Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/09/2024, 02:07
Static task: static1
Behavioral task: behavioral1
  Sample: d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe
  Size: 476KB
  MD5: d57d5ea560e477737a2b9fe8a55733dd
  SHA1: a2cf9826288e15d2107acd5ffc444665bd65cd36
  SHA256: ae4ad56a5e8cf751b1b792e78060de75430f19024fe95356b0baa6cc9ca9b3ba
  SHA512: 64d9c51b7374b1a41606f711c5840d13f10cf5b9be0f61d17ba7a9e974c908c80b574794a3d4258588ef667188eaece130b4b4307782c4615b55cfb79228ba4d
  SSDEEP: 6144:E8X8RUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aU9j1:nsRy+ZyYpaCDJFuPyAHcqrUR
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | unvumojhexf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | hqbyfn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | hqbyfn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | unvumojhexf.exe
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | unvumojhexf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | unvumojhexf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | unvumojhexf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | unvumojhexf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | unvumojhexf.exe
Adds policy Run key to start application 2 TTPs 29 IoCs
Disables RegEdit via registry modification 6 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | unvumojhexf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | unvumojhexf.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hqbyfn.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hqbyfn.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | unvumojhexf.exe
Executes dropped EXE 4 IoCs
  pid | Process
  5116 | unvumojhexf.exe
  4992 | hqbyfn.exe
  4164 | hqbyfn.exe
  2692 | unvumojhexf.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | hqbyfn.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | hqbyfn.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | hqbyfn.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | hqbyfn.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | hqbyfn.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | hqbyfn.exe
Adds Run key to start application 2 TTPs 64 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hqbyfn.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hqbyfn.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | unvumojhexf.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unvumojhexf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | unvumojhexf.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unvumojhexf.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | unvumojhexf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | hqbyfn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | hqbyfn.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  61 | www.whatismyip.ca
  16 | whatismyipaddress.com
  21 | whatismyip.everdot.org
  23 | www.showmyipaddress.com
  28 | whatismyip.everdot.org
  32 | whatismyip.everdot.org
  57 | whatismyip.everdot.org
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File created | C:\autorun.inf | hqbyfn.exe
  File opened for modification | F:\autorun.inf | hqbyfn.exe
  File created | F:\autorun.inf | hqbyfn.exe
  File opened for modification | C:\autorun.inf | hqbyfn.exe
Drops file in System32 directory 60 IoCs
Drops file in Program Files directory 4 IoCs
  description | ioc | Process
  File created | C:\Program Files (x86)\weokqxakkvikdplasdlvrxehrrc.rkw | hqbyfn.exe
  File opened for modification | C:\Program Files (x86)\tmhofxlgrnlyczggjfytarjxsdzxkolssvrkfm.vje | hqbyfn.exe
  File created | C:\Program Files (x86)\tmhofxlgrnlyczggjfytarjxsdzxkolssvrkfm.vje | hqbyfn.exe
  File opened for modification | C:\Program Files (x86)\weokqxakkvikdplasdlvrxehrrc.rkw | hqbyfn.exe
Drops file in Windows directory 39 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hqbyfn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unvumojhexf.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
64 events, all from these two processes (60 from PID 3444, 4 from PID 4992):
3444 d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe
4992 hqbyfn.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 4992 hqbyfn.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
12 events: four distinct parent-to-child writes, each recorded three times.
PID 3444 wrote to memory of 5116 | 3444 d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe | 86 | 3 events
PID 5116 wrote to memory of 4992 | 5116 unvumojhexf.exe | 87 | 3 events
PID 5116 wrote to memory of 4164 | 5116 unvumojhexf.exe | 88 | 3 events
PID 3444 wrote to memory of 2692 | 3444 d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe | 98 | 3 events
-
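The entries above collapse to four parent-to-child writes, and the same three-events-per-child pattern is what ordinary process creation leaves behind (the parent writes the new process's startup parameters into it before resuming its initial thread). The Python below is an added example, not code from tria.ge or from the sample: it parses lines in the format shown above (a constructed copy of the twelve entries), rebuilds the spawn chain, and flags any write whose target is not a direct child of the writer, which is the check that separates routine CreateProcess writes from injection into an unrelated process. IMAGES and PARENTS are constructed from the Processes section further down; HYPOTHETICAL_INJECTION is an invented line that does not occur in this report, present only to show a flagged result. The trailing number on each entry (procid_target) is the sandbox's own process index rather than a Windows PID, so it is parsed but not used.

```python
import re
from collections import OrderedDict

# Constructed input: the twelve "wrote to memory of" entries listed under
# "Suspicious use of WriteProcessMemory" above, one per line.
WPM_LINES = """
PID 3444 wrote to memory of 5116 3444 d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe 86
PID 3444 wrote to memory of 5116 3444 d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe 86
PID 3444 wrote to memory of 5116 3444 d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe 86
PID 5116 wrote to memory of 4992 5116 unvumojhexf.exe 87
PID 5116 wrote to memory of 4992 5116 unvumojhexf.exe 87
PID 5116 wrote to memory of 4992 5116 unvumojhexf.exe 87
PID 5116 wrote to memory of 4164 5116 unvumojhexf.exe 88
PID 5116 wrote to memory of 4164 5116 unvumojhexf.exe 88
PID 5116 wrote to memory of 4164 5116 unvumojhexf.exe 88
PID 3444 wrote to memory of 2692 3444 d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe 98
PID 3444 wrote to memory of 2692 3444 d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe 98
PID 3444 wrote to memory of 2692 3444 d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe 98
"""

# Constructed from the Processes section of this report: Windows PID -> image name.
IMAGES = {
    3444: "d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe",
    5116: "unvumojhexf.exe",
    4992: "hqbyfn.exe",
    4164: "hqbyfn.exe",
    2692: "unvumojhexf.exe",
}
# Constructed from the nesting of the Processes section: child PID -> parent PID.
PARENTS = {5116: 3444, 4992: 5116, 4164: 5116, 2692: 3444}

# Hypothetical line (NOT in this report), used only to show what a flagged write looks like.
HYPOTHETICAL_INJECTION = "PID 4992 wrote to memory of 3444 4992 hqbyfn.exe 1"

# description = "PID <src> wrote to memory of <dst>", then pid, Process image, procid_target.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_writes(text):
    """(src_pid, dst_pid) -> number of events, in first-seen order."""
    counts = OrderedDict()
    for raw in text.strip().splitlines():
        m = WPM_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        edge = (int(m["src"]), int(m["dst"]))
        counts[edge] = counts.get(edge, 0) + 1
    return counts


def build_tree(counts):
    """parent pid -> [child pids] in first-write order, from the write edges alone."""
    tree = OrderedDict()
    for src, dst in counts:
        tree.setdefault(src, [])
        if dst not in tree[src]:
            tree[src].append(dst)
    return tree


def roots(counts):
    """PIDs that write but are never written to: the top of each chain."""
    targets = {dst for _, dst in counts}
    return [src for src in OrderedDict.fromkeys(src for src, _ in counts) if src not in targets]


def render(tree, images, pid, depth=0):
    """Indented text tree, two spaces per level."""
    lines = [f"{'  ' * depth}{images.get(pid, '<unknown>')} (PID {pid})"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, images, child, depth + 1))
    return lines


def writes_outside_spawn(counts, parents):
    """Edges whose target is not a direct child of the writer. A parent writing into a
    process it just created is what CreateProcess does; a write into any other process
    is the pattern to examine for injection."""
    return [(src, dst) for src, dst in counts if parents.get(dst) != src]


if __name__ == "__main__":
    counts = parse_writes(WPM_LINES)
    for root in roots(counts):
        print("\n".join(render(build_tree(counts), IMAGES, root)))
    print("writes outside parent->child:", writes_outside_spawn(counts, PARENTS))
    print("hypothetical injection line flags:",
          writes_outside_spawn(parse_writes(HYPOTHETICAL_INJECTION), PARENTS))
```

On this report every writer/target pair is also a parent/child pair, so the signature documents the spawn chain (the sample starts unvumojhexf.exe twice, and the first unvumojhexf.exe starts hqbyfn.exe twice) rather than memory injection; the cross-check against PARENTS is what turns a noisy "WriteProcessMemory" signature into a usable triage verdict.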
System policy modification 1 TTPs 38 IoCs
description ioc Process
38 events, 12 distinct operations, every one of them performed by both hqbyfn.exe and unvumojhexf.exe:
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"
Two of these writes change nothing: FilterAdministratorToken = 0 and ValidateAdminCodeSignatures = 0 are the Windows defaults. EnableLUA = 0 only takes effect after a reboot; the ConsentPromptBehavior and PromptOnSecureDesktop writes remove UAC prompting for the current session. NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled (default 0x91, hardened value 0xFF), so writing 1 clears the bits for removable, fixed, network and optical drives; this pairs with the autorun.inf drop listed in the process tree, although Windows 7 and later ignore autorun.inf on non-optical removable media regardless of this value.
-
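The registry writes in this signature can be checked against Windows defaults mechanically instead of by eye. The following Python is an added example, not code from tria.ge or from the sample: it parses "Set value" lines in the format used above (SAMPLE_LINES is a constructed copy of one line per distinct value from this report), compares each observed value with the out-of-box default (assumed: a Windows 10 host with no Group Policy applied), and decodes NoDriveTypeAutoRun as the drive-type bitmask it is. SAMPLE_LINES, BASELINE, AUTORUN_BITS and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed input: one "Set value" line per distinct value written in the
# System policy modification / UAC bypass signatures above, plus one "Key created"
# line to show that events without a value are skipped.
SAMPLE_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" hqbyfn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unvumojhexf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" hqbyfn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" hqbyfn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" hqbyfn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" hqbyfn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" hqbyfn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" hqbyfn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" hqbyfn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" hqbyfn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" hqbyfn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer hqbyfn.exe
"""

# "Set value (<type>) <key>\<name> = "<value>" <process>"
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>\w+) = "(?P<val>[^"]*)" (?P<proc>\S+)$'
)

# Out-of-box values (assumption: Windows 10, no GPO) and what this sample's write means.
# A set of defaults is used because ConsentPromptBehaviorUser varies by edition.
BASELINE = {
    "EnableLUA":                   ({1},    "0 turns UAC off entirely (effective after reboot)"),
    "ConsentPromptBehaviorAdmin":  ({5},    "0 elevates administrators without any prompt"),
    "ConsentPromptBehaviorUser":   ({1, 3}, "0 silently denies elevation for standard users"),
    "PromptOnSecureDesktop":       ({1},    "0 shows UAC prompts on the normal, spoofable desktop"),
    "EnableSecureUIAPaths":        ({1},    "0 allows UIAccess applications from any path"),
    "EnableVirtualization":        ({1},    "0 disables file/registry write virtualization"),
    "FilterAdministratorToken":    ({0},    "0 is the default: no Admin Approval Mode for built-in Administrator"),
    "ValidateAdminCodeSignatures": ({0},    "0 is the default: no signature check on elevation"),
    "DisableRegistryTools":        ({0},    "1 blocks regedit.exe"),
    "NoDriveTypeAutoRun":          ({0x91}, "bitmask of drive types with AutoRun disabled; 0xFF disables it everywhere"),
}

# bit = 1 << GetDriveType() code; a set bit disables AutoRun for that drive class.
AUTORUN_BITS = {
    0x01: "unknown", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk",
}


def parse_set_values(text):
    """Collect the distinct values written per value name, with the writing processes."""
    seen = defaultdict(lambda: {"values": set(), "procs": set()})
    for raw in text.strip().splitlines():
        m = SET_VALUE_RE.match(raw.strip())
        if not m:
            continue  # "Key created" and other event kinds carry no value to audit
        entry = seen[m["name"]]
        entry["values"].add(int(m["val"]) if m["type"] == "int" else m["val"])
        entry["procs"].add(m["proc"])
    return seen


def audit(text):
    """One finding per (value name, observed value): 'changed' or 'no-op' against the default."""
    findings = []
    for name, entry in parse_set_values(text).items():
        if name not in BASELINE:
            continue  # not a policy value this audit knows about
        defaults, note = BASELINE[name]
        for observed in sorted(entry["values"], key=str):
            finding = {
                "name": name,
                "observed": observed,
                "status": "no-op" if observed in defaults else "changed",
                "note": note,
                "procs": sorted(entry["procs"]),
            }
            if name == "NoDriveTypeAutoRun" and isinstance(observed, int):
                # Drive classes whose AutoRun bit is clear, i.e. where AutoRun may now run.
                finding["autorun_enabled_for"] = [
                    label for bit, label in AUTORUN_BITS.items() if not observed & bit
                ]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        extra = ""
        if "autorun_enabled_for" in f:
            extra = " (AutoRun enabled for: " + ", ".join(f["autorun_enabled_for"]) + ")"
        print(f"{f['status']:7} {f['name']} = {f['observed']} by {', '.join(f['procs'])}: {f['note']}{extra}")
```

Run against the lines from this report, the audit marks FilterAdministratorToken and ValidateAdminCodeSignatures as no-ops and everything else as a change; the same parser can be pointed at any other tria.ge "System policy modification" listing, and the BASELINE table is the part to adjust when a managed estate has its own UAC policy.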
Processes
-
C:\Users\Admin\AppData\Local\Temp\d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe (PID 3444, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d57d5ea560e477737a2b9fe8a55733dd_JaffaCakes118.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\unvumojhexf.exe (PID 5116, level 2, parent PID 3444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\unvumojhexf.exe" "c:\users\admin\appdata\local\temp\d57d5ea560e477737a2b9fe8a55733dd_jaffacakes118.exe*"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Users\Admin\AppData\Local\Temp\hqbyfn.exe (PID 4992, level 3, parent PID 5116)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hqbyfn.exe" "-c:\users\admin\appdata\local\temp\d57d5ea560e477737a2b9fe8a55733dd_jaffacakes118.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\hqbyfn.exe (PID 4164, level 3, parent PID 5116)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hqbyfn.exe" "-c:\users\admin\appdata\local\temp\d57d5ea560e477737a2b9fe8a55733dd_jaffacakes118.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification

  C:\Users\Admin\AppData\Local\Temp\unvumojhexf.exe (PID 2692, level 2, parent PID 3444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\unvumojhexf.exe" "c:\users\admin\appdata\local\temp\d57d5ea560e477737a2b9fe8a55733dd_jaffacakes118.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
-
Network
MITRE ATT&CK Enterprise v15
Counts in parentheses are the number of matching signatures.
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize 120B
MD5 10fe36688485d641edd9a00c02d6f947
SHA1 f69373522d8406b9708b7f89a90f0e1b13e58fd0
SHA256 6f9c49057e3f335319650ca8d0fd89134f436aa0a9a4cc9be868949fea72276b
SHA512 9c8ee5736204d2851f14d5c0ef5ebbcc2570bfa0f8a4927a25e030173eb557bdb6bc9c1583710fb4124a31dfcfb4afdcad8c354f675b89bd71162d1e98195502
-
Filesize 120B
MD5 d05de28bcdb5cc52312da55a83c981cb
SHA1 93d1e31bb93ec589e2715409b606873b435744ae
SHA256 ca60460580bf33d7cfc00c524d58c12640916310a46f3cbf5e53d3abe6b4a328
SHA512 f4ac173ce60887577c943c911c41d029d24fc35441dc346a932794806a109b857934d71c43826d159188fc680f38d2b6016447349e04cf6fa386ad3ce5da1074
-
Filesize 120B
MD5 259d900794d6eab94d749b10b15dcc1f
SHA1 a1d716fb4a42320fcb69de7b4932adb1b0f6ee67
SHA256 d8e3635b4f19db4c2a373a93370da2f2919def22f6b7434a26023429a9f62234
SHA512 2d1bd77345cb9e223bf1b75e004e395481ba99dec6d6913201fc760f9663b28cfb7f98202b1a3b7365486aaef0bce856c0e4a2cff9c482c14a14e58ffde3e347
-
Filesize 688KB
MD5 bce873da9077490251edb62eacd08dc0
SHA1 925f4efe6450e24e6c8bf4474ad86bdb91ce4e82
SHA256 2edd6c943b4280b54e9abb0f979c680b36a828dab09e26ea8e78da3e852f8583
SHA512 4d2b6dccd5865b28c8d90d41f03445f4f1a6490b096ba7d8d4cf2f13543201bb2918abba23d0edac5e916e5fc5eb94ede8c674ce1bffb39ce1e2018617c45564
-
Filesize 308KB
MD5 85cb856b920e7b0b7b75115336fc2af2
SHA1 1d1a207efec2f5187583b652c35aef74ee4c473f
SHA256 6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62
SHA512 120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8
-
Filesize 3KB
MD5 824ffce86c4e69c940f67a7689a27adc
SHA1 52915dbd2412f4fe1f221f2165f86a7e19253477
SHA256 15550d2ac2bb0e8cecb9fafe0be03b94325f858c930a1c1a7d7f66bcac7470da
SHA512 234f912927ec30526a7111da2e060e4ce01d0506df7df9ac7b6cd2e7aeff965b8c2c2f9fe262525c06e098727c02fcab9536702aa6ad91f564cb5140791c2fde
-
Filesize 120B
MD5 61f0e9d1963cac364283808c38f4268c
SHA1 51d4b1feb649c5f99d2360d20957a834fa9fa653
SHA256 5dcd2107596219f5f0e9eeaf0d210e1357e96cf5dc141dd290ecd301993c8da6
SHA512 945a1c953e8af896bf35e645f8ce659f8c8f67471fd2df1983ba608c05ae7c140f2909ee637e3a863aa5f6726b24ed22eed4b0f4b7e2ea9565d22301c4aa4e82
-
Filesize 120B
MD5 d703f1d7bbf9e245cd5b20ffd39b31d3
SHA1 6104b3040a5ad04d70cfa6b7f9a7fcc7325c17fe
SHA256 e558b08acb01df4d18acd1a816e4f6b2ac98a8f4de024276e66c5ecd3463ca43
SHA512 9f6ce2146066c048080a70e54142453e77784fa4317770571a432349c57882e1e84b0b392d72f71c41f01d21cce59c9e3bd13dc1defc3c7e5548c8dd2103ae9e
-
Filesize 120B
MD5 2e4cc31a8a84978fbbd0110884cda581
SHA1 e456f76611119e067f6bcaeb5e959f2e1d8b25fd
SHA256 21d0c2e746539dc48aef7836b18cb2312de568a984a7b370f845ef3fded7b294
SHA512 cca882e3605da13f306fb7a7cdc5ee1b86ee432ac3e3974c9238a4ef75972ae440bdfcb0041b5941f2cb99364a25b31968f1b6b19a1b25fb47422a7b4e85d1ae
-
Filesize 476KB
MD5 d57d5ea560e477737a2b9fe8a55733dd
SHA1 a2cf9826288e15d2107acd5ffc444665bd65cd36
SHA256 ae4ad56a5e8cf751b1b792e78060de75430f19024fe95356b0baa6cc9ca9b3ba
SHA512 64d9c51b7374b1a41606f711c5840d13f10cf5b9be0f61d17ba7a9e974c908c80b574794a3d4258588ef667188eaece130b4b4307782c4615b55cfb79228ba4d
-
Filesize 508KB
MD5 96f7d9828d29761ce44e087ee4875603
SHA1 51b5fa4c04891d325f174e91f777776a994a5631
SHA256 6ff45728bef1f06a56589e2c4051498531b7d4b82e45e70edc993bc911e13971
SHA512 5cdaddf33751a3d505d6d1f36059aa95654a4c05d60e8aaf3880665fa858401a871bb183ec66dedbbba5ab40e1f6086d128382da68dff40cc4d479d2dc6a36d0