7bad3075466bf0a7c4a51fc47beb48ed49fb60bff3c485be9693d399da106703

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Size

320KB
MD5

305efd8a0813d6137905717404f55080
SHA1

5f562bb803a979450f77cab880bdbd482a97d290
SHA256

7bad3075466bf0a7c4a51fc47beb48ed49fb60bff3c485be9693d399da106703
SHA512

529b5c16382d7c86e233936d59f688c1db009ec9600d88e976bb2dfefe6c31f63c362ab8041ca9b8eac19c02dff63c5ba1c2cb6c3e5d5427046e997b336ecf72
SSDEEP

6144:rTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:fXgvmzFHi0mo5aH0qMzd5807FRPJQPDV

Score

10^/10

defense_evasion evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	adpwadn.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adpwadn.exe

Adds policy Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "ndcwndasnheqdwajsmjz.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apngwlhyslhsewzhpie.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "gtpguhbqiztcmcdjp.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgwjvoctjcktiin.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "pdashvqgzrmwhyahog.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdashvqgzrmwhyahog.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttogxvokfdqeydnxsqhh.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpguhbqiztcmcdjp.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "pdashvqgzrmwhyahog.exe"	adpwadn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "zlgwjvoctjcktiin.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgwjvoctjcktiin.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "zlgwjvoctjcktiin.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "cttogxvokfdqeydnxsqhh.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "ndcwndasnheqdwajsmjz.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "zlgwjvoctjcktiin.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcwndasnheqdwajsmjz.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "cttogxvokfdqeydnxsqhh.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apngwlhyslhsewzhpie.exe"	adpwadn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdashvqgzrmwhyahog.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "apngwlhyslhsewzhpie.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttogxvokfdqeydnxsqhh.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpguhbqiztcmcdjp.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "pdashvqgzrmwhyahog.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcwndasnheqdwajsmjz.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "gtpguhbqiztcmcdjp.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptgotxio = "apngwlhyslhsewzhpie.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cdnsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttogxvokfdqeydnxsqhh.exe"	adpwadn.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpwadn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpwadn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1668	adpwadn.exe
1060	adpwadn.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	adpwadn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	adpwadn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	adpwadn.exe

Loads dropped DLL 4 IoCs

pid	Process
2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\npagjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apngwlhyslhsewzhpie.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttogxvokfdqeydnxsqhh.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rzqcltisfrgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcwndasnheqdwajsmjz.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rzqcltisfrgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apngwlhyslhsewzhpie.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\npagjl = "pdashvqgzrmwhyahog.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apngwlhyslhsewzhpie.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubrckrfoalz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apngwlhyslhsewzhpie.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\npagjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpguhbqiztcmcdjp.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdashvqgzrmwhyahog.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "cttogxvokfdqeydnxsqhh.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "gtpguhbqiztcmcdjp.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "ndcwndasnheqdwajsmjz.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\npagjl = "ndcwndasnheqdwajsmjz.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttogxvokfdqeydnxsqhh.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "cttogxvokfdqeydnxsqhh.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\npagjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpguhbqiztcmcdjp.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\npagjl = "apngwlhyslhsewzhpie.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rzqcltisfrgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apngwlhyslhsewzhpie.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\glziotfmw = "pdashvqgzrmwhyahog.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\glziotfmw = "apngwlhyslhsewzhpie.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rzqcltisfrgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttogxvokfdqeydnxsqhh.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubrckrfoalz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpguhbqiztcmcdjp.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rzqcltisfrgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttogxvokfdqeydnxsqhh.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\npagjl = "apngwlhyslhsewzhpie.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "gtpguhbqiztcmcdjp.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zfuelremxh = "zlgwjvoctjcktiin.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubrckrfoalz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apngwlhyslhsewzhpie.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\npagjl = "cttogxvokfdqeydnxsqhh.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\npagjl = "pdashvqgzrmwhyahog.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubrckrfoalz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cttogxvokfdqeydnxsqhh.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubrckrfoalz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgwjvoctjcktiin.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubrckrfoalz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcwndasnheqdwajsmjz.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rzqcltisfrgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpguhbqiztcmcdjp.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubrckrfoalz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdashvqgzrmwhyahog.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\npagjl = "zlgwjvoctjcktiin.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\npagjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgwjvoctjcktiin.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "ndcwndasnheqdwajsmjz.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zfuelremxh = "gtpguhbqiztcmcdjp.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apngwlhyslhsewzhpie.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpguhbqiztcmcdjp.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubrckrfoalz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcwndasnheqdwajsmjz.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "zlgwjvoctjcktiin.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtpguhbqiztcmcdjp.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rzqcltisfrgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgwjvoctjcktiin.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\glziotfmw = "zlgwjvoctjcktiin.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\npagjl = "gtpguhbqiztcmcdjp.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\npagjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcwndasnheqdwajsmjz.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\glziotfmw = "gtpguhbqiztcmcdjp.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\npagjl = "ndcwndasnheqdwajsmjz.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zfuelremxh = "cttogxvokfdqeydnxsqhh.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zfuelremxh = "cttogxvokfdqeydnxsqhh.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zfuelremxh = "pdashvqgzrmwhyahog.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\npagjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndcwndasnheqdwajsmjz.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zfuelremxh = "ndcwndasnheqdwajsmjz.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zfuelremxh = "ndcwndasnheqdwajsmjz.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\glziotfmw = "ndcwndasnheqdwajsmjz.exe"	adpwadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ubrckrfoalz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgwjvoctjcktiin.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\glziotfmw = "pdashvqgzrmwhyahog.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\glziotfmw = "gtpguhbqiztcmcdjp.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "pdashvqgzrmwhyahog.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\glziotfmw = "zlgwjvoctjcktiin.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zfuelremxh = "gtpguhbqiztcmcdjp.exe ."	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\glziotfmw = "gtpguhbqiztcmcdjp.exe"	adpwadn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\adpwadn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zlgwjvoctjcktiin.exe ."	adpwadn.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpwadn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpwadn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	whatismyipaddress.com
3	www.showmyipaddress.com
5	www.whatismyip.ca
7	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hfmonlqqtvaupqctkmrpwyxv.adf	adpwadn.exe
File created	C:\Windows\SysWOW64\hfmonlqqtvaupqctkmrpwyxv.adf	adpwadn.exe
File opened for modification	C:\Windows\SysWOW64\qzreoxnymzpuamjlnaqzreoxnymzpuamjln.qzr	adpwadn.exe
File created	C:\Windows\SysWOW64\qzreoxnymzpuamjlnaqzreoxnymzpuamjln.qzr	adpwadn.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\qzreoxnymzpuamjlnaqzreoxnymzpuamjln.qzr	adpwadn.exe
File opened for modification	C:\Program Files (x86)\hfmonlqqtvaupqctkmrpwyxv.adf	adpwadn.exe
File created	C:\Program Files (x86)\hfmonlqqtvaupqctkmrpwyxv.adf	adpwadn.exe
File opened for modification	C:\Program Files (x86)\qzreoxnymzpuamjlnaqzreoxnymzpuamjln.qzr	adpwadn.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hfmonlqqtvaupqctkmrpwyxv.adf	adpwadn.exe
File created	C:\Windows\hfmonlqqtvaupqctkmrpwyxv.adf	adpwadn.exe
File opened for modification	C:\Windows\qzreoxnymzpuamjlnaqzreoxnymzpuamjln.qzr	adpwadn.exe
File created	C:\Windows\qzreoxnymzpuamjlnaqzreoxnymzpuamjln.qzr	adpwadn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe
1668	adpwadn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	adpwadn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1668	2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1668	2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1668	2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1668	2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1060	2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	31
PID 2960 wrote to memory of 1060	2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	31
PID 2960 wrote to memory of 1060	2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	31
PID 2960 wrote to memory of 1060	2960	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	31

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adpwadn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	adpwadn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	adpwadn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	adpwadn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	adpwadn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	adpwadn.exe

C:\Users\Admin\AppData\Local\Temp\305efd8a0813d6137905717404f55080_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\305efd8a0813d6137905717404f55080_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2960
- C:\Users\Admin\AppData\Local\Temp\adpwadn.exe
  "C:\Users\Admin\AppData\Local\Temp\adpwadn.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\adpwadn.exe
  "C:\Users\Admin\AppData\Local\Temp\adpwadn.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\hfmonlqqtvaupqctkmrpwyxv.adf

Filesize
280B

MD5
8bda9492bfe9c2a37d0b9d17ed2aead8

SHA1
0438eaf84ffb3eaa8baed76603f6388cca536106

SHA256
e52d82bd4c90bbb8ac410f97810cb062afe04816762bf10675fe768d656f0631

SHA512
4bdba90c73470fccd5b6bf49f24e71b2ccc4bf49684e9788bf11409acd1ecb8e7edd7849067f4c71b7c9d95453e277b25ea330771443092d4f5d67721fd25c69

Download Submit
C:\Program Files (x86)\hfmonlqqtvaupqctkmrpwyxv.adf

Filesize
280B

MD5
ccca35fda6d51493410fcf1dbc84282d

SHA1
c2bf36b63dd62a383fd20c5b764590eaf02e7d0a

SHA256
5df6d670523c1ffa1f8d32277128f46d635107b6d5256f0984da5e4be9f0d479

SHA512
ee82711dae3e2389f413159c7f77c24bcf0f8852dc08961a8041b8325fc2e30b53e5f507efd389d1d0f6de5f80599d36b7fba43db229a62058cbe4536960f36b

Download Submit
C:\Program Files (x86)\hfmonlqqtvaupqctkmrpwyxv.adf

Filesize
280B

MD5
ebe3e308561a8e1fa9cd9256f3015db7

SHA1
5a0400b38e07aa99582f96da70649dfd0120dd24

SHA256
746d13e955df300d21eb424b5491e8b65ef1eef7a3c5343ae7ce8c60b62c3ea9

SHA512
7562613b7e6d44b8db6c779da94650170b339079fe33768353f16d62f751999a4a802ea75a7689e98d5d62792d5c03d9a219ff855fe9286a463a8b23ef1692af

Download Submit
C:\Program Files (x86)\hfmonlqqtvaupqctkmrpwyxv.adf

Filesize
280B

MD5
61e0c2910a70ac8aedb34961e833b012

SHA1
4bde3bfbf7b4862634229e9fb71da37a311a1e3b

SHA256
2e18eb3e44e6adcfb90e43681cfb2e4242dd95338518788af5d8a0110d1ed4ce

SHA512
0ddc22cc4dd8edb21b10cbf2cbf273a4c6b7eef613e8c4b1ee122122a4af72c20cb7125e56de5b070675fecefd5502a6b82d89a8387d91fe9b02e2e883368d8f

Download Submit
C:\Program Files (x86)\hfmonlqqtvaupqctkmrpwyxv.adf

Filesize
280B

MD5
3f08a2a56a0bee74016729e80dc78a21

SHA1
df97bc13618d38019e5e1a3fd68c297fc751f01b

SHA256
b47df9c61eb78699cb98a4aba7020923338ab7b2b7e90728bbf8161b0a11daa7

SHA512
c9be58b9430a6f9ac40c915b2f9711582b079acc20a49915adfdde4ed2859a1f1062c501eeac109d705d0d3fe4094645cf7c1b63d95c0643ab4c05be3b264e1f

Download Submit
C:\Program Files (x86)\hfmonlqqtvaupqctkmrpwyxv.adf

Filesize
280B

MD5
02aaf20ef25b18d10054cc5705959f71

SHA1
3f8152d5d2d1575b02281f8a03d113be8c6c4ab1

SHA256
014f673389afc957b92e6ea668f35d5fa6fd1aaf7662bd9bd189a7f96e01149c

SHA512
c570e9c2652c1ebca24bbde86ec7ccb3ac10e036b3647352d603df1fa8e48223286d367796a4f8c8df4264cbbaa52db13d37a5e1003e9a36f53c746ce42dec93

Download Submit
C:\Users\Admin\AppData\Local\hfmonlqqtvaupqctkmrpwyxv.adf

Filesize
280B

MD5
64819ed6d1f0a0f1ae9d7699b81be8c7

SHA1
2e9aa52d5ed983a306adb354aa384f0fc5825573

SHA256
3898772f2fe8eb7728c034b74578ec6b36cab6b0a83014f4c660bb4eb5004919

SHA512
97efaf63b8efc41421c5cc8aec643b32e02a492ba9ed6615d9f05aa21f61e939a079b23d0a4de3cc8e199bd0ba70bae88298483eb99301ae1a3d4908c5d1c535

Download Submit
C:\Users\Admin\AppData\Local\hfmonlqqtvaupqctkmrpwyxv.adf

Filesize
280B

MD5
78d6a483816ac0caac1c16a53c022e88

SHA1
a02f646559e01277e4ec1ed16c61f5f192e74272

SHA256
3604f377516b76814ea626c19aa95522f857ad8e213c81c450796a08b691a1e2

SHA512
73d4c3d4a638c3858115a8472019aa8eea9df9bd3365e9b50bd8d86796def15eb820fbdceb9d4cbaaaf7063cd2d0ea680d32f1ceb21b020b3fdaba46c8db315b

Download Submit
C:\Users\Admin\AppData\Local\qzreoxnymzpuamjlnaqzreoxnymzpuamjln.qzr

Filesize
4KB

MD5
1f7111c9acae754a6fb255944b87eecb

SHA1
07014e105756f2184246b318210153d2e8a6b374

SHA256
abbfbf6e20bb1e3ad6fac91a717691ef78006e3d8015fb82963be6c6e0177853

SHA512
ab19f4e078bda32a6ba42f40856c4ca9bddc04b0557990b240874e93f27310666124f8adf2b69945ec4ad6f6cbdc9804be326504a812529abe6b58d9cd56be77

Download Submit
\Users\Admin\AppData\Local\Temp\adpwadn.exe

Filesize
700KB

MD5
677e7411e01b91a100f8e135b50ede22

SHA1
d618c44cce853576a25b379b53cf8b9bfb6773fb

SHA256
205f9de8d25ddc6cd6233dfa3e58dbf272bbf35faec0c4515901e825302374af

SHA512
e5dad2313f16163b10f9973cdbc8cbf5ed75e6af7b02de3e96cc54e08d467071c87ed675cd8072ac11ff561fd3f87b9404df20fbbd7da6c44716b0ae89db5002

Download Submit