Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 02:41
Static task: static1
Behavioral task: behavioral1
  Sample: 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe
Size: 352KB
MD5: 295cc3b23f85406482718a84ac12667c
SHA1: dbff739862ae87ce2014e02d19e95078b47f0c18
SHA256: 157ab7601903696053a7db033923b9eaca049c1138b21520d78d782306312232
SHA512: f4e40084f550d0c48840d8111b4e4e7de2eefec551d3d92f3f4ea2a356fab7d09b07c71ceb915c98171efce13069ba9221ee83f87f80bfd333d4fe93b4b8e5f9
SSDEEP: 6144:Ap2qm4uyX++8DKNT3gQI1C43WnaJF19eAyFHQUYJ/31u3jmDrcz7n/p5:AAl4uO8DKNbgw4GnaJtejFHL33j6cz7z
Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ߙJviewʚ.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ϝshimgvwʅ.exe

UAC bypass 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ߙJviewʚ.exe

Windows security bypass 12 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ߙJviewʚ.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

All keys in this table are subkeys of \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (prefix omitted from each row).

description | ioc | Process
Set value (str) | blastclnnn.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Key created | blastclnn.exe | ߙJviewʚ.exe
Key created | nprosec.exe | ߙJviewʚ.exe
Key created | npfrules.exe | ߙJviewʚ.exe
Key created | npfuser.exe | ߙJviewʚ.exe
Set value (str) | autorunme.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | nprosec.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | npfwiz.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Key created | wscript.exe | ϝshimgvwʅ.exe
Set value (str) | Nvcoa.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | cscript.exe\Debugger = "rundll32.exe" | ߙJviewʚ.exe
Key created | autorunme.exe | ߙJviewʚ.exe
Set value (str) | npc_login.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Key created | npfports.exe | ߙJviewʚ.exe
Set value (str) | npfrules.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Key created | nod32krn.exe | ߙJviewʚ.exe
Set value (str) | attrib.exe\Debugger = "rundll32.exe" | ϝshimgvwʅ.exe
Key created | nod32kui.exe | ϝshimgvwʅ.exe
Key created | npc_login.exe | ߙJviewʚ.exe
Key created | wscript.exe | ߙJviewʚ.exe
Key created | npfwiz.exe | ߙJviewʚ.exe
Key created | New Folder.exe | ߙJviewʚ.exe
Key created | npc_tray.exe | ߙJviewʚ.exe
Set value (str) | npcsvc32.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Set value (str) | npflgutl.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Key created | nvoy.exe | ߙJviewʚ.exe
Set value (str) | rtpsvc.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | MSASCui.exe\Debugger = "rundll32.exe" | ߙJviewʚ.exe
Key created | blastclnnn.exe | ߙJviewʚ.exe
Set value (str) | ekrn.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Key created | nod32.exe | ߙJviewʚ.exe
Key created | EHttpSrv.exe | ߙJviewʚ.exe
Key created | cscript.exe | ϝshimgvwʅ.exe
Key created | Njeeves.exe | ϝshimgvwʅ.exe
Set value (str) | nvcsched.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Key created | rtpsvc.exe | ߙJviewʚ.exe
Key created | reg32.exe | ϝshimgvwʅ.exe
Key created | nprosec.exe | ϝshimgvwʅ.exe
Key created | scsaver.exe | ߙJviewʚ.exe
Key created | ansavgd | ߙJviewʚ.exe
Set value (str) | npfsvc32.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Key created | egui.exe | ϝshimgvwʅ.exe
Key created | EHttpSrv.exe | ϝshimgvwʅ.exe
Set value (str) | wscript.exe\Debugger = "rundll32.exe" | ߙJviewʚ.exe
Set value (str) | npflgutl.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | nvoy.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Key created | nod32kui.exe | ߙJviewʚ.exe
Set value (str) | reg32.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | npc_tray.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | scsaver.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Set value (str) | npfwiz.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Set value (str) | ise32.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | npcsvc32.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | nod32krn.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | New Folder.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Set value (str) | reg32.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Set value (str) | egui.exe\Debugger = "cmd.exe /c del /f /q " | ߙJviewʚ.exe
Set value (str) | scsaver.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | npfuser.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Key created | Nvcoa.exe | ߙJviewʚ.exe
Key created | nuaa.exe | ߙJviewʚ.exe
Key created | npfuser.exe | ϝshimgvwʅ.exe
Set value (str) | Njeeves.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe
Set value (str) | nvoy.exe\Debugger = "cmd.exe /c del /f /q " | ϝshimgvwʅ.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid | Process
4124 | ϝshimgvwʅ.exe
3952 | ߙJviewʚ.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | ϝshimgvwʅ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | ߙJviewʚ.exe

Windows security modification 16 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ϝshimgvwʅ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ߙJviewʚ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | ߙJviewʚ.exe

Adds Run key to start application 2 TTPs 4 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPDEBJWH̉ = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\ϝshimgvwʅ.exe" | ϝshimgvwʅ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jre = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\ߙJviewʚ.exe" | ϝshimgvwʅ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPDEBJWH̉ = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\ϝshimgvwʅ.exe" | ߙJviewʚ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jre = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\ߙJviewʚ.exe" | ߙJviewʚ.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | ϝshimgvwʅ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\AntiVirService | ϝshimgvwʅ.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira | ϝshimgvwʅ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | ߙJviewʚ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\AntiVirService | ߙJviewʚ.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira | ߙJviewʚ.exe

Checks whether UAC is enabled 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ߙJviewʚ.exe

Drops desktop.ini file(s) 2 IoCs

description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Java\Desktop.ini | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Java\Desktop.ini | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe

AutoIT Executable 31 IoCs
AutoIT scripts compiled to PE executables.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ϝshimgvwʅ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ߙJviewʚ.exe

Modifies Control Panel 8 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\WaitToKillAppTimeout = "400" | ϝshimgvwʅ.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop | ߙJviewʚ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\AutoEndTasks = "1" | ߙJviewʚ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\HungAppTimeout = "400" | ߙJviewʚ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\WaitToKillAppTimeout = "400" | ߙJviewʚ.exe
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop | ϝshimgvwʅ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\AutoEndTasks = "1" | ϝshimgvwʅ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\HungAppTimeout = "400" | ϝshimgvwʅ.exe

Modifies registry class 13 IoCs

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon | ϝshimgvwʅ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\ϝshimgvwʅ.exe,0" | ϝshimgvwʅ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\NeverShowExt | ϝshimgvwʅ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | ϝshimgvwʅ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | ϝshimgvwʅ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon | ߙJviewʚ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile | ߙJviewʚ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile | ϝshimgvwʅ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\ϝshimgvwʅ.exe,0" | ߙJviewʚ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\NeverShowExt | ߙJviewʚ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | ߙJviewʚ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | ߙJviewʚ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs

pid | Process
2464 | Rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid | Process
2464 | Rundll32.exe
2464 | Rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description | pid | Process | procid_target
PID 4728 wrote to memory of 2464 | 4728 | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe | 86
PID 4728 wrote to memory of 2464 | 4728 | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe | 86
PID 4728 wrote to memory of 2464 | 4728 | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe | 86
PID 4728 wrote to memory of 4124 | 4728 | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe | 87
PID 4728 wrote to memory of 4124 | 4728 | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe | 87
PID 4728 wrote to memory of 4124 | 4728 | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe | 87
PID 4728 wrote to memory of 3952 | 4728 | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe | 89
PID 4728 wrote to memory of 3952 | 4728 | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe | 89
PID 4728 wrote to memory of 3952 | 4728 | 295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe | 89

System policy modification 1 TTPs 4 IoCs

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ϝshimgvwʅ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ϝshimgvwʅ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ߙJviewʚ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ߙJviewʚ.exe

Processes

- C:\Users\Admin\AppData\Local\Temp\295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe (PID 4728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\295cc3b23f85406482718a84ac12667c_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\Rundll32.exe (PID 2464)
    Command line: Rundll32.exe shimgvw.dll, ImageView_Fullscreen
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\Java\ϝshimgvwʅ.exe (PID 4124)
    Command line: "C:\Users\Admin\AppData\Roaming\Java\ϝshimgvwʅ.exe"
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
  - C:\Users\Admin\AppData\Roaming\Java\ߙJviewʚ.exe (PID 3952)
    Command line: "C:\Users\Admin\AppData\Roaming\Java\ߙJviewʚ.exe"
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification

Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (8)