52a7437f9b9c21de2a389039153bc1fa8ac36fdf3be75105dec854a2c8b7a7d0

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
Size

548KB
MD5

e9ed433a3d2b4d3e1a1e1dca910263bd
SHA1

a2361f4fc4dbd96b8ac807b19a0637906c5599a3
SHA256

52a7437f9b9c21de2a389039153bc1fa8ac36fdf3be75105dec854a2c8b7a7d0
SHA512

89c1cda887947efc4ecdd31da383ff4760a258f0adfbed4a81d95549d5fbde35290e46767baf88e9817e68a9f27afa9135fddd35a6e301b2ddff30f1fc9bfa09
SSDEEP

12288:ugHsqmAdjxORA4GTe2Pr9hroyCMJOcddfm+Y8:aqmwjfz79iSJOUY8

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jzcalppntjm.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	chhxadq.exe

Adds policy Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctfhwlkatlxvgmfrzfg.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "ixhhuhesjzjfosjtz.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhsthvtiarczjogryd.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phuxndduohutfmgtcjld.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "ctfhwlkatlxvgmfrzfg.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixhhuhesjzjfosjtz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "ctfhwlkatlxvgmfrzfg.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhsthvtiarczjogryd.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "bpyxjvreujsnvyox.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "phuxndduohutfmgtcjld.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "exlpgxyqlfttgojxhpslz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exlpgxyqlfttgojxhpslz.exe"	jzcalppntjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	chhxadq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "bpyxjvreujsnvyox.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "ixhhuhesjzjfosjtz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "exlpgxyqlfttgojxhpslz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "phuxndduohutfmgtcjld.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exlpgxyqlfttgojxhpslz.exe"	chhxadq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "ctfhwlkatlxvgmfrzfg.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "ixhhuhesjzjfosjtz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdidltlugrwn = "ixhhuhesjzjfosjtz.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iprjotiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixhhuhesjzjfosjtz.exe"	chhxadq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jzcalppntjm.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	chhxadq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jzcalppntjm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	chhxadq.exe

Executes dropped EXE 4 IoCs

pid	Process
2816	jzcalppntjm.exe
2380	chhxadq.exe
2364	chhxadq.exe
2800	jzcalppntjm.exe

Loads dropped DLL 8 IoCs

pid	Process
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2816	jzcalppntjm.exe
2816	jzcalppntjm.exe
2816	jzcalppntjm.exe
2816	jzcalppntjm.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdjfoxqanzfxc = "bpyxjvreujsnvyox.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdjfoxqanzfxc = "rhsthvtiarczjogryd.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctfhwlkatlxvgmfrzfg.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "ixhhuhesjzjfosjtz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "bpyxjvreujsnvyox.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "ixhhuhesjzjfosjtz.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "ixhhuhesjzjfosjtz.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wjrpalgshvdxegv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhsthvtiarczjogryd.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "bpyxjvreujsnvyox.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tfmjtdxiwjqjpq = "exlpgxyqlfttgojxhpslz.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdjfoxqanzfxc = "bpyxjvreujsnvyox.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "exlpgxyqlfttgojxhpslz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhsthvtiarczjogryd.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wjrpalgshvdxegv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctfhwlkatlxvgmfrzfg.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpyxjvreujsnvyox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exlpgxyqlfttgojxhpslz.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "exlpgxyqlfttgojxhpslz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdjfoxqanzfxc = "ctfhwlkatlxvgmfrzfg.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpyxjvreujsnvyox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixhhuhesjzjfosjtz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wjrpalgshvdxegv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhsthvtiarczjogryd.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhsthvtiarczjogryd.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wjrpalgshvdxegv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe ."	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "ctfhwlkatlxvgmfrzfg.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "exlpgxyqlfttgojxhpslz.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wjrpalgshvdxegv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdjfoxqanzfxc = "rhsthvtiarczjogryd.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpyxjvreujsnvyox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phuxndduohutfmgtcjld.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctfhwlkatlxvgmfrzfg.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "rhsthvtiarczjogryd.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tfmjtdxiwjqjpq = "phuxndduohutfmgtcjld.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdjfoxqanzfxc = "ixhhuhesjzjfosjtz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpyxjvreujsnvyox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhsthvtiarczjogryd.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phuxndduohutfmgtcjld.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wjrpalgshvdxegv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exlpgxyqlfttgojxhpslz.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "phuxndduohutfmgtcjld.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "ixhhuhesjzjfosjtz.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tfmjtdxiwjqjpq = "rhsthvtiarczjogryd.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "phuxndduohutfmgtcjld.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixhhuhesjzjfosjtz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpyxjvreujsnvyox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdjfoxqanzfxc = "phuxndduohutfmgtcjld.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tfmjtdxiwjqjpq = "bpyxjvreujsnvyox.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpyxjvreujsnvyox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "ixhhuhesjzjfosjtz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdjfoxqanzfxc = "bpyxjvreujsnvyox.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpyxjvreujsnvyox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpyxjvreujsnvyox.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phuxndduohutfmgtcjld.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "ixhhuhesjzjfosjtz.exe ."	jzcalppntjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpyxjvreujsnvyox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhsthvtiarczjogryd.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "exlpgxyqlfttgojxhpslz.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpyxjvreujsnvyox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exlpgxyqlfttgojxhpslz.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tfmjtdxiwjqjpq = "ctfhwlkatlxvgmfrzfg.exe ."	jzcalppntjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdjfoxqanzfxc = "ixhhuhesjzjfosjtz.exe"	jzcalppntjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wfjdkriqblp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhsthvtiarczjogryd.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tfmjtdxiwjqjpq = "ctfhwlkatlxvgmfrzfg.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wjrpalgshvdxegv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixhhuhesjzjfosjtz.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tfmjtdxiwjqjpq = "ixhhuhesjzjfosjtz.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wjrpalgshvdxegv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phuxndduohutfmgtcjld.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdjfoxqanzfxc = "phuxndduohutfmgtcjld.exe"	chhxadq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "rhsthvtiarczjogryd.exe"	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tfmjtdxiwjqjpq = "rhsthvtiarczjogryd.exe ."	chhxadq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bjmflrhoyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixhhuhesjzjfosjtz.exe"	chhxadq.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jzcalppntjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chhxadq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chhxadq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jzcalppntjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jzcalppntjm.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	www.showmyipaddress.com
2	whatismyip.everdot.org
5	www.whatismyip.ca
7	whatismyipaddress.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	chhxadq.exe
File created	C:\autorun.inf	chhxadq.exe
File opened for modification	F:\autorun.inf	chhxadq.exe
File created	F:\autorun.inf	chhxadq.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\phuxndduohutfmgtcjld.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\exlpgxyqlfttgojxhpslz.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\vpejbtvokfuvjsodoxbvkp.exe	chhxadq.exe
File created	C:\Windows\SysWOW64\jjepnltsuvqxrgidujttozxv.cef	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\ixhhuhesjzjfosjtz.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\exlpgxyqlfttgojxhpslz.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\phuxndduohutfmgtcjld.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\bpyxjvreujsnvyox.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\ctfhwlkatlxvgmfrzfg.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\bpyxjvreujsnvyox.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\bpyxjvreujsnvyox.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\ctfhwlkatlxvgmfrzfg.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\ctfhwlkatlxvgmfrzfg.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\vpejbtvokfuvjsodoxbvkp.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\rhsthvtiarczjogryd.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\ctfhwlkatlxvgmfrzfg.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\sdjfoxqanzfxccpvxxsdjfoxqanzfxccpvx.sdj	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\rhsthvtiarczjogryd.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\rhsthvtiarczjogryd.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\ixhhuhesjzjfosjtz.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\phuxndduohutfmgtcjld.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\exlpgxyqlfttgojxhpslz.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\vpejbtvokfuvjsodoxbvkp.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\ixhhuhesjzjfosjtz.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\rhsthvtiarczjogryd.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\bpyxjvreujsnvyox.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\exlpgxyqlfttgojxhpslz.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\vpejbtvokfuvjsodoxbvkp.exe	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\jjepnltsuvqxrgidujttozxv.cef	chhxadq.exe
File created	C:\Windows\SysWOW64\sdjfoxqanzfxccpvxxsdjfoxqanzfxccpvx.sdj	chhxadq.exe
File opened for modification	C:\Windows\SysWOW64\ixhhuhesjzjfosjtz.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\SysWOW64\phuxndduohutfmgtcjld.exe	chhxadq.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\jjepnltsuvqxrgidujttozxv.cef	chhxadq.exe
File created	C:\Program Files (x86)\jjepnltsuvqxrgidujttozxv.cef	chhxadq.exe
File opened for modification	C:\Program Files (x86)\sdjfoxqanzfxccpvxxsdjfoxqanzfxccpvx.sdj	chhxadq.exe
File created	C:\Program Files (x86)\sdjfoxqanzfxccpvxxsdjfoxqanzfxccpvx.sdj	chhxadq.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\phuxndduohutfmgtcjld.exe	chhxadq.exe
File opened for modification	C:\Windows\rhsthvtiarczjogryd.exe	chhxadq.exe
File opened for modification	C:\Windows\exlpgxyqlfttgojxhpslz.exe	chhxadq.exe
File opened for modification	C:\Windows\bpyxjvreujsnvyox.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\exlpgxyqlfttgojxhpslz.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\bpyxjvreujsnvyox.exe	chhxadq.exe
File opened for modification	C:\Windows\rhsthvtiarczjogryd.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\phuxndduohutfmgtcjld.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\rhsthvtiarczjogryd.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\ixhhuhesjzjfosjtz.exe	chhxadq.exe
File opened for modification	C:\Windows\rhsthvtiarczjogryd.exe	chhxadq.exe
File opened for modification	C:\Windows\phuxndduohutfmgtcjld.exe	chhxadq.exe
File created	C:\Windows\jjepnltsuvqxrgidujttozxv.cef	chhxadq.exe
File created	C:\Windows\sdjfoxqanzfxccpvxxsdjfoxqanzfxccpvx.sdj	chhxadq.exe
File opened for modification	C:\Windows\ixhhuhesjzjfosjtz.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\ctfhwlkatlxvgmfrzfg.exe	chhxadq.exe
File opened for modification	C:\Windows\ctfhwlkatlxvgmfrzfg.exe	chhxadq.exe
File opened for modification	C:\Windows\sdjfoxqanzfxccpvxxsdjfoxqanzfxccpvx.sdj	chhxadq.exe
File opened for modification	C:\Windows\vpejbtvokfuvjsodoxbvkp.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\phuxndduohutfmgtcjld.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\exlpgxyqlfttgojxhpslz.exe	chhxadq.exe
File opened for modification	C:\Windows\bpyxjvreujsnvyox.exe	chhxadq.exe
File opened for modification	C:\Windows\ixhhuhesjzjfosjtz.exe	chhxadq.exe
File opened for modification	C:\Windows\exlpgxyqlfttgojxhpslz.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\vpejbtvokfuvjsodoxbvkp.exe	chhxadq.exe
File opened for modification	C:\Windows\vpejbtvokfuvjsodoxbvkp.exe	chhxadq.exe
File opened for modification	C:\Windows\ixhhuhesjzjfosjtz.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\ctfhwlkatlxvgmfrzfg.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\bpyxjvreujsnvyox.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\ctfhwlkatlxvgmfrzfg.exe	jzcalppntjm.exe
File opened for modification	C:\Windows\jjepnltsuvqxrgidujttozxv.cef	chhxadq.exe
File opened for modification	C:\Windows\vpejbtvokfuvjsodoxbvkp.exe	jzcalppntjm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2380	chhxadq.exe
2380	chhxadq.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	chhxadq.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2816	2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe	28
PID 2804 wrote to memory of 2816	2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe	28
PID 2804 wrote to memory of 2816	2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe	28
PID 2804 wrote to memory of 2816	2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe	28
PID 2816 wrote to memory of 2380	2816	jzcalppntjm.exe	29
PID 2816 wrote to memory of 2380	2816	jzcalppntjm.exe	29
PID 2816 wrote to memory of 2380	2816	jzcalppntjm.exe	29
PID 2816 wrote to memory of 2380	2816	jzcalppntjm.exe	29
PID 2816 wrote to memory of 2364	2816	jzcalppntjm.exe	30
PID 2816 wrote to memory of 2364	2816	jzcalppntjm.exe	30
PID 2816 wrote to memory of 2364	2816	jzcalppntjm.exe	30
PID 2816 wrote to memory of 2364	2816	jzcalppntjm.exe	30
PID 2804 wrote to memory of 2800	2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe	33
PID 2804 wrote to memory of 2800	2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe	33
PID 2804 wrote to memory of 2800	2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe	33
PID 2804 wrote to memory of 2800	2804	e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe	33

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	chhxadq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	chhxadq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jzcalppntjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jzcalppntjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jzcalppntjm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	chhxadq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jzcalppntjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	chhxadq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	chhxadq.exe

C:\Users\Admin\AppData\Local\Temp\e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9ed433a3d2b4d3e1a1e1dca910263bd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\jzcalppntjm.exe
  "C:\Users\Admin\AppData\Local\Temp\jzcalppntjm.exe" "c:\users\admin\appdata\local\temp\e9ed433a3d2b4d3e1a1e1dca910263bd_jaffacakes118.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\chhxadq.exe
    "C:\Users\Admin\AppData\Local\Temp\chhxadq.exe" "-C:\Users\Admin\AppData\Local\Temp\bpyxjvreujsnvyox.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2380
- - C:\Users\Admin\AppData\Local\Temp\chhxadq.exe
    "C:\Users\Admin\AppData\Local\Temp\chhxadq.exe" "-C:\Users\Admin\AppData\Local\Temp\bpyxjvreujsnvyox.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2364
- C:\Users\Admin\AppData\Local\Temp\jzcalppntjm.exe
  "C:\Users\Admin\AppData\Local\Temp\jzcalppntjm.exe" "c:\users\admin\appdata\local\temp\e9ed433a3d2b4d3e1a1e1dca910263bd_jaffacakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\jjepnltsuvqxrgidujttozxv.cef

Filesize
272B

MD5
c959e954b0e8b207558a7ebe1df63cc8

SHA1
aaedc738b3601f58b019896806ff1116e718ba34

SHA256
a2b00df6b30cb38be53b793fcb9ce28916f6fe35e921a3b7896b9f53dadd3bab

SHA512
d10f3ec62407f11ccba69a0f9cf6a9b10bc314de37c95e42c94b3dd1bae479ec17a2b13c9d387d85bf3eb431efb7ad74c5ff9abd7890239b40039e67de6bfa61

Download Submit
C:\Program Files (x86)\jjepnltsuvqxrgidujttozxv.cef

Filesize
272B

MD5
55ead53ad3c4c9508d4e8d699410fa7a

SHA1
181a135c3135dc944ca2cf10a734f527e25f1a4f

SHA256
f67ac98dbe99f4e5bd7189edd8ce4cbd39b49ff89cca9be91816f3530824a142

SHA512
85df648e5b497ddc8ca6ba8a2a7de166dfaf064d68aee7f4a9c56c539fb755d474b7d4b38fc8c19240e61358d0f31d2efd7ba2fb990bcc7af63e3f1a93f30c57

Download Submit
C:\Program Files (x86)\jjepnltsuvqxrgidujttozxv.cef

Filesize
272B

MD5
161facb8e94fd62c1e34565b4327a37c

SHA1
1d350687c55494bb7982c81d02a3b8c0d1841e1d

SHA256
83cc3ea1f796fa5c977011602692a04aaaef672741d3a115dc5e2f0341b76514

SHA512
74edf9e5daa1321094d20217d8266fabd3f6fb98aacbe0fe38b4f3bc845463eb1354f379ae88643c7472283cbbb5e5825951b1a4ba93a79f9bad9a3211ff8898

Download Submit
C:\Program Files (x86)\jjepnltsuvqxrgidujttozxv.cef

Filesize
272B

MD5
a5a89ea6193cbd79740964e21a06a8be

SHA1
f999074be7fedc15e1cda84ab5fc3f1d8957e6c5

SHA256
72dfbe4d0419075314750bf8d00362a230fc98cee47aca37e03e6cafe4f7ae7e

SHA512
4faa34ffbfca1b05d47ba06d9a3ca23f405902e71d8d0a589087e87623a21705635f18e2139f5aacd12c5f90022d9640e63eb33e5ea1845e1349bc943f3ace18

Download Submit
C:\Program Files (x86)\jjepnltsuvqxrgidujttozxv.cef

Filesize
272B

MD5
1361df521e453f76de6796199061f9ba

SHA1
b9a8235951575b63a3ffb481ef79a561fc7cdd3a

SHA256
474ccb7924eacb9fb4b9203aae7243eeb3c9561f08544b96647406285110edb0

SHA512
49bb1325b7dbab7f4ff4f97cb66c60772026527f57ab774c06f737b6195258ceab5be83483306a5f50588ecdea935c170296fd85a608f05617feee471543778e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chhxadq.exe

Filesize
728KB

MD5
212dc161a1437d28c5c791728b58f0b7

SHA1
c34f47c630e8fe29df9d9e87e79361357588cfb3

SHA256
c1862c2f443414c6fa146603dd56664f01fc0cef08b19eecce3e9b1f571ff9da

SHA512
f489ab92537abe90304e626b2acab8def43ef8a07677612d7ff32755f6e43f96c00abc6885f254794dfc7055e1c72b90e6dd4f3a0e139f66df3ce7fec67307f6

Download Submit
C:\Users\Admin\AppData\Local\jjepnltsuvqxrgidujttozxv.cef

Filesize
272B

MD5
981eb5daac13198a64c3985d1361a6e0

SHA1
4574263d3fa6479d7008df667df3e6b071f0537c

SHA256
38557d65fa757924e778776e1b60d6e5b6278156e586fe11f8541a0dbb3ee0d1

SHA512
10ce76121c2e8385fdf44f7ffd23d887a0b0ee0face2600b55e8e2fc757415a5b38177e8d6b960ff7e984ebf2e9ec7ad84872e617c6189a7167c328131815726

Download Submit
C:\Users\Admin\AppData\Local\jjepnltsuvqxrgidujttozxv.cef

Filesize
272B

MD5
fadc46fe0740a1af316bf44c2f45ceea

SHA1
4badea433d066db9f3372dfe9e3020c8c14699b0

SHA256
54fa29ef51a8b43ce1251ba506bb2ebcf63c4893ba2ecff9eb8bfc83d5fc322e

SHA512
56793f0dfc9aa1ba79f46ac95484fe78fb412c9b065c52794a19a8e1593ffdd50e28ce5d5cb5fbc10832cd13c6100970d312056a3a07a39e5f38dc110cc00ec2

Download Submit
C:\Users\Admin\AppData\Local\sdjfoxqanzfxccpvxxsdjfoxqanzfxccpvx.sdj

Filesize
3KB

MD5
5f500a5f3bac1f7d1ef198995d025ad0

SHA1
2c9d78b869effc0d0f173f63820bbd6370fbd05f

SHA256
f4e25fdab9898c0b4ee4d0b729dd34ceafbb4f06d13304e9b24f822aea81d79d

SHA512
6b7170c07570185f5d96a91972d7e03c3e8f9e3120a43a40bb2f7e596e45e19bf65969867e68fd72a2cbf6559a58be4566a0c41c40ad957b7009f22e5c13cf84

Download Submit
C:\Windows\SysWOW64\rhsthvtiarczjogryd.exe

Filesize
548KB

MD5
e9ed433a3d2b4d3e1a1e1dca910263bd

SHA1
a2361f4fc4dbd96b8ac807b19a0637906c5599a3

SHA256
52a7437f9b9c21de2a389039153bc1fa8ac36fdf3be75105dec854a2c8b7a7d0

SHA512
89c1cda887947efc4ecdd31da383ff4760a258f0adfbed4a81d95549d5fbde35290e46767baf88e9817e68a9f27afa9135fddd35a6e301b2ddff30f1fc9bfa09

Download Submit
\Users\Admin\AppData\Local\Temp\jzcalppntjm.exe

Filesize
320KB

MD5
b92314203327a733531042bc58e54f57

SHA1
1f3d0081f308a82c9659f4a57fc1ad551167a181

SHA256
d936bfd3b4264fe1650dee22119858b9d0cc58598e7e956ebecf72fb82f7c7d3

SHA512
2982559183e13830cd795c7badadb15b4dad50315155299d9713970aff034c827ade98c79d6da836aea743890aca71bc0f7d5348a32f2858b4f40884ecccf7f7

Download Submit