Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14/09/2024, 06:05
Static task: static1
Behavioral task: behavioral1
  Sample: df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe
  Size: 556KB
  MD5: df9f83686c697a68d57f5983d39f52ee
  SHA1: 46ae2d9fa980e492d59f67ed20ab0803c05d81ea
  SHA256: 53bdb5ed28aaac05555364dcc5dafb711d5f1f9d1b1f75b2956db56ba37adc6c
  SHA512: 47a98791bc2ae5555ca31391e4493be27d2f6d7c6be8bbd2f900fa281ba2b9cf447fc9be7ee70c6afb506b3495b0c8264ea508f9a762432ccb6b3b2b23b7f482
  SSDEEP: 6144:lj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionr:t6onxOp8FySpE5zvIdtU+Ymef

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | hnsqubwcrxc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wfipr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wfipr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | hnsqubwcrxc.exe
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hnsqubwcrxc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hnsqubwcrxc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hnsqubwcrxc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hnsqubwcrxc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hnsqubwcrxc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfipr.exe
Adds policy Run key to start application (2 TTPs, 29 IoCs)
Disables RegEdit via registry modification (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hnsqubwcrxc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hnsqubwcrxc.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wfipr.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wfipr.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | hnsqubwcrxc.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  468 | hnsqubwcrxc.exe
  3824 | wfipr.exe
  3980 | wfipr.exe
  4780 | hnsqubwcrxc.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | wfipr.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | wfipr.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | wfipr.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | wfipr.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | wfipr.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | wfipr.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfipr.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfipr.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hnsqubwcrxc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hnsqubwcrxc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hnsqubwcrxc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hnsqubwcrxc.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | hnsqubwcrxc.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | wfipr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | wfipr.exe
Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  26 | www.showmyipaddress.com
  36 | www.whatismyip.ca
  38 | whatismyip.everdot.org
  14 | www.whatismyip.ca
  15 | whatismyipaddress.com
  23 | whatismyip.everdot.org
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | C:\autorun.inf | wfipr.exe
  File created | C:\autorun.inf | wfipr.exe
  File opened for modification | F:\autorun.inf | wfipr.exe
  File created | F:\autorun.inf | wfipr.exe
Drops file in System32 directory (32 IoCs)
Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\ydcfdgfmgawrfzwhdputwux.dxr | wfipr.exe
  File created | C:\Program Files (x86)\ydcfdgfmgawrfzwhdputwux.dxr | wfipr.exe
  File opened for modification | C:\Program Files (x86)\lblziwgydipvuzhdkhxhvescuzelrqvdzg.tdr | wfipr.exe
  File created | C:\Program Files (x86)\lblziwgydipvuzhdkhxhvescuzelrqvdzg.tdr | wfipr.exe
Drops file in Windows directory (32 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hnsqubwcrxc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wfipr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (distinct entries)
  1660 | df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe
  3824 | wfipr.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 3824 wfipr.exe
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 1660 wrote to memory of 468 1660 df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe 86
PID 1660 wrote to memory of 468 1660 df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe 86
PID 1660 wrote to memory of 468 1660 df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe 86
PID 468 wrote to memory of 3824 468 hnsqubwcrxc.exe 91
PID 468 wrote to memory of 3824 468 hnsqubwcrxc.exe 91
PID 468 wrote to memory of 3824 468 hnsqubwcrxc.exe 91
PID 468 wrote to memory of 3980 468 hnsqubwcrxc.exe 92
PID 468 wrote to memory of 3980 468 hnsqubwcrxc.exe 92
PID 468 wrote to memory of 3980 468 hnsqubwcrxc.exe 92
PID 1660 wrote to memory of 4780 1660 df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe 99
PID 1660 wrote to memory of 4780 1660 df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe 99
PID 1660 wrote to memory of 4780 1660 df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe 99
System policy modification 1 TTPs 38 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" hnsqubwcrxc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" hnsqubwcrxc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer wfipr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer wfipr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System hnsqubwcrxc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" hnsqubwcrxc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" hnsqubwcrxc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer hnsqubwcrxc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" wfipr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System hnsqubwcrxc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" hnsqubwcrxc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" hnsqubwcrxc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" hnsqubwcrxc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" hnsqubwcrxc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" hnsqubwcrxc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" hnsqubwcrxc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wfipr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" hnsqubwcrxc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" wfipr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\df9f83686c697a68d57f5983d39f52ee_JaffaCakes118.exe"
  PID: 1660
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\hnsqubwcrxc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hnsqubwcrxc.exe" "c:\users\admin\appdata\local\temp\df9f83686c697a68d57f5983d39f52ee_jaffacakes118.exe*"
    PID: 468
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\wfipr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\wfipr.exe" "-C:\Users\Admin\AppData\Local\Temp\tnbtgymiralvyhtt.exe"
      PID: 3824
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\wfipr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\wfipr.exe" "-C:\Users\Admin\AppData\Local\Temp\tnbtgymiralvyhtt.exe"
      PID: 3980
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
  - C:\Users\Admin\AppData\Local\Temp\hnsqubwcrxc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hnsqubwcrxc.exe" "c:\users\admin\appdata\local\temp\df9f83686c697a68d57f5983d39f52ee_jaffacakes118.exe"
    PID: 4780
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
- Disable or Modify Tools (1)
- Safe Mode Boot (1)
- Modify Registry (5)
Downloads
- Filesize 272B
  MD5 89a8f6b25a8ee23f5adcb7922be59620
  SHA1 7b1307d008f87eba2d3090ec71c16cc022506ee6
  SHA256 794044bbae91143ab4b6d5d7d1b8e17bc8ac6a41cbcb9e24b54dd8313e9bf503
  SHA512 7aeb0da01711321842ed0b6388bd3d30ca4932594c69d8149e58f8b3e7b07e4cbf56152b7d7e8fa83ab785bc7f2bc2dd9355054257abaf089040f30e4bc56ff9
- Filesize 272B
  MD5 5613c6ac2a463ccf39f4600b44977d28
  SHA1 cbab04215ce29907fd0c39742a29abd617ea516c
  SHA256 670b356a724deadcf5c0d22fa2238013459896003a5aee6aa2560bc02cfe9b7a
  SHA512 5ae6930dc89762048245f4a286ed6ab09b4a33f1f99477738de71e705f20e4a6c06d6b8ebc790abdc824eb80e0d857c86f2f99d7753e3898654a6130e161d1f7
- Filesize 272B
  MD5 851e416593e0fd73d2371d59e3922a28
  SHA1 dae0d2936a59265126cf43f9f11cfe1b22511be6
  SHA256 a835c01d3052d1bf8cc8dc0fe2eca7bbf75dbeb0d98684c8623c7f5659ccbbcb
  SHA512 643d7ef015cdc5832539172780213de508e3a87e3ca970188965f3386c5568dcfdcbfd0856b4f3a918caa50f3760d591b247d5bd63664e3a8c90386b785a3bc0
- Filesize 272B
  MD5 4f435978212251cd885d4eac5cb62b7c
  SHA1 d78ec35e43010830e4543d62c72ed3437615944f
  SHA256 d03b6178047365c23ebbfc6f3867e69063302f7d98b0de9071e0af7e94a7db08
  SHA512 273003ff2763fcd7ce3515dc26230134b9c17b0b6b5a411c021cad90adf36ef2ec8c66adfd374bda18aebe76ec6b83b50dd7abc5f18eea186482bf7e77357a85
- Filesize 272B
  MD5 38779710ad4763d43b12c815b6128799
  SHA1 d3a46fa3b085ffc66b06687c1799148a8ba13f4a
  SHA256 d48ca2ecb3718c88a1f7a00232995bdf542087ed759034450108350d18baa2e6
  SHA512 5eadd6f9cd60979d976f05e11f378e3c2c4c48566978f825b8338a7dee3638401b98b636c972546ee52e56ce55113da2979a3b87a416d61ca83410a9f5555668
- Filesize 272B
  MD5 d16ca8cf4a240e67f7a37354376ddbcc
  SHA1 7b9470744fd0cc802424f2f5d21b8a3c4b9caa36
  SHA256 6e2077db3890ad3e4cc3a1e0913f751f42510a39d8bfd2ee14b2349606cc1f6d
  SHA512 86983da975ab183734f6459b26234f40093f5f49168c71d89f29abd8180a0b790f503d3c196373ff83c72a092da31ab905742bd389797d73e62868828b3657ed
- Filesize 320KB
  MD5 5203b6ea0901877fbf2d8d6f6d8d338e
  SHA1 c803e92561921b38abe13239c1fd85605b570936
  SHA256 0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
  SHA512 d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471
- Filesize 716KB
  MD5 61c5c7754a60bff3ab969829a5d7eba4
  SHA1 4dde90e974576e739c8164c9ce6837a00f5bfb68
  SHA256 7b96da75fa9567e2090bd236faaecdc67ddf765f91eff9f8dda714f811a09fe3
  SHA512 3e9eb64777182576ef8cd9b3b98c820186771b74defed3f12e324628decef8945c18c74b3ec35ba1ecdcd8ea4bb6627b62f25a0b19370d56aad1f73e8b1aaafa
- Filesize 3KB
  MD5 33058d81fa57eb66e3b16cb2560160d7
  SHA1 9d79a96351d8c2c348dc80f882c794fb488b8c21
  SHA256 914cbb99b16e504febd72005cb598705586976196c89fcf08e1381883e1c7c9d
  SHA512 ea4f93f077d796109fed83e85a60c714010fe5a5176dc23ac5c3ebcd536a63947fe3a080efec430e3d7dfaa7a7bd825d81934d749ebe67e8206a59d0c9f5a0a7
- Filesize 272B
  MD5 152429121e21020bd487c12c1aa71382
  SHA1 b410f223793ea2b4224d505ce70b5794f96f4931
  SHA256 df749f7f748d87905029fed1123fd1ceb4a10a9171ad819f5ac868b4e7a24d6b
  SHA512 1df4460b8b46187e23673f60aff92e20c73233e63d323d428ed11ac1e7411525100bd3bec7130b915ce2a97c0b0199c8b3f34f0921957db1a6b48f8005d7124d
- Filesize 272B
  MD5 e0fc8c5bc831d4948101546f041261f5
  SHA1 39e683d20bd27acd95d8d536572ad90d18e5313c
  SHA256 99892f5788a1a10548b5880ebc6146af6c5e5a6954d8dde04f2aae0cd41aae74
  SHA512 16f9e8be47302632ae903ce642b6f73658132720b5add07920062788ec12e9cf777515dd905d28b69afbb0fc469a5d4437f4fa7ea9a6ffe908f2f34b6d52e071
- Filesize 556KB
  MD5 df9f83686c697a68d57f5983d39f52ee
  SHA1 46ae2d9fa980e492d59f67ed20ab0803c05d81ea
  SHA256 53bdb5ed28aaac05555364dcc5dafb711d5f1f9d1b1f75b2956db56ba37adc6c
  SHA512 47a98791bc2ae5555ca31391e4493be27d2f6d7c6be8bbd2f900fa281ba2b9cf447fc9be7ee70c6afb506b3495b0c8264ea508f9a762432ccb6b3b2b23b7f482
- Filesize 532KB
  MD5 75ee271969b3c52f8d22864bb19c0426
  SHA1 e2b5e05bc38c0577018f1fc09d8e74cd53624385
  SHA256 f6acea36ea9f149a8fe12ec7e0493ed312ba46bfc2d655003036df27f161ac23
  SHA512 6d915173abf243ac909a55f59c0ba3a100eca48a409053e68c34f63e3f663a1282bd6c02cddba338d5fdf90bbf38cbe3db8245ad78e7aca25627b92372bdc02b