Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23/06/2024, 22:35
Static task: static1
Behavioral task: behavioral1
  Sample: 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
Size: 564KB
MD5: 031b34370c6913ac54cbcbccac4a55c7
SHA1: d0778c193dbf76cf93df3db1d5b51b136a02c9b1
SHA256: 939895d56ad30824b5c8dfbd70e36e35ead9ca0cbb987fcc322212d01de25700
SHA512: 6dec35c09395e06069ced9496561afcb9c09b5ad80b8ac16c3f3857ca11d7e071554970dde6894eac7cee5a42d63d62db996e027c579dc2dfe52ce05efa492ae
SSDEEP: 6144:G7KEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aAL:G7Kr3QboC9qLGKgZKe4HYpHvcbT
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | tiovyrrldsy.exe
(signature title not captured on the page)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jutbgs.exe
Adds policy Run key to start application (2 TTPs, 28 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "cyibrocviytoanwvb.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "yymjdewtkedcsjwzjnmma.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqzrgcphticwhtbz.exe" | jutbgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "yymjdewtkedcsjwzjnmma.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "litnecrlzqmivjttab.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jivrkkbxngecrhtvehfe.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyibrocviytoanwvb.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "jivrkkbxngecrhtvehfe.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "vqzrgcphticwhtbz.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "cyibrocviytoanwvb.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyibrocviytoanwvb.exe" | jutbgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yymjdewtkedcsjwzjnmma.exe" | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\litnecrlzqmivjttab.exe" | jutbgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wugbtsidskheshstbda.exe" | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "cyibrocviytoanwvb.exe" | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "jivrkkbxngecrhtvehfe.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\litnecrlzqmivjttab.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jivrkkbxngecrhtvehfe.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nejxiajxfqgw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqzrgcphticwhtbz.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qksjxsevgungqbi = "litnecrlzqmivjttab.exe" | tiovyrrldsy.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jutbgs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jutbgs.exe
Executes dropped EXE (4 IoCs)
pid | Process
1376 | tiovyrrldsy.exe
2380 | jutbgs.exe
2964 | jutbgs.exe
2956 | tiovyrrldsy.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | jutbgs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | jutbgs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | jutbgs.exe
Loads dropped DLL (8 IoCs)
pid | Process
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
1376 | tiovyrrldsy.exe
1376 | tiovyrrldsy.exe
1376 | tiovyrrldsy.exe
1376 | tiovyrrldsy.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqzrgcphticwhtbz.exe ." | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqzrgcphticwhtbz.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wugbtsidskheshstbda.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\litnecrlzqmivjttab.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cyibrocviytoanwvb = "cyibrocviytoanwvb.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wugbtsidskheshstbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jivrkkbxngecrhtvehfe.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jivrkkbxngecrhtvehfe.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "vqzrgcphticwhtbz.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "cyibrocviytoanwvb.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wugbtsidskheshstbda.exe" | tiovyrrldsy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqzrgcphticwhtbz.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jivrkkbxngecrhtvehfe.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jivrkkbxngecrhtvehfe.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wugbtsidskheshstbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jivrkkbxngecrhtvehfe.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\litnecrlzqmivjttab.exe ." | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jivrkkbxngecrhtvehfe.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wugbtsidskheshstbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyibrocviytoanwvb.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\vqzrgcphticwhtbz = "wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jivrkkbxngecrhtvehfe.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "litnecrlzqmivjttab.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "jivrkkbxngecrhtvehfe.exe" | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "vqzrgcphticwhtbz.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cyibrocviytoanwvb = "yymjdewtkedcsjwzjnmma.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wugbtsidskheshstbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyibrocviytoanwvb.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cyibrocviytoanwvb = "jivrkkbxngecrhtvehfe.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqzrgcphticwhtbz.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cyibrocviytoanwvb = "yymjdewtkedcsjwzjnmma.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\vqzrgcphticwhtbz = "litnecrlzqmivjttab.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "wugbtsidskheshstbda.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqzrgcphticwhtbz.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "yymjdewtkedcsjwzjnmma.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "jivrkkbxngecrhtvehfe.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\vqzrgcphticwhtbz = "litnecrlzqmivjttab.