Malware Analysis Report

2025-03-15 00:50

Sample ID: 240626-vvc7wsxbpm
Target: 12c82b718d17020e6668fec1d50ae021_JaffaCakes118
SHA256: 98140f537a8e029289590e7935cb52e3f6c98035c298eea5c3b803504389bc73
Tags: defense_evasion evasion persistence trojan
Score: 10/10


Analysis Overview

Threat Level: Known bad

The file 12c82b718d17020e6668fec1d50ae021_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

UAC bypass

Modifies WinLogon for persistence

Adds policy Run key to start application

Disables RegEdit via registry modification

Checks computer location settings

Impair Defenses: Safe Mode Boot

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-26 17:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-26 17:18
Reported: 2024-06-26 17:20
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A

UAC bypass

Tags: evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A

Adds policy Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlestibqmveyxslkoz.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "kbyqddrjxsaibztljm.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "kbyqddrjxsaibztljm.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "vnlestibqmveyxslkoz.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "vnlestibqmveyxslkoz.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "ujeufdpfrkqwnjbr.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "kbyqddrjxsaibztljm.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "brneqpctgahogdwnk.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlestibqmveyxslkoz.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "brneqpctgahogdwnk.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "ujeufdpfrkqwnjbr.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "vnlestibqmveyxslkoz.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "ibaujlbvliscxxtnnsex.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A

Disables RegEdit via registry modification

Tags: evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A

Impair Defenses: Safe Mode Boot

Tags: defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "ibaujlbvliscxxtnnsex.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "kbyqddrjxsaibztljm.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "ujeufdpfrkqwnjbr.exe ." C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "vnlestibqmveyxslkoz.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "vnlestibqmveyxslkoz.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "xrrmcfwrigrcyzwrsylff.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlestibqmveyxslkoz.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "brneqpctgahogdwnk.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "vnlestibqmveyxslkoz.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "ujeufdpfrkqwnjbr.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "ibaujlbvliscxxtnnsex.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "vnlestibqmveyxslkoz.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "kbyqddrjxsaibztljm.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "kbyqddrjxsaibztljm.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "kbyqddrjxsaibztljm.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "brneqpctgahogdwnk.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "ibaujlbvliscxxtnnsex.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "ujeufdpfrkqwnjbr.exe ." C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe ." C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "kbyqddrjxsaibztljm.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlestibqmveyxslkoz.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "ujeufdpfrkqwnjbr.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "vnlestibqmveyxslkoz.exe ." C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "ujeufdpfrkqwnjbr.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe ." C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "xrrmcfwrigrcyzwrsylff.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "ibaujlbvliscxxtnnsex.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "kbyqddrjxsaibztljm.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "ujeufdpfrkqwnjbr.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "ibaujlbvliscxxtnnsex.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "xrrmcfwrigrcyzwrsylff.exe ." C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "ujeufdpfrkqwnjbr.exe" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "kbyqddrjxsaibztljm.exe ." C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ojkgxbtphgsebdbxzgupqm.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File created C:\Windows\SysWOW64\cdkmjtrtrwogjrvxfsmnuwtd.dbg C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\xrrmcfwrigrcyzwrsylff.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\kbyqddrjxsaibztljm.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\vnlestibqmveyxslkoz.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\ujeufdpfrkqwnjbr.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\ojkgxbtphgsebdbxzgupqm.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\xrrmcfwrigrcyzwrsylff.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\ujeufdpfrkqwnjbr.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\ibaujlbvliscxxtnnsex.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\kbyqddrjxsaibztljm.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\ujeufdpfrkqwnjbr.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\ujeufdpfrkqwnjbr.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\vnlestibqmveyxslkoz.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\brneqpctgahogdwnk.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\vnlestibqmveyxslkoz.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\xrrmcfwrigrcyzwrsylff.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\lxpckfobkadguncpiglxpckfobkadguncpi.lxp C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File created C:\Windows\SysWOW64\lxpckfobkadguncpiglxpckfobkadguncpi.lxp C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\brneqpctgahogdwnk.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\vnlestibqmveyxslkoz.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\xrrmcfwrigrcyzwrsylff.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\brneqpctgahogdwnk.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\kbyqddrjxsaibztljm.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\ibaujlbvliscxxtnnsex.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\cdkmjtrtrwogjrvxfsmnuwtd.dbg C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\brneqpctgahogdwnk.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\ibaujlbvliscxxtnnsex.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\ibaujlbvliscxxtnnsex.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\ojkgxbtphgsebdbxzgupqm.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\SysWOW64\kbyqddrjxsaibztljm.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\ojkgxbtphgsebdbxzgupqm.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\cdkmjtrtrwogjrvxfsmnuwtd.dbg C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File created C:\Program Files (x86)\cdkmjtrtrwogjrvxfsmnuwtd.dbg C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Program Files (x86)\lxpckfobkadguncpiglxpckfobkadguncpi.lxp C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File created C:\Program Files (x86)\lxpckfobkadguncpiglxpckfobkadguncpi.lxp C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\brneqpctgahogdwnk.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\ujeufdpfrkqwnjbr.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\kbyqddrjxsaibztljm.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\ojkgxbtphgsebdbxzgupqm.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\ibaujlbvliscxxtnnsex.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\kbyqddrjxsaibztljm.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\xrrmcfwrigrcyzwrsylff.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\ujeufdpfrkqwnjbr.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\brneqpctgahogdwnk.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\xrrmcfwrigrcyzwrsylff.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\ojkgxbtphgsebdbxzgupqm.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\ujeufdpfrkqwnjbr.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\vnlestibqmveyxslkoz.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\vnlestibqmveyxslkoz.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\ibaujlbvliscxxtnnsex.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\xrrmcfwrigrcyzwrsylff.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\vnlestibqmveyxslkoz.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\cdkmjtrtrwogjrvxfsmnuwtd.dbg C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\lxpckfobkadguncpiglxpckfobkadguncpi.lxp C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\ujeufdpfrkqwnjbr.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\kbyqddrjxsaibztljm.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\vnlestibqmveyxslkoz.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\brneqpctgahogdwnk.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\ojkgxbtphgsebdbxzgupqm.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\brneqpctgahogdwnk.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\ojkgxbtphgsebdbxzgupqm.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\kbyqddrjxsaibztljm.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\xrrmcfwrigrcyzwrsylff.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File created C:\Windows\cdkmjtrtrwogjrvxfsmnuwtd.dbg C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File created C:\Windows\lxpckfobkadguncpiglxpckfobkadguncpi.lxp C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\ibaujlbvliscxxtnnsex.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
File opened for modification C:\Windows\ibaujlbvliscxxtnnsex.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 2212 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 2212 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 2212 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 2056 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
PID 2056 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
PID 2056 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
PID 2056 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
PID 2056 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
PID 2056 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
PID 2056 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
PID 2056 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
PID 2212 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 2212 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 2212 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 2212 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe

"C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe" "c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe

"C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe" "-c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe

"C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe" "-c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe

"C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe" "c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 17:18

Reported

2024-06-26 17:20

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "sqzrkxkezqcldauq.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "vymjhzrqqmdroqpqtwkhf.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vymjhzrqqmdroqpqtwkhf.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "zyibvjxsogtdwupml.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "vymjhzrqqmdroqpqtwkhf.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "zyibvjxsogtdwupml.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "sqzrkxkezqcldauq.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vymjhzrqqmdroqpqtwkhf.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "zyibvjxsogtdwupml.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "vymjhzrqqmdroqpqtwkhf.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "givrofwutoernommoqdz.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "sqzrkxkezqcldauq.exe ." C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "sqzrkxkezqcldauq.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "vymjhzrqqmdroqpqtwkhf.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "vymjhzrqqmdroqpqtwkhf.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "sqzrkxkezqcldauq.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "zyibvjxsogtdwupml.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "vymjhzrqqmdroqpqtwkhf.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "tugbxndayshtoolklmy.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "givrofwutoernommoqdz.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vymjhzrqqmdroqpqtwkhf.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "zyibvjxsogtdwupml.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "sqzrkxkezqcldauq.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "sqzrkxkezqcldauq.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "iitnixmifymxrqmkkk.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "vymjhzrqqmdroqpqtwkhf.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "tugbxndayshtoolklmy.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vymjhzrqqmdroqpqtwkhf.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "iitnixmifymxrqmkkk.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vymjhzrqqmdroqpqtwkhf.exe ." C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "iitnixmifymxrqmkkk.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "sqzrkxkezqcldauq.exe" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "iitnixmifymxrqmkkk.exe ." C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\tugbxndayshtoolklmy.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\vymjhzrqqmdroqpqtwkhf.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\givrofwutoernommoqdz.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\sqzrkxkezqcldauq.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\zyibvjxsogtdwupml.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\mqfdcvoopmetruuwaetrqj.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\iitnixmifymxrqmkkk.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\mqfdcvoopmetruuwaetrqj.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\vymjhzrqqmdroqpqtwkhf.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\iitnixmifymxrqmkkk.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\tugbxndayshtoolklmy.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\iitnixmifymxrqmkkk.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\givrofwutoernommoqdz.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\givrofwutoernommoqdz.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File created C:\Windows\SysWOW64\wexzczwafgcvxeiowexzcz.afg C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\sqzrkxkezqcldauq.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\iitnixmifymxrqmkkk.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\tugbxndayshtoolklmy.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\givrofwutoernommoqdz.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\zyibvjxsogtdwupml.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\sqzrkxkezqcldauq.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\zyibvjxsogtdwupml.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\mqfdcvoopmetruuwaetrqj.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\wexzczwafgcvxeiowexzcz.afg C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\zyibvjxsogtdwupml.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\vymjhzrqqmdroqpqtwkhf.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\mqfdcvoopmetruuwaetrqj.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\SysWOW64\tugbxndayshtoolklmy.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\vymjhzrqqmdroqpqtwkhf.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File created C:\Windows\SysWOW64\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\SysWOW64\sqzrkxkezqcldauq.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\wexzczwafgcvxeiowexzcz.afg C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File created C:\Program Files (x86)\wexzczwafgcvxeiowexzcz.afg C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Program Files (x86)\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File created C:\Program Files (x86)\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\sqzrkxkezqcldauq.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\wexzczwafgcvxeiowexzcz.afg C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\iitnixmifymxrqmkkk.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\vymjhzrqqmdroqpqtwkhf.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\tugbxndayshtoolklmy.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\iitnixmifymxrqmkkk.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\iitnixmifymxrqmkkk.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\zyibvjxsogtdwupml.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\vymjhzrqqmdroqpqtwkhf.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\mqfdcvoopmetruuwaetrqj.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\sqzrkxkezqcldauq.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\zyibvjxsogtdwupml.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\sqzrkxkezqcldauq.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\sqzrkxkezqcldauq.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\zyibvjxsogtdwupml.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\givrofwutoernommoqdz.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\mqfdcvoopmetruuwaetrqj.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\iitnixmifymxrqmkkk.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\tugbxndayshtoolklmy.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\givrofwutoernommoqdz.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\mqfdcvoopmetruuwaetrqj.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\mqfdcvoopmetruuwaetrqj.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File created C:\Windows\wexzczwafgcvxeiowexzcz.afg C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File created C:\Windows\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\tugbxndayshtoolklmy.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\givrofwutoernommoqdz.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\givrofwutoernommoqdz.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\tugbxndayshtoolklmy.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\vymjhzrqqmdroqpqtwkhf.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
File opened for modification C:\Windows\vymjhzrqqmdroqpqtwkhf.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
File opened for modification C:\Windows\zyibvjxsogtdwupml.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
PID 2556 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
PID 2556 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
PID 1544 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe
PID 1544 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe
PID 1544 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe
PID 1544 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe
PID 1544 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe
PID 1544 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe C:\Users\Admin\AppData\Local\Temp\gutbkn.exe
PID 2556 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
PID 2556 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
PID 2556 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gutbkn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe

"C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe" "c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\gutbkn.exe

"C:\Users\Admin\AppData\Local\Temp\gutbkn.exe" "-c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\gutbkn.exe

"C:\Users\Admin\AppData\Local\Temp\gutbkn.exe" "-c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe

"C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe" "c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.com udp
US 8.8.8.8:53 www.whatismyip.com udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.adobe.com udp
US 8.8.8.8:53 www.bbc.co.uk udp
US 8.8.8.8:53 www.facebook.com udp

Files

C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe


C:\Windows\SysWOW64\iitnixmifymxrqmkkk.exe


C:\Users\Admin\AppData\Local\Temp\gutbkn.exe


C:\Users\Admin\AppData\Local\wexzczwafgcvxeiowexzcz.afg


C:\Users\Admin\AppData\Local\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz
