Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 20/09/2024, 00:53

Static task: static1

Behavioral task: behavioral1
Sample: ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe
Resource: win10v2004-20240802-en

General
Target: ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe
Size: 576KB
MD5: ec84d2f90193a2217ed2ccd2feec9d4b
SHA1: 907e912ecf8e741b6ef6bcf190d157c4b52f1994
SHA256: 0a8a9b0025e81b6188a01e87638c65d0d7da274a13e8b3c678f0398f3c7e8331
SHA512: e96762edac1f78603c88a31a83334165fcd229aa5e320e93f29833fb6c3e7c0fe0009bdf330db45015585ab6cfc38edceeabeb4598c76595cf37282afbe52a7d
SSDEEP: 6144:A1QMivgpQ25+yApTCg3cz6ufWeLuIrybTQg9o214QTB2I/51pftDKHpDbU69SWvT:wQMiG+2gef5x/xQTB2OfDKC7Wgcxp

Malware Config

Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | hnsqubwcrxc.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hnsqubwcrxc.exe
Adds policy Run key to start application 2 TTPs 30 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | hnsqubwcrxc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "gunaxnetmyhteisfg.exe" | celmx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "peymkbtjdqanzepdfs.exe" | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "peymkbtjdqanzepdfs.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\curijdyroerhwesjoeqif.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "aqlazrkbwkvjwcodgue.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gunaxnetmyhteisfg.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\curijdyroerhwesjoeqif.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "neaqqjdvrgshvcpfjyja.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmeqmbrfxiqbloxj.exe" | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "neaqqjdvrgshvcpfjyja.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "aqlazrkbwkvjwcodgue.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "curijdyroerhwesjoeqif.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlazrkbwkvjwcodgue.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neaqqjdvrgshvcpfjyja.exe" | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "peymkbtjdqanzepdfs.exe" | celmx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "curijdyroerhwesjoeqif.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmeqmbrfxiqbloxj.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "curijdyroerhwesjoeqif.exe" | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlazrkbwkvjwcodgue.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmeqmbrfxiqbloxj.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neaqqjdvrgshvcpfjyja.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\peymkbtjdqanzepdfs.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\peymkbtjdqanzepdfs.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "zmeqmbrfxiqbloxj.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gmxcrzipa = "zmeqmbrfxiqbloxj.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nqyamr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neaqqjdvrgshvcpfjyja.exe" | celmx.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | celmx.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | celmx.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | celmx.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | hnsqubwcrxc.exe
Executes dropped EXE 4 IoCs
pid | Process
2532 | hnsqubwcrxc.exe
4608 | celmx.exe
3608 | celmx.exe
2720 | hnsqubwcrxc.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | celmx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | celmx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | celmx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | celmx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | celmx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | celmx.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlazrkbwkvjwcodgue.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "aqlazrkbwkvjwcodgue.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qapyrdqbqydls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gunaxnetmyhteisfg.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neaqqjdvrgshvcpfjyja.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ucpwnxirekn = "curijdyroerhwesjoeqif.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raowozlvjqub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\peymkbtjdqanzepdfs.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gunaxnetmyhteisfg.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "gunaxnetmyhteisfg.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ucpwnxirekn = "aqlazrkbwkvjwcodgue.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "peymkbtjdqanzepdfs.exe ." | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zgsyoxhpbg = "peymkbtjdqanzepdfs.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qapyrdqbqydls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\peymkbtjdqanzepdfs.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zgsyoxhpbg = "curijdyroerhwesjoeqif.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "neaqqjdvrgshvcpfjyja.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qapyrdqbqydls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gunaxnetmyhteisfg.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\peymkbtjdqanzepdfs.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmeqmbrfxiqbloxj.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gunaxnetmyhteisfg.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\curijdyroerhwesjoeqif.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "curijdyroerhwesjoeqif.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zgsyoxhpbg = "aqlazrkbwkvjwcodgue.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raowozlvjqub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neaqqjdvrgshvcpfjyja.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neaqqjdvrgshvcpfjyja.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "gunaxnetmyhteisfg.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raowozlvjqub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gunaxnetmyhteisfg.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "neaqqjdvrgshvcpfjyja.exe" | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ucpwnxirekn = "peymkbtjdqanzepdfs.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zgsyoxhpbg = "peymkbtjdqanzepdfs.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qapyrdqbqydls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlazrkbwkvjwcodgue.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\curijdyroerhwesjoeqif.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raowozlvjqub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlazrkbwkvjwcodgue.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gunaxnetmyhteisfg.exe" | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ucpwnxirekn = "curijdyroerhwesjoeqif.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\curijdyroerhwesjoeqif.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "aqlazrkbwkvjwcodgue.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raowozlvjqub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gunaxnetmyhteisfg.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qapyrdqbqydls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmeqmbrfxiqbloxj.exe" | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neaqqjdvrgshvcpfjyja.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmeqmbrfxiqbloxj.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "peymkbtjdqanzepdfs.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "curijdyroerhwesjoeqif.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qapyrdqbqydls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\curijdyroerhwesjoeqif.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raowozlvjqub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\curijdyroerhwesjoeqif.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\curijdyroerhwesjoeqif.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raowozlvjqub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\curijdyroerhwesjoeqif.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zgsyoxhpbg = "peymkbtjdqanzepdfs.exe" | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neaqqjdvrgshvcpfjyja.exe" | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ucpwnxirekn = "neaqqjdvrgshvcpfjyja.exe ." | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlazrkbwkvjwcodgue.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "gunaxnetmyhteisfg.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ucpwnxirekn = "gunaxnetmyhteisfg.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "gunaxnetmyhteisfg.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\peymkbtjdqanzepdfs.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "zmeqmbrfxiqbloxj.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raowozlvjqub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neaqqjdvrgshvcpfjyja.exe ." | hnsqubwcrxc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qapyrdqbqydls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqlazrkbwkvjwcodgue.exe" | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neaqqjdvrgshvcpfjyja.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gunaxnetmyhteisfg.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmeqmbrfxiqbloxj.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pueiwdlr = "curijdyroerhwesjoeqif.exe ." | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aenqdjq = "peymkbtjdqanzepdfs.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qapyrdqbqydls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmeqmbrfxiqbloxj.exe" | celmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raowozlvjqub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmeqmbrfxiqbloxj.exe ." | celmx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zgsyoxhpbg = "curijdyroerhwesjoeqif.exe" | celmx.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | celmx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hnsqubwcrxc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hnsqubwcrxc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | celmx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | celmx.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | celmx.exe
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
15 | whatismyip.everdot.org
20 | whatismyipaddress.com
35 | www.whatismyip.ca
16 | www.whatismyip.ca
26 | www.whatismyip.ca
27 | www.showmyipaddress.com
30 | whatismyip.everdot.org
41 | whatismyip.everdot.org
42 | www.whatismyip.ca
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | F:\autorun.inf | celmx.exe
File opened for modification | C:\autorun.inf | celmx.exe
File created | C:\autorun.inf | celmx.exe
File opened for modification | F:\autorun.inf | celmx.exe
Drops file in System32 directory 60 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\neaqqjdvrgshvcpfjyja.exe | celmx.exe
File created | C:\Windows\SysWOW64\aqlazrkbwkvjwcodgue.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\tmkcezvpnesjzixpvmzsqi.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\gunaxnetmyhteisfg.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\gunaxnetmyhteisfg.exe | celmx.exe
File created | C:\Windows\SysWOW64\zmeqmbrfxiqbloxj.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\aqlazrkbwkvjwcodgue.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\tmkcezvpnesjzixpvmzsqi.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\peymkbtjdqanzepdfs.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\neaqqjdvrgshvcpfjyja.exe | celmx.exe
File created | C:\Windows\SysWOW64\curijdyroerhwesjoeqif.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\zmeqmbrfxiqbloxj.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\peymkbtjdqanzepdfs.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\neaqqjdvrgshvcpfjyja.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\zmeqmbrfxiqbloxj.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\gunaxnetmyhteisfg.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\ucpwnxirekntywahciksfmdnyhuadjomq.sya | celmx.exe
File opened for modification | C:\Windows\SysWOW64\gunaxnetmyhteisfg.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\aqlazrkbwkvjwcodgue.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\zmeqmbrfxiqbloxj.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\zmeqmbrfxiqbloxj.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\tmkcezvpnesjzixpvmzsqi.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\tmkcezvpnesjzixpvmzsqi.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\dacyeddbdyqlfslhrmdacy.ddb | celmx.exe
File opened for modification | C:\Windows\SysWOW64\neaqqjdvrgshvcpfjyja.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\aqlazrkbwkvjwcodgue.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\tmkcezvpnesjzixpvmzsqi.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\curijdyroerhwesjoeqif.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\gunaxnetmyhteisfg.exe | celmx.exe
File created | C:\Windows\SysWOW64\aqlazrkbwkvjwcodgue.exe | celmx.exe
File created | C:\Windows\SysWOW64\gunaxnetmyhteisfg.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\peymkbtjdqanzepdfs.exe | celmx.exe
File created | C:\Windows\SysWOW64\tmkcezvpnesjzixpvmzsqi.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\peymkbtjdqanzepdfs.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\curijdyroerhwesjoeqif.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\gunaxnetmyhteisfg.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\aqlazrkbwkvjwcodgue.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\curijdyroerhwesjoeqif.exe | celmx.exe
File created | C:\Windows\SysWOW64\peymkbtjdqanzepdfs.exe | celmx.exe
File created | C:\Windows\SysWOW64\ucpwnxirekntywahciksfmdnyhuadjomq.sya | celmx.exe
File created | C:\Windows\SysWOW64\neaqqjdvrgshvcpfjyja.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\gunaxnetmyhteisfg.exe | celmx.exe
File created | C:\Windows\SysWOW64\aqlazrkbwkvjwcodgue.exe | celmx.exe
File created | C:\Windows\SysWOW64\dacyeddbdyqlfslhrmdacy.ddb | celmx.exe
File created | C:\Windows\SysWOW64\peymkbtjdqanzepdfs.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\zmeqmbrfxiqbloxj.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\peymkbtjdqanzepdfs.exe | celmx.exe
File created | C:\Windows\SysWOW64\neaqqjdvrgshvcpfjyja.exe | celmx.exe
File created | C:\Windows\SysWOW64\peymkbtjdqanzepdfs.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\curijdyroerhwesjoeqif.exe | celmx.exe
File created | C:\Windows\SysWOW64\tmkcezvpnesjzixpvmzsqi.exe | celmx.exe
File created | C:\Windows\SysWOW64\neaqqjdvrgshvcpfjyja.exe | hnsqubwcrxc.exe
File created | C:\Windows\SysWOW64\tmkcezvpnesjzixpvmzsqi.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\neaqqjdvrgshvcpfjyja.exe | celmx.exe
File opened for modification | C:\Windows\SysWOW64\zmeqmbrfxiqbloxj.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\curijdyroerhwesjoeqif.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\zmeqmbrfxiqbloxj.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\curijdyroerhwesjoeqif.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\SysWOW64\aqlazrkbwkvjwcodgue.exe | celmx.exe
File created | C:\Windows\SysWOW64\curijdyroerhwesjoeqif.exe | celmx.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\dacyeddbdyqlfslhrmdacy.ddb | celmx.exe
File created | C:\Program Files (x86)\dacyeddbdyqlfslhrmdacy.ddb | celmx.exe
File opened for modification | C:\Program Files (x86)\ucpwnxirekntywahciksfmdnyhuadjomq.sya | celmx.exe
File created | C:\Program Files (x86)\ucpwnxirekntywahciksfmdnyhuadjomq.sya | celmx.exe
Drops file in Windows directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\tmkcezvpnesjzixpvmzsqi.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\zmeqmbrfxiqbloxj.exe | celmx.exe
File opened for modification | C:\Windows\ucpwnxirekntywahciksfmdnyhuadjomq.sya | celmx.exe
File opened for modification | C:\Windows\zmeqmbrfxiqbloxj.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\gunaxnetmyhteisfg.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\neaqqjdvrgshvcpfjyja.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\zmeqmbrfxiqbloxj.exe | celmx.exe
File opened for modification | C:\Windows\peymkbtjdqanzepdfs.exe | celmx.exe
File opened for modification | C:\Windows\tmkcezvpnesjzixpvmzsqi.exe | celmx.exe
File opened for modification | C:\Windows\gunaxnetmyhteisfg.exe | hnsqubwcrxc.exe
File created | C:\Windows\gunaxnetmyhteisfg.exe | hnsqubwcrxc.exe
File created | C:\Windows\curijdyroerhwesjoeqif.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\tmkcezvpnesjzixpvmzsqi.exe | celmx.exe
File opened for modification | C:\Windows\peymkbtjdqanzepdfs.exe | hnsqubwcrxc.exe
File created | C:\Windows\tmkcezvpnesjzixpvmzsqi.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\peymkbtjdqanzepdfs.exe | celmx.exe
File opened for modification | C:\Windows\gunaxnetmyhteisfg.exe | celmx.exe
File opened for modification | C:\Windows\neaqqjdvrgshvcpfjyja.exe | celmx.exe
File created | C:\Windows\dacyeddbdyqlfslhrmdacy.ddb | celmx.exe
File created | C:\Windows\aqlazrkbwkvjwcodgue.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\gunaxnetmyhteisfg.exe | celmx.exe
File opened for modification | C:\Windows\aqlazrkbwkvjwcodgue.exe | celmx.exe
File opened for modification | C:\Windows\dacyeddbdyqlfslhrmdacy.ddb | celmx.exe
File created | C:\Windows\ucpwnxirekntywahciksfmdnyhuadjomq.sya | celmx.exe
File opened for modification | C:\Windows\zmeqmbrfxiqbloxj.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\peymkbtjdqanzepdfs.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\aqlazrkbwkvjwcodgue.exe | hnsqubwcrxc.exe
File created | C:\Windows\zmeqmbrfxiqbloxj.exe | hnsqubwcrxc.exe
File created | C:\Windows\peymkbtjdqanzepdfs.exe | hnsqubwcrxc.exe
File created | C:\Windows\neaqqjdvrgshvcpfjyja.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\curijdyroerhwesjoeqif.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\curijdyroerhwesjoeqif.exe | celmx.exe
File opened for modification | C:\Windows\neaqqjdvrgshvcpfjyja.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\curijdyroerhwesjoeqif.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\aqlazrkbwkvjwcodgue.exe | hnsqubwcrxc.exe
File opened for modification | C:\Windows\aqlazrkbwkvjwcodgue.exe | celmx.exe
File opened for modification | C:\Windows\curijdyroerhwesjoeqif.exe | celmx.exe
File opened for modification | C:\Windows\neaqqjdvrgshvcpfjyja.exe | celmx.exe
File opened for modification | C:\Windows\tmkcezvpnesjzixpvmzsqi.exe | hnsqubwcrxc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hnsqubwcrxc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | celmx.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries (64 in total, grouped by process)
4744 | ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe | 60
4608 | celmx.exe | 4
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4608 | celmx.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4744 wrote to memory of 2532 | 4744 | ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe | 82
PID 4744 wrote to memory of 2532 | 4744 | ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe | 82
PID 4744 wrote to memory of 2532 | 4744 | ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe | 82
PID 2532 wrote to memory of 4608 | 2532 | hnsqubwcrxc.exe | 87
PID 2532 wrote to memory of 4608 | 2532 | hnsqubwcrxc.exe | 87
PID 2532 wrote to memory of 4608 | 2532 | hnsqubwcrxc.exe | 87
PID 2532 wrote to memory of 3608 | 2532 | hnsqubwcrxc.exe | 88
PID 2532 wrote to memory of 3608 | 2532 | hnsqubwcrxc.exe | 88
PID 2532 wrote to memory of 3608 | 2532 | hnsqubwcrxc.exe | 88
PID 4744 wrote to memory of 2720 | 4744 | ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe | 95
PID 4744 wrote to memory of 2720 | 4744 | ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe | 95
PID 4744 wrote to memory of 2720 | 4744 | ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe | 95
-
System policy modification 1 TTPs 38 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | celmx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | celmx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | celmx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | celmx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | celmx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | hnsqubwcrxc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | hnsqubwcrxc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | celmx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | celmx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | celmx.exe
-
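The policy values in the table above, the Winlogon\Shell write and the executables dropped into the root of C:\Windows earlier in this report can be turned directly into detection logic. The Python below is an added example and is not code from the sandbox report or from the sample: the events are constructed from the report's IoC rows (the report prints only image names, so the full image paths are taken from its Processes section), and the event fields, the allow-list of trusted policy writers and the severity labels are this example's own assumptions, not a real log schema. The Winlogon rule matches the value name under either registry view, because the report records the 32-bit sample's Shell write under WOW6432Node while its Policies writes appear in the native view.

```python
"""Detection logic built from the registry and file IoCs in this report.

Added example, not code from the sandbox report or from the sample: the events
are constructed from the report's IoC rows and process tree, and the record
fields, trusted-writer allow-list and severity labels are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

POLICIES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
WINLOGON_SHELL_SUFFIX = "\\winlogon\\shell"  # native and WOW6432Node views both end like this
# Values written under Policies\System and Policies\Explorer in this report, and what the data does.
POLICY_TAMPER = {
    "EnableLUA": "0 turns UAC off entirely (takes effect at next logon/reboot)",
    "ConsentPromptBehaviorAdmin": "0 lets administrators elevate with no prompt",
    "ConsentPromptBehaviorUser": "0 silently denies elevation for standard users",
    "PromptOnSecureDesktop": "0 shows the UAC prompt on the normal, spoofable desktop",
    "EnableSecureUIAPaths": "0 allows UIAccess programs to run from any path",
    "EnableVirtualization": "0 disables file/registry virtualization for legacy apps",
    "FilterAdministratorToken": "0 keeps the built-in Administrator on a full token",
    "ValidateAdminCodeSignatures": "0 skips signature checks on elevating executables",
    "DisableRegistryTools": "1 blocks regedit for the user",
    "NoDriveTypeAutoRun": "1 leaves AutoRun enabled for every drive type but 'unknown'",
}
# Constructed allow-list (assumption): images that legitimately write these keys.
TRUSTED_POLICY_WRITERS = {r"c:\windows\system32\svchost.exe", r"c:\windows\servicing\trustedinstaller.exe"}

@dataclass(frozen=True)
class Event:
    kind: str                   # reg_set | file_create | file_modify
    process: str                # image name exactly as the report prints it
    image: str                  # full image path, from the report's process tree
    target: str                 # registry value path or file path
    data: Optional[str] = None  # registry data; the report quotes it as "0", "1", ...

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event: Event
    detail: str

def user_writable(image: str) -> bool:
    """True when the image runs from a location a non-admin user can write to."""
    return any(p in image.lower() for p in ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\"))

def check_policy_tamper(ev: Event) -> Optional[Finding]:
    """Untrusted process writes a watched value under Policies\\System or Policies\\Explorer."""
    if ev.kind != "reg_set" or ev.image.lower() in TRUSTED_POLICY_WRITERS:
        return None
    key, _, name = ev.target.rpartition("\\")
    if not key.lower().startswith(POLICIES.lower()) or name not in POLICY_TAMPER:
        return None
    severity = "high" if user_writable(ev.image) else "medium"
    return Finding("uac_policy_tamper", severity, ev, f"{name} = {ev.data}: {POLICY_TAMPER[name]}")

def check_winlogon_shell(ev: Event) -> Optional[Finding]:
    """Untrusted process rewrites Winlogon\\Shell, even with the default data, as in this report."""
    if (ev.kind != "reg_set" or ev.image.lower() in TRUSTED_POLICY_WRITERS
            or not ev.target.lower().endswith(WINLOGON_SHELL_SUFFIX)):
        return None
    if (ev.data or "").lower() == "explorer.exe":
        # Default shell name, but written by a dropper: this key is where a replacement shell would go.
        return Finding("winlogon_shell_write", "medium", ev, "default shell rewritten by an untrusted process")
    return Finding("winlogon_shell_write", "high", ev, f"shell replaced with {ev.data!r}")

def check_windows_root_drop(ev: Event) -> Optional[Finding]:
    """File created or modified directly in C:\\Windows by a process running from a user-writable path."""
    if ev.kind not in ("file_create", "file_modify"):
        return None
    parent, _, fname = ev.target.rpartition("\\")
    if parent.lower() != r"c:\windows" or not user_writable(ev.image):
        return None
    ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
    severity = "high" if ext == "exe" else "medium"  # the .sya/.ddb companions still merit a look
    return Finding("windows_root_drop", severity, ev, f"{fname} written by {ev.process}")

def evaluate(events: list) -> list:
    """Run every rule over every event; findings come back in event order."""
    rules = (check_policy_tamper, check_winlogon_shell, check_windows_root_drop)
    return [f for ev in events for rule in rules if (f := rule(ev)) is not None]

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
HNSQ, CELMX = TEMP + r"\hnsqubwcrxc.exe", TEMP + r"\celmx.exe"
WINLOGON_WOW64 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
# Constructed from the report's IoC rows; the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    Event("reg_set", "hnsqubwcrxc.exe", HNSQ, POLICIES + r"\System\EnableLUA", "0"),
    Event("reg_set", "celmx.exe", CELMX, POLICIES + r"\System\ConsentPromptBehaviorAdmin", "0"),
    Event("reg_set", "celmx.exe", CELMX, POLICIES + r"\Explorer\NoDriveTypeAutoRun", "1"),
    Event("reg_set", "hnsqubwcrxc.exe", HNSQ, WINLOGON_WOW64, "Explorer.exe"),
    Event("file_create", "hnsqubwcrxc.exe", HNSQ, r"C:\Windows\gunaxnetmyhteisfg.exe"),
    Event("file_create", "celmx.exe", CELMX, r"C:\Windows\dacyeddbdyqlfslhrmdacy.ddb"),
    Event("reg_set", "svchost.exe", r"C:\Windows\System32\svchost.exe", POLICIES + r"\System\EnableLUA", "1"),
    Event("file_modify", "TrustedInstaller.exe", r"C:\Windows\servicing\TrustedInstaller.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.event.process} -> {f.detail}")
```

Running the module prints one line per finding; the two trailing control events (a Group Policy style svchost.exe write of EnableLUA = 1 and a TrustedInstaller.exe write under C:\Windows) produce none. A Winlogon\Shell write whose data is the default Explorer.exe, which is exactly what this report records, is still reported at reduced severity: the indicator is an untrusted writer touching that key, not the data it happened to write.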
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec84d2f90193a2217ed2ccd2feec9d4b_JaffaCakes118.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4744
    C:\Users\Admin\AppData\Local\Temp\hnsqubwcrxc.exe
    "C:\Users\Admin\AppData\Local\Temp\hnsqubwcrxc.exe" "c:\users\admin\appdata\local\temp\ec84d2f90193a2217ed2ccd2feec9d4b_jaffacakes118.exe*"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2532
        C:\Users\Admin\AppData\Local\Temp\celmx.exe
        "C:\Users\Admin\AppData\Local\Temp\celmx.exe" "-C:\Users\Admin\AppData\Local\Temp\zmeqmbrfxiqbloxj.exe"
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Impair Defenses: Safe Mode Boot
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification
        PID:4608
        C:\Users\Admin\AppData\Local\Temp\celmx.exe
        "C:\Users\Admin\AppData\Local\Temp\celmx.exe" "-C:\Users\Admin\AppData\Local\Temp\zmeqmbrfxiqbloxj.exe"
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
        PID:3608
    C:\Users\Admin\AppData\Local\Temp\hnsqubwcrxc.exe
    "C:\Users\Admin\AppData\Local\Temp\hnsqubwcrxc.exe" "c:\users\admin\appdata\local\temp\ec84d2f90193a2217ed2ccd2feec9d4b_jaffacakes118.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2720
-
Network
MITRE ATT&CK Enterprise v15
(numbers are the count of matched signatures per technique)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
-
Filesize 260B
MD5 6ba6bc14f4adcffbea99c64f298b8e01
SHA1 e2381b178d4738726fd2b94ab604b0d101d33733
SHA256 65bf670f2312b827f17d15a091af7f47b48a33220486e57b08b4384cd84b4d06
SHA512 8aec02f486a5656fdfb8ae9009092546e59fd4829b90b5f7537ff8c4a7eeaa4b4c57406635ba170cfbf29cc3eafb46303b06930457adf317660ebf78a8c054e9
-
Filesize 260B
MD5 7fec11c611d0698371dc403d19eb01e3
SHA1 51bd500349a07e866b16b4efe198b7aec64f3cbc
SHA256 557d76ff6080e2c6cffb667836c58a2b97d14cdc62b27298ecdcdabb7fc3e484
SHA512 cf8bc10a91ec183ad58b8ff34dbdab0e8acb4e9c631ba554b011575428ba0962b6e45f98f8ea76410a1e5df4bd90242995ec3b4f682f21f52e6741effb02e9d8
-
Filesize 260B
MD5 e44c24307531169970b8f29336587afe
SHA1 0a9c41193db0dde9363376dd57fa666dc72164bd
SHA256 c2387c8572fd9e6255e0a152113f61e3fc790a6b25c38adccb5cbdab483970ca
SHA512 fb61239b73fa96b5b1dbc0c3be5fa264b054806ab88c412f0dab9058e0c9b1b613442c9e5e1f1c762b34726fce58c620cbb8e4a83eea69090cd1ab0467c82655
-
Filesize 260B
MD5 f6006ccfffb1677981b387c17e953a03
SHA1 d4ce824e004a5462224cdae8bf5e209d18092c4e
SHA256 c47e17b4071192e8e7adfc428b0e43af17193523973a96d6b80046894c50eba9
SHA512 1e008cdedabb388e2c940f64a54bb8af0c09ba6aee3ad703815714bde42a4a9792fcb1d01b47d9c15be372856d790f4f15bc21797646398e4413e84a4c57ee99
-
Filesize 260B
MD5 9031028f550348ce3b7f67856cb122c2
SHA1 0a1c0acc1f5ebeebf171e681ef5ed92f5505fe3f
SHA256 287358da958bd0f61148b7076901a23ff45530b2fcd30897bfe6a877438a4109
SHA512 341d8b783468dd37f8d7ca4546452352f1b3ca6cb062a64ac2bdc21c4d712806eed571de6e8f126da70958ca681025ee34f09a7b3bc82b3548c7a10281c63f48
-
Filesize 708KB
MD5 31cd2776b43bd934d20363f8abd11dd9
SHA1 e17f2f9e730005e1042f352488639db87a3440ab
SHA256 99544c695628e6ed8b8cc63cbc1af1bdb0e5a38a81362cdd3801b2121415b2fb
SHA512 87153797cd14a0717e5e2151b912552bbc758e7e32bb1c91177ddc3c5172bd10f32de227b2bff1bdbf57dc6b33e0fdd231396417ca7cd619ddca92a70e213424
-
Filesize 320KB
MD5 304415df6ad55a90301aa8158e5e3582
SHA1 cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd
SHA256 34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d
SHA512 4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687
-
Filesize 260B
MD5 f5cdb0b0c702d8b38bebf1dd3549e5dc
SHA1 c621943ded5bb8cd2c657070da27f9912f26c6f2
SHA256 238be47ac29ae6cb9ea534bbe99e5b5dd0901a7da583aa94453693bd6f4bb7e2
SHA512 9b69c06120ba5f40fa3d7e5f4c9dadef7a11599ebbdff632a2ec6ea75fb2c2038bf9e126864080788b3b40c2cbc51f440ec2297086ddee1db755849ec2d96b24
-
Filesize 260B
MD5 a84ce7fec05e56c420cdcb2cd8b0d17d
SHA1 c530fc2abcfea8c8a268885ea3067ef99139b36c
SHA256 1d20ed99bc4da3afca017b15abba1024517605ed9f9f396470534d1c2e995805
SHA512 eb6c19103664623f24f2b21f2537e99c8dd4c5e9c1fe7a95a2b4fc4eb08c362df78ec302d3d5ce7ae8b7a5c3caa7f13d6667fa13cb29c6f2bd668afe4a18058c
-
Filesize 3KB
MD5 8805e4860a8a2aa0f52784f731c4ec89
SHA1 2b466a88670bbd2226d66bf34f441ef6ad3b3886
SHA256 6c6f488c964727f26a22852d26ee8e822cce9dc99a4ceb4c4a06d015717cf148
SHA512 90e0edfd7bda7b8430497bdba8f5f66850bdeee40150e0a9b8466da0eeeecb7a01cbed2f1b4fd094a2b0392fd94448be4816bf3c97215c19040320d506817823
-
Filesize 576KB
MD5 ec84d2f90193a2217ed2ccd2feec9d4b
SHA1 907e912ecf8e741b6ef6bcf190d157c4b52f1994
SHA256 0a8a9b0025e81b6188a01e87638c65d0d7da274a13e8b3c678f0398f3c7e8331
SHA512 e96762edac1f78603c88a31a83334165fcd229aa5e320e93f29833fb6c3e7c0fe0009bdf330db45015585ab6cfc38edceeabeb4598c76595cf37282afbe52a7d