Analysis
- max time kernel: 42s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 21:11
Static task: static1
Behavioral task: behavioral1
- Sample: 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
- Target: 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
- Size: 323KB
- MD5: 36659bafc1f622de686564d9de426d2a
- SHA1: d21dede6834d6cf489b9271da92bc98d9e3e7212
- SHA256: 140dd714a75b80950a61d473241b407aa71bebb408377be179d0fd775d60de76
- SHA512: 020bc4047d99925fb7624e4c1857be610df577e63443b905befe9a6badf70f597da1925d64cdee7a136d59342ace17d59ad022b566c6048149ae8e3aaf159fd8
- SSDEEP: 6144:1BxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:1Bxe9dx8Yz6nhtL9C53TV5n+4av
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Processes: K0L4B0R451.exe, 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe, Kantuk.exe, 4K51K4.exe, winlogon.exe, GoldenGhost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\"" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe" | GoldenGhost.exe
-
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
Processes: 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe, winlogon.exe, Kantuk.exe, 4K51K4.exe, K0L4B0R451.exe, GoldenGhost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kantuk.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | GoldenGhost.exe
-
Processes: Kantuk.exe, 4K51K4.exe, K0L4B0R451.exe, GoldenGhost.exe, 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe, winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | Kantuk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | GoldenGhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | winlogon.exe
-
Disables RegEdit via registry modification (12 IoCs)
Processes: winlogon.exe, Kantuk.exe, 4K51K4.exe, GoldenGhost.exe, 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe, K0L4B0R451.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kantuk.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | GoldenGhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | GoldenGhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kantuk.exe
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification (12 IoCs)
Processes: K0L4B0R451.exe, winlogon.exe, 4K51K4.exe, Kantuk.exe, GoldenGhost.exe, 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Kantuk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Kantuk.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 4K51K4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | GoldenGhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | GoldenGhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
Processes: 4K51K4.exe, K0L4B0R451.exe, 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe, Kantuk.exe, GoldenGhost.exe, winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\Debugger = "cmd.exe /c del" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\Debugger = "cmd.exe /c del" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del" | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "notepad.exe" | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del" | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\Debugger = "cmd.exe /c del" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\Debugger = "cmd.exe /c del" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del" | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del" | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "cmd.exe /c del" | winlogon.exe
-
Executes dropped EXE (10 IoCs)
Processes: winlogon.exe, winlogon.exe, Kantuk.exe, 4K51K4.exe, K0L4B0R451.exe, GoldenGhost.exe, Kantuk.exe, 4K51K4.exe, K0L4B0R451.exe, GoldenGhost.exe
pid | process
2024 | winlogon.exe
2388 | winlogon.exe
964 | Kantuk.exe
268 | 4K51K4.exe
1756 | K0L4B0R451.exe
1744 | GoldenGhost.exe
2496 | Kantuk.exe
1900 | 4K51K4.exe
2488 | K0L4B0R451.exe
1764 | GoldenGhost.exe
-
Loads dropped DLL (20 IoCs)
Processes: 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe, winlogon.exe
pid | process
3032 | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
3032 | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
2024 | winlogon.exe
2024 | winlogon.exe
2024 | winlogon.exe
2024 | winlogon.exe
2024 | winlogon.exe
2024 | winlogon.exe
2024 | winlogon.exe
2024 | winlogon.exe
2024 | winlogon.exe
2024 | winlogon.exe
3032 | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
3032 | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
3032 | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
3032 | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
3032 | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
3032 | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
3032 | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
3032 | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
-
Modifies system executable filetype association (2 TTPs, 64 IoCs)
Processes: winlogon.exe, 4K51K4.exe, K0L4B0R451.exe, Kantuk.exe, GoldenGhost.exe, 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Kantuk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 4K51K4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | GoldenGhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | Kantuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | K0L4B0R451.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | K0L4B0R451.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File" | GoldenGhost.exe
-
Adds Run key to start application (2 TTPs, 12 IoCs)
Processes: 4K51K4.exe, K0L4B0R451.exe, GoldenGhost.exe, 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe, Kantuk.exe, winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | 4K51K4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | K0L4B0R451.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | GoldenGhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | Kantuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | Kantuk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | 4K51K4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | K0L4B0R451.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | GoldenGhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe" | winlogon.exe
-
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
File created C:\autorun.inf Kantuk.exe
File opened for modification C:\autorun.inf Kantuk.exe
-
Drops file in System32 directory 47 IoCs
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg" 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
-
Drops file in Windows directory 1 IoCs
Processes:
File created C:\Windows\K0L4B0R451.jpg 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 45 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
Processes:
268 4K51K4.exe
1744 GoldenGhost.exe
964 Kantuk.exe
1756 K0L4B0R451.exe
-
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
3032 36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
2024 winlogon.exe
2388 winlogon.exe
964 Kantuk.exe
268 4K51K4.exe
1756 K0L4B0R451.exe
1744 GoldenGhost.exe
2496 Kantuk.exe
1900 4K51K4.exe
2488 K0L4B0R451.exe
1764 GoldenGhost.exe
-
Suspicious use of WriteProcessMemory 40 IoCs
System policy modification 1 TTPs 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe (command line: C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe, tree level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe (command line: C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe, tree level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Kantuk.exe (command line: C:\Windows\system32\Kantuk.exe, tree level 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\4K51K4.exe (command line: C:\Windows\system32\4K51K4.exe, tree level 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\K0L4B0R451.exe (command line: C:\Windows\system32\K0L4B0R451.exe, tree level 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\GoldenGhost.exe (command line: C:\Windows\system32\GoldenGhost.exe, tree level 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\Kantuk.exe (command line: C:\Windows\system32\Kantuk.exe, tree level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\4K51K4.exe (command line: C:\Windows\system32\4K51K4.exe, tree level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\K0L4B0R451.exe (command line: C:\Windows\system32\K0L4B0R451.exe, tree level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\GoldenGhost.exe (command line: C:\Windows\system32\GoldenGhost.exe, tree level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Modify Registry (7)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
Downloads