File name: CFCA_UKTool_RU.exe

Full analysis: https://app.any.run/tasks/294831af-b92b-4039-90e1-c559ed40813d
Verdict: Malicious activity
Analysis date: May 31, 2024, 15:44:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: EDB8E7F6604A5F2EA907E07A37A852BA
SHA1: 8C55B2CB94CEBF8D1D7C9825EF5A9F628DCF66B7
SHA256: 405AF3CBDE05A00EDF07C6BC83D92ACDC39B9EE45872AC2C2C94A8F3E3BE28C2
SSDEEP: 24576:RLyIp3+ROkRPMNOggBnkblgogOI1KO7Vmv/s7JzJkEZXGzVvPxT/7dys4WJ0cmf/:dyIp3+ROkRPMNOggBnkbyogOI1KO7Vmc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • CFCA_UKTool_RU.exe (PID: 4084)
    • Creates a writable file in the system directory

      • CFCA_UKTool_RU.exe (PID: 4084)
    • Changes the autorun value in the registry

      • CFCA_UKTool_RU.exe (PID: 4084)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • CFCA_UKTool_RU.exe (PID: 4084)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • CFCA_UKTool_RU.exe (PID: 4084)
    • Executes as Windows Service

      • CFCA_UKEY_SRV.exe (PID: 1036)
    • Executable content was dropped or overwritten

      • CFCA_UKTool_RU.exe (PID: 4084)
    • Creates a software uninstall entry

      • CFCA_UKTool_RU.exe (PID: 4084)
    • Reads the Internet Settings

      • CFCA_UKeyTool.exe (PID: 2040)
  • INFO

    • Reads the computer name

      • CFCA_UKTool_RU.exe (PID: 4084)
      • CFCA_UKEY_SRV.exe (PID: 820)
      • CFCA_UKEY_SRV.exe (PID: 1036)
      • CFCA_UKeyTool.exe (PID: 2040)
    • Checks supported languages

      • CFCA_UKTool_RU.exe (PID: 4084)
      • CFCA_UKEY_SRV.exe (PID: 1036)
      • CFCA_UKEY_SRV.exe (PID: 820)
      • CFCA_UKeyTool.exe (PID: 2040)
    • Creates files in a temporary directory

      • CFCA_UKTool_RU.exe (PID: 4084)
    • Creates files in the program directory

      • CFCA_UKTool_RU.exe (PID: 4084)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:12:11 21:50:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 118784
UninitializedDataSize: 1024
EntryPoint: 0x32bf
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.8.28
ProductVersionNumber: 1.1.8.28
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Traditional)
CharacterSet: Windows, Taiwan (Big5)
Comments: -
CompanyName: China Financial Certification Authority
FileDescription: CFCA Illustrate Internet Banking UKey InstallPack
FileVersion: 1.1.8.28
LegalCopyright: Copyright (C) 2018
LegalTrademarks: -
ProductName: CFCA_UKTool
ProductVersion: 1.1.8.28
No data.
Total processes: 39
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start, cfca_uktool_ru.exe, cfca_ukey_srv.exe (no specs), cfca_ukey_srv.exe, cfca_ukeytool.exe, cfca_uktool_ru.exe (no specs)

Process information

PID: 820
CMD: "C:\Windows\system32\CFCA_UKEY_SRV.exe " /i /s
Path: C:\Windows\System32\CFCA_UKEY_SRV.exe
Parent process: CFCA_UKTool_RU.exe
User: admin
Company: China Financial Certification Authority
Integrity Level: HIGH
Description: CFCA Service Application
Exit code: 0
Version: 1.1.8.28
Modules (images):
c:\windows\system32\cfca_ukey_srv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll

PID: 1036
CMD: C:\Windows\system32\CFCA_UKEY_SRV.exe
Path: C:\Windows\System32\CFCA_UKEY_SRV.exe
Parent process: services.exe
User: SYSTEM
Company: China Financial Certification Authority
Integrity Level: SYSTEM
Description: CFCA Service Application
Version: 1.1.8.28
Modules (images):
c:\windows\system32\cfca_ukey_srv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll

