Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2024, 11:56

Static task: static1

Behavioral task: behavioral1
Sample: 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe
Resource: win10v2004-20240802-en

General

Target: 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe
Size: 740KB
MD5: 0a87b88c5ce3cc574ea0156658f262b8
SHA1: 9a76df34ea21dd143bebc8c52dad442efabea189
SHA256: 6c278feb11d76e076fef0bc71def1ad0d901d3e7b9f7477cae7c9b7d310caab2
SHA512: c1f3a6c889fd9b68dc30592d7fcea2b7e407e8426dbb5e4ce29aea1a83054cfdca3a7a08a883f9b50b15b09016e26d1f9fba7b48983d008ffecafd1075ec439b
SSDEEP: 12288:zgHsqmAdjxORA4GTe2Pr9hroyCMJOcddfm+YvT:zqmwjfz79iSJOUYr

Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 4 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | obhqxfrnylr.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | whjpykn.exe

Adds policy Run key to start application (2 TTPs, 30 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxnheevnjgyvlevnjpmlb.exe" | whjpykn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "jhwplkarmizvkcsjejfd.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxnheevnjgyvlevnjpmlb.exe" | whjpykn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "wthzushxrmcxlcrhbfa.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhulfcqfyshboeshad.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "yxnheevnjgyvlevnjpmlb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "cxjzsobphaohtivjb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "cxjzsobphaohtivjb.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhulfcqfyshboeshad.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "lhulfcqfyshboeshad.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "vpaphcobskxpaoan.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpaphcobskxpaoan.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhulfcqfyshboeshad.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "vpaphcobskxpaoan.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxjzsobphaohtivjb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "lhulfcqfyshboeshad.exe" | whjpykn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "lhulfcqfyshboeshad.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wthzushxrmcxlcrhbfa.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wthzushxrmcxlcrhbfa.exe" | obhqxfrnylr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxjzsobphaohtivjb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "jhwplkarmizvkcsjejfd.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wthzushxrmcxlcrhbfa.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "wthzushxrmcxlcrhbfa.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhwplkarmizvkcsjejfd.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lxahrein = "cxjzsobphaohtivjb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yhhls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpaphcobskxpaoan.exe" | whjpykn.exe

Disables RegEdit via registry modification (7 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whjpykn.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whjpykn.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | obhqxfrnylr.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | obhqxfrnylr.exe

Executes dropped EXE (4 IoCs)

pid | Process
4528 | obhqxfrnylr.exe
320 | whjpykn.exe
2808 | whjpykn.exe
2676 | obhqxfrnylr.exe

Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)

description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | whjpykn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | whjpykn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | whjpykn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | whjpykn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | whjpykn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | whjpykn.exe

Adds Run key to start application (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhwplkarmizvkcsjejfd.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxnheevnjgyvlevnjpmlb.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhulfcqfyshboeshad.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "vpaphcobskxpaoan.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wthzushxrmcxlcrhbfa.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "yxnheevnjgyvlevnjpmlb.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "vpaphcobskxpaoan.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vjoxjyelwi = "wthzushxrmcxlcrhbfa.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cptbmaflv = "yxnheevnjgyvlevnjpmlb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndkvjairesbp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhwplkarmizvkcsjejfd.exe" | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhulfcqfyshboeshad.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndkvjairesbp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpaphcobskxpaoan.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "lhulfcqfyshboeshad.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "wthzushxrmcxlcrhbfa.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vjoxjyelwi = "jhwplkarmizvkcsjejfd.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxjzsobphaohtivjb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxnheevnjgyvlevnjpmlb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "yxnheevnjgyvlevnjpmlb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndkvjairesbp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxjzsobphaohtivjb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhwplkarmizvkcsjejfd.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "cxjzsobphaohtivjb.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cptbmaflv = "wthzushxrmcxlcrhbfa.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vjoxjyelwi = "yxnheevnjgyvlevnjpmlb.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "jhwplkarmizvkcsjejfd.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "wthzushxrmcxlcrhbfa.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "wthzushxrmcxlcrhbfa.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndkvjairesbp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wthzushxrmcxlcrhbfa.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qflviyfnzmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxnheevnjgyvlevnjpmlb.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "cxjzsobphaohtivjb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpaphcobskxpaoan.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "jhwplkarmizvkcsjejfd.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qflviyfnzmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpaphcobskxpaoan.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qflviyfnzmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpaphcobskxpaoan.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpaphcobskxpaoan.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qflviyfnzmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpaphcobskxpaoan.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "jhwplkarmizvkcsjejfd.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qflviyfnzmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhulfcqfyshboeshad.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vjoxjyelwi = "wthzushxrmcxlcrhbfa.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxnheevnjgyvlevnjpmlb.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vjoxjyelwi = "cxjzsobphaohtivjb.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "vpaphcobskxpaoan.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qflviyfnzmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhwplkarmizvkcsjejfd.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wthzushxrmcxlcrhbfa.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "cxjzsobphaohtivjb.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qflviyfnzmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wthzushxrmcxlcrhbfa.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cptbmaflv = "vpaphcobskxpaoan.exe" | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhulfcqfyshboeshad.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "vpaphcobskxpaoan.exe" | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhwplkarmizvkcsjejfd.exe" | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cptbmaflv = "lhulfcqfyshboeshad.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jtuzhs = "jhwplkarmizvkcsjejfd.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cptbmaflv = "cxjzsobphaohtivjb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndkvjairesbp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxnheevnjgyvlevnjpmlb.exe" | obhqxfrnylr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vjoxjyelwi = "vpaphcobskxpaoan.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cptbmaflv = "lhulfcqfyshboeshad.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndkvjairesbp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxnheevnjgyvlevnjpmlb.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndkvjairesbp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpaphcobskxpaoan.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "lhulfcqfyshboeshad.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cptbmaflv = "wthzushxrmcxlcrhbfa.exe" | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpaphcobskxpaoan.exe ." | whjpykn.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vjoxjyelwi = "jhwplkarmizvkcsjejfd.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndkvjairesbp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhwplkarmizvkcsjejfd.exe" | whjpykn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\whjpykn = "vpaphcobskxpaoan.exe ." | obhqxfrnylr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndkvjairesbp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhulfcqfyshboeshad.exe" | obhqxfrnylr.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whjpykn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whjpykn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | obhqxfrnylr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | obhqxfrnylr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | obhqxfrnylr.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | obhqxfrnylr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | whjpykn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | whjpykn.exe

Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow | ioc
40 | whatismyip.everdot.org
41 | www.showmyipaddress.com
45 | www.whatismyip.ca
23 | whatismyipaddress.com
30 | whatismyip.everdot.org
31 | www.whatismyip.ca

Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.

description | ioc | Process
File opened for modification | F:\autorun.inf | whjpykn.exe
File created | F:\autorun.inf | whjpykn.exe
File opened for modification | C:\autorun.inf | whjpykn.exe
File created | C:\autorun.inf | whjpykn.exe

Drops file in System32 directory (32 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\vpaphcobskxpaoan.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\cxjzsobphaohtivjb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\yxnheevnjgyvlevnjpmlb.exe | whjpykn.exe
File created | C:\Windows\SysWOW64\qflviyfnzmuhnwdlxtgvblyovdpckxdmt.njw | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\cxjzsobphaohtivjb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\wthzushxrmcxlcrhbfa.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\yxnheevnjgyvlevnjpmlb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\jhwplkarmizvkcsjejfd.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\ppgbzasligzxoiatqxvvmh.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\vpaphcobskxpaoan.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\yxnheevnjgyvlevnjpmlb.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\zdyxzeaxyaxzusolmxzdyx.eax | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\jhwplkarmizvkcsjejfd.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\vpaphcobskxpaoan.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\cxjzsobphaohtivjb.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\wthzushxrmcxlcrhbfa.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\lhulfcqfyshboeshad.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\ppgbzasligzxoiatqxvvmh.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\jhwplkarmizvkcsjejfd.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\ppgbzasligzxoiatqxvvmh.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\vpaphcobskxpaoan.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\wthzushxrmcxlcrhbfa.exe | obhqxfrnylr.exe
File created | C:\Windows\SysWOW64\zdyxzeaxyaxzusolmxzdyx.eax | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\jhwplkarmizvkcsjejfd.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\wthzushxrmcxlcrhbfa.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\lhulfcqfyshboeshad.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\qflviyfnzmuhnwdlxtgvblyovdpckxdmt.njw | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\yxnheevnjgyvlevnjpmlb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\ppgbzasligzxoiatqxvvmh.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\lhulfcqfyshboeshad.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\SysWOW64\lhulfcqfyshboeshad.exe | whjpykn.exe
File opened for modification | C:\Windows\SysWOW64\cxjzsobphaohtivjb.exe | whjpykn.exe

Drops file in Program Files directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files (x86)\zdyxzeaxyaxzusolmxzdyx.eax | whjpykn.exe
File created | C:\Program Files (x86)\zdyxzeaxyaxzusolmxzdyx.eax | whjpykn.exe
File opened for modification | C:\Program Files (x86)\qflviyfnzmuhnwdlxtgvblyovdpckxdmt.njw | whjpykn.exe
File created | C:\Program Files (x86)\qflviyfnzmuhnwdlxtgvblyovdpckxdmt.njw | whjpykn.exe

Drops file in Windows directory (32 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\wthzushxrmcxlcrhbfa.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\cxjzsobphaohtivjb.exe | whjpykn.exe
File opened for modification | C:\Windows\wthzushxrmcxlcrhbfa.exe | whjpykn.exe
File opened for modification | C:\Windows\vpaphcobskxpaoan.exe | whjpykn.exe
File opened for modification | C:\Windows\lhulfcqfyshboeshad.exe | whjpykn.exe
File opened for modification | C:\Windows\jhwplkarmizvkcsjejfd.exe | whjpykn.exe
File created | C:\Windows\zdyxzeaxyaxzusolmxzdyx.eax | whjpykn.exe
File opened for modification | C:\Windows\vpaphcobskxpaoan.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\yxnheevnjgyvlevnjpmlb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\lhulfcqfyshboeshad.exe | whjpykn.exe
File opened for modification | C:\Windows\yxnheevnjgyvlevnjpmlb.exe | whjpykn.exe
File opened for modification | C:\Windows\ppgbzasligzxoiatqxvvmh.exe | whjpykn.exe
File opened for modification | C:\Windows\qflviyfnzmuhnwdlxtgvblyovdpckxdmt.njw | whjpykn.exe
File opened for modification | C:\Windows\jhwplkarmizvkcsjejfd.exe | obhqxfrnylr.exe
File created | C:\Windows\qflviyfnzmuhnwdlxtgvblyovdpckxdmt.njw | whjpykn.exe
File opened for modification | C:\Windows\wthzushxrmcxlcrhbfa.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\ppgbzasligzxoiatqxvvmh.exe | whjpykn.exe
File opened for modification | C:\Windows\lhulfcqfyshboeshad.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\vpaphcobskxpaoan.exe | whjpykn.exe
File opened for modification | C:\Windows\cxjzsobphaohtivjb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\jhwplkarmizvkcsjejfd.exe | whjpykn.exe
File opened for modification | C:\Windows\cxjzsobphaohtivjb.exe | whjpykn.exe
File opened for modification | C:\Windows\yxnheevnjgyvlevnjpmlb.exe | whjpykn.exe
File opened for modification | C:\Windows\vpaphcobskxpaoan.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\yxnheevnjgyvlevnjpmlb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\jhwplkarmizvkcsjejfd.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\ppgbzasligzxoiatqxvvmh.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\wthzushxrmcxlcrhbfa.exe | whjpykn.exe
File opened for modification | C:\Windows\zdyxzeaxyaxzusolmxzdyx.eax | whjpykn.exe
File opened for modification | C:\Windows\cxjzsobphaohtivjb.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\lhulfcqfyshboeshad.exe | obhqxfrnylr.exe
File opened for modification | C:\Windows\ppgbzasligzxoiatqxvvmh.exe | obhqxfrnylr.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obhqxfrnylr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | whjpykn.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 320 whjpykn.exe
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 1616 wrote to memory of 4528 1616 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe 82
PID 1616 wrote to memory of 4528 1616 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe 82
PID 1616 wrote to memory of 4528 1616 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe 82
PID 4528 wrote to memory of 320 4528 obhqxfrnylr.exe 83
PID 4528 wrote to memory of 320 4528 obhqxfrnylr.exe 83
PID 4528 wrote to memory of 320 4528 obhqxfrnylr.exe 83
PID 4528 wrote to memory of 2808 4528 obhqxfrnylr.exe 84
PID 4528 wrote to memory of 2808 4528 obhqxfrnylr.exe 84
PID 4528 wrote to memory of 2808 4528 obhqxfrnylr.exe 84
PID 1616 wrote to memory of 2676 1616 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe 95
PID 1616 wrote to memory of 2676 1616 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe 95
PID 1616 wrote to memory of 2676 1616 0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe 95
System policy modification 1 TTPs 38 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" whjpykn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" whjpykn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer whjpykn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" whjpykn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" whjpykn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" obhqxfrnylr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" obhqxfrnylr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" whjpykn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" whjpykn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System obhqxfrnylr.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0a87b88c5ce3cc574ea0156658f262b8_JaffaCakes118.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe" "c:\users\admin\appdata\local\temp\0a87b88c5ce3cc574ea0156658f262b8_jaffacakes118.exe*"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4528

C:\Users\Admin\AppData\Local\Temp\whjpykn.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\whjpykn.exe" "-c:\users\admin\appdata\local\temp\0a87b88c5ce3cc574ea0156658f262b8_jaffacakes118.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:320

C:\Users\Admin\AppData\Local\Temp\whjpykn.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\whjpykn.exe" "-c:\users\admin\appdata\local\temp\0a87b88c5ce3cc574ea0156658f262b8_jaffacakes118.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2808

C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\obhqxfrnylr.exe" "c:\users\admin\appdata\local\temp\0a87b88c5ce3cc574ea0156658f262b8_jaffacakes118.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2676
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads