Analysis
max time kernel: 47s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 17:04
Static task: static1
Behavioral task: behavioral1
Sample: 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
Size: 1.1MB
MD5: 30230ccc32bfe060df96a9d313380493
SHA1: a2b57e9405ff4f3e981c5dbd484eade8a136345b
SHA256: 078b4378c55c6f1c1ea4ff9d7a1bb6e58172785be140c78f32467f78a9fbd5be
SHA512: e5fcf4dab9adcc31b404bc8d9bc8625ddcc31b3fc3eb7c375b3f3875641058822edc4e56d2b4a1c0a8bdd3ec39a754e238cee6861dcd5f185ffecea6324875a7
SSDEEP: 24576:DSeaWMYCNjap9JGzCHJgrGlnW57xOokesf05W12W7tFf6:DS8R9UCHJgrGlW5zspsyg
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Gh0st RAT payload 10 IoCs
Modifies firewall policy service 2 TTPs 15 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Mqehdmf.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Mqehdmf.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
Deletes itself 1 IoCs
pid | Process
2728 | Mqehdmf.exe
Executes dropped EXE 4 IoCs
pid | Process
3412 | Mqehdmf.exe
4756 | Mqehdmf.exe
2728 | Mqehdmf.exe
3424 | Mqehdmf.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Mqehdmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Mqehdmf.exe
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | Mqehdmf.exe
File opened (read-only) | \??\G: | Mqehdmf.exe
File opened (read-only) | \??\H: | Mqehdmf.exe
File opened (read-only) | \??\I: | Mqehdmf.exe
File opened (read-only) | \??\J: | Mqehdmf.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Qasbto\Mqehdmf.exe | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Qasbto\Mqehdmf.exe | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Mqehdmf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Mqehdmf.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Mqehdmf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | Mqehdmf.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | Mqehdmf.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
3376 | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
3376 | 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
4756 | Mqehdmf.exe
4756 | Mqehdmf.exe
3412 | Mqehdmf.exe
3412 | Mqehdmf.exe
2728 | Mqehdmf.exe
2728 | Mqehdmf.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by Mqehdmf.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by Mqehdmf.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by Mqehdmf.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by Mqehdmf.exe
Processes
- C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" (level 1) PID:808
- C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" (level 1) PID:816
- C:\Windows\system32\dwm.exe "dwm.exe" (level 1) PID:1020
- C:\Windows\system32\sihost.exe sihost.exe (level 1) PID:2552
- C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc (level 1) PID:2576
- C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} (level 1) PID:2796
- C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE (level 1) PID:3484
  - C:\Users\Admin\AppData\Local\Temp\30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\30230ccc32bfe060df96a9d313380493_JaffaCakes118.exe" (level 2) PID:3376
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files (x86)\Microsoft Qasbto\Mqehdmf.exe "C:\Program Files (x86)\Microsoft Qasbto\Mqehdmf.exe" (level 3) PID:3412
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc (level 1) PID:3628
- C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (level 1) PID:3804
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca (level 1) PID:3936
- C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1) PID:4020
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca (level 1) PID:1360
- C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1) PID:3988
- C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1) PID:432
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca (level 1) PID:1744
- C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca (level 1) PID:2772
- C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca (level 1) PID:2156
- C:\Windows\system32\BackgroundTaskHost.exe "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider (level 1) PID:2536
- C:\Program Files (x86)\Microsoft Qasbto\Mqehdmf.exe "C:\Program Files (x86)\Microsoft Qasbto\Mqehdmf.exe" (level 1) PID:4756
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Program Files (x86)\Microsoft Qasbto\Mqehdmf.exe "C:\Program Files (x86)\Microsoft Qasbto\Mqehdmf.exe" (level 2) PID:2728
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
  - C:\Program Files (x86)\Microsoft Qasbto\Mqehdmf.exe "C:\Program Files (x86)\Microsoft Qasbto\Mqehdmf.exe" (level 2) PID:3424
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Modifies data under HKEY_USERS
    - System policy modification
- C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1) PID:2276
- C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1) PID:1552
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads