Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 05:37
Static task: static1

Behavioral task: behavioral1
  Sample: eaaf3988264b057be42263710a154c02_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: eaaf3988264b057be42263710a154c02_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: eaaf3988264b057be42263710a154c02_JaffaCakes118.exe
Size: 480KB
MD5: eaaf3988264b057be42263710a154c02
SHA1: cad262d73d16977be6af22824016b2d7a85dddb0
SHA256: 0d39657bb20e582a5108850e936d8a093c89ed598e76cd461a69cb4986372472
SHA512: 635590875cce0a170d29a36095ebebacb113b789df46136b4446d1365962e56559afb42edd77e13a158ecc727d0ba1960598291d5a02c95df84c36933878abe9
SSDEEP: 6144:lj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrion/Rh:t6onxOp8FySpE5zvIdtU+YmefbRh
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | aahrdis.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | obhqxfrnylr.exe
Adds policy Run key to start application (2 TTPs, 28 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "ziyrmatbtixpaoan.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ziyrmatbtixpaoan.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "naurqifrngzvkcsjejjw.exe" | obhqxfrnylr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqljjcankeyvlevnjpqez.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "ziyrmatbtixpaoan.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "pasnkavfzqhboeshad.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "gqhbxmgpiyohtivjb.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "cqljjcankeyvlevnjpqez.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ziyrmatbtixpaoan.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pasnkavfzqhboeshad.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\naurqifrngzvkcsjejjw.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqhbxmgpiyohtivjb.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\naurqifrngzvkcsjejjw.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "pasnkavfzqhboeshad.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "cqljjcankeyvlevnjpqez.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqljjcankeyvlevnjpqez.exe" | aahrdis.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ziyrmatbtixpaoan.exe" | obhqxfrnylr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "pasnkavfzqhboeshad.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uyjxnwknaku = "gqhbxmgpiyohtivjb.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqyjwcnn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqljjcankeyvlevnjpqez.exe" | obhqxfrnylr.exe
Disables RegEdit via registry modification (6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | aahrdis.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | aahrdis.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | aahrdis.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | eaaf3988264b057be42263710a154c02_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | obhqxfrnylr.exe
Executes dropped EXE (4 IoCs)

pid | Process
3876 | obhqxfrnylr.exe
3348 | aahrdis.exe
4968 | aahrdis.exe
4572 | obhqxfrnylr.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)

description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | aahrdis.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | aahrdis.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | aahrdis.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | aahrdis.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | aahrdis.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | aahrdis.exe
Adds Run key to start application (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "cqljjcankeyvlevnjpqez.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ucrjdqipguizjwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amfbzqmxskcxlcrhbfe.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "ziyrmatbtixpaoan.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\girdryklw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqhbxmgpiyohtivjb.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "ziyrmatbtixpaoan.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ucrjdqipguizjwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\girdryklw = "amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "amfbzqmxskcxlcrhbfe.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ucrjdqipguizjwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pasnkavfzqhboeshad.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\girdryklw = "amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "gqhbxmgpiyohtivjb.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqhbxmgpiyohtivjb.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "amfbzqmxskcxlcrhbfe.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "gqhbxmgpiyohtivjb.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rymdwizfvivlug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqljjcankeyvlevnjpqez.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rymdwizfvivlug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqljjcankeyvlevnjpqez.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rymdwizfvivlug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\naurqifrngzvkcsjejjw.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "ziyrmatbtixpaoan.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "pasnkavfzqhboeshad.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "gqhbxmgpiyohtivjb.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\girdryklw = "pasnkavfzqhboeshad.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rymdwizfvivlug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqljjcankeyvlevnjpqez.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ziyrmatbtixpaoan.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwixoynrfqbp = "amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwixoynrfqbp = "pasnkavfzqhboeshad.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "naurqifrngzvkcsjejjw.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\girdryklw = "cqljjcankeyvlevnjpqez.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rymdwizfvivlug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amfbzqmxskcxlcrhbfe.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwixoynrfqbp = "amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\girdryklw = "ziyrmatbtixpaoan.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\girdryklw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ziyrmatbtixpaoan.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwixoynrfqbp = "pasnkavfzqhboeshad.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwixoynrfqbp = "ziyrmatbtixpaoan.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwixoynrfqbp = "pasnkavfzqhboeshad.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "naurqifrngzvkcsjejjw.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\girdryklw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqljjcankeyvlevnjpqez.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\girdryklw = "amfbzqmxskcxlcrhbfe.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "amfbzqmxskcxlcrhbfe.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\girdryklw = "gqhbxmgpiyohtivjb.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\girdryklw = "pasnkavfzqhboeshad.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "naurqifrngzvkcsjejjw.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\girdryklw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pasnkavfzqhboeshad.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqljjcankeyvlevnjpqez.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "amfbzqmxskcxlcrhbfe.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qwjzrcsxmykzh = "gqhbxmgpiyohtivjb.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ziyrmatbtixpaoan.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "ziyrmatbtixpaoan.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\girdryklw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\naurqifrngzvkcsjejjw.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "gqhbxmgpiyohtivjb.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\girdryklw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\girdryklw = "gqhbxmgpiyohtivjb.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwixoynrfqbp = "gqhbxmgpiyohtivjb.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ucrjdqipguizjwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqljjcankeyvlevnjpqez.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\naurqifrngzvkcsjejjw.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ucrjdqipguizjwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amfbzqmxskcxlcrhbfe.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\girdryklw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqhbxmgpiyohtivjb.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ucrjdqipguizjwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\naurqifrngzvkcsjejjw.exe" | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amfbzqmxskcxlcrhbfe.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ucrjdqipguizjwh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqljjcankeyvlevnjpqez.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwixoynrfqbp = "cqljjcankeyvlevnjpqez.exe" | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "cqljjcankeyvlevnjpqez.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zcmzowjlxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pasnkavfzqhboeshad.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rymdwizfvivlug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\naurqifrngzvkcsjejjw.exe ." | aahrdis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\girdryklw = "ziyrmatbtixpaoan.exe" | aahrdis.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | obhqxfrnylr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | aahrdis.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | aahrdis.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | obhqxfrnylr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | obhqxfrnylr.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | aahrdis.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | aahrdis.exe
Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow | ioc
32 | whatismyip.everdot.org
33 | www.whatismyip.ca
37 | whatismyip.everdot.org
16 | www.showmyipaddress.com
19 | www.whatismyip.ca
26 | whatismyipaddress.com
29 | www.whatismyip.ca
Drops file in System32 directory (32 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\rymdwizfvivlugqbqpjqevoarxnandmyitih.iwn | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\amfbzqmxskcxlcrhbfe.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\naurqifrngzvkcsjejjw.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\cqljjcankeyvlevnjpqez.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\tiedeyxljezxoiatqxzokj.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\rymdwizfvivlugqbqpjqevoarxnandmyitih.iwn | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\tiedeyxljezxoiatqxzokj.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\amfbzqmxskcxlcrhbfe.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\naurqifrngzvkcsjejjw.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\milrzagbgikpnonnrfokntbci.ikm | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\gqhbxmgpiyohtivjb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\naurqifrngzvkcsjejjw.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\gqhbxmgpiyohtivjb.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\tiedeyxljezxoiatqxzokj.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\pasnkavfzqhboeshad.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\amfbzqmxskcxlcrhbfe.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\tiedeyxljezxoiatqxzokj.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\cqljjcankeyvlevnjpqez.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\ziyrmatbtixpaoan.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\ziyrmatbtixpaoan.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\pasnkavfzqhboeshad.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\ziyrmatbtixpaoan.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\pasnkavfzqhboeshad.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\pasnkavfzqhboeshad.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\amfbzqmxskcxlcrhbfe.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\ziyrmatbtixpaoan.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\cqljjcankeyvlevnjpqez.exe | obhqxfrnylr.exe
File created | C:\Windows\SysWOW64\milrzagbgikpnonnrfokntbci.ikm | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\gqhbxmgpiyohtivjb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\gqhbxmgpiyohtivjb.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\cqljjcankeyvlevnjpqez.exe | aahrdis.exe
File opened for modification | C:\Windows\SysWOW64\naurqifrngzvkcsjejjw.exe | aahrdis.exe
Drops file in Program Files directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files (x86)\milrzagbgikpnonnrfokntbci.ikm | aahrdis.exe
File created | C:\Program Files (x86)\milrzagbgikpnonnrfokntbci.ikm | aahrdis.exe
File opened for modification | C:\Program Files (x86)\rymdwizfvivlugqbqpjqevoarxnandmyitih.iwn | aahrdis.exe
File created | C:\Program Files (x86)\rymdwizfvivlugqbqpjqevoarxnandmyitih.iwn | aahrdis.exe
Drops file in Windows directory (32 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\amfbzqmxskcxlcrhbfe.exe | aahrdis.exe
File opened for modification | C:\Windows\naurqifrngzvkcsjejjw.exe | aahrdis.exe
File opened for modification | C:\Windows\gqhbxmgpiyohtivjb.exe | aahrdis.exe
File opened for modification | C:\Windows\naurqifrngzvkcsjejjw.exe | aahrdis.exe
File opened for modification | C:\Windows\tiedeyxljezxoiatqxzokj.exe | aahrdis.exe
File opened for modification | C:\Windows\amfbzqmxskcxlcrhbfe.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\cqljjcankeyvlevnjpqez.exe | aahrdis.exe
File opened for modification | C:\Windows\milrzagbgikpnonnrfokntbci.ikm | aahrdis.exe
File created | C:\Windows\milrzagbgikpnonnrfokntbci.ikm | aahrdis.exe
File created | C:\Windows\rymdwizfvivlugqbqpjqevoarxnandmyitih.iwn | aahrdis.exe
File opened for modification | C:\Windows\amfbzqmxskcxlcrhbfe.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\pasnkavfzqhboeshad.exe | aahrdis.exe
File opened for modification | C:\Windows\ziyrmatbtixpaoan.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\tiedeyxljezxoiatqxzokj.exe | aahrdis.exe
File opened for modification | C:\Windows\naurqifrngzvkcsjejjw.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\cqljjcankeyvlevnjpqez.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\tiedeyxljezxoiatqxzokj.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\gqhbxmgpiyohtivjb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\pasnkavfzqhboeshad.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\naurqifrngzvkcsjejjw.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\cqljjcankeyvlevnjpqez.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\pasnkavfzqhboeshad.exe | aahrdis.exe
File opened for modification | C:\Windows\rymdwizfvivlugqbqpjqevoarxnandmyitih.iwn | aahrdis.exe
File opened for modification | C:\Windows\gqhbxmgpiyohtivjb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\tiedeyxljezxoiatqxzokj.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\ziyrmatbtixpaoan.exe | aahrdis.exe
File opened for modification | C:\Windows\gqhbxmgpiyohtivjb.exe | aahrdis.exe
File opened for modification | C:\Windows\ziyrmatbtixpaoan.exe | aahrdis.exe
File opened for modification | C:\Windows\amfbzqmxskcxlcrhbfe.exe | aahrdis.exe
File opened for modification | C:\Windows\ziyrmatbtixpaoan.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\cqljjcankeyvlevnjpqez.exe | aahrdis.exe
File opened for modification | C:\Windows\pasnkavfzqhboeshad.exe | obhqxfrnylr.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eaaf3988264b057be42263710a154c02_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obhqxfrnylr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aahrdis.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process
2252 | eaaf3988264b057be42263710a154c02_JaffaCakes118.exe (12 consecutive entries)
3348 | aahrdis.exe (2 consecutive entries)
2252 | eaaf3988264b057be42263710a154c02_JaffaCakes118.exe (24 consecutive entries)
3348 | aahrdis.exe (2 consecutive entries)
2252 | eaaf3988264b057be42263710a154c02_JaffaCakes118.exe (24 consecutive entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 3348 aahrdis.exe
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 2252 wrote to memory of 3876 2252 eaaf3988264b057be42263710a154c02_JaffaCakes118.exe 82
PID 2252 wrote to memory of 3876 2252 eaaf3988264b057be42263710a154c02_JaffaCakes118.exe 82
PID 2252 wrote to memory of 3876 2252 eaaf3988264b057be42263710a154c02_JaffaCakes118.exe 82
PID 3876 wrote to memory of 3348 3876 obhqxfrnylr.exe 85
PID 3876 wrote to memory of 3348 3876 obhqxfrnylr.exe 85
PID 3876 wrote to memory of 3348 3876 obhqxfrnylr.exe 85
PID 3876 wrote to memory of 4968 3876 obhqxfrnylr.exe 86
PID 3876 wrote to memory of 4968 3876 obhqxfrnylr.exe 86
PID 3876 wrote to memory of 4968 3876 obhqxfrnylr.exe 86
PID 2252 wrote to memory of 4572 2252 eaaf3988264b057be42263710a154c02_JaffaCakes118.exe 94
PID 2252 wrote to memory of 4572 2252 eaaf3988264b057be42263710a154c02_JaffaCakes118.exe 94
PID 2252 wrote to memory of 4572 2252 eaaf3988264b057be42263710a154c02_JaffaCakes118.exe 94
System policy modification 1 TTPs 38 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" obhqxfrnylr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" aahrdis.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" aahrdis.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" aahrdis.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer aahrdis.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" aahrdis.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System aahrdis.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aahrdis.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" aahrdis.exe
Processes

C:\Users\Admin\AppData\Local\Temp\eaaf3988264b057be42263710a154c02_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eaaf3988264b057be42263710a154c02_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2252

    C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe
      "C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe" "c:\users\admin\appdata\local\temp\eaaf3988264b057be42263710a154c02_jaffacakes118.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:3876

        C:\Users\Admin\AppData\Local\Temp\aahrdis.exe
          "C:\Users\Admin\AppData\Local\Temp\aahrdis.exe" "-C:\Users\Admin\AppData\Local\Temp\ziyrmatbtixpaoan.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          PID:3348

        C:\Users\Admin\AppData\Local\Temp\aahrdis.exe
          "C:\Users\Admin\AppData\Local\Temp\aahrdis.exe" "-C:\Users\Admin\AppData\Local\Temp\ziyrmatbtixpaoan.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:4968

    C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe
      "C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe" "c:\users\admin\appdata\local\temp\eaaf3988264b057be42263710a154c02_jaffacakes118.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID:4572
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1

Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1

Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
- Impair Defenses 2
  - Disable or Modify Tools 1
  - Safe Mode Boot 1
- Modify Registry 5
Downloads