Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/07/2024, 14:37

Static task: static1

Behavioral task: behavioral1
  Sample: 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe
  Resource: win10v2004-20240709-en

General

Target: 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe
Size: 564KB
MD5: 78816ac27a0dff2f3eadec1458c74407
SHA1: 5953b3db33f79f88180b04a675034bedd5c2a5d7
SHA256: 0ce2fe6dc70c50750da09bff6c4293485b56f1b338d9827d80a24a927e10d460
SHA512: 691aa4ed3277261b19a94afd136f110fa82bfa0bf0f786765f6c6550fc3966aaba72ca13d13e7ceda30305ddc1460510219408fbbaf9732e6c948ea84b43c264
SSDEEP: 12288:vKr3QboC9qLGKgZKe4HYpHvcbTmddEWiS:vQ3QbiGL8LwHQWiS
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ejnnp.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | pniqiphbzxs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | pniqiphbzxs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | pniqiphbzxs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | pniqiphbzxs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | pniqiphbzxs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ejnnp.exe
Adds policy Run key to start application (2 TTPs, 29 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izpbphxqiyptuigtr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "cvnbrldyskdjmccrrtg.exe" | ejnnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgrevkctiybbolx.exe" | pniqiphbzxs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eztjbxrokezhmegxzdsnh.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgrevkctiybbolx.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "eztjbxrokezhmegxzdsnh.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjcridwsngahlcdtuxlf.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "pjcridwsngahlcdtuxlf.exe" | pniqiphbzxs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvnbrldyskdjmccrrtg.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "pjcridwsngahlcdtuxlf.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjcridwsngahlcdtuxlf.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjancvmgzqinpedrqr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "izpbphxqiyptuigtr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eztjbxrokezhmegxzdsnh.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "eztjbxrokezhmegxzdsnh.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjcridwsngahlcdtuxlf.exe" | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "rjancvmgzqinpedrqr.exe" | ejnnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "pjcridwsngahlcdtuxlf.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whrxfrboakv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgrevkctiybbolx.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "eztjbxrokezhmegxzdsnh.exe" | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "brgrevkctiybbolx.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "izpbphxqiyptuigtr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "rjancvmgzqinpedrqr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "brgrevkctiybbolx.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thudodqgviwxvg = "cvnbrldyskdjmccrrtg.exe" | ejnnp.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pniqiphbzxs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ejnnp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ejnnp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pniqiphbzxs.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | pniqiphbzxs.exe
Executes dropped EXE (4 IoCs)
pid | Process
4584 | pniqiphbzxs.exe
1612 | ejnnp.exe
3488 | ejnnp.exe
1984 | pniqiphbzxs.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | ejnnp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | ejnnp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | ejnnp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | ejnnp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | ejnnp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | ejnnp.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlzjvlzqgujlkws = "izpbphxqiyptuigtr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izpbphxqiyptuigtr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjancvmgzqinpedrqr.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\brgrevkctiybbolx = "cvnbrldyskdjmccrrtg.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjancvmgzqinpedrqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgrevkctiybbolx.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "rjancvmgzqinpedrqr.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\brgrevkctiybbolx = "cvnbrldyskdjmccrrtg.exe ." | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "pjcridwsngahlcdtuxlf.exe" | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgrevkctiybbolx.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\brgrevkctiybbolx = "cvnbrldyskdjmccrrtg.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\brgrevkctiybbolx = "izpbphxqiyptuigtr.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izpbphxqiyptuigtr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjcridwsngahlcdtuxlf.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "rjancvmgzqinpedrqr.exe" | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "rjancvmgzqinpedrqr.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjancvmgzqinpedrqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvnbrldyskdjmccrrtg.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "pjcridwsngahlcdtuxlf.exe" | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\brgrevkctiybbolx = "pjcridwsngahlcdtuxlf.exe ." | pniqiphbzxs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjcridwsngahlcdtuxlf.exe" | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlzjvlzqgujlkws = "rjancvmgzqinpedrqr.exe" | pniqiphbzxs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\brgrevkctiybbolx = "izpbphxqiyptuigtr.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlzjvlzqgujlkws = "rjancvmgzqinpedrqr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "pjcridwsngahlcdtuxlf.exe" | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izpbphxqiyptuigtr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izpbphxqiyptuigtr.exe ." | pniqiphbzxs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvnbrldyskdjmccrrtg.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjcridwsngahlcdtuxlf.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlzjvlzqgujlkws = "rjancvmgzqinpedrqr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjancvmgzqinpedrqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjcridwsngahlcdtuxlf.exe" | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvnbrldyskdjmccrrtg.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjancvmgzqinpedrqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izpbphxqiyptuigtr.exe" | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjancvmgzqinpedrqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izpbphxqiyptuigtr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "cvnbrldyskdjmccrrtg.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "brgrevkctiybbolx.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjancvmgzqinpedrqr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eztjbxrokezhmegxzdsnh.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\brgrevkctiybbolx = "brgrevkctiybbolx.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjancvmgzqinpedrqr.exe ." | pniqiphbzxs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlzjvlzqgujlkws = "brgrevkctiybbolx.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izpbphxqiyptuigtr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjancvmgzqinpedrqr.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjancvmgzqinpedrqr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjancvmgzqinpedrqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izpbphxqiyptuigtr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "cvnbrldyskdjmccrrtg.exe" | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvnbrldyskdjmccrrtg.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlzjvlzqgujlkws = "brgrevkctiybbolx.exe" | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "brgrevkctiybbolx.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "cvnbrldyskdjmccrrtg.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\brgrevkctiybbolx = "eztjbxrokezhmegxzdsnh.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "rjancvmgzqinpedrqr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izpbphxqiyptuigtr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eztjbxrokezhmegxzdsnh.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjancvmgzqinpedrqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjcridwsngahlcdtuxlf.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\izpbphxqiyptuigtr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjcridwsngahlcdtuxlf.exe ." | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "brgrevkctiybbolx.exe ." | pniqiphbzxs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\brgrevkctiybbolx = "eztjbxrokezhmegxzdsnh.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjancvmgzqinpedrqr.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\izpbphxqiyptuigtr.exe" | pniqiphbzxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjancvmgzqinpedrqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rjancvmgzqinpedrqr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlzjvlzqgujlkws = "eztjbxrokezhmegxzdsnh.exe" | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgrevkctiybbolx.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "izpbphxqiyptuigtr.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "eztjbxrokezhmegxzdsnh.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rjancvmgzqinpedrqr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvnbrldyskdjmccrrtg.exe" | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\brgrevkctiybbolx = "rjancvmgzqinpedrqr.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjcridwsngahlcdtuxlf.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "izpbphxqiyptuigtr.exe" | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfrzjxjymylli = "izpbphxqiyptuigtr.exe ." | ejnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfqxgtesfqcb = "eztjbxrokezhmegxzdsnh.exe" | ejnnp.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | pniqiphbzxs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | pniqiphbzxs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ejnnp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ejnnp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | pniqiphbzxs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | pniqiphbzxs.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | pniqiphbzxs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ejnnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ejnnp.exe
Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
27 | www.showmyipaddress.com
29 | whatismyip.everdot.org
31 | whatismyipaddress.com
36 | www.whatismyip.ca
37 | whatismyip.everdot.org
46 | whatismyip.everdot.org
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | ejnnp.exe
File created | C:\autorun.inf | ejnnp.exe
File opened for modification | F:\autorun.inf | ejnnp.exe
File created | F:\autorun.inf | ejnnp.exe
Drops file in System32 directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\vrmdwtomjeajpildglbxsj.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\vrmdwtomjeajpildglbxsj.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\izpbphxqiyptuigtr.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\ffezwxwyzyylvszvclffez.xwy | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\whrxfrboakvtowovnhmxhnvhreqaljeme.dxc | ejnnp.exe
File created | C:\Windows\SysWOW64\whrxfrboakvtowovnhmxhnvhreqaljeme.dxc | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\cvnbrldyskdjmccrrtg.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\pjcridwsngahlcdtuxlf.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\cvnbrldyskdjmccrrtg.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\rjancvmgzqinpedrqr.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\cvnbrldyskdjmccrrtg.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\eztjbxrokezhmegxzdsnh.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\izpbphxqiyptuigtr.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\rjancvmgzqinpedrqr.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\izpbphxqiyptuigtr.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\eztjbxrokezhmegxzdsnh.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\brgrevkctiybbolx.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\izpbphxqiyptuigtr.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\eztjbxrokezhmegxzdsnh.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\vrmdwtomjeajpildglbxsj.exe | ejnnp.exe
File created | C:\Windows\SysWOW64\ffezwxwyzyylvszvclffez.xwy | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\rjancvmgzqinpedrqr.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\rjancvmgzqinpedrqr.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\vrmdwtomjeajpildglbxsj.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\brgrevkctiybbolx.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\brgrevkctiybbolx.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\pjcridwsngahlcdtuxlf.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\brgrevkctiybbolx.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\cvnbrldyskdjmccrrtg.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\pjcridwsngahlcdtuxlf.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\SysWOW64\eztjbxrokezhmegxzdsnh.exe | ejnnp.exe
File opened for modification | C:\Windows\SysWOW64\pjcridwsngahlcdtuxlf.exe | ejnnp.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\ffezwxwyzyylvszvclffez.xwy | ejnnp.exe
File created | C:\Program Files (x86)\ffezwxwyzyylvszvclffez.xwy | ejnnp.exe
File opened for modification | C:\Program Files (x86)\whrxfrboakvtowovnhmxhnvhreqaljeme.dxc | ejnnp.exe
File created | C:\Program Files (x86)\whrxfrboakvtowovnhmxhnvhreqaljeme.dxc | ejnnp.exe
Drops file in Windows directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\pjcridwsngahlcdtuxlf.exe | ejnnp.exe
File opened for modification | C:\Windows\vrmdwtomjeajpildglbxsj.exe | ejnnp.exe
File opened for modification | C:\Windows\cvnbrldyskdjmccrrtg.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\cvnbrldyskdjmccrrtg.exe | ejnnp.exe
File opened for modification | C:\Windows\pjcridwsngahlcdtuxlf.exe | ejnnp.exe
File opened for modification | C:\Windows\brgrevkctiybbolx.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\izpbphxqiyptuigtr.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\vrmdwtomjeajpildglbxsj.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\brgrevkctiybbolx.exe | ejnnp.exe
File opened for modification | C:\Windows\rjancvmgzqinpedrqr.exe | ejnnp.exe
File created | C:\Windows\ffezwxwyzyylvszvclffez.xwy | ejnnp.exe
File opened for modification | C:\Windows\whrxfrboakvtowovnhmxhnvhreqaljeme.dxc | ejnnp.exe
File opened for modification | C:\Windows\rjancvmgzqinpedrqr.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\eztjbxrokezhmegxzdsnh.exe | ejnnp.exe
File opened for modification | C:\Windows\eztjbxrokezhmegxzdsnh.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\izpbphxqiyptuigtr.exe | ejnnp.exe
File opened for modification | C:\Windows\izpbphxqiyptuigtr.exe | ejnnp.exe
File opened for modification | C:\Windows\rjancvmgzqinpedrqr.exe | ejnnp.exe
File opened for modification | C:\Windows\eztjbxrokezhmegxzdsnh.exe | ejnnp.exe
File opened for modification | C:\Windows\ffezwxwyzyylvszvclffez.xwy | ejnnp.exe
File created | C:\Windows\whrxfrboakvtowovnhmxhnvhreqaljeme.dxc | ejnnp.exe
File opened for modification | C:\Windows\cvnbrldyskdjmccrrtg.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\pjcridwsngahlcdtuxlf.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\brgrevkctiybbolx.exe | ejnnp.exe
File opened for modification | C:\Windows\vrmdwtomjeajpildglbxsj.exe | ejnnp.exe
File opened for modification | C:\Windows\izpbphxqiyptuigtr.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\vrmdwtomjeajpildglbxsj.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\brgrevkctiybbolx.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\eztjbxrokezhmegxzdsnh.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\rjancvmgzqinpedrqr.exe | pniqiphbzxs.exe
File opened for modification | C:\Windows\cvnbrldyskdjmccrrtg.exe | ejnnp.exe
File opened for modification | C:\Windows\pjcridwsngahlcdtuxlf.exe | pniqiphbzxs.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pniqiphbzxs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ejnnp.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4920 | 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe (12 consecutive entries)
1612 | ejnnp.exe (2 consecutive entries)
4920 | 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe (24 consecutive entries)
1612 | ejnnp.exe (2 consecutive entries)
4920 | 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe (24 consecutive entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1612 ejnnp.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target (each pair is recorded three times)
PID 4920 wrote to memory of 4584 4920 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe 87
PID 4584 wrote to memory of 1612 4584 pniqiphbzxs.exe 90
PID 4584 wrote to memory of 3488 4584 pniqiphbzxs.exe 91
PID 4920 wrote to memory of 1984 4920 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe 109
-
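The lineage drawn in the Processes section can be rebuilt from these "wrote to memory of" IoCs. The script below is an added example written for this page, not code from the sandbox or from the sample: its input lines are copied from the raw WriteProcessMemory section (where every parent/child pair appears three times), and KNOWN_IMAGES is filled in by hand from the Processes section because the IoC lines only name the writing process, never the target.

```python
"""Rebuild the process tree from Triage "wrote to memory of" IoCs.

Added example by the editor, not code from the sandbox or the sample.
SAMPLE_LINES are copied from the "Suspicious use of WriteProcessMemory"
section of this report, where every parent/child pair is recorded three
times; KNOWN_IMAGES is taken from the report's Processes section.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed input: raw IoC lines as the report prints them.
SAMPLE_LINES = [
    "PID 4920 wrote to memory of 4584 4920 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe 87",
    "PID 4920 wrote to memory of 4584 4920 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe 87",
    "PID 4920 wrote to memory of 4584 4920 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe 87",
    "PID 4584 wrote to memory of 1612 4584 pniqiphbzxs.exe 90",
    "PID 4584 wrote to memory of 1612 4584 pniqiphbzxs.exe 90",
    "PID 4584 wrote to memory of 3488 4584 pniqiphbzxs.exe 91",
    "PID 4920 wrote to memory of 1984 4920 78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe 109",
]

# PID -> image for processes that only ever appear as targets (from the Processes section).
KNOWN_IMAGES = {1612: "ejnnp.exe", 3488: "ejnnp.exe", 1984: "pniqiphbzxs.exe"}

# "PID <writer> wrote to memory of <target> <writer again> <writer image> <triage target id>"
_EDGE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)


class Edge(NamedTuple):
    parent: int
    child: int
    parent_image: str
    target_id: int  # Triage's own id for the target process (the trailing number)


def parse_edge(line: str) -> Optional[Edge]:
    """One IoC line -> Edge, or None if it is malformed."""
    m = _EDGE_RE.match(line.strip())
    # The pid column repeats the writer; a mismatch means the line is not what we expect.
    if not m or m["src"] != m["pid"]:
        return None
    return Edge(int(m["src"]), int(m["dst"]), m["image"], int(m["target"]))


def unique_edges(lines) -> List[Edge]:
    """Parse and de-duplicate, preserving first-seen order."""
    seen, edges = set(), []
    for line in lines:
        e = parse_edge(line)
        if e is not None and e not in seen:
            seen.add(e)
            edges.append(e)
    return edges


def build_tree(edges) -> Dict[int, List[int]]:
    """parent PID -> child PIDs, in the order the writes were recorded."""
    children = defaultdict(list)
    for e in edges:
        children[e.parent].append(e.child)
    return dict(children)


def roots(edges) -> List[int]:
    """PIDs that wrote to others but were never written to: the top of the tree."""
    return sorted({e.parent for e in edges} - {e.child for e in edges})


def render(edges, known=KNOWN_IMAGES) -> List[str]:
    """Indented text tree, two spaces per level, like the Processes section."""
    tree = build_tree(edges)
    names = dict(known)
    names.update({e.parent: e.parent_image for e in edges})
    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        out.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    for r in roots(edges):
        walk(r, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render(unique_edges(SAMPLE_LINES))))
```

Run stand-alone it prints the five-process tree (4920 at the root, 4584 and 1984 beneath it, 1612 and 3488 beneath 4584), which is exactly the nesting the Processes section shows; any pair whose writer column does not match its PID column is dropped rather than guessed at.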
System policy modification 1 TTPs 38 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System pniqiphbzxs.exe (x2), ejnnp.exe (x2)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer pniqiphbzxs.exe (x1), ejnnp.exe (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" pniqiphbzxs.exe (x2), ejnnp.exe (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" pniqiphbzxs.exe (x1), ejnnp.exe (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" pniqiphbzxs.exe (x1), ejnnp.exe (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" pniqiphbzxs.exe (x1), ejnnp.exe (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" pniqiphbzxs.exe (x1), ejnnp.exe (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" pniqiphbzxs.exe (x1), ejnnp.exe (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" pniqiphbzxs.exe (x1), ejnnp.exe (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" pniqiphbzxs.exe (x1), ejnnp.exe (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" pniqiphbzxs.exe (x1), ejnnp.exe (x2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" pniqiphbzxs.exe (x1), ejnnp.exe (x2)
Read together, these writes switch UAC off rather than bypass it: EnableLUA = 0 disables UAC entirely once the host reboots, ConsentPromptBehaviorAdmin = 0 lets administrators elevate with no prompt at all, PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop, and EnableSecureUIAPaths = 0 allows UIAccess applications to run from non-secure locations. DisableRegistryTools = 1 blocks regedit for the interactive user, and NoDriveTypeAutoRun = 1 loosens the AutoRun policy from its 0x91 default, which matches the autorun.inf that the ejnnp.exe process drops. FilterAdministratorToken = 0 and ValidateAdminCodeSignatures = 0 are the stock Windows values, so those two writes change nothing on a default host. All of these keys sit under HKLM and are writable only by administrators, so the successful writes also show that the dropped chain was already running elevated in the sandbox.
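The value-by-value reading above is the kind of triage a responder repeats for every such report, so here it is as a script. This is an added example written for this page, not code from the sandbox or the sample: SAMPLE_LINES are IoC lines copied from the System policy modification section, and BASELINE is the editor's own table of Windows 10 default values and ATT&CK technique IDs, an assumption the report itself does not state.

```python
"""Parse Triage-style registry IoC lines and flag policy weakening.

Added example by the editor, not code from the sandbox or the sample.
SAMPLE_LINES are copied from the "System policy modification" section
of this report; BASELINE is the editor's own table of Windows 10
default values (an assumption, not something the report states).
"""
import re
from collections import defaultdict
from typing import NamedTuple, Optional, Union

# Constructed input: IoC lines as the report prints them, one write per line.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" pniqiphbzxs.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" pniqiphbzxs.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" pniqiphbzxs.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ejnnp.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ejnnp.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ejnnp.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ejnnp.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System pniqiphbzxs.exe',
]

# "<op> <kernel registry path>[ = "<value>"] <process image>"
_IOC_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<proc>\S+)$'
)

_HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


class Record(NamedTuple):
    op: str                            # "set" or "key"
    path: str                          # normalised, e.g. HKLM\SOFTWARE\...\EnableLUA
    value: Optional[Union[int, str]]   # None for "Key created"
    process: str


def normalize(path: str) -> str:
    """Map the kernel object path Triage prints onto the HKLM/HKU form."""
    upper = path.upper()
    for raw, hive in _HIVES:
        if upper.startswith(raw):
            return hive + path[len(raw):]
    return path


def parse_ioc(line: str) -> Optional[Record]:
    m = _IOC_RE.match(line.strip())
    if not m:
        return None
    value = m["value"]
    if m["vtype"] == "int" and value is not None:
        value = int(value, 0) if value.lower().startswith("0x") else int(value)
    op = "set" if m["op"].startswith("Set value") else "key"
    return Record(op, normalize(m["path"]), value, m["proc"])


_SYS = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"
_EXP = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\"

# Editor's assumption: Windows 10 default for each value the sample touches,
# the ATT&CK technique a deviation maps to, and what the deviation means.
BASELINE = {
    _SYS + "EnableLUA":                   (1,    "T1548.002", "UAC switched off entirely (after reboot)"),
    _SYS + "ConsentPromptBehaviorAdmin":  (5,    "T1548.002", "administrators elevate with no prompt"),
    _SYS + "ConsentPromptBehaviorUser":   (3,    "T1548.002", "standard-user elevation auto-denied, no credential prompt"),
    _SYS + "PromptOnSecureDesktop":       (1,    "T1548.002", "elevation prompts leave the secure desktop"),
    _SYS + "EnableSecureUIAPaths":        (1,    "T1548.002", "UIAccess apps allowed from non-secure paths"),
    _SYS + "EnableVirtualization":        (1,    "T1112",     "file/registry virtualization disabled"),
    _SYS + "FilterAdministratorToken":    (0,    "T1548.002", "built-in Administrator Admin Approval Mode"),
    _SYS + "ValidateAdminCodeSignatures": (0,    "T1548.002", "signature check on elevating executables"),
    _SYS + "DisableRegistryTools":        (0,    "T1562.001", "regedit blocked for the user"),
    _EXP + "NoDriveTypeAutoRun":          (0x91, "T1112",     "AutoRun policy loosened from the 0x91 default"),
}


class Finding(NamedTuple):
    process: str
    name: str
    observed: Union[int, str]
    expected: Union[int, str]
    technique: str
    note: str


def assess(records):
    """One Finding per write that moves a value away from the baseline.

    Writes that merely re-assert the default (FilterAdministratorToken=0,
    ValidateAdminCodeSignatures=0) are skipped: noisy, but not weakening.
    """
    findings = []
    for r in records:
        if r.op != "set" or r.path not in BASELINE:
            continue
        expected, technique, note = BASELINE[r.path]
        if r.value == expected:
            continue
        name = r.path.rsplit("\\", 1)[1]
        findings.append(Finding(r.process, name, r.value, expected, technique, note))
    return findings


def per_process(findings):
    """Which weakening values each process image wrote, sorted, de-duplicated."""
    by_proc = defaultdict(set)
    for f in findings:
        by_proc[f.process].add(f.name)
    return {p: sorted(v) for p, v in by_proc.items()}


if __name__ == "__main__":
    recs = [r for r in map(parse_ioc, SAMPLE_LINES) if r is not None]
    for f in assess(recs):
        print(f"{f.process:16} {f.name:28} {f.observed!s:>4} (default {f.expected!s:>3})  {f.technique}  {f.note}")
```

The split between "changed" and "re-asserted default" is the point: of the eight sample lines, five are real weakenings, two write the stock value, and one only creates a key, so a rule that alerts on any write under Policies\System would fire on three harmless lines here. To audit a live host the same BASELINE table is the thing to compare against, read from HKLM with whatever registry tooling the responder already uses.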
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\78816ac27a0dff2f3eadec1458c74407_JaffaCakes118.exe"
    PID: 4920
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\pniqiphbzxs.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\pniqiphbzxs.exe" "c:\users\admin\appdata\local\temp\78816ac27a0dff2f3eadec1458c74407_jaffacakes118.exe*"
        PID: 4584
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] C:\Users\Admin\AppData\Local\Temp\ejnnp.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\ejnnp.exe" "-C:\Users\Admin\AppData\Local\Temp\brgrevkctiybbolx.exe"
            PID: 1612
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Impair Defenses: Safe Mode Boot
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - System policy modification
        [3] C:\Users\Admin\AppData\Local\Temp\ejnnp.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\ejnnp.exe" "-C:\Users\Admin\AppData\Local\Temp\brgrevkctiybbolx.exe"
            PID: 3488
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
    [2] C:\Users\Admin\AppData\Local\Temp\pniqiphbzxs.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\pniqiphbzxs.exe" "c:\users\admin\appdata\local\temp\78816ac27a0dff2f3eadec1458c74407_jaffacakes118.exe"
        PID: 1984
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize 280B
MD5 1ad704ece371d682d864703045293b54
SHA1 2e726446b6be56a8acd8ab0804089fef18a0be8b
SHA256 f7468639b442ca0772fb244a1b10f02c90f0a1062a7c425bfd053a4946a04a0a
SHA512 d1b1d9231d7b273e4f15be2332925bcc8282a524356ab67280012e1e1c7fdb5256ff973d686b3f84f4c4a051b0e01f318eea3ea49678cc1806bbb90dd23f2e0a
-
Filesize 280B
MD5 c0b4a6bf8ef79a4f02dbcb2b947a93c8
SHA1 d3bfb3fe96502daf1e0733778cdb01fe6edfa2ef
SHA256 4224f1f887219cb92f54cfb0b44868c6233c8b7ec3e02a1d66fd4e57d8b95f0a
SHA512 23d2fac33ca93e0d03a6930df00aeb29094b309155c3a5d0e1dfe2a6a2375720a950d0e6d0cd3137aee7a4942558dfcc1f26d239de0ebac44f39052861f419d0
-
Filesize 280B
MD5 5696691f6bc6e1f223535092a2bf220c
SHA1 d2c82313fd50bff300feed37934e31e24f1ba734
SHA256 8dcf15b1c266295c03fc8488451c628245b5783d734390705a828f6b560cef63
SHA512 e92b374c7aad224fe91fef052a7952adca84316060917c6109866c584304099ef984c4d9b6314a3f41f74a36431d30e3b9e998742c37381492ea06f775477f14
-
Filesize 280B
MD5 e0da04d454b72403edff9a8909256c8c
SHA1 f0857f74dc504c09eda0fed0a9af9e13a7fb35c3
SHA256 82014bded90f05dc9dcad465db70ef1d40217d1b1d88505f6c0ce53ef4e01c0e
SHA512 d17eae24403bd7c9119938f8a05a344de471d2916f656182f398b98eb9b932fe71403404e47c3c499d63d777e20d3fcecda6cfd486e13718985929aa65a98b4b
-
Filesize 280B
MD5 eb2508e8f325992a827cf317e43b0a5a
SHA1 579ea75a5aa70af29afeb6886320426974ec0deb
SHA256 27fa8669c5bf87be4637198afce5f39daf13668af0876a3ce890051ca77d3a87
SHA512 4bb8caa0ba7efb306976a67ed942f39b881dfffff3cc3aea73bf8f56ae976022dcb32d9a4834fbe11e6c32e5b244a00e2a7735388ae9483f983bcda1630a47de
-
Filesize 280B
MD5 fd55719511c910d5151aeab7bccf063b
SHA1 0b82a266415a2745aaea413db34e35afb370f479
SHA256 c6fa6086310b6249d1b7d9991ca98dbf3ef53d51951760c5fcc179cf3fd600f8
SHA512 3d1719a2c68dbf14e1bc3d311a3ed9eb32d1ec98ad76894515d2fa6ceac9d01b357c03b0e62b601543f21748640cab5a5797633b1cc700270a1ed0b2f5dc46ad
-
Filesize 712KB
MD5 e9e538d8db272f48107ae764894a461e
SHA1 51341d1f87fb6967f55f2215e77c797915ac5655
SHA256 6a7c75b9909107a5bc16a5864e14b95109530162d0ecd32f0901752eb0eca52d
SHA512 5eaa7567cfba2da3e76b087cb0ce816f5fc232d5f561ac7bcdacb8affe2382528dd371f4091e1a77dead5060fd619ab0f42f037886e0a8b33fb5077a223bdc28
-
Filesize 320KB
MD5 08b16e4ac8ad754742cc30981da0eff3
SHA1 50dc22991a43f311028db1f5a17fc58f67572af0
SHA256 06e8fcb18084b90fc51132a00763162a53458fd980dae82dd304ba6ee1d3c954
SHA512 8eac805e0da0808d9d42addbc8471995a4d0514735f58ed5ded1a389750e19073309f6f0d4349085b2e46fedc30462b6571de05b8221d91ec0262d54ca386722
-
Filesize 280B
MD5 7de99e170c910e46d2c89c94dce298c9
SHA1 19306d1bdb4b145945a07a7420f1940e0c30f609
SHA256 eb2cd17cc25e948f5f30207f20fa1d032996acbca86b5bd29bf2068384a68778
SHA512 2d838c67b08d5cdcde7a6c7f28b8175d73d29931f96a71a6f2f96916eb6bba7e79e23b1096b04d5188682193a7450e74fc0cf542a6d498cb4ae34c03a05c06ca
-
Filesize 4KB
MD5 f3091f533a3ec4db479f1d17d0666697
SHA1 30e5b7919acc28780b9ce0180e1b72dd49961a76
SHA256 dc5ba63ef876dae12793a714715612f1c9cf016de54ffd9ccf4693e151cf6571
SHA512 b2885b3865909a46105b4a7b8aaad5f9b2ec35e28e7975ccf530e9fd7dc429b93944531238c17133a75acb9c1335d0e6b4e6f7e86e946215b476b65c07b3336f
-
Filesize 564KB (the submitted sample itself; hashes match the General section)
MD5 78816ac27a0dff2f3eadec1458c74407
SHA1 5953b3db33f79f88180b04a675034bedd5c2a5d7
SHA256 0ce2fe6dc70c50750da09bff6c4293485b56f1b338d9827d80a24a927e10d460
SHA512 691aa4ed3277261b19a94afd136f110fa82bfa0bf0f786765f6c6550fc3966aaba72ca13d13e7ceda30305ddc1460510219408fbbaf9732e6c948ea84b43c264