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wugbtsidskheshstbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyibrocviytoanwvb.exe" | tiovyrrldsy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cyibrocviytoanwvb = "wugbtsidskheshstbda.exe ." | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "cyibrocviytoanwvb.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\litnecrlzqmivjttab.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyibrocviytoanwvb.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "yymjdewtkedcsjwzjnmma.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\litnecrlzqmivjttab.exe ." | tiovyrrldsy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqzrgcphticwhtbz.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\litnecrlzqmivjttab.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyibrocviytoanwvb.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yymjdewtkedcsjwzjnmma.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wugbtsidskheshstbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yymjdewtkedcsjwzjnmma.exe" | tiovyrrldsy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cyibrocviytoanwvb = "litnecrlzqmivjttab.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "vqzrgcphticwhtbz.exe ." | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\litnecrlzqmivjttab.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wugbtsidskheshstbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cyibrocviytoanwvb = "vqzrgcphticwhtbz.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\vqzrgcphticwhtbz = "cyibrocviytoanwvb.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ngndqkvlviasbl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyibrocviytoanwvb.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yymjdewtkedcsjwzjnmma.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wugbtsidskheshstbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cyibrocviytoanwvb = "vqzrgcphticwhtbz.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wugbtsidskheshstbda = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yymjdewtkedcsjwzjnmma.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\vqzrgcphticwhtbz = "wugbtsidskheshstbda.exe" | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\vqzrgcphticwhtbz = "wugbtsidskheshstbda.exe" | tiovyrrldsy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\litnecrlzqmivjttab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyibrocviytoanwvb.exe ." | jutbgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\vqzrgcphticwhtbz = "vqzrgcphticwhtbz.exe" | jutbgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mekzleodmypgo = "yymjdewtkedcsjwzjnmma.exe" | jutbgs.exe
(signature title not captured on the page)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tiovyrrldsy.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jutbgs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jutbgs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tiovyrrldsy.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
11 | whatismyip.everdot.org
2 | www.whatismyip.ca
5 | whatismyipaddress.com
7 | www.showmyipaddress.com
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | jutbgs.exe
File created | C:\autorun.inf | jutbgs.exe
File opened for modification | F:\autorun.inf | jutbgs.exe
File created | F:\autorun.inf | jutbgs.exe
Drops file in System32 directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\jivrkkbxngecrhtvehfe.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\pqfdyatrjeeevnbfqvvwlj.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\wugbtsidskheshstbda.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\yymjdewtkedcsjwzjnmma.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\nejxiajxfqgwdlpjkfvmrfqirfnyoeltxr.ndu | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\jivrkkbxngecrhtvehfe.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\cyibrocviytoanwvb.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\wugbtsidskheshstbda.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\yymjdewtkedcsjwzjnmma.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\pqfdyatrjeeevnbfqvvwlj.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\vqzrgcphticwhtbz.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\litnecrlzqmivjttab.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\pqfdyatrjeeevnbfqvvwlj.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\cyibrocviytoanwvb.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\wugbtsidskheshstbda.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\jivrkkbxngecrhtvehfe.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\litnecrlzqmivjttab.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\cyibrocviytoanwvb.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\pqfdyatrjeeevnbfqvvwlj.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\vqzrgcphticwhtbz.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\cyibrocviytoanwvb.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\vqzrgcphticwhtbz.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\agaddkiliinsolendnsysvv.ada | jutbgs.exe
File created | C:\Windows\SysWOW64\agaddkiliinsolendnsysvv.ada | jutbgs.exe
File created | C:\Windows\SysWOW64\nejxiajxfqgwdlpjkfvmrfqirfnyoeltxr.ndu | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\wugbtsidskheshstbda.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\jivrkkbxngecrhtvehfe.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\yymjdewtkedcsjwzjnmma.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\vqzrgcphticwhtbz.exe | jutbgs.exe
File opened for modification | C:\Windows\SysWOW64\litnecrlzqmivjttab.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\litnecrlzqmivjttab.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\SysWOW64\yymjdewtkedcsjwzjnmma.exe | tiovyrrldsy.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\nejxiajxfqgwdlpjkfvmrfqirfnyoeltxr.ndu | jutbgs.exe
File created | C:\Program Files (x86)\nejxiajxfqgwdlpjkfvmrfqirfnyoeltxr.ndu | jutbgs.exe
File opened for modification | C:\Program Files (x86)\agaddkiliinsolendnsysvv.ada | jutbgs.exe
File created | C:\Program Files (x86)\agaddkiliinsolendnsysvv.ada | jutbgs.exe
Drops file in Windows directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\pqfdyatrjeeevnbfqvvwlj.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\yymjdewtkedcsjwzjnmma.exe | jutbgs.exe
File opened for modification | C:\Windows\wugbtsidskheshstbda.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\vqzrgcphticwhtbz.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\cyibrocviytoanwvb.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\jivrkkbxngecrhtvehfe.exe | jutbgs.exe
File created | C:\Windows\nejxiajxfqgwdlpjkfvmrfqirfnyoeltxr.ndu | jutbgs.exe
File opened for modification | C:\Windows\cyibrocviytoanwvb.exe | jutbgs.exe
File opened for modification | C:\Windows\jivrkkbxngecrhtvehfe.exe | jutbgs.exe
File opened for modification | C:\Windows\agaddkiliinsolendnsysvv.ada | jutbgs.exe
File created | C:\Windows\agaddkiliinsolendnsysvv.ada | jutbgs.exe
File opened for modification | C:\Windows\jivrkkbxngecrhtvehfe.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\vqzrgcphticwhtbz.exe | jutbgs.exe
File opened for modification | C:\Windows\yymjdewtkedcsjwzjnmma.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\litnecrlzqmivjttab.exe | jutbgs.exe
File opened for modification | C:\Windows\yymjdewtkedcsjwzjnmma.exe | jutbgs.exe
File opened for modification | C:\Windows\litnecrlzqmivjttab.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\wugbtsidskheshstbda.exe | jutbgs.exe
File opened for modification | C:\Windows\wugbtsidskheshstbda.exe | jutbgs.exe
File opened for modification | C:\Windows\pqfdyatrjeeevnbfqvvwlj.exe | jutbgs.exe
File opened for modification | C:\Windows\jivrkkbxngecrhtvehfe.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\yymjdewtkedcsjwzjnmma.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\litnecrlzqmivjttab.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\pqfdyatrjeeevnbfqvvwlj.exe | jutbgs.exe
File opened for modification | C:\Windows\litnecrlzqmivjttab.exe | jutbgs.exe
File opened for modification | C:\Windows\wugbtsidskheshstbda.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\vqzrgcphticwhtbz.exe | jutbgs.exe
File opened for modification | C:\Windows\cyibrocviytoanwvb.exe | jutbgs.exe
File opened for modification | C:\Windows\nejxiajxfqgwdlpjkfvmrfqirfnyoeltxr.ndu | jutbgs.exe
File opened for modification | C:\Windows\vqzrgcphticwhtbz.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\cyibrocviytoanwvb.exe | tiovyrrldsy.exe
File opened for modification | C:\Windows\pqfdyatrjeeevnbfqvvwlj.exe | tiovyrrldsy.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2380 | jutbgs.exe
2380 | jutbgs.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2380 | jutbgs.exe

Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 2168 wrote to memory of 1376 | 2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 1376 | 2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 1376 | 2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 1376 | 2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe | 28
PID 1376 wrote to memory of 2964 | 1376 | tiovyrrldsy.exe | 29
PID 1376 wrote to memory of 2964 | 1376 | tiovyrrldsy.exe | 29
PID 1376 wrote to memory of 2964 | 1376 | tiovyrrldsy.exe | 29
PID 1376 wrote to memory of 2964 | 1376 | tiovyrrldsy.exe | 29
PID 1376 wrote to memory of 2380 | 1376 | tiovyrrldsy.exe | 30
PID 1376 wrote to memory of 2380 | 1376 | tiovyrrldsy.exe | 30
PID 1376 wrote to memory of 2380 | 1376 | tiovyrrldsy.exe | 30
PID 1376 wrote to memory of 2380 | 1376 | tiovyrrldsy.exe | 30
PID 2168 wrote to memory of 2956 | 2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe | 33
PID 2168 wrote to memory of 2956 | 2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe | 33
PID 2168 wrote to memory of 2956 | 2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe | 33
PID 2168 wrote to memory of 2956 | 2168 | 031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe | 33
System policy modification 1 TTPs 41 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | jutbgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | jutbgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | jutbgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | jutbgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tiovyrrldsy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | jutbgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | tiovyrrldsy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | jutbgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | tiovyrrldsy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | tiovyrrldsy.exe
Processes

C:\Users\Admin\AppData\Local\Temp\031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\031b34370c6913ac54cbcbccac4a55c7_JaffaCakes118.exe"
  PID: 2168
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tiovyrrldsy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tiovyrrldsy.exe" "c:\users\admin\appdata\local\temp\031b34370c6913ac54cbcbccac4a55c7_jaffacakes118.exe*"
    PID: 1376
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\jutbgs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jutbgs.exe" "-C:\Users\Admin\AppData\Local\Temp\vqzrgcphticwhtbz.exe"
      PID: 2964
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

    C:\Users\Admin\AppData\Local\Temp\jutbgs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jutbgs.exe" "-C:\Users\Admin\AppData\Local\Temp\vqzrgcphticwhtbz.exe"
      PID: 2380
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification

  C:\Users\Admin\AppData\Local\Temp\tiovyrrldsy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tiovyrrldsy.exe" "c:\users\admin\appdata\local\temp\031b34370c6913ac54cbcbccac4a55c7_jaffacakes118.exe"
    PID: 2956
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads