Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2024, 11:43
Static task: static1
Behavioral task: behavioral1
  Sample: ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe
Size: 464KB
MD5: ed82058eda9e6ad70b2a81a3b3c0767c
SHA1: 19e729460740a8371c408b91fbb28358f6b635f8
SHA256: a9b2531420fa9044d3a9c4d8f73c947751f4233aa913ea9a7d6cf8835de5c8bc
SHA512: 721627d74703832c208c1c9fdd587ec52174571c11331c49f37b406bc25bda4c1540ea0244686885366533e6595f14b5c419f92eb608fa6938d745984d579ce7
SSDEEP: 6144:8eXajnXTrkY9Nfl7ZOD9aelcbhSF1nfWpVbPP/KCIxijzUd/qHBdjK0DdvRgfAvP:8eX0rkcfstvnf9Cvjod/qSOJ2AvP
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
Both dropped executables write the Winlogon Shell value twice. Note that "Explorer.exe" is the default shell, and because the sample is 32-bit the write is redirected into the WOW6432Node view of the key, which 64-bit winlogon.exe does not read; on this x64 image the signal is that a dropped executable touched the Winlogon key at all, not the value written. A host check that only alerts on a non-default Shell value would miss this.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" aihsp.exe
Disables UAC via registry modification (signature heading not preserved in the source; 13 IoCs)
EnableLUA = 0 turns UAC off entirely but only takes effect after a reboot; ConsentPromptBehaviorAdmin = 0 makes administrators elevate silently and applies immediately; ConsentPromptBehaviorUser = 0 makes elevation requests from standard users fail automatically; PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" rsgszysrbcq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rsgszysrbcq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rsgszysrbcq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" rsgszysrbcq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" rsgszysrbcq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aihsp.exe
Adds policy Run key to start application (2 TTPs, 28 IoCs)
Entries under Policies\Explorer\Run are started at logon like ordinary Run keys but are checked far less often; the two value names (eqtijaglt, luuges) are rewritten repeatedly with rotating file names.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "xqawecpbqhagzqcg.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "eyjgpocpfxryskxcc.exe" aihsp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run aihsp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "liwwikbrkfcmjeucfnhe.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niusccrfwpksnguabh.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwwikbrkfcmjeucfnhe.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "yuhgrsixpjfoketacjc.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "eyjgpocpfxryskxcc.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "eyjgpocpfxryskxcc.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niusccrfwpksnguabh.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "niusccrfwpksnguabh.exe" aihsp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run rsgszysrbcq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niusccrfwpksnguabh.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "liwwikbrkfcmjeucfnhe.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "aynobewnhdbmkgxgktomb.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwwikbrkfcmjeucfnhe.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqawecpbqhagzqcg.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "xqawecpbqhagzqcg.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yuhgrsixpjfoketacjc.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "xqawecpbqhagzqcg.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyjgpocpfxryskxcc.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "yuhgrsixpjfoketacjc.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aynobewnhdbmkgxgktomb.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyjgpocpfxryskxcc.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\luuges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aynobewnhdbmkgxgktomb.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eqtijaglt = "aynobewnhdbmkgxgktomb.exe" aihsp.exe
Disables RegEdit via registry modification (6 IoCs)
DisableRegistryTools is set both per-user (HKU) and machine-wide (HKLM). The policy is honoured by regedit.exe only (1 blocks interactive use; 2 would also block regedit /s); reg.exe and PowerShell's registry provider are unaffected, so the value can be reverted from an elevated prompt during clean-up.
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" rsgszysrbcq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" rsgszysrbcq.exe
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aihsp.exe
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aihsp.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Queries the country code configured in the registry (Control Panel\International\Geo\Nation), which is commonly used as a geofence check.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rsgszysrbcq.exe
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe
Executes dropped EXE (4 IoCs)
pid Process
396 rsgszysrbcq.exe
1112 aihsp.exe
1240 aihsp.exe
5056 rsgszysrbcq.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
Deletes entries from the Safe Mode (Minimal) allow-list, so the named services and drivers are no longer started in Safe Mode. Removing entries such as ProfSvc and UserManager can leave Safe Mode unable to complete a logon, which defeats the usual "boot to Safe Mode and clean up" remediation.
description ioc Process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power aihsp.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys aihsp.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc aihsp.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager aihsp.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys aihsp.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc aihsp.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
