Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 11/08/2024, 05:10
Static task: static1
Behavioral task: behavioral1
Sample: 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe
Size: 508KB
MD5: 891e69cb1cde7862dc9176254867466b
SHA1: 6f55b9b414acd5ff1bc1aa03b8bf40460702a3d7
SHA256: b809eb6146962c7c16d350e440a6f8aaebbad5bf8b8ede9329db7d5dd202fa4a
SHA512: ed688f2f891e2ffd44a76e2457df641960361608c6577d5515dc68aee4e6a2edf013d3769d6383e0fd70b45d557d8246ee22c5a0c2a54603aafe9e9593c5ef20
SSDEEP: 6144:ej6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionw08j:k6onxOp8FySpE5zvIdtU+Ymef8049
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" hrnoqjwarbx.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ipwbek.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ipwbek.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" hrnoqjwarbx.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" hrnoqjwarbx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" hrnoqjwarbx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" hrnoqjwarbx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" hrnoqjwarbx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" hrnoqjwarbx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ipwbek.exe
Adds policy Run key to start application 2 TTPs 28 IoCs
Disables RegEdit via registry modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ipwbek.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" hrnoqjwarbx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" hrnoqjwarbx.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ipwbek.exe
Executes dropped EXE 4 IoCs
pid Process
3016 hrnoqjwarbx.exe
2712 ipwbek.exe
1864 ipwbek.exe
2488 hrnoqjwarbx.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend ipwbek.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc ipwbek.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power ipwbek.exe
Loads dropped DLL 8 IoCs
pid Process
2464 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe
2464 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe
3016 hrnoqjwarbx.exe
3016 hrnoqjwarbx.exe
3016 hrnoqjwarbx.exe
3016 hrnoqjwarbx.exe
2464 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe
2464 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" hrnoqjwarbx.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA hrnoqjwarbx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ipwbek.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ipwbek.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" hrnoqjwarbx.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA hrnoqjwarbx.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ipwbek.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" hrnoqjwarbx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ipwbek.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
7 whatismyipaddress.com
10 whatismyip.everdot.org
11 www.whatismyip.ca
5 www.showmyipaddress.com
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created F:\autorun.inf ipwbek.exe
File opened for modification C:\autorun.inf ipwbek.exe
File created C:\autorun.inf ipwbek.exe
File opened for modification F:\autorun.inf ipwbek.exe
Drops file in System32 directory 32 IoCs
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\xdjnpuhiprnrhcylsqjpvzbgtub.zdt ipwbek.exe
File created C:\Program Files (x86)\xdjnpuhiprnrhcylsqjpvzbgtub.zdt ipwbek.exe
File opened for modification C:\Program Files (x86)\ulcreusewjqfgmtrjswnetgwugylshiovtluyp.viy ipwbek.exe
File created C:\Program Files (x86)\ulcreusewjqfgmtrjswnetgwugylshiovtluyp.viy ipwbek.exe
Drops file in Windows directory 32 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hrnoqjwarbx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ipwbek.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2712 | ipwbek.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 2464 wrote to memory of 3016 | 2464 | 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe | 30
PID 2464 wrote to memory of 3016 | 2464 | 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe | 30
PID 2464 wrote to memory of 3016 | 2464 | 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe | 30
PID 2464 wrote to memory of 3016 | 2464 | 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe | 30
PID 3016 wrote to memory of 2712 | 3016 | hrnoqjwarbx.exe | 31
PID 3016 wrote to memory of 2712 | 3016 | hrnoqjwarbx.exe | 31
PID 3016 wrote to memory of 2712 | 3016 | hrnoqjwarbx.exe | 31
PID 3016 wrote to memory of 2712 | 3016 | hrnoqjwarbx.exe | 31
PID 3016 wrote to memory of 1864 | 3016 | hrnoqjwarbx.exe | 32
PID 3016 wrote to memory of 1864 | 3016 | hrnoqjwarbx.exe | 32
PID 3016 wrote to memory of 1864 | 3016 | hrnoqjwarbx.exe | 32
PID 3016 wrote to memory of 1864 | 3016 | hrnoqjwarbx.exe | 32
PID 2464 wrote to memory of 2488 | 2464 | 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe | 34
PID 2464 wrote to memory of 2488 | 2464 | 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe | 34
PID 2464 wrote to memory of 2488 | 2464 | 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe | 34
PID 2464 wrote to memory of 2488 | 2464 | 891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe | 34
System policy modification 1 TTPs 38 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ipwbek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | hrnoqjwarbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ipwbek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hrnoqjwarbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hrnoqjwarbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hrnoqjwarbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | hrnoqjwarbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ipwbek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | hrnoqjwarbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hrnoqjwarbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hrnoqjwarbx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | hrnoqjwarbx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | hrnoqjwarbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | hrnoqjwarbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hrnoqjwarbx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | hrnoqjwarbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ipwbek.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ipwbek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | hrnoqjwarbx.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\891e69cb1cde7862dc9176254867466b_JaffaCakes118.exe"
  PID: 2464
  Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe" "c:\users\admin\appdata\local\temp\891e69cb1cde7862dc9176254867466b_jaffacakes118.exe*"
    PID: 3016
    Signatures:
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\ipwbek.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ipwbek.exe" "-C:\Users\Admin\AppData\Local\Temp\ulcreusewjqfgmtr.exe"
      PID: 2712
      Signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Impair Defenses: Safe Mode Boot
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\ipwbek.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ipwbek.exe" "-C:\Users\Admin\AppData\Local\Temp\ulcreusewjqfgmtr.exe"
      PID: 1864
      Signatures:
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
  - C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hrnoqjwarbx.exe" "c:\users\admin\appdata\local\temp\891e69cb1cde7862dc9176254867466b_jaffacakes118.exe"
    PID: 2488
    Signatures:
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads