Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 09/07/2024, 16:12

Static task: static1
Behavioral task: behavioral1
  Sample: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe
Size: 456KB
MD5: 3111a806fe695f254ada08c5309ae02a
SHA1: 9d5f7c56291968c3154054119380a2783dbb4a6a
SHA256: c7132d730f820c84fdea2f9636e9c7e06ff8060b350dc13fe3bf11bc55f398b0
SHA512: e8ead6ad107e89f4b7bdce182dea7d78ba324d50d5b53a946973c0ae879a1844c4671fec97a3f6c1eebe37a6c889a02fdb41137b40bc0a6f1e64c498cea8a84d
SSDEEP: 12288:7pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsyNT0x:7pUNr6YkVRFkgbeqeo68Fhqk
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (process: yjdebjphitn.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (process: whlpves.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (process: whlpves.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (process: yjdebjphitn.exe)
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: yjdebjphitn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: yjdebjphitn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: yjdebjphitn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: yjdebjphitn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: yjdebjphitn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: whlpves.exe)
Adds policy Run key to start application (2 TTPs, 28 IoCs)
Disables RegEdit via registry modification (6 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: yjdebjphitn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: yjdebjphitn.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: whlpves.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: whlpves.exe)
Executes dropped EXE (4 IoCs)
- pid 1988: yjdebjphitn.exe
- pid 1156: whlpves.exe
- pid 2584: whlpves.exe
- pid 2624: yjdebjphitn.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend (process: whlpves.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (process: whlpves.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (process: whlpves.exe)
Loads dropped DLL (8 IoCs)
- pid 1712: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe
- pid 1712: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe
- pid 1988: yjdebjphitn.exe
- pid 1988: yjdebjphitn.exe
- pid 1988: yjdebjphitn.exe
- pid 1988: yjdebjphitn.exe
- pid 1712: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe
- pid 1712: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description ioc Process
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: yjdebjphitn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: yjdebjphitn.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: yjdebjphitn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: whlpves.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: whlpves.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: whlpves.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: yjdebjphitn.exe)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 2: www.showmyipaddress.com
- flow 5: www.whatismyip.ca
- flow 8: whatismyip.everdot.org
- flow 14: whatismyipaddress.com
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification C:\autorun.inf (process: whlpves.exe)
- File created C:\autorun.inf (process: whlpves.exe)
- File opened for modification F:\autorun.inf (process: whlpves.exe)
- File created F:\autorun.inf (process: whlpves.exe)
Drops file in System32 directory (32 IoCs)
Drops file in Program Files directory (4 IoCs)
- File created C:\Program Files (x86)\pxyzcitpyzlpcwmnmxjrstwcnj.tfj (process: whlpves.exe)
- File opened for modification C:\Program Files (x86)\qjvhvmipjvshfklxhdatfrfwsztfcrpuvhrnk.pbp (process: whlpves.exe)
- File created C:\Program Files (x86)\qjvhvmipjvshfklxhdatfrfwsztfcrpuvhrnk.pbp (process: whlpves.exe)
- File opened for modification C:\Program Files (x86)\pxyzcitpyzlpcwmnmxjrstwcnj.tfj (process: whlpves.exe)
Drops file in Windows directory (32 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege (pid 1156, process: whlpves.exe)
Suspicious use of WriteProcessMemory (16 IoCs)
- PID 1712 wrote to memory of 1988 (pid 1712, process: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe, procid_target: 29)
- PID 1712 wrote to memory of 1988 (pid 1712, process: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe, procid_target: 29)
- PID 1712 wrote to memory of 1988 (pid 1712, process: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe, procid_target: 29)
- PID 1712 wrote to memory of 1988 (pid 1712, process: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe, procid_target: 29)
- PID 1988 wrote to memory of 1156 (pid 1988, process: yjdebjphitn.exe, procid_target: 30)
- PID 1988 wrote to memory of 1156 (pid 1988, process: yjdebjphitn.exe, procid_target: 30)
- PID 1988 wrote to memory of 1156 (pid 1988, process: yjdebjphitn.exe, procid_target: 30)
- PID 1988 wrote to memory of 1156 (pid 1988, process: yjdebjphitn.exe, procid_target: 30)
- PID 1988 wrote to memory of 2584 (pid 1988, process: yjdebjphitn.exe, procid_target: 31)
- PID 1988 wrote to memory of 2584 (pid 1988, process: yjdebjphitn.exe, procid_target: 31)
- PID 1988 wrote to memory of 2584 (pid 1988, process: yjdebjphitn.exe, procid_target: 31)
- PID 1988 wrote to memory of 2584 (pid 1988, process: yjdebjphitn.exe, procid_target: 31)
- PID 1712 wrote to memory of 2624 (pid 1712, process: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe, procid_target: 32)
- PID 1712 wrote to memory of 2624 (pid 1712, process: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe, procid_target: 32)
- PID 1712 wrote to memory of 2624 (pid 1712, process: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe, procid_target: 32)
- PID 1712 wrote to memory of 2624 (pid 1712, process: 3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe, procid_target: 32)
System policy modification 1 TTPs 41 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | whlpves.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | yjdebjphitn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whlpves.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | yjdebjphitn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | yjdebjphitn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | whlpves.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whlpves.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | whlpves.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | yjdebjphitn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | whlpves.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe (PID 1712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3111a806fe695f254ada08c5309ae02a_JaffaCakes118.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\yjdebjphitn.exe (PID 1988)
    Command line: "C:\Users\Admin\AppData\Local\Temp\yjdebjphitn.exe" "c:\users\admin\appdata\local\temp\3111a806fe695f254ada08c5309ae02a_jaffacakes118.exe*"
    Signatures:
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\whlpves.exe (PID 1156)
      Command line: "C:\Users\Admin\AppData\Local\Temp\whlpves.exe" "-C:\Users\Admin\AppData\Local\Temp\vpcpewtbwjhxwcer.exe"
      Signatures:
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\whlpves.exe (PID 2584)
      Command line: "C:\Users\Admin\AppData\Local\Temp\whlpves.exe" "-C:\Users\Admin\AppData\Local\Temp\vpcpewtbwjhxwcer.exe"
      Signatures:
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
  - C:\Users\Admin\AppData\Local\Temp\yjdebjphitn.exe (PID 2624)
    Command line: "C:\Users\Admin\AppData\Local\Temp\yjdebjphitn.exe" "c:\users\admin\appdata\local\temp\3111a806fe695f254ada08c5309ae02a_jaffacakes118.exe"
    Signatures:
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads

- Filesize: 280B
  MD5: e3b79e45886eeb74cf69af29a21b9df6
  SHA1: 67588db3a6c14bcf16e56235d2fb51730e565e2e
  SHA256: 33002bc100e3380bc05fcf68dfe95940b5361b7ce626fe542f96c39e107c25ec
  SHA512: e14b0ffd9f55bd74bafe431853dd1af012ca4d1d6493b6ec76116d1f3b49fa52aef3179c101c99f32b2036069752be77acad40fee51d706d69998c4efb505fee
- Filesize: 280B
  MD5: d703289ae96268e67bf487474ab84057
  SHA1: e63f259b7e20dd5d1ae0bb7a04ad916ef067982c
  SHA256: 94760d73d4284396cfbbc049b15b41b53c0d64f43fd360f9cafbc764ec05dc9e
  SHA512: b48d67d1a161bcd653c920e3834fa3c75017c56d35225e2edc938abb348674d7a8dce4e662fb0732a3697403534c6158b1f6c593885885ada80943c4956d8315
- Filesize: 280B
  MD5: 30193333c6821cfd89f4757149b24800
  SHA1: 7775539c60f05360fa1c7eb46cea45cd39358d9b
  SHA256: 124048c079d9822d7c93aa93e07e514fb5a25d2f0ea9aa5235b1d238d577269c
  SHA512: 67012be9032f5abe2f609122d5bf192a01a37ad93df05a7d36e6db3af79bc4be1fd4ddef316cad6f84af67705cdb57318f3df97707e5f0ec149c522ecefe1662
- Filesize: 280B
  MD5: 2634ec4c718e05ac48c7951dbaadc91f
  SHA1: e4fd208652b9b72b51078fed5f68a83578504dd0
  SHA256: 6220297ff13c9e0a7ea694e91c666ddae7c73ee4bdd8c06d1f6aec33a89a7cee
  SHA512: 32117e012714af81f646f5e103e41e283f544eca056e850d332da146f558fa254e8f7f716d28ba1d6a759d4df0a8589b722a4046deb20b616757dc0b65b3eef8
- Filesize: 280B
  MD5: 5467335c7b28b2b839cb86fd10ccc9c5
  SHA1: 73278c171d42c3624e1fa6be2b66fb909a0de598
  SHA256: e9e35d20d69eb60749a534594ccfa6d2b70305acc1195c2f4638ddafaeb5d4bc
  SHA512: b3365f57700f5dbabbc233264cc98387a4a771b213e5cf98e655c82679f1238b969f2b0a6949a322343e3d18dbf3d40ce3c8a2182bfe59c2262fa4855ac60465
- Filesize: 280B
  MD5: efee2f390d79f7da1054d6a76ee27774
  SHA1: b28e5400e8e17cf598c60c1ae2b334adde0fbf9d
  SHA256: a698a627d464729e38cfc56b9ec216036cda966786bf1b93347e6228695427ee
  SHA512: 5809b2bd18d41931acdb69ba1f1d66a6c2799ee63eaafc80ab6c124979f7ff14cb1e4cdfdb1ef16e4fb6091a0ea6a932bd2fac77d07d44501cd658cfdc0fde65
- Filesize: 280B
  MD5: 83bcf5b68f624cdbb190ab21e32d06ab
  SHA1: 3919b6bd90e353acdf9cb6b02555f1760a7c36a8
  SHA256: cafd3f1737891cb377a0edf84b510bfd1ae9209ca010d5b5620d530b212a0775
  SHA512: dff39298059d58be4bc28acd3473e64970605bddf1f6687440e1d757eda892062e5b38497e57b1fa34242fa67626cc951a639ba029dc034a81e86ce3aae8f5eb
- Filesize: 4KB
  MD5: cc9126f07246ae781e3fc992529c187f
  SHA1: 65bfd4002bee6f81e8e321d942d3e7fc03b7da4d
  SHA256: 4e06ef145e13e9be13a03135c1d601633ee11c50ec0ba907c9ba3d7855f1a9a2
  SHA512: e0d63ee99354d9b77ad9f9aefde785b652295b05697f913f57d8fa630644d4579516e48c580a934f2a2162ec628784c60d26f10fa74ed8cb2567a3028c2c1656
- Filesize: 456KB
  MD5: 3111a806fe695f254ada08c5309ae02a
  SHA1: 9d5f7c56291968c3154054119380a2783dbb4a6a
  SHA256: c7132d730f820c84fdea2f9636e9c7e06ff8060b350dc13fe3bf11bc55f398b0
  SHA512: e8ead6ad107e89f4b7bdce182dea7d78ba324d50d5b53a946973c0ae879a1844c4671fec97a3f6c1eebe37a6c889a02fdb41137b40bc0a6f1e64c498cea8a84d
- Filesize: 720KB
  MD5: ad17145b97d8ef6ff9eb2fc799e98d48
  SHA1: efa1a3d39270b376cb60f02d3f5ab3f38ac12851
  SHA256: 4922514f68afdd44de942ce0f765cfc66d1a62ed4051b5c3d2accc94511b4a43
  SHA512: 4edb31c2a2e3d9b8824b9ed860122b6c948f5dad2676b5b8cf59b8efa30a762a93e4a7c74f9ef243806df43ab3c4a94bdf20b220c77faa056a9b7e059131ec81
- Filesize: 320KB
  MD5: 3e57f936ca3277b7a6b0f4e08b631123
  SHA1: 4c902e80881a486a817afa4e0401fbed54317143
  SHA256: c9db7cf4b0fab4536abd1837157c12c1ec6658da8b67105647bd37a8edb549b5
  SHA512: b7f4e10060b602700731ffd40cefd527193c32bb4235a2e46664eeb9443508dcb46b27bcfa27304e4823a83c8ff0593185ba646554c351d39dba86d2e3024971