Analysis

max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14-08-2024 14:42

Static task: static1

Behavioral task: behavioral1
Sample: 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
Resource: win10v2004-20240802-en

General

Target: 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
Size: 488KB
MD5: 9683b5a5db7ef90997e75defa03bee46
SHA1: 2c335dea0aec7c40365e5e7e4b392463ef667480
SHA256: 247f07cc6c486b74c0c7af12f9b1c41385c691e77ae7c3d0c4ec0d242745d020
SHA512: 9907e15365f968b77ced26fdd5580b255767352014bb8ac50544532b73f6bfd356af8ded60ee472e25e77d248a2017125b7cf17468ab18e31eeca3159705db86
SSDEEP: 12288:sgHsqmAdjxORA4GTe2Pr9hroyCMJOcddfm+YPk:gqmwjfz79iSJOUYPk

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)

Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xgiowhs.exe

Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xgiowhs.exe
Adds policy Run key to start application (2 TTPs, 31 IoCs)

Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwmgcbamndautysufrnka.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "zwmgcbamndautysufrnka.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "xsgyspmwvjewtwooxhb.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "kgvojhfqqfbuswpqalgc.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "dwiyqlgolxqgbcsqx.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "xsgyspmwvjewtwooxhb.exe" | qapkumnpakz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wozofztawhzoiixu.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "dwiyqlgolxqgbcsqx.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "xsgyspmwvjewtwooxhb.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "dwiyqlgolxqgbcsqx.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsgyspmwvjewtwooxhb.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgvojhfqqfbuswpqalgc.exe" | xgiowhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsgyspmwvjewtwooxhb.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "zwmgcbamndautysufrnka.exe" | xgiowhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "kgvojhfqqfbuswpqalgc.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwiyqlgolxqgbcsqx.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "wozofztawhzoiixu.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsgyspmwvjewtwooxhb.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgvojhfqqfbuswpqalgc.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwiyqlgolxqgbcsqx.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rekugvkmdjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wozofztawhzoiixu.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "kgvojhfqqfbuswpqalgc.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "mgtkdzvecpjawypowf.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oenaphzeyhxkca = "wozofztawhzoiixu.exe" | xgiowhs.exe
Disables RegEdit via registry modification (6 IoCs)

Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xgiowhs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xgiowhs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qapkumnpakz.exe
Executes dropped EXE (4 IoCs)

PID | Process
1628 | qapkumnpakz.exe
2976 | xgiowhs.exe
2540 | xgiowhs.exe
1572 | qapkumnpakz.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)

Description | IoC | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | xgiowhs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | xgiowhs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | xgiowhs.exe
Loads dropped DLL (8 IoCs)

PID | Process
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1628 | qapkumnpakz.exe
1628 | qapkumnpakz.exe
1628 | qapkumnpakz.exe
1628 | qapkumnpakz.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 64 IoCs)

Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwiyqlgolxqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwiyqlgolxqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wozofztawhzoiixu.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwiyqlgolxqgbcsqx.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwiyqlgolxqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsgyspmwvjewtwooxhb.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\risgwpiojtkyrqe = "wozofztawhzoiixu.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\risgwpiojtkyrqe = "kgvojhfqqfbuswpqalgc.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "dwiyqlgolxqgbcsqx.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nckwkbswpxmyp = "dwiyqlgolxqgbcsqx.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "wozofztawhzoiixu.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgtkdzvecpjawypowf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgtkdzvecpjawypowf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wozofztawhzoiixu.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgtkdzvecpjawypowf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsgyspmwvjewtwooxhb.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wozofztawhzoiixu = "mgtkdzvecpjawypowf.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "mgtkdzvecpjawypowf.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwmgcbamndautysufrnka.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\risgwpiojtkyrqe = "kgvojhfqqfbuswpqalgc.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwiyqlgolxqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwmgcbamndautysufrnka.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wozofztawhzoiixu = "dwiyqlgolxqgbcsqx.exe ." | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgtkdzvecpjawypowf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgvojhfqqfbuswpqalgc.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nckwkbswpxmyp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwiyqlgolxqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwiyqlgolxqgbcsqx.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgvojhfqqfbuswpqalgc.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwiyqlgolxqgbcsqx.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\risgwpiojtkyrqe = "wozofztawhzoiixu.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\risgwpiojtkyrqe = "zwmgcbamndautysufrnka.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wozofztawhzoiixu = "zwmgcbamndautysufrnka.exe ." | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nckwkbswpxmyp = "dwiyqlgolxqgbcsqx.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "xsgyspmwvjewtwooxhb.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwiyqlgolxqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwmgcbamndautysufrnka.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgtkdzvecpjawypowf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgvojhfqqfbuswpqalgc.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nckwkbswpxmyp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wozofztawhzoiixu.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\risgwpiojtkyrqe = "kgvojhfqqfbuswpqalgc.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "zwmgcbamndautysufrnka.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\risgwpiojtkyrqe = "mgtkdzvecpjawypowf.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nckwkbswpxmyp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsgyspmwvjewtwooxhb.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wozofztawhzoiixu = "mgtkdzvecpjawypowf.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nckwkbswpxmyp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgvojhfqqfbuswpqalgc.exe ." | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgtkdzvecpjawypowf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwmgcbamndautysufrnka.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "dwiyqlgolxqgbcsqx.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\risgwpiojtkyrqe = "xsgyspmwvjewtwooxhb.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wozofztawhzoiixu = "wozofztawhzoiixu.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nckwkbswpxmyp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wozofztawhzoiixu.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nckwkbswpxmyp = "mgtkdzvecpjawypowf.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "xsgyspmwvjewtwooxhb.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwiyqlgolxqgbcsqx.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwiyqlgolxqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgvojhfqqfbuswpqalgc.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgtkdzvecpjawypowf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsgyspmwvjewtwooxhb.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wozofztawhzoiixu = "xsgyspmwvjewtwooxhb.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nckwkbswpxmyp = "xsgyspmwvjewtwooxhb.exe ." | qapkumnpakz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsgyspmwvjewtwooxhb.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwiyqlgolxqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwiyqlgolxqgbcsqx.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwiyqlgolxqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe ." | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgtkdzvecpjawypowf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgtkdzvecpjawypowf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wozofztawhzoiixu.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\risgwpiojtkyrqe = "zwmgcbamndautysufrnka.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgtkdzvecpjawypowf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwiyqlgolxqgbcsqx.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nckwkbswpxmyp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwiyqlgolxqgbcsqx.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwiyqlgolxqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsgyspmwvjewtwooxhb.exe ." | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wozofztawhzoiixu.exe" | xgiowhs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wozofztawhzoiixu = "kgvojhfqqfbuswpqalgc.exe ." | qapkumnpakz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocjuhxnqipdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgtkdzvecpjawypowf.exe" | qapkumnpakz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\risgwpiojtkyrqe = "dwiyqlgolxqgbcsqx.exe" | xgiowhs.exe

Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qapkumnpakz.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xgiowhs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xgiowhs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qapkumnpakz.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.

Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | xgiowhs.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

Flow | IoC
5 | whatismyip.everdot.org
6 | www.showmyipaddress.com
8 | whatismyipaddress.com
10 | www.whatismyip.ca
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.

Description | IoC | Process
File created | C:\autorun.inf | xgiowhs.exe
File opened for modification | F:\autorun.inf | xgiowhs.exe
File created | F:\autorun.inf | xgiowhs.exe
File opened for modification | C:\autorun.inf | xgiowhs.exe
Drops file in System32 directory (32 IoCs)

Description | IoC | Process
File opened for modification | C:\Windows\SysWOW64\kgvojhfqqfbuswpqalgc.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\zwmgcbamndautysufrnka.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\zwmgcbamndautysufrnka.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\qofaxxxkmdbwwcxamzwulg.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\zggkqzieppwajycojflsswcluqb.imv | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\dwiyqlgolxqgbcsqx.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\wozofztawhzoiixu.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\mgtkdzvecpjawypowf.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\xsgyspmwvjewtwooxhb.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\wozofztawhzoiixuahyqbqhbvcyjbqkkzwcjas.sjd | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\wozofztawhzoiixu.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\dwiyqlgolxqgbcsqx.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\zwmgcbamndautysufrnka.exe | qapkumnpakz.exe
File created | C:\Windows\SysWOW64\zggkqzieppwajycojflsswcluqb.imv | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\qofaxxxkmdbwwcxamzwulg.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\wozofztawhzoiixu.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\zwmgcbamndautysufrnka.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\kgvojhfqqfbuswpqalgc.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\xsgyspmwvjewtwooxhb.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\dwiyqlgolxqgbcsqx.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\dwiyqlgolxqgbcsqx.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\kgvojhfqqfbuswpqalgc.exe | xgiowhs.exe
File created | C:\Windows\SysWOW64\wozofztawhzoiixuahyqbqhbvcyjbqkkzwcjas.sjd | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\mgtkdzvecpjawypowf.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\xsgyspmwvjewtwooxhb.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\qofaxxxkmdbwwcxamzwulg.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\wozofztawhzoiixu.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\mgtkdzvecpjawypowf.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\xsgyspmwvjewtwooxhb.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\kgvojhfqqfbuswpqalgc.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\SysWOW64\mgtkdzvecpjawypowf.exe | xgiowhs.exe
File opened for modification | C:\Windows\SysWOW64\qofaxxxkmdbwwcxamzwulg.exe | xgiowhs.exe
Drops file in Program Files directory (4 IoCs)

Description | IoC | Process
File created | C:\Program Files (x86)\wozofztawhzoiixuahyqbqhbvcyjbqkkzwcjas.sjd | xgiowhs.exe
File opened for modification | C:\Program Files (x86)\zggkqzieppwajycojflsswcluqb.imv | xgiowhs.exe
File created | C:\Program Files (x86)\zggkqzieppwajycojflsswcluqb.imv | xgiowhs.exe
File opened for modification | C:\Program Files (x86)\wozofztawhzoiixuahyqbqhbvcyjbqkkzwcjas.sjd | xgiowhs.exe
Drops file in Windows directory (32 IoCs)

Description | IoC | Process
File opened for modification | C:\Windows\kgvojhfqqfbuswpqalgc.exe | xgiowhs.exe
File opened for modification | C:\Windows\zwmgcbamndautysufrnka.exe | xgiowhs.exe
File opened for modification | C:\Windows\zwmgcbamndautysufrnka.exe | xgiowhs.exe
File opened for modification | C:\Windows\zggkqzieppwajycojflsswcluqb.imv | xgiowhs.exe
File opened for modification | C:\Windows\xsgyspmwvjewtwooxhb.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\kgvojhfqqfbuswpqalgc.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\dwiyqlgolxqgbcsqx.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\kgvojhfqqfbuswpqalgc.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\dwiyqlgolxqgbcsqx.exe | xgiowhs.exe
File opened for modification | C:\Windows\qofaxxxkmdbwwcxamzwulg.exe | xgiowhs.exe
File opened for modification | C:\Windows\mgtkdzvecpjawypowf.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\wozofztawhzoiixu.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\wozofztawhzoiixu.exe | xgiowhs.exe
File opened for modification | C:\Windows\kgvojhfqqfbuswpqalgc.exe | xgiowhs.exe
File created | C:\Windows\zggkqzieppwajycojflsswcluqb.imv | xgiowhs.exe
File opened for modification | C:\Windows\wozofztawhzoiixu.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\zwmgcbamndautysufrnka.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\wozofztawhzoiixu.exe | xgiowhs.exe
File opened for modification | C:\Windows\qofaxxxkmdbwwcxamzwulg.exe | xgiowhs.exe
File opened for modification | C:\Windows\mgtkdzvecpjawypowf.exe | xgiowhs.exe
File opened for modification | C:\Windows\xsgyspmwvjewtwooxhb.exe | xgiowhs.exe
File opened for modification | C:\Windows\wozofztawhzoiixuahyqbqhbvcyjbqkkzwcjas.sjd | xgiowhs.exe
File opened for modification | C:\Windows\xsgyspmwvjewtwooxhb.exe | xgiowhs.exe
File opened for modification | C:\Windows\dwiyqlgolxqgbcsqx.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\zwmgcbamndautysufrnka.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\mgtkdzvecpjawypowf.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\qofaxxxkmdbwwcxamzwulg.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\dwiyqlgolxqgbcsqx.exe | xgiowhs.exe
File opened for modification | C:\Windows\mgtkdzvecpjawypowf.exe | xgiowhs.exe
File created | C:\Windows\wozofztawhzoiixuahyqbqhbvcyjbqkkzwcjas.sjd | xgiowhs.exe
File opened for modification | C:\Windows\xsgyspmwvjewtwooxhb.exe | qapkumnpakz.exe
File opened for modification | C:\Windows\qofaxxxkmdbwwcxamzwulg.exe | qapkumnpakz.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qapkumnpakz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xgiowhs.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

PID | Process
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
2976 | xgiowhs.exe
2976 | xgiowhs.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2976 | xgiowhs.exe
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 1412 wrote to memory of 1628 | 1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe | 31
PID 1412 wrote to memory of 1628 | 1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe | 31
PID 1412 wrote to memory of 1628 | 1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe | 31
PID 1412 wrote to memory of 1628 | 1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe | 31
PID 1628 wrote to memory of 2540 | 1628 | qapkumnpakz.exe | 32
PID 1628 wrote to memory of 2540 | 1628 | qapkumnpakz.exe | 32
PID 1628 wrote to memory of 2540 | 1628 | qapkumnpakz.exe | 32
PID 1628 wrote to memory of 2540 | 1628 | qapkumnpakz.exe | 32
PID 1628 wrote to memory of 2976 | 1628 | qapkumnpakz.exe | 33
PID 1628 wrote to memory of 2976 | 1628 | qapkumnpakz.exe | 33
PID 1628 wrote to memory of 2976 | 1628 | qapkumnpakz.exe | 33
PID 1628 wrote to memory of 2976 | 1628 | qapkumnpakz.exe | 33
PID 1412 wrote to memory of 1572 | 1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe | 34
PID 1412 wrote to memory of 1572 | 1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe | 34
PID 1412 wrote to memory of 1572 | 1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe | 34
PID 1412 wrote to memory of 1572 | 1412 | 9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe | 34
System policy modification (1 TTP, 38 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qapkumnpakz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | qapkumnpakz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xgiowhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xgiowhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | qapkumnpakz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xgiowhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xgiowhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xgiowhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xgiowhs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qapkumnpakz.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe (level 1, PID 1412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9683b5a5db7ef90997e75defa03bee46_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\qapkumnpakz.exe (level 2, PID 1628)
    Command line: "C:\Users\Admin\AppData\Local\Temp\qapkumnpakz.exe" "c:\users\admin\appdata\local\temp\9683b5a5db7ef90997e75defa03bee46_jaffacakes118.exe*"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\xgiowhs.exe (level 3, PID 2540)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xgiowhs.exe" "-C:\Users\Admin\AppData\Local\Temp\wozofztawhzoiixu.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\xgiowhs.exe (level 3, PID 2976)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xgiowhs.exe" "-C:\Users\Admin\AppData\Local\Temp\wozofztawhzoiixu.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
  - C:\Users\Admin\AppData\Local\Temp\qapkumnpakz.exe (level 2, PID 1572)
    Command line: "C:\Users\Admin\AppData\Local\Temp\qapkumnpakz.exe" "c:\users\admin\appdata\local\temp\9683b5a5db7ef90997e75defa03bee46_jaffacakes118.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads