140dd714a75b80950a61d473241b407aa71bebb408377be179d0fd775d60de76

Analysis

max time kernel
148s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Size

323KB
MD5

36659bafc1f622de686564d9de426d2a
SHA1

d21dede6834d6cf489b9271da92bc98d9e3e7212
SHA256

140dd714a75b80950a61d473241b407aa71bebb408377be179d0fd775d60de76
SHA512

020bc4047d99925fb7624e4c1857be610df577e63443b905befe9a6badf70f597da1925d64cdee7a136d59342ace17d59ad022b566c6048149ae8e3aaf159fd8
SSDEEP

6144:1BxeN/Tdx8YzL+4eBDgelLBL9C53TV5n+yNXavM:1Bxe9dx8Yz6nhtL9C53TV5n+4av

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\K0L4B0R451.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\K0L4B0R451.exe"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe

Disables RegEdit via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgnt.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "notepad.exe"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\Debugger = "cmd.exe /c del"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.exe\Debugger = "notepad.exe"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avgw.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\Debugger = "cmd.exe /c del"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\Debugger = "cmd.exe /c del"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe

Executes dropped EXE 10 IoCs

pid	Process
3940	winlogon.exe
1872	winlogon.exe
4456	Kantuk.exe
4724	4K51K4.exe
384	K0L4B0R451.exe
4616	GoldenGhost.exe
4080	Kantuk.exe
4748	4K51K4.exe
1348	K0L4B0R451.exe
3008	GoldenGhost.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	4K51K4.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Revenger = "C:\\Windows\\system32\\K0L4B0R451.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	GoldenGhost.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Kantuk.exe
File opened (read-only)	\??\B:	Kantuk.exe
File opened (read-only)	\??\J:	Kantuk.exe
File opened (read-only)	\??\R:	Kantuk.exe
File opened (read-only)	\??\V:	Kantuk.exe
File opened (read-only)	\??\W:	Kantuk.exe
File opened (read-only)	\??\G:	Kantuk.exe
File opened (read-only)	\??\O:	Kantuk.exe
File opened (read-only)	\??\S:	Kantuk.exe
File opened (read-only)	\??\P:	Kantuk.exe
File opened (read-only)	\??\Q:	Kantuk.exe
File opened (read-only)	\??\U:	Kantuk.exe
File opened (read-only)	\??\E:	Kantuk.exe
File opened (read-only)	\??\H:	Kantuk.exe
File opened (read-only)	\??\I:	Kantuk.exe
File opened (read-only)	\??\N:	Kantuk.exe
File opened (read-only)	\??\T:	Kantuk.exe
File opened (read-only)	\??\Y:	Kantuk.exe
File opened (read-only)	\??\Z:	Kantuk.exe
File opened (read-only)	\??\K:	Kantuk.exe
File opened (read-only)	\??\L:	Kantuk.exe
File opened (read-only)	\??\M:	Kantuk.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Kantuk.exe
File opened for modification	C:\autorun.inf	Kantuk.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\Word.ico	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\4K51K4.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shell32.com	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe.tmp	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Player.ico	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico	winlogon.exe
File created	C:\Windows\SysWOW64\Kantuk.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\K0L4B0R451.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe.tmp	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Asli.ico	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windows_3D.scr	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Player.ico	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\Rar.ico	winlogon.exe
File created	C:\Windows\SysWOW64\Asli.ico	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Rar.ico	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Word.ico	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Windows_3D.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\4K51K4.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GoldenGhost.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe.tmp	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\K0L4B0R451.exe.tmp	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Folder.ico	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Kantuk.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com.tmp	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\GoldenGhost.exe.tmp	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.com.tmp	winlogon.exe
File created	C:\Windows\SysWOW64\Folder.ico	winlogon.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\K0L4B0R451.jpg"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\K0L4B0R451.jpg	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	Kantuk.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s1159 = "K0L4B0R451"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s1159 = "K0L4B0R451"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s1159 = "K0L4B0R451"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\WallpaperStyle = "0"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s1159 = "K0L4B0R451"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s2359 = "K0L4B0R451"	K0L4B0R451.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s2359 = "K0L4B0R451"	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s1159 = "K0L4B0R451"	GoldenGhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s2359 = "K0L4B0R451"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Windows_3D.scr"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s1159 = "K0L4B0R451"	Kantuk.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\	GoldenGhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s2359 = "K0L4B0R451"	Kantuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\ScreenSaveTimeOut = "100"	4K51K4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s2359 = "K0L4B0R451"	4K51K4.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\	K0L4B0R451.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\Desktop\TileWallpaper = "0"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\s2359 = "K0L4B0R451"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit\Command	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe"	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\edit\command\ = "logoff.exe"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	GoldenGhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Install\command\ = "logoff.exe"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "K0L4B0R451 File"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Edit\Command	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install\command\ = "logoff.exe"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Kantuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Edit	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\Install	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "K0L4B0R451 File"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\shell\Install\command	K0L4B0R451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\NeverShowExt = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\4K51K4.exe\" \"%1\"%*"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\Shell\Edit\Command	4K51K4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe"	4K51K4.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4724	4K51K4.exe
4616	GoldenGhost.exe
4456	Kantuk.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
3940	winlogon.exe
1872	winlogon.exe
4456	Kantuk.exe
4724	4K51K4.exe
4616	GoldenGhost.exe
4080	Kantuk.exe
4748	4K51K4.exe
1348	K0L4B0R451.exe
3008	GoldenGhost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 3940	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	85
PID 372 wrote to memory of 3940	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	85
PID 372 wrote to memory of 3940	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	85
PID 3940 wrote to memory of 1872	3940	winlogon.exe	86
PID 3940 wrote to memory of 1872	3940	winlogon.exe	86
PID 3940 wrote to memory of 1872	3940	winlogon.exe	86
PID 3940 wrote to memory of 4456	3940	winlogon.exe	87
PID 3940 wrote to memory of 4456	3940	winlogon.exe	87
PID 3940 wrote to memory of 4456	3940	winlogon.exe	87
PID 3940 wrote to memory of 4724	3940	winlogon.exe	88
PID 3940 wrote to memory of 4724	3940	winlogon.exe	88
PID 3940 wrote to memory of 4724	3940	winlogon.exe	88
PID 3940 wrote to memory of 384	3940	winlogon.exe	89
PID 3940 wrote to memory of 384	3940	winlogon.exe	89
PID 3940 wrote to memory of 384	3940	winlogon.exe	89
PID 3940 wrote to memory of 4616	3940	winlogon.exe	90
PID 3940 wrote to memory of 4616	3940	winlogon.exe	90
PID 3940 wrote to memory of 4616	3940	winlogon.exe	90
PID 372 wrote to memory of 4080	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	91
PID 372 wrote to memory of 4080	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	91
PID 372 wrote to memory of 4080	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	91
PID 372 wrote to memory of 4748	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	92
PID 372 wrote to memory of 4748	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	92
PID 372 wrote to memory of 4748	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	92
PID 372 wrote to memory of 1348	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	93
PID 372 wrote to memory of 1348	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	93
PID 372 wrote to memory of 1348	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	93
PID 372 wrote to memory of 3008	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	94
PID 372 wrote to memory of 3008	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	94
PID 372 wrote to memory of 3008	372	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe	94

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	K0L4B0R451.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	4K51K4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	K0L4B0R451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Kantuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	GoldenGhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	GoldenGhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Kantuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	4K51K4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4K51K4.exe

C:\Users\Admin\AppData\Local\Temp\36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36659bafc1f622de686564d9de426d2a_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:372
- C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3940
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1872
- - C:\Windows\SysWOW64\Kantuk.exe
    C:\Windows\system32\Kantuk.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4456
- - C:\Windows\SysWOW64\4K51K4.exe
    C:\Windows\system32\4K51K4.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4724
- - C:\Windows\SysWOW64\K0L4B0R451.exe
    C:\Windows\system32\K0L4B0R451.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies registry class
    - System policy modification
    PID:384
- - C:\Windows\SysWOW64\GoldenGhost.exe
    C:\Windows\system32\GoldenGhost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4616
- C:\Windows\SysWOW64\Kantuk.exe
  C:\Windows\system32\Kantuk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4080
- C:\Windows\SysWOW64\4K51K4.exe
  C:\Windows\system32\4K51K4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4748
- C:\Windows\SysWOW64\K0L4B0R451.exe
  C:\Windows\system32\K0L4B0R451.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1348
- C:\Windows\SysWOW64\GoldenGhost.exe
  C:\Windows\system32\GoldenGhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Aut0exec.bat.tmp

Filesize
323KB

MD5
2ee749d1db733c151f93d2f036a44154

SHA1
b72070fcfda1ee067ae470de60046d0de5f2b245

SHA256
8a1e089fb14f7bd6adfb6a16aa919c3b74fff68f69b3dff910cc830e865d2967

SHA512
c6f0f29ecf98957c955ea5ae2675973ae19c52d6a6454e762635767c617e2c6e3d003285f2dfd3c256a9401f7ffda26fc89ace51223f1c0afe708efbd4039357

Download Submit
C:\Aut0exec.bat.tmp

Filesize
323KB

MD5
f5fd17e68908625be6b479c8605709a1

SHA1
e01d665414c9f3563fa9634b22a9e09a97914de9

SHA256
29eab43d8af3e97ac7c4c2373b9ebf9a17898ddd435f447aa01c68cc1a60d827

SHA512
20480d318629fcdd6357d0fd34e1906c582526dc355070d68324412d66d9b8818b730dec3c069de810969ea2df58d0775577b005b3fb931ffeed95c199b8e6f9

Download Submit
C:\Aut0exec.bat.tmp

Filesize
323KB

MD5
e48a6a32aab52d29963c2996cbead6ba

SHA1
4bc9756a7464cd1c549c1c1d03adf11d224c9347

SHA256
01d160e1370adf02806d7a60bd9640c67fa738f0b828927532e533f561f56c9a

SHA512
0ba577f178f1e579ea4f9008fc6c52a449a31ea72c5caab8a8452f547631d80930b385ae2f5684b212310cdf2738f411bea6db7a816c09eec18a3b8d46d85308

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

Filesize
323KB

MD5
a4203ca4f90a58eb53b295e1d5f8b8db

SHA1
626d97162331436b1d59f6f56d1c4726ad2c3dc9

SHA256
cbc1100758de592464b25ad00ea592b043d4cc296ae59c4d2bdb63002d0f4cae

SHA512
fd2b5d20c1ef2f1c865fc03fd13902eb375abc815d5c2891ac77ddc0d12ee139e35b1135463f23def3bcfb631890e6dba76dbf39d866641a6f7416f18f80cc8b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif

Filesize
323KB

MD5
41410939d6d23749c1ea047f11ecf40d

SHA1
e3ff716c7d05445fb9bb9f41873901baad067d33

SHA256
547cdfa23cf1814581053c7bb85d14319b16b534ee41d7503eb3e6f511bb0440

SHA512
e0a2fcb39358db8fcbcd6da20882370272cf5cd95c1edc34c8375ab8c7a8f264e144546e790a12df526d29b423023bc784ab510cd0174d192ac5557658b8ae51

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Empty.pif.tmp

Filesize
323KB

MD5
1d17f6684ccb1b01a9ed4253359a072a

SHA1
6eb9e1443cf99cc941f7f3b989b94d0d86f34ecd

SHA256
b28175c6f9fac6e18f070a2ee5a47c380c546c3ee925c62f30efb02c4dbe7781

SHA512
3f607fdb4ca27af875dad4dc03fbf84ef720be059916da8ca0535a898fc66f66daef60a54f0c628c65c77b502b513d1592e7b47898e0af676a05fb1187112215

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

Filesize
323KB

MD5
d974fba1c18f7f58241ce12de544dd6b

SHA1
21047214f4b85119e00c3ace0560171362b8a6a5

SHA256
92b7b50593a8f4ad5501c48dfbdf45170909e342b204624beaa6557b7fec1b66

SHA512
1623a49710bb0d69b712c3319f8c274189f2ed5db6121aef81a0a7e72f1d469ac6885c0bea1e742d2431200aa07e5870950c472a61fe0927fa0db3aa9122c58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr.tmp

Filesize
323KB

MD5
4ecb6d13b4410a3df3195fe234e5577a

SHA1
31b94dc22a3c767bf9ed269811a6c11a33827fae

SHA256
1fec7790a36e02db73d776a97b57b8cd464180f12e7e44ccdb23d564aeeb6349

SHA512
b941cf73e25d580cb51f928070437be04b08e023fa3b79b917318738d8248827d5ce08f561b6df6fccea6f08dcc21af56140a478957601f08e6873a88d0276da

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
433c57baa608728a1d4c418d3e8bc977

SHA1
f91ad67a74b2fe3c27d030a2b773698b01573777

SHA256
284ddde4f008eb92cb39ebb5af9baaa159bf4b989619b4b2bb465cd569c33d0b

SHA512
c305f032e85e6b829a19766cb78aef57570be49be0182e530c3db8a9e615a723d4b60ed6125a46b2eea1cf9cd04d10cf065465c052b582862f835be908c44b5b

Download Submit
C:\Windows\SysWOW64\4K51K4.exe

Filesize
323KB

MD5
aa0a5574434c3135f70934f2e74c9d27

SHA1
05b81df691b08f005dd8b7da7473ac6883b7352b

SHA256
32039ccdbec7ccc419767e99fcbfe2fb6c80c242fa53f7cbccd417681a9888cb

SHA512
97e688f4e3c8244c6d2280372a657a97fd5695c968e8694bff3c3d626c6647be3979489cbb299051ec8ebf5704ecb710e1a2507430760e6928620cb4685c273f

Download Submit
C:\Windows\SysWOW64\4K51K4.exe.tmp

Filesize
323KB

MD5
d37bfeff2f7cefd9fc9fdead07b5228c

SHA1
187ac30e1cfb264efce44479f1d1dcf28a85a352

SHA256
d55141464ddcc00ff06349c9120417731c36c96f88a05ec5a23d5541d05bb427

SHA512
96f0cc4d3084ec88fd110f91ea6f7f51d20cdfa137fee3536a1fd9910de28b712051760a1c23d5006700ea47b0e07715c5440c820517f527d675d36cf17b1929

Download Submit
C:\Windows\SysWOW64\4K51K4.exe.tmp

Filesize
323KB

MD5
1b88ffcd90f03d9ece39704559823665

SHA1
7d648e63d6e38a691b04ad0945ba62f7585416e4

SHA256
413bd39a108d3003fcc1a19b6ad43b91a1b6f531acef75be753962d307a17045

SHA512
577c45764eedf52f343e3182e59094b020f23788669b0d24492d29dcaf397cae6700f62ab72edde87e545fcbb2aa94f3c6e99816f8a9c9c15e22c4c8cd7227ea

Download Submit
C:\Windows\SysWOW64\4K51K4.exe.tmp

Filesize
323KB

MD5
63ec2239c327fdd6e456f2fe973b3bee

SHA1
ddf3fe28bc4dba7510615222051da1e8ed82869e

SHA256
af46bc3d2d3047971acb19d6cd607c1f5b1472841bd3f291b8ed58700703fc10

SHA512
640915f7b780f9a9a03390f39779a21cb515f4feb4120063072aaf373eb82f900a03f375d5be7f3d00660278d4d5edb9bfb7e780a93579b1cbf6995ce772fc00

Download Submit
C:\Windows\SysWOW64\Folder.ico

Filesize
7KB

MD5
d7f9d9553c172cba8825fa161e8e9851

SHA1
e45bdc6609d9d719e1cefa846f17d3d66332a3a0

SHA256
cd2e513851d519098acef16d191188ac2586d2174dfd1a84f4db7f41a6970086

SHA512
a03a806d9db86c0c4f6f8efc4b40008aa51f1625fc1c703a929bfa57a5caf962119b3c76044775af607d4ee1a8a671e1d0a2be66d19ee551717398f9ddc8ad24

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
772587f1d197498847ce90d06ef439d5

SHA1
b81a18c4a23ce4c32d21ededbaf6ce9f2ccfe960

SHA256
d24497ebcfb01abc5ac9e65d2ede7ba27dd4c8087b0097d2793e61e5779df4ae

SHA512
1215002e9d057797bf9592026d856dc76fda63e54a750281350aa0846a070b47bf463f5f2a178d209638eabd6dcc5a19d79966eff4377602c1de544aa76bf39b

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
be2d1deb40ff7c84717043635ae3e131

SHA1
f069b6ad10c8d88eb8177aff2ff83b0ed1b6d70b

SHA256
59eec4cfc78a39e28257eb61c2aa92d14d1197aeeb689fdbcd2803911c171082

SHA512
da9fe5130fe12f7998722b9cbaed7c03ccb72a337f7cc62d12a260ba66d53e603eac0db6140786aa6c3d436b1481272cc03cf06443c7bdc0828c4e95b9be79d2

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe

Filesize
323KB

MD5
36659bafc1f622de686564d9de426d2a

SHA1
d21dede6834d6cf489b9271da92bc98d9e3e7212

SHA256
140dd714a75b80950a61d473241b407aa71bebb408377be179d0fd775d60de76

SHA512
020bc4047d99925fb7624e4c1857be610df577e63443b905befe9a6badf70f597da1925d64cdee7a136d59342ace17d59ad022b566c6048149ae8e3aaf159fd8

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe.tmp

Filesize
323KB

MD5
edec18a0e72c109151e6912b0226331c

SHA1
ad71b3aad40c49365682dfa8baee7bf23269cab0

SHA256
3b11f61c67dfb123041901212677f22c128c1134d2dc7cd260c094c34b9efd92

SHA512
688e38b6d63c39ed11014a9b9712cb35c51732f710f1666705a28f2dd10f0a7a5b944cdba1725f0e1bfe0ba8fcb4fcdcc85deb9f0523ea964257e26ea314af4a

Download Submit
C:\Windows\SysWOW64\GoldenGhost.exe.tmp

Filesize
323KB

MD5
3c1abd922c92e39107fa08ffd15d516c

SHA1
74b624cf7841340b84f69140a941048477532055

SHA256
d1898c4a6103ae30318f60dbef39cc041d8f0eef52d751be2a01c5f4c26420ea

SHA512
b9a0bf4d7621ae12ed6f37f10c2b37026a953baa9b50fa89c54a781cd741212172f524d28277feb49db7bbb0c1054c47cab9a4230c6f9e6e1b14c9a06e7d5498

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

Filesize
323KB

MD5
d3ad0ea2f0d0b277fb4b8ee7bd21de90

SHA1
7c4b0c0409ad34b7647f34d83a15da343d617d15

SHA256
7d48f4ef805bceeacd172460fee2dec0c9f3860f96080d268882ced9de988e53

SHA512
c61101af250b2f276d8e0d8a61c264f1b42c0baf986cfb460c5513de0605e8589b8daa0efef923a492c7894fb313539328830c41600c605723af7b97830faba0

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

Filesize
323KB

MD5
52c329f921dbf8daf37457f555d483f9

SHA1
320a9abb1ddb850c8efb173caede24cc61a630a5

SHA256
63c1eadc2cb57d5beddfdbd1bb1782569aff3565d7bf955abc2217b52c64f09d

SHA512
eee62ce9c7fab6897c994c19c5c4606e4e31ca9bd1edb97da21b93f0e4c950848bee5db13cb421f031668a53dabaf78a8967ba231799e9e43b15a2373077a253

Download Submit
C:\Windows\SysWOW64\K0L4B0R451.exe.tmp

Filesize
323KB

MD5
82a83e1d066d788a4825093d1f31ab05

SHA1
eb6d98e93b3d36792f961d07e3b153dc86030fc9

SHA256
50f3cb4c58e574c93068e1232cad6eaffe6fc0d1bf2d9430dc58933129ee1ac7

SHA512
d516592bec50fdd009b90757d554339a3454e5e9915ff083074ea6fa09b7b584fd386d1416ec902a72069d6b5599aeaf7a5a583f8de66878d1591783860b55eb

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
5a7457f6470a9935bb780c6d9badf6e0

SHA1
6899bb3e7a6350438c3b93cbd6c554391c31d05a

SHA256
bfadcf8c9faf6c8a9c64e06d7d966480f9d7727d7ae51607b998f2820fbd9308

SHA512
e6bef934db9f1fd6e0e34ec14637e3ce8464a878bbcb9b8978d25fca3aa4969c3f352287b3901dbb8dacefae0c78ea63c16466b25dd3dcc6adc8242562652811

Download Submit
C:\Windows\SysWOW64\Kantuk.exe

Filesize
323KB

MD5
ac0985194caa0e52e4d52515176fb3c9

SHA1
22fb1c07fbe1cedba8c2dbb519e014dd5484ba72

SHA256
dece85809f79df184044d41db17926ca7086c3d255d1f77a366c0e9506161366

SHA512
05a82b88a6755748f17eafcd415f6e4ef4d34e119cd5f3215ff0dc717e16bfe32d46a5fa53dc8bb35315f276295c9a963bf47bb89b6f8381572cb38ac2ad5a8e

Download Submit
C:\Windows\SysWOW64\Kantuk.exe.tmp

Filesize
323KB

MD5
0e707eb9238f48e0acd8184dc92bc50e

SHA1
e2bd353eaa6107bb76840f0af57c05b13f825120

SHA256
d1c8908e694e3b74f322ce3cd1f6a0c75703a5291074f892f716661a77cac7d9

SHA512
502c3532566a2c8476730a5969cb6eb2c1d0167485743e2fc5b8a06619fff81a35f1ba01b712eae09c2d73083ddfb526cdf0370dc9a48da7d814bfce3a8b5d7f

Download Submit
C:\Windows\SysWOW64\Kantuk.exe.tmp

Filesize
323KB

MD5
4a16b057f7e401b7830fd5a1c3758e8b

SHA1
f0437544514dd7f396476635ebcd82760ef65138

SHA256
1584366645baacde9495ae1463687f817062417c12b47640c58f9feb8f088be5

SHA512
b79afcbd41c192a7315552f2feaaeb4738a9f3b520b27e95665500859d074c6eb618ad90f21c373a7b8fb4209b6bd06eacc0c11bb3766d13554c4e897f94a07b

Download Submit
C:\Windows\SysWOW64\Kantuk.exe.tmp

Filesize
323KB

MD5
bb08da9635c9dfbbfa8cd808c598711c

SHA1
1f9b14bb06fa5e1cf56ece6e427c880fba9416d2

SHA256
e54fc1761efddb1dd12eb77e2fce191308752fd389fef588d2b497118e53bfb7

SHA512
8c3b6b48b1be9bb9d1618f220e9cf6950acf0267ae8fff29c8de4abf3206be8d22142f3fbab7c77ae32a377d69ff5161a227435537e64dcbd18e450ad64313ab

Download Submit
C:\Windows\SysWOW64\Player.ico

Filesize
2KB

MD5
43be35d4fb3ebc6ca0970f05365440e3

SHA1
87bc28e5d9a6ab0c79a07118ca578726ce61b1bc

SHA256
5a15c1aab77f132e7ce5928996919ed66564c6082a7f94d0a42229c480113fc5

SHA512
b2e24ff3702805d2ff8ecf3ddde8a8e6258965f992f37104c2ed9b763e1448ab32c7609a607e1d90cfba281e7add1e839855656d6453433a42c0d6c8923c9395

Download Submit
C:\Windows\SysWOW64\Shell32.com.tmp

Filesize
323KB

MD5
cf614558e5fc1b074f964897f5590b34

SHA1
49379dfb847024e67d4a6e4e5ccff0e87c45bc41

SHA256
9bf677465bf01fc11300a71272441b7a47748c490c2bf690fca684995fea1cd2

SHA512
22a1928a9059362e89966a6b88a9fc96750d0758d081fc617dd4ca80a7c829316844ec733bbdc502d4ae90b3d7fd4f9dcac7f4c627be13d1a1b4759f4d94a0fd

Download Submit
C:\Windows\SysWOW64\Shell32.com.tmp

Filesize
323KB

MD5
b76788384d85e99dd5c63d9c1b602809

SHA1
42b4e49ce68bccfb2a465788769404b7e1b8c674

SHA256
5b7222cb8e2edf8c50c66b0d94f9e267c273acf9034978394e0810318ce22753

SHA512
3515b79bd3959774312ee27141f3cca63c4d6d2bb4788e758795a6809f84fe66ebbe4396dbb17900031b8339a9142865ff72244578c1d0f65a999b9359f6d77a

Download Submit
C:\Windows\SysWOW64\Shell32.com.tmp

Filesize
323KB

MD5
666e2252ac302180682c3fa85e509c4e

SHA1
a8795b41b2736325ae93e7807a25be5c142d3da8

SHA256
b8fafcd4fc6a53afb83340a6246d1896346096a219fc16568375f58f1b4679a8

SHA512
26aa4d373f0967e1241c6fa36095e8269ded11b208d70ca324956b08aad2e2590ed9cc95b61262c0545008fd8861a0dfdcf8aca7d9b8daf4fe4b74bf52ee2ca1

Download Submit
C:\Windows\SysWOW64\Word.ico

Filesize
3KB

MD5
8482935ff2fab6025b44b5a23c750480

SHA1
d770c46d210c0fd302fa035a6054f5ac19f3bd13

SHA256
dcbcdce04483e9d2d8a5d7779b18b7f64cfc06e758b07f671493e38dfb9ab33c

SHA512
00c711d815815a88fc15f73c8cba6a81b2bfc505baff2cc67b456545151fe896029f11127e447c9bbc5a2d5dc561a06a52be9a9f9c0d28e98ea4e174cdd54398

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\JPG.ico

Filesize
2KB

MD5
62b7610403ea3ac4776df9eb93bf4ba4

SHA1
b4a6cd17516f8fba679f15eda654928dc44dc502

SHA256
b0fd7ffb4c8f0e4566658a7284ca0652961648aaab44a53c5b9713664b122c29

SHA512
fa1995a21ffe073a15fa00a3a8717492b0a67f3615abe4c7e6bce054bb23cf545e10e21cfe3625b665c8bb199577815dbeccc7c6107cdb49f673b8d53f23888d

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

Filesize
323KB

MD5
2a33431cc320a1f4439efcb05b2688f8

SHA1
ad9e921d7facd3cfa2c9caabe57f25701e11a5dd

SHA256
cfe501958aa0e02118c9384c582011e76754738a663cc4326e548296a7d58df4

SHA512
8ce1ce3d0e67b44059e7735ae86ebe294436a8bc53c5fa15fcb16d484a565ad81ad96a4480de08abc7721598dbcb484a6e7460e3e04c4aef9c5190c520c19deb

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe.tmp

Filesize
323KB

MD5
f825cde86841ec3b4d633316bba80c55

SHA1
17b3b5f33f0aff9f1fc29ee89093883c70293263

SHA256
086ea177d5764d445d2b5246b59b132c2209d839be797c1368e2d70571dde888

SHA512
be5bd0a30cc3fb6615a26c77bbb0d497ab72ec98e66c889d43c72b3d03ae2c3e9226ba72164266e3efbfdc2024fd40c361201a814fc1fe4687d05a08abee1ac4

Download Submit
memory/372-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1348-350-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3940-207-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4456-312-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4616-338-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4724-331-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads