Analysis
max time kernel: 149s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2024, 02:35

Static task: static1
Behavioral task: behavioral1
  Sample: 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe
  Resource: win10v2004-20240709-en

General
Target: 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe
Size: 26KB
MD5: 43f4a2878cadd6343b497ff2fb490856
SHA1: 7909df003d31fe602dcf02427221b6a3fcca2585
SHA256: f6040b4047094868e17be9428ea636efb9406f6526e2eb10a3f3917e48c96f6a
SHA512: 1742a70157a5872346acb2724ae9de324633f92cb7429061735587359ba01c7d3ab95b96fe6b8cd60f6a47192e1793c164769f63bcc8d56e3d5b732e21953a88
SSDEEP: 768:Chw2aHt0dcYsITFT2jqQKG/d4uH8Czb0OmSM:Ww2UF9IJs5f/d42zbgb
Malware Config
Signatures

Modifies security service (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | tdhleba.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | tdhleba.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tdhleba.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
All 64 IoCs are registry writes by tdhleba.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. Every Debugger value is set to the same dropped binary, "C:\\Program Files\\Common Files\\Microsoft Shared\\tettaje.exe", so launching any of the named programs runs tettaje.exe instead.
- Key created (31 subkeys): Navapw32.exe, KAVSetup.exe, RegClean.exe, KWatchX.exe, ghost.exe, mmsk.exe, ccSvcHst.exe, KVSrvXP.exe, rfwcfg.exe, KWatch9x.exe, nod32krn.exe, kvolself.exe, FileDsty.exe, KMFilter.exe, UIHost.exe, UmxAttachment.exe, QHSET.exe, WoptiClean.exe, KAVPF.exe, PFWLiveUpdate.exe, TrojDie.kxp, QQDoctor.exe, RavTask.exe, 360tray.exe, KAVStart.exe, ArSwp.exe, kabaload.exe, mcconsol.exe, UmxPol.exe, nod32kui.exe, EGHOST.exe
- Set value (str) <subkey>\Debugger = "C:\\Program Files\\Common Files\\Microsoft Shared\\tettaje.exe" (33 subkeys): UmxPol.exe, KaScrScn.SCR, KMailMon.exe, Iparmor.exe, isPwdSvc.exe, TrojDie.kxp, KAVPF.exe, mmqczj.exe, KAVSetup.exe, shcfg32.exe, KPfwSvc.exe, ccSvcHst.exe, KAVPFW.exe, kvupload.exe, nod32.exe, AST.exe, KVCenter.kxp, RavStub.exe, Rsaupd.exe, KASTask.exe, KvXP.kxp, vsstat.exe, KISLnchr.exe, kvwsc.exe, PFW.exe, Rav.exe, autoruns.exe, webscanx.exe, AvMonitor.exe, KvXP_1.kxp, QQSC.exe, SREng.EXE, WoptiClean.exe
Executes dropped EXE (2 IoCs)
pid | Process
- 3844 | tdhleba.exe
- 3164 | tettaje.exe
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z: (21 drive letters) | tdhleba.exe
- File opened (read-only) | the same 21 drive letters, \??\e: and \??\g: through \??\z: | tettaje.exe
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
- File opened for modification | \??\c:\autorun.inf | tdhleba.exe
- File created | \??\c:\autorun.inf | tdhleba.exe
- File opened for modification | \??\f:\autorun.inf | tdhleba.exe
- File created | \??\f:\autorun.inf | tdhleba.exe
Drops file in Program Files directory (21 IoCs)
description | ioc | Process
- File created | C:\Program Files\Common Files\System\nkedjdo.inf | tdhleba.exe
- File opened for modification | C:\Program Files\Common Files\Microsoft Shared\nkedjdo.inf | tettaje.exe
- File opened for modification | C:\Program Files\Common Files\System\tdhleba.exe | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe
- File opened for modification | C:\Program Files\Common Files\Microsoft Shared\tettaje.exe | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe
- File created | C:\Program Files\Common Files\System\tdhleba.exe | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe
- File created | C:\Program Files\1.hiv | tdhleba.exe
- File created | C:\Program Files\2.hiv | tdhleba.exe
- File opened for modification | C:\Program Files\meex.exe | tettaje.exe
- File created | C:\Program Files\Common Files\Microsoft Shared\tettaje.exe | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe
- File opened for modification | C:\Program Files\Common Files\System\tdhleba.exe | tdhleba.exe
- File opened for modification | C:\Program Files\Common Files\Microsoft Shared | tdhleba.exe
- File opened for modification | C:\Program Files\Common Files\Microsoft Shared\tettaje.exe | tettaje.exe
- File created | C:\Program Files\Common Files\Microsoft Shared\nkedjdo.inf | tettaje.exe
- File created | C:\Program Files\3.hiv | tettaje.exe
- File opened for modification | C:\Program Files\Common Files\System | tdhleba.exe
- File opened for modification | C:\Program Files\Common Files\Microsoft Shared\tettaje.exe | tdhleba.exe
- File opened for modification | C:\Program Files\Common Files\System\tdhleba.exe | tettaje.exe
- File opened for modification | C:\Program Files\Common Files\System\nkedjdo.inf | tdhleba.exe
- File opened for modification | C:\Program Files\dld.dat | tdhleba.exe
- File created | C:\Program Files\meex.exe | tettaje.exe
- File created | C:\Program Files\4.hiv | tettaje.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 3844 | tdhleba.exe (2 events)
- 3164 | tettaje.exe (62 events)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
- Token: SeBackupPrivilege | 3844 | tdhleba.exe
- Token: SeRestorePrivilege | 3844 | tdhleba.exe
- Token: SeBackupPrivilege | 3844 | tdhleba.exe
- Token: SeRestorePrivilege | 3844 | tdhleba.exe
- Token: SeBackupPrivilege | 3164 | tettaje.exe
- Token: SeRestorePrivilege | 3164 | tettaje.exe
- Token: SeBackupPrivilege | 3164 | tettaje.exe
- Token: SeRestorePrivilege | 3164 | tettaje.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
- 3844 | tdhleba.exe (32 events)
- 3164 | tettaje.exe (32 events, alternating with the tdhleba.exe events)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
Each row except the last is recorded three times, for 64 entries in total.
- PID 3060 wrote to memory of 3844 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 84 (x3)
- PID 3060 wrote to memory of 3164 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 86 (x3)
- PID 3060 wrote to memory of 3264 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 87 (x3)
- PID 3060 wrote to memory of 1440 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 88 (x3)
- PID 3844 wrote to memory of 4752 | 3844 | tdhleba.exe | 89 (x3)
- PID 3060 wrote to memory of 3772 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 90 (x3)
- PID 3060 wrote to memory of 3312 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 91 (x3)
- PID 3060 wrote to memory of 1112 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 92 (x3)
- PID 3060 wrote to memory of 3940 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 93 (x3)
- PID 3060 wrote to memory of 3088 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 94 (x3)
- PID 3060 wrote to memory of 1144 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 95 (x3)
- PID 3060 wrote to memory of 3400 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 96 (x3)
- PID 3060 wrote to memory of 3428 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 97 (x3)
- PID 3060 wrote to memory of 4440 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 98 (x3)
- PID 3060 wrote to memory of 2976 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 99 (x3)
- PID 3060 wrote to memory of 4368 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 100 (x3)
- PID 3060 wrote to memory of 2872 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 101 (x3)
- PID 3060 wrote to memory of 824 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 102 (x3)
- PID 3060 wrote to memory of 2028 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 103 (x3)
- PID 3060 wrote to memory of 1812 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 104 (x3)
- PID 3060 wrote to memory of 2608 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 105 (x3)
- PID 3060 wrote to memory of 1412 | 3060 | 43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe | 106 (x1)
System policy modification (1 TTPs, 1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "145" | tdhleba.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe (PID 3060)
  command line: "C:\Users\Admin\AppData\Local\Temp\43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\System\tdhleba.exe (PID 3844)
    command line: "C:\Program Files\Common Files\System\tdhleba.exe"
    - Modifies security service
    - Modifies visibility of hidden/system files in Explorer
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\cmd.exe (PID 4752)
      command line: cmd /c echo Y| cacls C:\Program Files\dld.dat /t /g everyone:F
      - C:\Windows\SysWOW64\cmd.exe (PID 4552)
        command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe (PID 4420)
        command line: cacls C:\Program Files\dld.dat /t /g everyone:F
  - C:\Program Files\Common Files\Microsoft Shared\tettaje.exe (PID 3164)
    command line: "C:\Program Files\Common Files\Microsoft Shared\tettaje.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\cmd.exe (PID 3396)
      command line: cmd /c echo Y| cacls C:\Program Files\meex.exe /t /g everyone:F
      - C:\Windows\SysWOW64\cmd.exe (PID 4128)
        command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe (PID 4916)
        command line: cacls C:\Program Files\meex.exe /t /g everyone:F
  - C:\Windows\SysWOW64\cmd.exe, 24 instances (PIDs 3264, 1440, 3772, 3312, 1112, 3940, 3088, 1144, 3400, 3428, 4440, 2976, 4368, 2872, 824, 2028, 1812, 2608, 1412, 2060, 1644, 2464, 1116, 2968)
    command line (identical for each instance): C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\43f4a2878cadd6343b497ff2fb490856_JaffaCakes118.exe"
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (3)
Downloads
- Filesize: 169B
  MD5: a54b00618165462a8efb329fed687faa
  SHA1: 11aeca130e833935fe7efdb8403433eb271cc4f8
  SHA256: ee4862d6ebf8e622959c213db4513d043bb8fede1e376f908ae09f7bcf75e244
  SHA512: 72de05b116bd3c2d00393f1076942df1e328c257aceffd16aeda09841bf4e2f20a8fa0dcf1782512cb4bbe5781056ec8ee67ea95eb204d891013b6f2204271be
- Filesize: 26KB
  MD5: 43f4a2878cadd6343b497ff2fb490856
  SHA1: 7909df003d31fe602dcf02427221b6a3fcca2585
  SHA256: f6040b4047094868e17be9428ea636efb9406f6526e2eb10a3f3917e48c96f6a
  SHA512: 1742a70157a5872346acb2724ae9de324633f92cb7429061735587359ba01c7d3ab95b96fe6b8cd60f6a47192e1793c164769f63bcc8d56e3d5b732e21953a88