstaller.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\VnicDriverSign.dll	VNICInstaller_X64.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SuperServiceInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforNsp.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SJobberInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\SangforSDUI\SangforSDUI.exe	SangforSDUIInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforL3Vpn.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\CS App Support Client.log	Installer.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\HTP\netbase.dll	HTPInstaller.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforTcp.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\HTP\krtdll.dll	HTPInstaller.exe
File created	C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\Uninstaller.exe	VNICInstaller_X64.exe
File created	C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\DNSBackup.exe	VNICInstaller_X64.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforServiceClientInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SSOClientPrj.dll	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\Installer.exe	VNICInstaller_X64.exe
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SuperExeInstaller.exe	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	Installer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SangforServiceClientInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SJobberInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VNICInstaller_X64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DNSBackup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SangforCSClientInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SuperExeInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SuperServiceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SangforUpdateInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SangforRAppInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SangforPromoteService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTPInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SangforSDUIInstaller.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023c9a-177.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 30 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	Installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	Installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	Installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	Installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	Installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SangforCore.SangforCoreCom	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8926450F-FECD-4852-9219-F5B4362C94F1}\1.0\0\win32\ = "C:\\Program Files (x86)\\Sangfor\\SSL\\ClientComponent\\SSOClientPrj.dll"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53EC2F48-968E-4A42-B99B-9F6571475003}\InprocServer32\ = "C:\\Program Files (x86)\\Sangfor\\SSL\\ClientComponent\\SangforTcp.dll"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SangforL3Vpn.L3Vpn.1\CLSID\ = "{BC0615F9-5824-49F3-A36A-376B167DED43}"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SangforSddn.Sddn\ = "Sddn Class"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B57D701-FC61-4857-B172-7135C1917FB1}\TypeLib\Version = "1.0"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A39CB63-CC0C-4EDD-82D0-4559C5085003}\ProgID	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A39CB63-CC0C-4EDD-82D0-4559C5085003}\InprocServer32\ThreadingModel = "Apartment"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProxyIE.CSProxy\CurVer	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{400A754D-7867-4BE7-B787-D3F442307577}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Sangfor\\SSL\\ClientComponent\\"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{013B354E-96FF-4675-8942-B6CB50889543}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FT_ND_SC.ePsM8SC\CLSID	InstallControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOClientPrj.Web2Client.1\CLSID	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00636D5E-8A83-46D4-A389-7DF7B030B6EC}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53EC2F48-968E-4A42-B99B-9F6571475003}\ProgID\ = "ProxyIE.CSProxy.1"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53EC2F48-968E-4A42-B99B-9F6571475003}\VersionIndependentProgID	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4A90D77-027F-4096-8D94-8FA4A4E1F235}\1.0\0	InstallControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOClientPrj.SSOClientBHO.1\CLSID	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5A85624-037B-446E-9090-EEA49DFD4300}\InprocServer32	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F1FA1B-468A-41E3-BBC8-4FF781015C4F}\TypeLib\Version = "1.0"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6316651-CC1B-4FB9-A985-4796DC6B5003}\VersionIndependentProgID	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6FA42FE-C228-46F8-8964-3A482C0888A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClientNSPPrj.ClientNSP	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{400A754D-7867-4BE7-B787-D3F442307577}\1.0	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SangforL3Vpn.L3Vpn.1\ = "L3Vpn Class"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC0615F9-5824-49F3-A36A-376B167DED43}\ProgID\ = "SangforL3Vpn.L3Vpn.1"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C844E9EA-6DA2-4020-8DF2-3E2C8733328B}\1.0\0\win32\ = "C:\\Program Files (x86)\\Sangfor\\SSL\\ClientComponent\\SangforSddn.dll"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOClientPrj.SSOClientBHO\ = "SSOClientBHO Class"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClientNSPPrj.ClientNSP\CLSID	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A2AB65E-3650-4120-AD55-3640EF1716DD}\1.0	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A2AB65E-3650-4120-AD55-3640EF1716DD}\1.0\0\win32	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B57D701-FC61-4857-B172-7135C1917FB1}\ = "ISangforCoreCom"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4A90D77-027F-4096-8D94-8FA4A4E1F235}\1.0\FLAGS	InstallControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOClientPrj.Web2Client\CLSID\ = "{E6316651-CC1B-4FB9-A985-4796DC6B5003}"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC0615F9-5824-49F3-A36A-376B167DED43}\VersionIndependentProgID	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70AED526-A803-4E5D-9EFC-BDA40D039502}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D372A52D-D08B-4336-B561-E00028877FAB}\ProxyStubClsid32	InstallControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFD2FD1F-C991-4A2F-8557-CDB11E275000}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A39CB63-CC0C-4EDD-82D0-4559C5085003}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6FA42FE-C228-46F8-8964-3A482C0888A4}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB568827-4E19-4131-942E-C960AD93C28A}\1.0\0	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FFD2FD1F-C991-4A2F-8557-CDB11E275000}\InprocServer32	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SangforBHO.SangforHelper.1	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1465DEB2-3910-4187-967A-2CB6E8925000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOClientPrj.SSOHtmlElementEvent\CurVer	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FT_ND_SC.ePsM8SC.1\ = "ePsM8SC Class"	InstallControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F6E061-5558-438D-9FA2-F75503950011}\InprocServer32	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7CB39B1-4D52-4C1F-A3DB-2EE39B9BB49A}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53EC2F48-968E-4A42-B99B-9F6571475003}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BC93A23-F692-4D82-8C9B-D26232C8FFD3}\VersionIndependentProgID	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D73CFC-0085-4D5E-97D9-274EE3094F7C}\InprocServer32\ = "C:\\Program Files (x86)\\Sangfor\\SSL\\ClientComponent\\UrlWarrent.dll"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7CB39B1-4D52-4C1F-A3DB-2EE39B9BB49A}\TypeLib	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOClientPrj.SSOClientBHO\CLSID\ = "{E39B98A8-34A7-4D92-A979-920C48815003}"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B98A8-34A7-4D92-A979-920C48815003}\VersionIndependentProgID	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A3E8532E-398D-426F-96AC-B7AB9029A354}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B57D701-FC61-4857-B172-7135C1917FB1}\TypeLib\ = "{BB568827-4E19-4131-942E-C960AD93C28A}"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SangforBHO.SangforHelper\CurVer	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA932284-5078-424D-9F64-33283B6F79B5}\TypeLib\Version = "1.0"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72C391A8-4FF6-4198-9945-D6596BFEB846}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91557551-9285-4884-B882-DD419F1A7590}\ = "ICSProxy"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SangforL3Vpn.L3Vpn\CLSID\ = "{BC0615F9-5824-49F3-A36A-376B167DED43}"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E532BD84-B91B-482D-9575-E6B8534802B9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{915C2B11-A583-429F-821A-477CE5277C76}	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA932284-5078-424D-9F64-33283B6F79B5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	Uninstall.exe
Token: SeAuditPrivilege	4344	svchost.exe
Token: SeSecurityPrivilege	4344	svchost.exe
Token: SeLoadDriverPrivilege	3248	Installer.exe
Token: SeLoadDriverPrivilege	3960	DrvInst.exe
Token: SeLoadDriverPrivilege	3960	DrvInst.exe
Token: SeLoadDriverPrivilege	3960	DrvInst.exe
Token: SeLoadDriverPrivilege	3248	Installer.exe
Token: SeLoadDriverPrivilege	3248	Installer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
348	Uninstall.exe
348	Uninstall.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 348	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	86
PID 2992 wrote to memory of 348	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	86
PID 2992 wrote to memory of 348	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	86
PID 2992 wrote to memory of 1156	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	87
PID 2992 wrote to memory of 1156	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	87
PID 2992 wrote to memory of 1156	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	87
PID 2992 wrote to memory of 852	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	88
PID 2992 wrote to memory of 852	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	88
PID 2992 wrote to memory of 852	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	88
PID 2992 wrote to memory of 3616	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	89
PID 2992 wrote to memory of 3616	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	89
PID 2992 wrote to memory of 3616	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	89
PID 2992 wrote to memory of 440	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	91
PID 2992 wrote to memory of 440	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	91
PID 2992 wrote to memory of 440	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	91
PID 2992 wrote to memory of 1140	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	92
PID 2992 wrote to memory of 1140	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	92
PID 2992 wrote to memory of 1140	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	92
PID 2992 wrote to memory of 780	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	93
PID 2992 wrote to memory of 780	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	93
PID 2992 wrote to memory of 780	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	93
PID 780 wrote to memory of 3632	780	VNICInstaller_X64.exe	94
PID 780 wrote to memory of 3632	780	VNICInstaller_X64.exe	94
PID 780 wrote to memory of 3632	780	VNICInstaller_X64.exe	94
PID 3632 wrote to memory of 452	3632	DNSBackup.exe	95
PID 3632 wrote to memory of 452	3632	DNSBackup.exe	95
PID 3632 wrote to memory of 452	3632	DNSBackup.exe	95
PID 780 wrote to memory of 3248	780	VNICInstaller_X64.exe	97
PID 780 wrote to memory of 3248	780	VNICInstaller_X64.exe	97
PID 452 wrote to memory of 1396	452	cmd.exe	98
PID 452 wrote to memory of 1396	452	cmd.exe	98
PID 452 wrote to memory of 1396	452	cmd.exe	98
PID 4344 wrote to memory of 536	4344	svchost.exe	100
PID 4344 wrote to memory of 536	4344	svchost.exe	100
PID 4344 wrote to memory of 3960	4344	svchost.exe	102
PID 4344 wrote to memory of 3960	4344	svchost.exe	102
PID 780 wrote to memory of 2556	780	VNICInstaller_X64.exe	104
PID 780 wrote to memory of 2556	780	VNICInstaller_X64.exe	104
PID 780 wrote to memory of 2556	780	VNICInstaller_X64.exe	104
PID 2992 wrote to memory of 4664	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	105
PID 2992 wrote to memory of 4664	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	105
PID 2992 wrote to memory of 4664	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	105
PID 2992 wrote to memory of 1536	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	106
PID 2992 wrote to memory of 1536	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	106
PID 2992 wrote to memory of 1536	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	106
PID 2992 wrote to memory of 3988	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	107
PID 2992 wrote to memory of 3988	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	107
PID 2992 wrote to memory of 3988	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	107
PID 2992 wrote to memory of 3300	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	108
PID 2992 wrote to memory of 3300	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	108
PID 2992 wrote to memory of 3300	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	108
PID 2992 wrote to memory of 2956	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	109
PID 2992 wrote to memory of 2956	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	109
PID 2992 wrote to memory of 2956	2992	3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe	109

C:\Users\Admin\AppData\Local\Temp\3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fbbc4076a45bfbe08334c587cc5a190_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\Uninstall.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\Uninstall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:348
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforCSClientInstaller.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforCSClientInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1156
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SuperExeInstaller.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SuperExeInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:852
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SuperServiceInstaller.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SuperServiceInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3616
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforServiceClientInstaller.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforServiceClientInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:440
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\InstallControl.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\InstallControl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1140
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\VNICInstaller_X64.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\VNICInstaller_X64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\DNSBackup.exe
    "C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\DNSBackup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c DC.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface ip show DNS
        5⤵
        Loads dropped DLL
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1396
- - C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\Installer.exe
    "C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\Installer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- - C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\DNSBackup.exe
    "C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\DNSBackup.exe" r
    3⤵
    - Executes dropped EXE
    PID:2556
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\HTPInstaller.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\HTPInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4664
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforSDUIInstaller.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforSDUIInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1536
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SJobberInstaller.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SJobberInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3988
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforUpdateInstaller.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforUpdateInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3300
- C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforRAppInstaller.exe
  "C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforRAppInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2956

C:\Program Files (x86)\Sangfor\SSL\Promote\SangforPromoteService.exe
"C:\Program Files (x86)\Sangfor\SSL\Promote\SangforPromoteService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{d43f2d1b-2aab-fa4d-b404-3cd413843d4a}\sangforvnic.inf" "9" "493d7628f" "0000000000000148" "WinSta0\Default" "000000000000015C" "208" "c:\program files (x86)\sangfor\ssl\csclient\vnic"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:536
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "3" "1" "ROOT\NET\0000" "" "" "493d7628f" "0000000000000158"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Sangfor\SSL\CLIENT~1\ND_DKE~1.CAB

Filesize
228KB

MD5
ffb870680f45dda30a54fa9f27d1b6bd

SHA1
5724e43881e31b08f0bdc8c4e3e9c389d914e680

SHA256
4a20539cfac1fa0ace18a2e0570c594aa51e8bfaa84defb9f00c8cfc1fa0bf75

SHA512
d80b1b2d1adc8fffb9710d551d476e392e88de5f9203724137f1a064bd1d809007697b5656a327fb2746f100ed113dde69fb61b627709c1e3972969807db1700

Download Submit
C:\PROGRA~2\Sangfor\SSL\CLIENT~1\SANGFO~1.CAB

Filesize
80KB

MD5
d1d722c416d486d02dd79cf72c44b06d

SHA1
d99144c8dae64bfc02e6fd17aa5881dfb362038e

SHA256
271871f5d482e365f3ce2d4829c9b476fc4085b512f8d343bee8c5a36501f5e5

SHA512
2efd97a0cf4459f4279d70c1c126c7702992513ca6a8f9c55cd7fea3d526d8dd029574613d40b379413ccbafb0426245eca2edc81f9f119b474bb8250835154a

Download Submit
C:\PROGRA~2\Sangfor\SSL\CLIENT~1\detoured.cab

Filesize
9KB

MD5
21b4cde312363e8922b856b5ff85c1fa

SHA1
c8f017432d69940a77a12ef6358edf5619128212

SHA256
d371900da0a2a851eab58dc3d241a99dc73963961fcb76787dc894015eca125f

SHA512
57b011ef31b2437820f3aa90eed89c5ea6b45215a6adb1ba036fecaecab7c1d4a754f67f476a895fbf1418623035c80b3dd4c62dc6ba1bb8197cf6591f5b2065

Download Submit
C:\Program Files (x86)\Sangfor\SSL\CSClient\VNIC\DNSBackup.exe

Filesize
49KB

MD5
99ccd377eff2eb85e43aaadb29ed51b0

SHA1
5c87d3f53c6376361369e733b534c2c7adf3835b

SHA256
b2315499dcbfed9373a169ed2728ffa69847e3ddc8ce24db71387b67a8e5ba9e

SHA512
c72ee5df6ca7f2bb798a34c6a8ad00535ef7daed57bb8ea90635dd81b645c5e3b6f853791f990938813cfa3902173ecc6be1cb852c51a8b6d5f1a6072ada7194

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\CSClientManagerPrj.dll

Filesize
236KB

MD5
04055853152f3d3631cf5ce3ec4dbf66

SHA1
1a30d2f87e572b970ad5bb06aab3c873b15b74a7

SHA256
005a236b692e4b3ac220a06f5cfda63417895c6c4c3b387a9269b8ca966a5e3e

SHA512
97a16e1c5e774755792cc1356296d83e1bada24f0b6707ad82b0d365adc69bcb15a68fb387be3d7ea3ee751fad601a5e3c3ab4a7e730a590cb514ec20091429e

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\InstallControl.exe

Filesize
56KB

MD5
ab2aed3798eaba532e1cb59e54fac3e9

SHA1
d8d782b6427da101761c0215d611367251428a2e

SHA256
84e03b1381de0710031b90daa7d5459944b2ebf4fbc665b18914c1f4ac34b4dc

SHA512
e1d2925e677f812511718e106aade21a994df81a17926ac717dc0b34e093e439f9985a97e0f9c659bd64a81c8efa5d7894b693d6c3715ad0b92127c0bcc1d677

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\Nddkey\FT_ND_API.dll

Filesize
129KB

MD5
90911ed5982555df949d80e67bd33ac6

SHA1
fcad775569ac4b39fe12e5f6669c94d3081f71cd

SHA256
166920f46f4641c4171c565e36b4675348f5fc00c9c8c2066c28afd3e8b19740

SHA512
b28930b90a98912647e2233f99cf9748440d39a62aa9ff4cdf5fd6736405d2da1706da9810c19cc6f97f6bfc545226af4d672e88d68f050408ba0c89e53a9b17

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\Nddkey\FT_ND_SC.dll

Filesize
65KB

MD5
2fdba4e269e0628e3a6076c81a1aad71

SHA1
2eab1abe53c2eea507eeed71a90dccceb9a0db9e

SHA256
32876260682e50ebe9f54fc0d339ca655d6d1281148091eec9388448cef3f4e0

SHA512
2e7a4a1b590bd2003ea64ffde8d1440b42c5a12c86e41e6be09df08469d8ade784174bfbff9a843f4460960ca4caaf5e93b8fdb0aa6cca4cf8921a077c25413d

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SSOClientPrj.dll

Filesize
144KB

MD5
d0bdb0ef0cdc5fcb31fb6799d59e59b2

SHA1
f502b98b89c4dbfad14db1156a31de05461aea2f

SHA256
d2d17f1c405979ecd5f24106450f5c70f268743ab6cf6f3610aea6d9e260c08c

SHA512
862a5def9403964ab5ed10d6a1161d06494922a83b6f76eb3f44c320a5be9679c269922b16b27f032da7860cf9099037f3b9a8a94f81e8f318e4436ebebb86a5

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforBHO.dll

Filesize
100KB

MD5
57dc36976b7bc55a37109695f3d1d499

SHA1
f55e66329b3b691a1c393f0cda81328cf16bdc57

SHA256
03676c9e0a0e59ab0b8e0a20a92cb000cf657ad5c64c86ad4d2e6660996e0da4

SHA512
fc2e4d81d3ba4cdc96844337d62df8566b09dc5e8643f828b6f57f8a9930f978ce3954df65c14dab9d48a5c9da909f3c0bd0f1b4f327d0da4f9086573f58cbb0

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforCSClientInstaller.exe

Filesize
227KB

MD5
ad8a0eeaee0a600f80dc3ee1b24d92ec

SHA1
825795549bd36254313488eff8185b725b81cdf1

SHA256
fde38773cbb182ac7f5b18a2439c2c7e9e420485b48e5ab80108e064201fd5f6

SHA512
a3035ea638232771570f7c16253a63bbd5bec00a8f6583d3e0155ebe40c076df166157503be6f0c76a77b17ff0acfed38c312d205472542422c7317396176842

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforCore.dll

Filesize
596KB

MD5
84c4796caacc1eca8b5e739f900fdfac

SHA1
ff33d1a58ba1a32b132444e970e6dd704d82c2ea

SHA256
0da9fddb51c610c98aa098c2a9460b80a89e41b1c05be54a85f4082a46b855c6

SHA512
1bedaa428d9686b30745f9a7f7feec8f011e522b2f173aa51e54b1cca1c800f8233c669a300726b12b2c7e50065ff756c0c2e7619018e37c2bd6404d7241363a

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforL3Vpn.dll

Filesize
276KB

MD5
71946aaed78cbfa3758eac844dfa7837

SHA1
a4cc9443352db832c0977339650d99d635225b07

SHA256
309d314886106ec5c9b276a0c28a1bf2985e27f5ce4c68c43195f45171dc070f

SHA512
de843d5f175aeb876e2c732c9051c572b3fd46a880a7745a237d45eac2e82481552b37c2732bdbbcc0e8052d299fa81b6d7e069bbcee1ea777057c1cafd449ba

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforNsp.dll

Filesize
1.4MB

MD5
adb61575e9f50a62dc8d03f3fbe3b9a2

SHA1
9055667dbb312ee932794cdc7cce7720be246c17

SHA256
eae0415bdd3943e7695815798cd55ed27d51a6c8c99427e9dc833f726f2a3f96

SHA512
cc4a7f32139887c8e819b073875bfafd351da697edd0c7aa76c00ed5c14b82c70bc2db8bc33b9be6148d25fe2c24819dc9807f2e75d1d9b8787f10f54d6c0458

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforSddn.dll

Filesize
249KB

MD5
0770df7c04942e6fd1a8ebecf21f6916

SHA1
1320cdc2f41ad63199c56c65af72c17e80b00e2d

SHA256
493ff4da2bc74d6c636ca1e3543f5930820fea3a06fd02a737c01a038a501ad3

SHA512
d8144b6c1b0d54fbd850cba2e980ba3b5a5d42abe9595e9ad2681ac54a47dce2ca72ba6cf71a98b797b86901fb1011a59a7a7ae3d21c95b2ebb86d670128e4bd

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforServiceClientInstaller.exe

Filesize
76KB

MD5
64c803cba85b21bf20004aa3c7128d48

SHA1
99e5db910b9e6abcda3e0569a5c738e3ee83e477

SHA256
5a5f0b46bde6f2cb5b5bcd87584f15e6efb15ebd4fb57a47155cdec3b74029cb

SHA512
ada2c2d8cc930b74364c792bde9a5036387d5aa3ed1e64067248861e51133e0d0b48d2ebe90e12ab632a11335314b64d574d561979ac603c4c20b211b87b820a

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforTcp.dll

Filesize
1.6MB

MD5
bf05ee3df332861f7a7e6c17b5647720

SHA1
f2a93217b37dc4351bfa140c3dedd4c4cd203882

SHA256
3591a93f69e8b2f6e462d52dbe99a4295c179984c1b36bd43c6d015eaa779949

SHA512
5e79169c5e4a5b24a29c8fe2c511ff642b49fb37ebacb2b63aff8e2b19eb84a139c0a78b7388559401ae1f21312ba074e50b357a24b7a55f50a1bd2cd55401dd

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SuperExeInstaller.exe

Filesize
151KB

MD5
cc64684253944ed963252354051feb55

SHA1
61e953dc18b5ddffa4826c18b946b716b927afaf

SHA256
15dba1227ddec28002333beccc2fc2e0b823907f012d56d29a9ddcdf8a2759c7

SHA512
9b919b5256fb149144b6b90ecdcb7e1814295163e72b2c623e2044993a9f8859923e00a29809b47fd6336fb25575f34c15b7d8f04abf61579ebe2c357202696c

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SuperServiceInstaller.exe

Filesize
94KB

MD5
83cec4b986a07baaebceefe885aaaae3

SHA1
48729bfbdbe8b612d1c5c5b4a47eefabe8ba7479

SHA256
440345ae2effff2b373683a944aade7461dabe495432f926bd42f48d4ff27c6b

SHA512
64ef1ae86099a5d772c57b46bba96ee3e10cf7e258d0b8d74d4278b90c8b44c9d5d14220c904a7a20bf49ba795fdb56e22b05499cec30ed384105604ff654cc0

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\Uninstall.exe

Filesize
112KB

MD5
65afc0dedccde336b0e32ea633b962fb

SHA1
87451f5045da81f2b20a02c4b4b2a0b51f770858

SHA256
5e82edaa5837ebe0eb7ef6b3af8409c75426600ebffd4ccd1366d145a7152237

SHA512
d5f55b95cadf8d8f0f9289b429db1d8e2699d4513574c9c611855afac9b8fdac82cff6c9f4020be3c46bbabdc45eb1f170df157d98bc40389a01b583f47e22ae

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\UrlWarrent.dll

Filesize
124KB

MD5
c2aea24fe072430f5606889f4b0ec8e0

SHA1
6aa6c8356dfee1a0593d3ed858fdd9027bc2e690

SHA256
abbd0f4b56997a1961e682604008ae6966d6545231cf6f39b964d0f6abb8a472

SHA512
0b5bfebf258008eb854a206719febd468df072104d58e0753342eec9d44c9050e68b9bcf1daaef84e7d0a7b677c667ecc617a20d5299f78f4ecf372fa278e974

Download Submit
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\VNICInstaller_X64.exe

Filesize
91KB

MD5
f5b3ad3e9cb3ca63e1d38c8580c3bd83

SHA1
40e8ec830a63df8bff698b55b041fb6708188181

SHA256
0ab35431129d87614fc1b59846a616730545ebe8a62b31827562ae5d05cc6d79

SHA512
050d45294e905f43ac07934511c863021e217cd55c14032d3d96841edc6c4e2158d787eaff0bbc1ebd552a9f10caa6a672199162432d71c7e9425827bbf4c9b8

Download Submit
C:\Program Files (x86)\Sangfor\SSL\Promote\MSVCP60.dll

Filesize
404KB

MD5
59a6413fb2cc89fd8651b1d2962fb8b9

SHA1
7e118606f03a591897e014b7693d64e6a86fdbe0

SHA256
fed76003f544525783796a22a07b190a8340874c11b5cf1999196c697d51e154

SHA512
83e7ea9905214081793c2a241b776a29dab58ba6ce279ceb3851347004c4ae99cf33fb77f12c7d7474de32d417686f8ba5624a7bd7cec73f3dcab55adae307b5

Download Submit
C:\Program Files (x86)\Sangfor\SSL\Promote\SangforPromote.exe

Filesize
68KB

MD5
ce82406735b89b6e77db305a562705f7

SHA1
f22bad486472cd70bf33fbb5c7ada5883b83e8b9

SHA256
55001f1fb7437242dafa00cc677d0fc0ed0e88acc36297d467e996967442cc75

SHA512
dbfc77243dd12315e74d58eccab2e80f3442fbaa4f0715a9fb11bd300c20acc113ab19b52453607f48624716c92a818f95b1a4112a23e121c92697ea3b2a51f9

Download Submit
C:\Program Files (x86)\Sangfor\SSL\Promote\SangforPromoteService.exe

Filesize
108KB

MD5
085e35e80fe658b626ee3bebb0536766

SHA1
cc372b471eb98e2fda09577c601aa5668cf4900c

SHA256
5e7899ca27f4e955da380a60ef08c14ea396a959f8a7580c116a9f5c62c68f69

SHA512
e1724fb9ed3ad25a17ac189a3c0a9bbd13496b4eb2dba1078485ca618230b83410591391b0fa17d9a55391b6dde8534b25c7695083fd63825535aaf944453f53

Download Submit
C:\Program Files (x86)\Sangfor\SSL\SangforCSClient\SangforCSClientUninstaller.exe

Filesize
34KB

MD5
4cb8a3a75fb92c341dc3acd7e141b19c

SHA1
007691c22828ffd21e0ce5d5fe62922957a434e7

SHA256
6561a79476ced5c71c045e4ae92eb5994dc08eea88e37a6ec2abc8c0779f7e89

SHA512
243739e0ebc7e57e30bea6b4a44ae2471de858d344f311e991cd04aa29a54a10d32eaeb1ce4fbb14ed4fe85f6164cdc981e58d67b9615c0a992871377b1daa2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiB364.tmp\System.dll

Filesize
10KB

MD5
725145e8caa39635cab9899c47c72eda

SHA1
30478c907551bd920bf359638b091fc5c10b5a53

SHA256
1759e4f7777fb8c9ed356a7d4dc237a90e0760061685d44ea02d40ca9e359ceb

SHA512
de31286ea10321f762a3b6e7c6c82177d5b6f45a82adc936fcbbc23105708cbbbec903ba94ba94e7723e80f1828393e5395ef575b37136b19de7535e74e24547

Download Submit
C:\Windows\System32\DriverStore\Temp\{ac691dff-ade0-d64a-bf30-7f357d695718}\SETBEFA.tmp

Filesize
1KB

MD5
807902cec10d074a89232c545f90b6f9

SHA1
72fc3a4c90b909aa2cca98c007f70f6492511cad

SHA256
34aae18c44b7b65cebd2844da1514de208f514f6a839167fde5bb359217af73d

SHA512
af86f1a3ee7a48c3cd6bc285de16163b5bb7d2fc560569649c8c5ee67ad00b208e5d02c55ac2b7a9ad135f43f58e305c1d9e7da0f59c143ac644b5e3bfd385aa

Download Submit
C:\Windows\System32\DriverStore\Temp\{ac691dff-ade0-d64a-bf30-7f357d695718}\SETBF0B.tmp

Filesize
33KB

MD5
b87bd17c6d3ab4a5d2621bbf71e9aaf9

SHA1
f2139aed3bd315f207598184fbc028353bbd6f7c

SHA256
4721d26fe98629324b9eb6ddbafb4991ebec2d64dd0b79fa16b9cee24ca5c20d

SHA512
f48607afc6046a275bd3e8de30f54e7a7b08fbb0577fc8aa550b41f127f7a6af62bfdd89216f436114ba739345b0e85cb750bee205b39e2fe5e6b220a6c56cdd

Download Submit
memory/1140-195-0x0000000000480000-0x00000000004A1000-memory.dmp

Filesize
132KB

Download
memory/2992-51-0x0000000004810000-0x00000000048B0000-memory.dmp

Filesize
640KB

Download
memory/3896-164-0x0000000000A00000-0x0000000000A65000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads