7bad3075466bf0a7c4a51fc47beb48ed49fb60bff3c485be9693d399da106703

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Size

320KB
MD5

305efd8a0813d6137905717404f55080
SHA1

5f562bb803a979450f77cab880bdbd482a97d290
SHA256

7bad3075466bf0a7c4a51fc47beb48ed49fb60bff3c485be9693d399da106703
SHA512

529b5c16382d7c86e233936d59f688c1db009ec9600d88e976bb2dfefe6c31f63c362ab8041ca9b8eac19c02dff63c5ba1c2cb6c3e5d5427046e997b336ecf72
SSDEEP

6144:rTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:fXgvmzFHi0mo5aH0qMzd5807FRPJQPDV

Score

10^/10

defense_evasion evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	guuajs.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	guuajs.exe

Adds policy Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "sqaqjckdxhwqqrdn.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyjauoxrmxnijlyje.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "vynigerpodxwbhynmkjmb.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "iiumhcmhdpgcehvhdy.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vynigerpodxwbhynmkjmb.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "giwqnkwtrfywafvjhece.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "iiumhcmhdpgcehvhdy.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiumhcmhdpgcehvhdy.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "vynigerpodxwbhynmkjmb.exe"	guuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "zyjauoxrmxnijlyje.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwqnkwtrfywafvjhece.exe"	guuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiumhcmhdpgcehvhdy.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tuhawsdzwjbybfuheax.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "zyjauoxrmxnijlyje.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tuhawsdzwjbybfuheax.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "tuhawsdzwjbybfuheax.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "zyjauoxrmxnijlyje.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwqnkwtrfywafvjhece.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "sqaqjckdxhwqqrdn.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "tuhawsdzwjbybfuheax.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fqn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\guuajs = "giwqnkwtrfywafvjhece.exe"	guuajs.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	guuajs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	guuajs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	305efd8a0813d6137905717404f55080_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3508	guuajs.exe
2036	guuajs.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	guuajs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	guuajs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	guuajs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	guuajs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	guuajs.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	guuajs.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "sqaqjckdxhwqqrdn.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tijqakj = "iiumhcmhdpgcehvhdy.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iyaiteep = "zyjauoxrmxnijlyje.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiumhcmhdpgcehvhdy.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiumhcmhdpgcehvhdy.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "giwqnkwtrfywafvjhece.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vynigerpodxwbhynmkjmb.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tuhawsdzwjbybfuheax.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mywa = "iiumhcmhdpgcehvhdy.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tijqakj = "vynigerpodxwbhynmkjmb.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtcoabna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vynigerpodxwbhynmkjmb.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mywa = "tuhawsdzwjbybfuheax.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyjauoxrmxnijlyje.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iyaiteep = "tuhawsdzwjbybfuheax.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "giwqnkwtrfywafvjhece.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtcoabna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "zyjauoxrmxnijlyje.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tijqakj = "giwqnkwtrfywafvjhece.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iyaiteep = "sqaqjckdxhwqqrdn.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skoylyanbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iyaiteep = "sqaqjckdxhwqqrdn.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "giwqnkwtrfywafvjhece.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mywa = "zyjauoxrmxnijlyje.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skoylyanbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwqnkwtrfywafvjhece.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyjauoxrmxnijlyje.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwqnkwtrfywafvjhece.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtcoabna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwqnkwtrfywafvjhece.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skoylyanbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tuhawsdzwjbybfuheax.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtcoabna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwqnkwtrfywafvjhece.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tijqakj = "iiumhcmhdpgcehvhdy.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skoylyanbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiumhcmhdpgcehvhdy.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyjauoxrmxnijlyje.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tijqakj = "tuhawsdzwjbybfuheax.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "iiumhcmhdpgcehvhdy.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "tuhawsdzwjbybfuheax.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skoylyanbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyjauoxrmxnijlyje.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "iiumhcmhdpgcehvhdy.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iyaiteep = "vynigerpodxwbhynmkjmb.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mywa = "vynigerpodxwbhynmkjmb.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tijqakj = "sqaqjckdxhwqqrdn.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tijqakj = "zyjauoxrmxnijlyje.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyjauoxrmxnijlyje.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iyaiteep = "zyjauoxrmxnijlyje.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "zyjauoxrmxnijlyje.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tuhawsdzwjbybfuheax.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mywa = "giwqnkwtrfywafvjhece.exe"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "zyjauoxrmxnijlyje.exe ."	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "vynigerpodxwbhynmkjmb.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtcoabna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiumhcmhdpgcehvhdy.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iyaiteep = "vynigerpodxwbhynmkjmb.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtcoabna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwqnkwtrfywafvjhece.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vihmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tuhawsdzwjbybfuheax.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtcoabna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tuhawsdzwjbybfuheax.exe ."	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tijqakj = "giwqnkwtrfywafvjhece.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mywa = "sqaqjckdxhwqqrdn.exe"	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skoylyanbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tijqakj = "zyjauoxrmxnijlyje.exe"	guuajs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iyaiteep = "iiumhcmhdpgcehvhdy.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtcoabna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vynigerpodxwbhynmkjmb.exe ."	guuajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtcoabna = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaqjckdxhwqqrdn.exe ."	guuajs.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	guuajs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	guuajs.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	www.showmyipaddress.com
21	whatismyip.everdot.org
25	www.whatismyip.ca
30	www.whatismyip.ca
31	whatismyipaddress.com
34	whatismyip.everdot.org
37	www.whatismyip.ca

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mywahokrzxaiwlljrygsqubiel.ruc	guuajs.exe
File created	C:\Windows\SysWOW64\mywahokrzxaiwlljrygsqubiel.ruc	guuajs.exe
File opened for modification	C:\Windows\SysWOW64\nktiaszrkthazzktmexudskcjbudrkjjudwoh.ncu	guuajs.exe
File created	C:\Windows\SysWOW64\nktiaszrkthazzktmexudskcjbudrkjjudwoh.ncu	guuajs.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\nktiaszrkthazzktmexudskcjbudrkjjudwoh.ncu	guuajs.exe
File opened for modification	C:\Program Files (x86)\mywahokrzxaiwlljrygsqubiel.ruc	guuajs.exe
File created	C:\Program Files (x86)\mywahokrzxaiwlljrygsqubiel.ruc	guuajs.exe
File opened for modification	C:\Program Files (x86)\nktiaszrkthazzktmexudskcjbudrkjjudwoh.ncu	guuajs.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mywahokrzxaiwlljrygsqubiel.ruc	guuajs.exe
File created	C:\Windows\mywahokrzxaiwlljrygsqubiel.ruc	guuajs.exe
File opened for modification	C:\Windows\nktiaszrkthazzktmexudskcjbudrkjjudwoh.ncu	guuajs.exe
File created	C:\Windows\nktiaszrkthazzktmexudskcjbudrkjjudwoh.ncu	guuajs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	guuajs.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	guuajs.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe
3508	guuajs.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2036	guuajs.exe
3508	guuajs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	guuajs.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 3508	4224	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	92
PID 4224 wrote to memory of 3508	4224	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	92
PID 4224 wrote to memory of 3508	4224	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	92
PID 4224 wrote to memory of 2036	4224	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	93
PID 4224 wrote to memory of 2036	4224	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	93
PID 4224 wrote to memory of 2036	4224	305efd8a0813d6137905717404f55080_JaffaCakes118.exe	93

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	guuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	guuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	guuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	guuajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	305efd8a0813d6137905717404f55080_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	guuajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	guuajs.exe

C:\Users\Admin\AppData\Local\Temp\305efd8a0813d6137905717404f55080_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\305efd8a0813d6137905717404f55080_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4224
- C:\Users\Admin\AppData\Local\Temp\guuajs.exe
  "C:\Users\Admin\AppData\Local\Temp\guuajs.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3508
- C:\Users\Admin\AppData\Local\Temp\guuajs.exe
  "C:\Users\Admin\AppData\Local\Temp\guuajs.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - System policy modification
  PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4364,i,10426317566413639638,17907471819827662535,262144 --variations-seed-version --mojo-platform-channel-handle=1436 /prefetch:8
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\mywahokrzxaiwlljrygsqubiel.ruc

Filesize
280B

MD5
094e0b4007bfab5ffb4b58d645dba724

SHA1
8ce0cc548b4199a1376dfcdcb5a122c7a557ee7f

SHA256
434848950e9c462c3561889ac74cf3dfa37612049963f4e9f57777a0c2362922

SHA512
07163302099832b85c0a96a82bf16d14d80dca26088faac1eeab35936776496f2684f8548d88a892831b94a5501c856b058f328d212b60bf08a38b0069926bcb

Download Submit
C:\Program Files (x86)\mywahokrzxaiwlljrygsqubiel.ruc

Filesize
280B

MD5
471b7ef9542026c069eb06771b166d7f

SHA1
4b38dd82dbf3b3c823ac32dff863037e0d633a64

SHA256
3794b0c669a1cc4540318a2eb3d611f3c70fe0b5a78d62901387007fe89f1a5d

SHA512
9bac6557945fd75818bf5cb5d6acb7c37ea7b4a633ad78b1696f657d9f1f9e74832713b8ac03d81e3abdb9271a862181f57f137e2da1e22713c0ccad02bdee99

Download Submit
C:\Program Files (x86)\mywahokrzxaiwlljrygsqubiel.ruc

Filesize
280B

MD5
5a385ce26983fd1fca178f9b322f24f8

SHA1
bf61551200f5fda1a9edbd79a6dce2d06de4804f

SHA256
a9b615c89d03787503c313085da67adf0cc3900277be58f5cde3fbad643ffdf8

SHA512
e049b14f159d757f38ebdae63715da8c27e80f9ce13191ac6b777aaf1aaa986619d11f790d0d687cad549b425c05b250adcd980466d4df516ce512a4a826a759

Download Submit
C:\Program Files (x86)\mywahokrzxaiwlljrygsqubiel.ruc

Filesize
280B

MD5
accac77748ff44ea6ba2eb28e3260ccc

SHA1
82b881a516e595949ed28fb44882d3bc143ece53

SHA256
c3c82b0e25fac1c4ed3f9649107c4f0db7578e4cc98486baaa7676fe32dbeeb5

SHA512
8d4b2c1babc50744d7f83bce896ac34e58091ee19c01222857be648fd94fe6709d87525fa39bca81f8a7b0a59564bf161d3ebf1cf9ad442ed06f6728bbc50881

Download Submit
C:\Program Files (x86)\mywahokrzxaiwlljrygsqubiel.ruc

Filesize
280B

MD5
3cce0559c2d39cc225d998ffe067e7b6

SHA1
e949a00d45ab7e9b39f2d8f63bf0f251f27af210

SHA256
d7709a0b06f0b3203d858c83cfd693ca3657d1b212c407a98dee5a44ea5f31df

SHA512
1274decb8cc1a94a17360a1c69763158536b5ca397be9d3fc0a155ac9617fa6c0c22f72aa4427f3d0d351f698e7e8b1958089d23003664def725bf08d7dd0336

Download Submit
C:\Program Files (x86)\mywahokrzxaiwlljrygsqubiel.ruc

Filesize
280B

MD5
44132309b9a17521994d1ea5477a1455

SHA1
ce71d140b3780c839e0974bce73227380ce511f0

SHA256
c766bc7080fa5b4fae84d2dff4322ede46de748807c2d32bdc6e4e69328106e8

SHA512
a0efdd116288f019fafb5f11b6d9d6d1acbe4cc407d2b0880f68a5d6da24e15ab59097dcc1bf6928396376a50ebfb81ef8b7cae1542f75aaf8d43a33731eeb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\guuajs.exe

Filesize
716KB

MD5
68bead5fd5603e3084d8c62e1ec2fe2c

SHA1
1fc35d82b520bc7f81e23d98778cf64b0045fa3e

SHA256
f1e185e11589b63f1f06c2a54e03ba271a7f86443c95527fb04d968995a95b41

SHA512
2c81f78eefe74ea1b077e86d81f92a4d437a9cf59d4b4b5d5a7e9db0aabf1efc458dda8705f6b7dc1ce5082833bac4826910e31746645b1f45d310c7dae9f3f1

Download Submit
C:\Users\Admin\AppData\Local\mywahokrzxaiwlljrygsqubiel.ruc

Filesize
280B

MD5
f6fa5c8e9a99c689ed92548a110538cc

SHA1
dea96b69ede5c4f45ef253287acafc15bf43f850

SHA256
e577c2c3852326626b73edf447f45f6b688c42643e17a658eef06d14e9c89e2a

SHA512
12732582d0ecb80d70e6dc5b8fbce81ea5440c78ac49edd627e7448bd03481de9cc720d05faa348d3ec681dc98aa42c1f6fc482fd1d30f01680487f3e1260ef4

Download Submit
C:\Users\Admin\AppData\Local\mywahokrzxaiwlljrygsqubiel.ruc

Filesize
280B

MD5
c00bf8e78aa899f277019466e3927b8e

SHA1
dc1256cb26ca98250ca79e05022ced2624907264

SHA256
4e86e25bd34e2c3ed2074b4d26dc8938fd1197cd061e5d0a0969fe2323c0b89e

SHA512
23d6b8b0df82b27328707a807a7935ce4a78edd2f458ab23183ce6749393dd4b801edc5820af93ce0c974b7823533330e22df617322b31531a33d00e45316556

Download Submit
C:\Users\Admin\AppData\Local\nktiaszrkthazzktmexudskcjbudrkjjudwoh.ncu

Filesize
4KB

MD5
cc4a8f114ff1799c96e9e6adce650ca8

SHA1
6d90776535102910098cc7b0222672888b95168a

SHA256
1cdc24d8cd21b808a451034899ac7dd992c18b8f1b64cbd8bad5cc7bfe84f85e

SHA512
977018583b23300692a12fe90726b4d890749be77e40e2df96d2ca6eb9f27594f4c2c8373311b457a432aa74b6bcb854c924eedf6c3e0559892399aa0b8ef403

Download Submit