PID: 2040
CMD: /min
Path: C:\Program Files\CFCA\UKEY\CFCA_UKeyTool.exe
Parent process: CFCA_UKEY_SRV.exe
User: admin
Integrity Level: MEDIUM
Description: CFCA_Client Module
Version: 1.1.8.28
Modules (images):
c:\program files\cfca\ukey\cfca_ukeytool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 3980
CMD: "C:\Users\admin\AppData\Local\Temp\CFCA_UKTool_RU.exe"
Path: C:\Users\admin\AppData\Local\Temp\CFCA_UKTool_RU.exe
Parent process: explorer.exe
User: admin
Company: China Financial Certification Authority
Integrity Level: MEDIUM
Description: CFCA Illustrate Internet Banking UKey InstallPack
Exit code: 3221226540
Version: 1.1.8.28
Modules (images):
c:\users\admin\appdata\local\temp\cfca_uktool_ru.exe
c:\windows\system32\ntdll.dll

PID: 4084
CMD: "C:\Users\admin\AppData\Local\Temp\CFCA_UKTool_RU.exe"
Path: C:\Users\admin\AppData\Local\Temp\CFCA_UKTool_RU.exe
Parent process: explorer.exe
User: admin
Company: China Financial Certification Authority
Integrity Level: HIGH
Description: CFCA Illustrate Internet Banking UKey InstallPack
Exit code: 0
Version: 1.1.8.28
Modules (images):
c:\users\admin\appdata\local\temp\cfca_uktool_ru.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events: 2 631
Read events: 2 620
Write events: 11
Delete events: 0

Modification events

(PID) Process: (4084) CFCA_UKTool_RU.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\CFCA FOR UKEY CSP v1.1.0
Operation: write
Name: Image Path
Value: C:\Windows\system32\CFCA_UKEY_scsp.dll

(PID) Process: (4084) CFCA_UKTool_RU.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\CFCA FOR UKEY CSP v1.1.0
Operation: write
Name: Type
Value: 1

(PID) Process: (4084) CFCA_UKTool_RU.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\CFCA FOR UKEY CSP v1.1.0
Operation: write
Name: Signature
Value: 1DAF88156253014172108695D99BAD731E8771EBA5D633136E0342870DD19E90BD32F745953102E9559207F4C66B5B5FF68C560B5CC2D13F64160FA6ECD94C542A21FEB1B69E732F46CFCB202C5F25CD1161B463BFB92570DA0F818DD02549887607A436B5A6FB8C049B21AFA54FA5B607235DC32AFA0EE6D8A9EAAE2B5822700000000000000000

(PID) Process: (4084) CFCA_UKTool_RU.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\SKF\CFCA
Operation: write
Name: Name
Value: CFCA

(PID) Process: (4084) CFCA_UKTool_RU.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\SKF\CFCA
Operation: write
Name: Path
Value: C:\Windows\system32\CFCA_UKEY_GMAPI.dll

(PID) Process: (4084) CFCA_UKTool_RU.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: cfca_client
Value: "C:\Program Files\CFCA\UKEY\CFCA_UKeyTool.exe" /min

(PID) Process: (4084) CFCA_UKTool_RU.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CFCA UKey Tool
Operation: write
Name: DisplayName
Value: CFCA UKey Tool V1.1.8.28

(PID) Process: (4084) CFCA_UKTool_RU.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CFCA UKey Tool
Operation: write
Name: UninstallString
Value: C:\Program Files\CFCA\UKEY\uninst.exe

(PID) Process: (4084) CFCA_UKTool_RU.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CFCA UKey Tool
Operation: write
Name: DisplayIcon
Value: C:\Program Files\CFCA\UKEY\CFCA_UKeyTool.exe

(PID) Process: (4084) CFCA_UKTool_RU.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CFCA UKey Tool
Operation: write
Name: DisplayVersion
Value: V1.1.8.28
Executable files: 11
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4084 | CFCA_UKTool_RU.exe | C:\Users\admin\AppData\Local\Temp\nsi3F6E.tmp\System.dll | executable
MD5: 3F176D1EE13B0D7D6BD92E1C7A0B9BAE
SHA256: FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E

4084 | CFCA_UKTool_RU.exe | C:\Windows\system32\CFCA_UKEY_CSP.dll | executable
MD5: 3A3CEF8F884B016C73DDDBB600C6B3DA
SHA256: F689D215A52EA61586F00761988C2E9DAE4544F9F0BB1D459344489C78712EB6

4084 | CFCA_UKTool_RU.exe | C:\Windows\system32\CFCA_UKEY_SRV.exe | executable
MD5: 9A83C6FC5515CA7D8255A1945692C16F
SHA256: B90700DAE5BC20424759622B54481022DFF97A5C605DC68A71D26C2F779894C3

4084 | CFCA_UKTool_RU.exe | C:\Windows\system32\CFCA_UKEY_LIB.dll | executable
MD5: CBCA3257DA31B83503C83979702A68B8
SHA256: 193A71FE6505BB57C5003D5604057E9239D9C1928AB087C674BEA2485F0117E1

4084 | CFCA_UKTool_RU.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CFCA UKey Tool\User\UKey tool.lnk | binary
MD5: 9F764C59CB15C6324DED8378A48A06D2
SHA256: F2A5A532625BF284E4E2D14B2C5E44443C524F611A1CC4D7318888D663905767

4084 | CFCA_UKTool_RU.exe | C:\Windows\system32\CFCA_UKEY_GMAPI.dll | executable
MD5: 995A757F87AF66761070345CDA5ED4A9
SHA256: 5DF7DB40698290B3E03EDB75296389FFB4A0634F500EB44AA77C5CC7C5FC847B

4084 | CFCA_UKTool_RU.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CFCA UKey Tool\User\uninstall UKey tool.lnk | lnk
MD5: 4CDCA5BEDF307A24A18F5C51A9592C6F
SHA256: 45A21777648FE568DE505062109F197288B752351BD6A2106E5648E99C4AA7A8

4084 | CFCA_UKTool_RU.exe | C:\Windows\system32\CFCA_UKEY_scsp.sig | binary
MD5: 4F9B21ED006AD3EB4963BDAF16FEE87F
SHA256: 81994E5295F30965A669078A3FF371E848F3D51EB788D7EDE8C0D0DB10051D19

4084 | CFCA_UKTool_RU.exe | C:\Users\admin\AppData\Local\Temp\nsi3F6E.tmp\ioSpecial.ini | ini
MD5: E2D5070BC28DB1AC745613689FF86067
SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0

4084 | CFCA_UKTool_RU.exe | C:\Users\admin\AppData\Local\Temp\nsi3F6E.tmp\UserInfo.dll | executable
MD5: C22C9D7B6937B8960FBA4C8A145076B2
SHA256: 510E466A715933499FB9D5A1753B483826B2BF89161B9D466DD2AD7E52EDE2FC
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
Process | Message
CFCA_UKTool_RU.exe | lib_Interface.cpp 38 JK305_InitEnv * *
CFCA_UKTool_RU.exe | lib_Interface.cpp 33 JK305_InitEnv * *
CFCA_UKTool_RU.exe | lib_Interface.cpp 35 JK305_InitEnv * *
CFCA_UKTool_RU.exe | lib_Interface.cpp 39 JK305_InitEnv *******************************************
CFCA_UKTool_RU.exe | lib_Interface.cpp 49 JK305_InitEnv InitEnv End........
CFCA_UKTool_RU.exe | Jinkecsp.cpp 1464 CPGetAuthCode pbCode:0x3a2f79c; dwCodeLen:[0x3a2f778]=0x80
CFCA_UKTool_RU.exe | Jinkecsp.cpp 1440 CPGetCSPName CPGetCSPName Start......
CFCA_UKTool_RU.exe | lib_Interface.cpp 34 JK305_InitEnv * UKEY V2.0 Lib Log File *
CFCA_UKTool_RU.exe | lib_Interface.cpp 32 JK305_InitEnv * *
CFCA_UKTool_RU.exe | lib_Interface.cpp 36 JK305_InitEnv * ------> is error *