Persistence is written to Run and RunOnce under both the user hive and the machine hive (WOW6432Node, because the sample is 32-bit), so clearing a single location will not remove it. RunOnce values are deleted by Explorer once they have run, and the six value names are rewritten many times with rotating file names, which is why 64 rows cover so few names.
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xkoegyfluf = "aynobewnhdbmkgxgktomb.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yijwvko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqawecpbqhagzqcg.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sglcfygnxjx = "liwwikbrkfcmjeucfnhe.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sglcfygnxjx = "niusccrfwpksnguabh.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oelejeoxjxnqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwwikbrkfcmjeucfnhe.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yijwvko = "liwwikbrkfcmjeucfnhe.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yijwvko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwwikbrkfcmjeucfnhe.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pekcgajrcpeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niusccrfwpksnguabh.exe ." rsgszysrbcq.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xkoegyfluf = "aynobewnhdbmkgxgktomb.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "aynobewnhdbmkgxgktomb.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yijwvko = "aynobewnhdbmkgxgktomb.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oelejeoxjxnqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yuhgrsixpjfoketacjc.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yijwvko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwwikbrkfcmjeucfnhe.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yijwvko = "eyjgpocpfxryskxcc.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pekcgajrcpeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyjgpocpfxryskxcc.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyjgpocpfxryskxcc.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "xqawecpbqhagzqcg.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oelejeoxjxnqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyjgpocpfxryskxcc.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sglcfygnxjx = "xqawecpbqhagzqcg.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sglcfygnxjx = "niusccrfwpksnguabh.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "liwwikbrkfcmjeucfnhe.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xkoegyfluf = "xqawecpbqhagzqcg.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oelejeoxjxnqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwwikbrkfcmjeucfnhe.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yijwvko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aynobewnhdbmkgxgktomb.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pekcgajrcpeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyjgpocpfxryskxcc.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xkoegyfluf = "niusccrfwpksnguabh.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xkoegyfluf = "liwwikbrkfcmjeucfnhe.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oelejeoxjxnqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqawecpbqhagzqcg.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "niusccrfwpksnguabh.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyjgpocpfxryskxcc.exe ." rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pekcgajrcpeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqawecpbqhagzqcg.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sglcfygnxjx = "aynobewnhdbmkgxgktomb.exe ." rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yijwvko = "xqawecpbqhagzqcg.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yijwvko = "niusccrfwpksnguabh.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "eyjgpocpfxryskxcc.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "yuhgrsixpjfoketacjc.exe ." rsgszysrbcq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pekcgajrcpeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aynobewnhdbmkgxgktomb.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sglcfygnxjx = "eyjgpocpfxryskxcc.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pekcgajrcpeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niusccrfwpksnguabh.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oelejeoxjxnqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aynobewnhdbmkgxgktomb.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yijwvko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyjgpocpfxryskxcc.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oelejeoxjxnqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqawecpbqhagzqcg.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xkoegyfluf = "niusccrfwpksnguabh.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yijwvko = "niusccrfwpksnguabh.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aynobewnhdbmkgxgktomb.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yijwvko = "eyjgpocpfxryskxcc.exe" rsgszysrbcq.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yijwvko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niusccrfwpksnguabh.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyjgpocpfxryskxcc.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xkoegyfluf = "eyjgpocpfxryskxcc.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pekcgajrcpeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aynobewnhdbmkgxgktomb.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yijwvko = "xqawecpbqhagzqcg.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xkoegyfluf = "liwwikbrkfcmjeucfnhe.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "xqawecpbqhagzqcg.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yijwvko = "yuhgrsixpjfoketacjc.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sglcfygnxjx = "liwwikbrkfcmjeucfnhe.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liwwikbrkfcmjeucfnhe.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nyaooejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yuhgrsixpjfoketacjc.exe ." aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xkoegyfluf = "liwwikbrkfcmjeucfnhe.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xkoegyfluf = "aynobewnhdbmkgxgktomb.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oelejeoxjxnqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aynobewnhdbmkgxgktomb.exe" aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pekcgajrcpeg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aynobewnhdbmkgxgktomb.exe ." rsgszysrbcq.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sglcfygnxjx = "aynobewnhdbmkgxgktomb.exe ." aihsp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oelejeoxjxnqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yuhgrsixpjfoketacjc.exe" aihsp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yijwvko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aynobewnhdbmkgxgktomb.exe" aihsp.exe
Reads and then clears EnableLUA (signature heading not preserved in the source; 8 IoCs)
Each process queries the current EnableLUA value and then writes 0, i.e. it checks whether UAC is on before turning it off.
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rsgszysrbcq.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rsgszysrbcq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rsgszysrbcq.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rsgszysrbcq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aihsp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aihsp.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Sets EnableInstallerDetection to 0, which switches off UAC's installer-detection heuristic (the automatic elevation prompt for executables that look like setup programs). In practice this is one more UAC policy weakening alongside the EnableLUA and ConsentPromptBehavior changes above.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" aihsp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" rsgszysrbcq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" aihsp.exe
Looks up external IP address via web service (8 IoCs)
Uses legitimate IP lookup services to find the infected system's external IP. The domains are benign on their own; for detection, pair them with the requesting process rather than alerting on the domain alone.
flow ioc
16 www.showmyipaddress.com
19 whatismyipaddress.com
25 www.whatismyip.ca
32 whatismyip.everdot.org
33 www.whatismyip.ca
36 whatismyip.everdot.org
39 www.whatismyip.ca
42 whatismyip.everdot.org
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows AutoRun to spread further via attached volumes. The companion NoDriveTypeAutoRun = 1 write (see System policy modification below) replaces the default mask of 0x91 and so re-enables AutoRun for network and unknown drive types. Since KB971029, Windows ignores autorun.inf on non-optical removable media regardless of this value, so on a current host the files on C: and F: mainly target older machines that later mount the same volume.
description ioc Process
File opened for modification C:\autorun.inf aihsp.exe
File created C:\autorun.inf aihsp.exe
File opened for modification F:\autorun.inf aihsp.exe
File created F:\autorun.inf aihsp.exe
Drops file in System32 directory (32 IoCs)
The paths are under SysWOW64 rather than System32: the sample is 32-bit, so file-system redirection sends its System32 writes there. The same six executables appear again under C:\Windows and in the Run keys above.
description ioc Process
File opened for modification C:\Windows\SysWOW64\xkoegyflufssfqwunlvimcewdjsdqqdo.slj aihsp.exe
File opened for modification C:\Windows\SysWOW64\niusccrfwpksnguabh.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\rqgiwatlgdconkcmrbxwmo.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\eyjgpocpfxryskxcc.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\yuhgrsixpjfoketacjc.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\xqawecpbqhagzqcg.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\eyjgpocpfxryskxcc.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\yuhgrsixpjfoketacjc.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\aynobewnhdbmkgxgktomb.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\eyjgpocpfxryskxcc.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\xqawecpbqhagzqcg.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\xqawecpbqhagzqcg.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\liwwikbrkfcmjeucfnhe.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\xqawecpbqhagzqcg.exe aihsp.exe
File created C:\Windows\SysWOW64\xkoegyflufssfqwunlvimcewdjsdqqdo.slj aihsp.exe
File opened for modification C:\Windows\SysWOW64\eyjgpocpfxryskxcc.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\liwwikbrkfcmjeucfnhe.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\aynobewnhdbmkgxgktomb.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\rqgiwatlgdconkcmrbxwmo.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\niusccrfwpksnguabh.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\liwwikbrkfcmjeucfnhe.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\cexctawrpprgiidqylkmf.bie aihsp.exe
File opened for modification C:\Windows\SysWOW64\yuhgrsixpjfoketacjc.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\niusccrfwpksnguabh.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\rqgiwatlgdconkcmrbxwmo.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\yuhgrsixpjfoketacjc.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\liwwikbrkfcmjeucfnhe.exe aihsp.exe
File opened for modification C:\Windows\SysWOW64\aynobewnhdbmkgxgktomb.exe aihsp.exe
File created C:\Windows\SysWOW64\cexctawrpprgiidqylkmf.bie aihsp.exe
File opened for modification C:\Windows\SysWOW64\niusccrfwpksnguabh.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\rqgiwatlgdconkcmrbxwmo.exe rsgszysrbcq.exe
File opened for modification C:\Windows\SysWOW64\aynobewnhdbmkgxgktomb.exe aihsp.exe
Drops file in Program Files directory (4 IoCs)
description ioc Process
File opened for modification C:\Program Files (x86)\cexctawrpprgiidqylkmf.bie aihsp.exe
File created C:\Program Files (x86)\cexctawrpprgiidqylkmf.bie aihsp.exe
File opened for modification C:\Program Files (x86)\xkoegyflufssfqwunlvimcewdjsdqqdo.slj aihsp.exe
File created C:\Program Files (x86)\xkoegyflufssfqwunlvimcewdjsdqqdo.slj aihsp.exe
Drops file in Windows directory (32 IoCs)
description ioc Process
File opened for modification C:\Windows\yuhgrsixpjfoketacjc.exe aihsp.exe
File created C:\Windows\xkoegyflufssfqwunlvimcewdjsdqqdo.slj aihsp.exe
File opened for modification C:\Windows\niusccrfwpksnguabh.exe aihsp.exe
File opened for modification C:\Windows\aynobewnhdbmkgxgktomb.exe aihsp.exe
File opened for modification C:\Windows\xkoegyflufssfqwunlvimcewdjsdqqdo.slj aihsp.exe
File opened for modification C:\Windows\niusccrfwpksnguabh.exe rsgszysrbcq.exe
File opened for modification C:\Windows\yuhgrsixpjfoketacjc.exe rsgszysrbcq.exe
File opened for modification C:\Windows\aynobewnhdbmkgxgktomb.exe rsgszysrbcq.exe
File opened for modification C:\Windows\aynobewnhdbmkgxgktomb.exe aihsp.exe
File opened for modification C:\Windows\xqawecpbqhagzqcg.exe aihsp.exe
File opened for modification C:\Windows\liwwikbrkfcmjeucfnhe.exe aihsp.exe
File opened for modification C:\Windows\liwwikbrkfcmjeucfnhe.exe rsgszysrbcq.exe
File opened for modification C:\Windows\yuhgrsixpjfoketacjc.exe aihsp.exe
File opened for modification C:\Windows\xqawecpbqhagzqcg.exe rsgszysrbcq.exe
File opened for modification C:\Windows\eyjgpocpfxryskxcc.exe rsgszysrbcq.exe
File opened for modification C:\Windows\rqgiwatlgdconkcmrbxwmo.exe rsgszysrbcq.exe
File opened for modification C:\Windows\xqawecpbqhagzqcg.exe aihsp.exe
File opened for modification C:\Windows\rqgiwatlgdconkcmrbxwmo.exe aihsp.exe
File opened for modification C:\Windows\niusccrfwpksnguabh.exe rsgszysrbcq.exe
File opened for modification C:\Windows\yuhgrsixpjfoketacjc.exe rsgszysrbcq.exe
File opened for modification C:\Windows\aynobewnhdbmkgxgktomb.exe rsgszysrbcq.exe
File opened for modification C:\Windows\rqgiwatlgdconkcmrbxwmo.exe rsgszysrbcq.exe
File opened for modification C:\Windows\niusccrfwpksnguabh.exe aihsp.exe
File opened for modification C:\Windows\liwwikbrkfcmje ucfnhe.exe aihsp.exe
File opened for modification C:\Windows\eyjgpocpfxryskxcc.exe aihsp.exe
File opened for modification C:\Windows\eyjgpocpfxryskxcc.exe rsgszysrbcq.exe
File created C:\Windows\cexctawrpprgiidqylkmf.bie aihsp.exe
File opened for modification C:\Windows\xqawecpbqhagzqcg.exe rsgszysrbcq.exe
File opened for modification C:\Windows\liwwikbrkfcmjeucfnhe.exe rsgszysrbcq.exe
File opened for modification C:\Windows\eyjgpocpfxryskxcc.exe aihsp.exe
File opened for modification C:\Windows\rqgiwatlgdconkcmrbxwmo.exe aihsp.exe
File opened for modification C:\Windows\cexctawrpprgiidqylkmf.bie aihsp.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather the victim's system language in order to infer the host's geographic location. Opening HKLM\SYSTEM\...\NLS\Language is also part of ordinary locale initialisation, so on its own this is a weak indicator.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rsgszysrbcq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aihsp.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The sandbox emits one row per process-enumeration call; grouped by process:
pid Process
4212 ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe (60 of the 64 rows)
1112 aihsp.exe (4 of the 64 rows)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1112 | aihsp.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4212 wrote to memory of 396 | 4212 | ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe | 82
PID 4212 wrote to memory of 396 | 4212 | ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe | 82
PID 4212 wrote to memory of 396 | 4212 | ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe | 82
PID 396 wrote to memory of 1112 | 396 | rsgszysrbcq.exe | 85
PID 396 wrote to memory of 1112 | 396 | rsgszysrbcq.exe | 85
PID 396 wrote to memory of 1112 | 396 | rsgszysrbcq.exe | 85
PID 396 wrote to memory of 1240 | 396 | rsgszysrbcq.exe | 86
PID 396 wrote to memory of 1240 | 396 | rsgszysrbcq.exe | 86
PID 396 wrote to memory of 1240 | 396 | rsgszysrbcq.exe | 86
PID 4212 wrote to memory of 5056 | 4212 | ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe | 94
PID 4212 wrote to memory of 5056 | 4212 | ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe | 94
PID 4212 wrote to memory of 5056 | 4212 | ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe | 94
System policy modification 1 TTPs 38 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | aihsp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | aihsp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | rsgszysrbcq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | aihsp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | rsgszysrbcq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | rsgszysrbcq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | aihsp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | rsgszysrbcq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | aihsp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | aihsp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed82058eda9e6ad70b2a81a3b3c0767c_JaffaCakes118.exe"
  PID: 4212
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\rsgszysrbcq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rsgszysrbcq.exe" "c:\users\admin\appdata\local\temp\ed82058eda9e6ad70b2a81a3b3c0767c_jaffacakes118.exe*"
    PID: 396
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\aihsp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\aihsp.exe" "-C:\Users\Admin\AppData\Local\Temp\xqawecpbqhagzqcg.exe"
      PID: 1112
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification

    C:\Users\Admin\AppData\Local\Temp\aihsp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\aihsp.exe" "-C:\Users\Admin\AppData\Local\Temp\xqawecpbqhagzqcg.exe"
      PID: 1240
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

  C:\Users\Admin\AppData\Local\Temp\rsgszysrbcq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rsgszysrbcq.exe" "c:\users\admin\appdata\local\temp\ed82058eda9e6ad70b2a81a3b3c0767c_jaffacakes118.exe"
    PID: 5056
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification

Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads

Filesize 280B
MD5 a6ca6901ec1433096bc397b2729d32e1
SHA1 fed8d2569e114d353be0d97dea1146543543a0e4
SHA256 ceabb7a28cfbfa7e8f6d8061657904d4cd0504589b98d091e9741aabd00cd20e
SHA512 c9c034374f80d566fa2d7e2f6e9315092b10328fefdcfd0d4d5ea68a6d023f813513d051005a51a3e49e984f85f444987a2901dbbba0c0828ad001b3d8667ba5

Filesize 280B
MD5 bd65fd7dbf5a5b2caedc87f411d68301
SHA1 7846cdaffb59254ce2a54980fca576e9820f023e
SHA256 052dadeb0cc86560c3e645e8a615a98d172ce768b6760a51df76583b383fc062
SHA512 cf4a06b01923e1b54e6896752602aa11850d5f1f8a8b79e60069c273b1e40a4fc75ecbf9103dff3cf47f9713fb49561868813a7f7a0af484b4a6f9e5a506e073

Filesize 280B
MD5 5d3bcc366fcf69edab4f95e877056764
SHA1 ae0694c315ae46bfb3ace5d780938c9914cde8e9
SHA256 a67b6090b8090e793f980db3e819d54e6cd0809e6ba1bc1d4ae706cb8a88b7e5
SHA512 97b98f914a6c3f78b9007d53eb8da746f85f8e4370a312de37013123b8dad171600956c9341168f6d185150fd12bae493f951760061dea8a1a0cf76c49ca6e79

Filesize 280B
MD5 a45f2ce7e2e4d1e7902e8b9375d9624f
SHA1 b82ab952210f2637eba49afb009060336d527f2f
SHA256 34fae099840cdd338e8c6a2f89701a440f17e60ce5e125721419c8d1d2e31ce9
SHA512 6914651f3a8b50d749baa34c7e520597a16915636fad97d151ee1804102dc2cf7dea3a16c748aba919fb06738289e09db72680fa794b6a4abe9991043b313bf7

Filesize 704KB
MD5 36f19d08b1a5fb313337e0adb6a2c664
SHA1 00a6870179238b67d3475c876ad5dca7e2bb5466
SHA256 c29e57144db0f88f5cb7fa0dbda83971e0b82ed1f4217bbcb165f3c3c92decfe
SHA512 6e771ec8c176402a816b855afeac46b426fd9c4fdc2ce41585fab611a664b3bb8ae26deabac705ce85756cbdf38b38e2842b2fab096a47a525373f8cd17cad67

Filesize 320KB
MD5 7adc2278b71606c7a9ffc31c8cb93316
SHA1 7eda3f9020f67dc402a730aee229c13ed07fd4e4
SHA256 2b53bc5efd6a2ec7fbf3cb12ee04e4ff4323eadf53accdc28e0a5aa565f04a28
SHA512 dba56ddb3d403f8244022c99321db078f12caccf940cd72eb6b07fae781ab6335a9b97e2b44714924fb949902ea26b0a70239de74a0e09cba13db50e9ff91190

Filesize 280B
MD5 a8c39a8a9fc8810c54cf27707111fe9f
SHA1 8900d573810d492a6447119ca3b38057beee1d51
SHA256 9cec1a53830621f1aacdef6d67cd352b001cb4bb9e2275f107604af30d72b2e2
SHA512 a2719d110b300883f8e4cf4ade1b3852743a7023365f92576ea37efd5b938cda28d851af5faf8a29128319c9869fa0c8c16638c04fab054db778686051450fd2

Filesize 280B
MD5 d624fbe6daa9632051105b3072fc48da
SHA1 eb5e14ab89a81286ff1d9ffede25a178ab0bc972
SHA256 2457ec5148893df331a7629ab4befae97945eb2e1f20875a06e42ba76bf2bc2c
SHA512 535b23ba608c4019e2906d6b0a8a27617e4ebb1159261d007675a52b9a9ded1e08c99e42d8797e8dc453648519f42920fea456b3b4597d1a5de8bd5e30b4fd86

Filesize 4KB
MD5 0f42d3d54adce4341313f7e525e2a9b6
SHA1 8ee775246175a52fc929dba436a7fe6782b2e1e6
SHA256 d61c040dc938d30e5a819f66cc4d079d4bd1edc16251a601bd1e2f524bad3b24
SHA512 369c419e202c01374a3c548257967e60b606dcc8a85aaa3e4c9f4b35b8f902fa3233b8c5a7fe2a3cc8b0b892c0ab4ff8e3c11e1ea78cb2fb844b539976ca3c6a

Filesize 464KB
MD5 ed82058eda9e6ad70b2a81a3b3c0767c
SHA1 19e729460740a8371c408b91fbb28358f6b635f8
SHA256 a9b2531420fa9044d3a9c4d8f73c947751f4233aa913ea9a7d6cf8835de5c8bc
SHA512 721627d74703832c208c1c9fdd587ec52174571c11331c49f37b406bc25bda4c1540ea0244686885366533e6595f14b5c419f92eb608fa6938d745984d579ce7

Filesize 516KB
MD5 ead834dcf7af71e886d52bf218952688
SHA1 eeeeeb7aab823e54378754c97712b30e0ef960e9
SHA256 0a0990bef8d217083fd01edbfb129f718070ef398fd4906e9bc286109dc0bcff
SHA512 8438792c1011514b6811ce696184bb36ebe52e842fe40424d4ea3e8a146f5997d0831b5dace89853761af205f2efa8e76afe1011c2b31409bf18f3e43c779e0c