Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 04:39

Static task: static1
Behavioral task: behavioral1
  Sample: 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe
Size: 472KB
MD5: 2afc84a5a79d5f773f6333d11fe6c72d
SHA1: c0d800b008dfbe06516edfb2c138651a21a48909
SHA256: e753843b9b89738a7dc192a7566e0e595981b48f3054d947cf8cb81390679027
SHA512: 0a818e71292c2bec71368faf354c5a7c0a41f03c9cc3b3562b389d2b33bf1abd2aea6875f7a311872f327ebc10559bb08f705d77add8960dd7ee6c1215b8a46e
SSDEEP: 12288:i6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLg1+:zvdezCByqTtlMQsFuqzRbzI7IB
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
The data written is "Explorer.exe", which is the default Shell value, so the indicator is that a dropped binary writes this value at all rather than the string itself; on a live host compare the current Shell value against the default instead of searching for a non-default string.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | avbhxuykkfl.exe
Disables User Account Control via registry modification 13 IoCs
Sets EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop to 0 under the machine UAC policy key, which turns off UAC elevation prompts. Writing these values requires administrative rights, and EnableLUA = 0 only takes effect after a reboot.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | avbhxuykkfl.exe
Adds policy Run key to start application 2 TTPs 30 IoCs
Policies\Explorer\Run is the Group Policy "run these programs at user logon" list and is honoured in addition to the ordinary Run keys. Several of the values below hold a bare file name rather than a full path; those resolve through the executable search path, which is why the same file names are also written to C:\Windows and C:\Windows\SysWOW64 further down in this report.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | avbhxuykkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "qftqhzplbptvivswha.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "dvmmgbutmdkpfvvcqmrja.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anzujznhvhjjufac.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "brgewpgdujorftrwicf.exe" | dfgqu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | avbhxuykkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "hvieulavkxabnzvyi.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvmmgbutmdkpfvvcqmrja.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "hvieulavkxabnzvyi.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qftqhzplbptvivswha.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "ofvunhzxpflpetsylgkb.exe" | dfgqu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anzujznhvhjjufac.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "brgewpgdujorftrwicf.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qftqhzplbptvivswha.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "ofvunhzxpflpetsylgkb.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvieulavkxabnzvyi.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "qftqhzplbptvivswha.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofvunhzxpflpetsylgkb.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "anzujznhvhjjufac.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "anzujznhvhjjufac.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvmmgbutmdkpfvvcqmrja.exe" | dfgqu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvieulavkxabnzvyi.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvieulavkxabnzvyi.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofvunhzxpflpetsylgkb.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "hvieulavkxabnzvyi.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "dvmmgbutmdkpfvvcqmrja.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahnclvdrzf = "brgewpgdujorftrwicf.exe" | dfgqu.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfgqu.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfgqu.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | avbhxuykkfl.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely as a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | avbhxuykkfl.exe
Executes dropped EXE 4 IoCs
pid | Process
732 | avbhxuykkfl.exe
1520 | dfgqu.exe
2328 | dfgqu.exe
3392 | avbhxuykkfl.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
Deleting entries under SafeBoot\Minimal removes the listed services and drivers from the set Windows loads in Safe Mode, so the host may no longer boot into Safe Mode for cleanup; restore the keys from a known-good host of the same build before attempting a safe-mode remediation.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | dfgqu.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | dfgqu.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | dfgqu.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | dfgqu.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | dfgqu.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | dfgqu.exe
Adds Run key to start application 2 TTPs 64 IoCs
The value names (qvzmtbht, sdngthtlxhhfox, vdkakvetcjg, rbkcobmdoxwtb, hnsgoxery, sbjalxhxhpnj) stay fixed while their data is rewritten repeatedly to point at different dropped binaries, under both the machine (WOW6432Node) and user hives, so a hunt should key on the value names and the dropped file names rather than on any single path. RunOnce data carries a trailing " ." exactly as recorded.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdngthtlxhhfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdkakvetcjg = "anzujznhvhjjufac.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "dvmmgbutmdkpfvvcqmrja.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbkcobmdoxwtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvmmgbutmdkpfvvcqmrja.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "hvieulavkxabnzvyi.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "qftqhzplbptvivswha.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdngthtlxhhfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofvunhzxpflpetsylgkb.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdkakvetcjg = "hvieulavkxabnzvyi.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbjalxhxhpnj = "qftqhzplbptvivswha.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdngthtlxhhfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qftqhzplbptvivswha.exe" | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvmmgbutmdkpfvvcqmrja.exe" | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdkakvetcjg = "qftqhzplbptvivswha.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbkcobmdoxwtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe ." | avbhxuykkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "qftqhzplbptvivswha.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvieulavkxabnzvyi.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "anzujznhvhjjufac.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbjalxhxhpnj = "dvmmgbutmdkpfvvcqmrja.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdkakvetcjg = "brgewpgdujorftrwicf.exe" | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbjalxhxhpnj = "hvieulavkxabnzvyi.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvieulavkxabnzvyi.exe ." | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbjalxhxhpnj = "brgewpgdujorftrwicf.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbkcobmdoxwtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "ofvunhzxpflpetsylgkb.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbkcobmdoxwtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvieulavkxabnzvyi.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "anzujznhvhjjufac.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "ofvunhzxpflpetsylgkb.exe ." | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe" | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvmmgbutmdkpfvvcqmrja.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbjalxhxhpnj = "brgewpgdujorftrwicf.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdngthtlxhhfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvieulavkxabnzvyi.exe" | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdkakvetcjg = "dvmmgbutmdkpfvvcqmrja.exe" | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofvunhzxpflpetsylgkb.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdkakvetcjg = "ofvunhzxpflpetsylgkb.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbkcobmdoxwtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofvunhzxpflpetsylgkb.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbkcobmdoxwtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvmmgbutmdkpfvvcqmrja.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "qftqhzplbptvivswha.exe ." | avbhxuykkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "dvmmgbutmdkpfvvcqmrja.exe" | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qftqhzplbptvivswha.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe" | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdngthtlxhhfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdngthtlxhhfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvmmgbutmdkpfvvcqmrja.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "dvmmgbutmdkpfvvcqmrja.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofvunhzxpflpetsylgkb.exe" | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdkakvetcjg = "hvieulavkxabnzvyi.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "brgewpgdujorftrwicf.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbjalxhxhpnj = "hvieulavkxabnzvyi.exe ." | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvieulavkxabnzvyi.exe" | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbjalxhxhpnj = "dvmmgbutmdkpfvvcqmrja.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbjalxhxhpnj = "ofvunhzxpflpetsylgkb.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbjalxhxhpnj = "qftqhzplbptvivswha.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "anzujznhvhjjufac.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdngthtlxhhfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofvunhzxpflpetsylgkb.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "brgewpgdujorftrwicf.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "hvieulavkxabnzvyi.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbkcobmdoxwtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvieulavkxabnzvyi.exe ." | avbhxuykkfl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe ." | avbhxuykkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdngthtlxhhfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brgewpgdujorftrwicf.exe" | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvieulavkxabnzvyi.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvzmtbht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofvunhzxpflpetsylgkb.exe" | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "ofvunhzxpflpetsylgkb.exe ." | dfgqu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnsgoxery = "ofvunhzxpflpetsylgkb.exe ." | dfgqu.exe
Queries and rewrites the EnableLUA UAC policy value 8 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | avbhxuykkfl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | avbhxuykkfl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dfgqu.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dfgqu.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Sets EnableInstallerDetection to 0, which stops User Account Control from automatically prompting for elevation when it detects an installer being launched by a standard user.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | dfgqu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | dfgqu.exe
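The registry rows in the signatures above (the Winlogon Shell write, the UAC policy values, the Policies\Explorer\Run and Run/RunOnce entries, DisableRegistryTools, the SafeBoot deletions, EnableInstallerDetection and the Geo\Nation query) can be triaged mechanically from a sandbox event export. The Python below is an added example and is not code from the sandbox or from the sample: it parses rows in the `<action> <path> [= "<data>"] <process>` shape shown on this page, normalises away the hive prefix and WOW6432Node so the 32-bit and 64-bit views compare equal, and maps each row to a behaviour label. The rule names, the parser and the sample lines (constructed from the IoCs above, plus one benign control line that is not from this report) are this example's own assumptions, not the sandbox's signature engine.

```python
"""Triage sandbox registry events into the behaviours this report flags.

Added example; not code from the sandbox or the sample. The event lines are
constructed from the IoCs on this page (plus one benign control line), and
the rule names are this example's own, not the sandbox's signature names.
"""
import re
from collections import defaultdict
from typing import NamedTuple, Optional


class RegEvent(NamedTuple):
    action: str            # e.g. "Set value (int)", "Key created", "Key deleted"
    path: str              # full \REGISTRY\... path, value name included
    data: Optional[str]    # quoted data for Set value rows, else None
    process: str           # image name of the process that made the change


# <action> <path> [= "<data>"] <process>. The path is matched lazily so that
# paths containing spaces ("Windows NT", "Control Panel") still parse.
EVENT_RE = re.compile(
    r'^(?P<action>Set value \((?:int|str)\)|Key created|Key deleted|Key opened|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r'\s+(?P<process>\S+)$'
)


def parse_event(line: str) -> Optional[RegEvent]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return RegEvent(m["action"], m["path"], m["data"], m["process"])


def normalise(path: str) -> str:
    """Lower-case the path, drop the hive prefix (MACHINE or USER\\<SID>) and
    the WOW6432Node component, so both registry views compare equal."""
    p = path.replace("\\", "/").lower()
    p = re.sub(r"^/registry/(machine|user/s-[0-9-]+)", "", p)
    return p.replace("/wow6432node", "")


CV = "/software/microsoft/windows/currentversion/"
POLICY_SYSTEM = CV + "policies/system/"
UAC_PROMPT_VALUES = {"enablelua", "consentpromptbehavioradmin",
                     "consentpromptbehavioruser", "promptonsecuredesktop"}


def classify(ev: RegEvent) -> Optional[str]:
    """Map one event to a behaviour label, or None if it is not of interest."""
    p = normalise(ev.path)
    name = p.rsplit("/", 1)[-1]
    if ev.action == "Set value (int)" and p.startswith(POLICY_SYSTEM):
        if name in UAC_PROMPT_VALUES and ev.data == "0":
            return "UAC prompts disabled"
        if name == "enableinstallerdetection" and ev.data == "0":
            return "UAC installer detection disabled"
        if name == "disableregistrytools" and ev.data == "1":
            return "Registry tools disabled"
    if ev.action == "Set value (str)" and p == "/software/microsoft/windows nt/currentversion/winlogon/shell":
        # The data is normally the default "Explorer.exe"; the write itself is the tell.
        return "Winlogon Shell rewritten"
    if ev.action in ("Set value (str)", "Key created") and p.startswith(CV + "policies/explorer/run"):
        return "Policies\\Explorer\\Run persistence"
    if ev.action == "Set value (str)" and (p.startswith(CV + "run/") or p.startswith(CV + "runonce/")):
        return "Run/RunOnce persistence"
    if ev.action == "Key deleted" and p.startswith("/system/controlset") and "/control/safeboot/" in p:
        return "Safe Mode boot impaired"
    if ev.action == "Key value queried" and p.endswith("/control panel/international/geo/nation"):
        return "Location check"
    return None


def triage(lines):
    """Return {behaviour: sorted list of processes} over the recognised events."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            hits[label].add(ev.process)
    return {label: sorted(procs) for label, procs in sorted(hits.items())}


# Constructed from the IoCs on this page; the last line is a benign control
# (an Explorer view setting) that is not from the report and must not match.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" dfgqu.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" dfgqu.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run avbhxuykkfl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfiuahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anzujznhvhjjufac.exe" dfgqu.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbkcobmdoxwtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvmmgbutmdkpfvvcqmrja.exe ." dfgqu.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vdkakvetcjg = "anzujznhvhjjufac.exe" dfgqu.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc dfgqu.exe
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation avbhxuykkfl.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe
""".strip().splitlines()

if __name__ == "__main__":
    for label, procs in triage(SAMPLE_EVENTS).items():
        print(f"{label}: {', '.join(procs)}")
```

The Run/RunOnce rule deliberately fires on every write, as the sandbox does; on a production host you would add an allow-list keyed on the writing process, since installers and Explorer itself legitimately write those keys. The Winlogon rule ignores the data on purpose: as noted above, the sample writes the default value, so filtering on a non-default string would miss it.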
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP. These domains are benign on their own; alert on them only in combination with the process context, for example a binary running from Temp or SysWOW64 resolving them.
flow | ioc
48 | www.whatismyip.ca
55 | whatismyip.everdot.org
19 | whatismyipaddress.com
23 | whatismyip.everdot.org
28 | www.whatismyip.ca
33 | whatismyip.everdot.org
34 | www.whatismyip.ca
35 | www.showmyipaddress.com
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes. The F: drive here is a removable volume attached in the sandbox; the report records only that the files were created, not their contents.
description | ioc | Process
File opened for modification | C:\autorun.inf | dfgqu.exe
File created | C:\autorun.inf | dfgqu.exe
File opened for modification | F:\autorun.inf | dfgqu.exe
File created | F:\autorun.inf | dfgqu.exe
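When an autorun.inf is recovered from a volume, the question is which keys would launch a program and which only dress the drive up. The Python below is an added example, not part of this report: it reads the INI shape Windows expects for autorun.inf and separates the keys that run code (`open`, `shellexecute`, `shell\<verb>\command`) from the keys used to disguise the entry (`action`, `icon`, `label`, `useautoplay`). The sample file is constructed and the executable name `payload.exe` is a placeholder, not one of the file names in this report.

```python
"""Parse an autorun.inf and flag the keys that launch or disguise a program.

Added example; the sample content is constructed and is not the file the
sandbox observed (the report records only that it was created).
"""
import re
from typing import Dict, List, Tuple

# Keys under [autorun] that cause code to run (directly, or via a verb added
# to the drive's context menu) and keys that only dress the drive up.
LAUNCH_KEYS = {"open", "shellexecute"}
DISGUISE_KEYS = {"action", "icon", "label", "useautoplay"}
VERB_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader: section and key names are lower-cased, values kept.
    configparser is avoided because autorun.inf keys contain backslashes and
    values may contain '%' (e.g. %SystemRoot%), which trips its interpolation."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text: str) -> Tuple[List[str], List[str]]:
    """Return (launch findings, disguise findings) for an autorun.inf body."""
    autorun = parse_ini(text).get("autorun", {})
    launches, disguises = [], []
    for key, value in autorun.items():
        verb = VERB_COMMAND_RE.match(key)
        if key in LAUNCH_KEYS:
            launches.append(f"{key} runs {value}")
        elif verb:
            launches.append(f"context-menu verb '{verb.group(1)}' runs {value}")
        elif key in DISGUISE_KEYS:
            disguises.append(f"{key}={value}")
    return launches, disguises


# Constructed sample; 'payload.exe' is a placeholder name, not from the report.
SAMPLE_AUTORUN = """
[autorun]
open=payload.exe
shellexecute=payload.exe
shell\\open\\command=payload.exe
shell\\explore\\command=payload.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
useautoplay=1
"""

if __name__ == "__main__":
    launches, disguises = assess_autorun(SAMPLE_AUTORUN)
    for item in launches:
        print("LAUNCH:", item)
    for item in disguises:
        print("DISGUISE:", item)
```

The `action` and `icon` pairing that mimics the stock "Open folder to view files" AutoPlay entry is the classic disguise, because the user then launches the payload by choosing what looks like the normal option. Note that since the 2011 AutoRun update (KB971029, built into Windows 7 and later) Windows no longer honours autorun.inf on USB mass-storage media, only on optical media, so the spreading vector is much weaker on patched hosts than the signature name suggests.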
Drops file in System32 directory 32 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\sdngthtlxhhfoxqqxmkvfylzldpzzxgpiipe.nxq | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\qftqhzplbptvivswha.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\brgewpgdujorftrwicf.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\dvmmgbutmdkpfvvcqmrja.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\hvieulavkxabnzvyi.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\dvmmgbutmdkpfvvcqmrja.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\qftqhzplbptvivswha.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\ofvunhzxpflpetsylgkb.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\brgewpgdujorftrwicf.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\nnmuwzahihwjhfncycppowybc.kjy | dfgqu.exe
File created | C:\Windows\SysWOW64\nnmuwzahihwjhfncycppowybc.kjy | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\anzujznhvhjjufac.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\anzujznhvhjjufac.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\brgewpgdujorftrwicf.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\hvieulavkxabnzvyi.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\qftqhzplbptvivswha.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\unfgbxrrldlrizaixuatlm.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\unfgbxrrldlrizaixuatlm.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\unfgbxrrldlrizaixuatlm.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\anzujznhvhjjufac.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\dvmmgbutmdkpfvvcqmrja.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\hvieulavkxabnzvyi.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\ofvunhzxpflpetsylgkb.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\anzujznhvhjjufac.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\dvmmgbutmdkpfvvcqmrja.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\qftqhzplbptvivswha.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\ofvunhzxpflpetsylgkb.exe | dfgqu.exe
File created | C:\Windows\SysWOW64\sdngthtlxhhfoxqqxmkvfylzldpzzxgpiipe.nxq | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\unfgbxrrldlrizaixuatlm.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\SysWOW64\brgewpgdujorftrwicf.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\ofvunhzxpflpetsylgkb.exe | dfgqu.exe
File opened for modification | C:\Windows\SysWOW64\hvieulavkxabnzvyi.exe | dfgqu.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\sdngthtlxhhfoxqqxmkvfylzldpzzxgpiipe.nxq | dfgqu.exe
File created | C:\Program Files (x86)\sdngthtlxhhfoxqqxmkvfylzldpzzxgpiipe.nxq | dfgqu.exe
File opened for modification | C:\Program Files (x86)\nnmuwzahihwjhfncycppowybc.kjy | dfgqu.exe
File created | C:\Program Files (x86)\nnmuwzahihwjhfncycppowybc.kjy | dfgqu.exe
Drops file in Windows directory 32 IoCs
description | ioc | Process
File opened for modification | C:\Windows\ofvunhzxpflpetsylgkb.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\hvieulavkxabnzvyi.exe | dfgqu.exe
File opened for modification | C:\Windows\qftqhzplbptvivswha.exe | dfgqu.exe
File opened for modification | C:\Windows\anzujznhvhjjufac.exe | dfgqu.exe
File opened for modification | C:\Windows\unfgbxrrldlrizaixuatlm.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\ofvunhzxpflpetsylgkb.exe | dfgqu.exe
File created | C:\Windows\sdngthtlxhhfoxqqxmkvfylzldpzzxgpiipe.nxq | dfgqu.exe
File opened for modification | C:\Windows\dvmmgbutmdkpfvvcqmrja.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\anzujznhvhjjufac.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\ofvunhzxpflpetsylgkb.exe | dfgqu.exe
File opened for modification | C:\Windows\anzujznhvhjjufac.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\hvieulavkxabnzvyi.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\brgewpgdujorftrwicf.exe | dfgqu.exe
File opened for modification | C:\Windows\nnmuwzahihwjhfncycppowybc.kjy | dfgqu.exe
File opened for modification | C:\Windows\hvieulavkxabnzvyi.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\brgewpgdujorftrwicf.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\unfgbxrrldlrizaixuatlm.exe | dfgqu.exe
File opened for modification | C:\Windows\qftqhzplbptvivswha.exe | dfgqu.exe
File opened for modification | C:\Windows\unfgbxrrldlrizaixuatlm.exe | dfgqu.exe
File opened for modification | C:\Windows\ofvunhzxpflpetsylgkb.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\unfgbxrrldlrizaixuatlm.exe | avbhxuykkfl.exe
File created | C:\Windows\nnmuwzahihwjhfncycppowybc.kjy | dfgqu.exe
File opened for modification | C:\Windows\sdngthtlxhhfoxqqxmkvfylzldpzzxgpiipe.nxq | dfgqu.exe
File opened for modification | C:\Windows\qftqhzplbptvivswha.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\brgewpgdujorftrwicf.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\brgewpgdujorftrwicf.exe | dfgqu.exe
File opened for modification | C:\Windows\dvmmgbutmdkpfvvcqmrja.exe | dfgqu.exe
File opened for modification | C:\Windows\hvieulavkxabnzvyi.exe | dfgqu.exe
File opened for modification | C:\Windows\dvmmgbutmdkpfvvcqmrja.exe | dfgqu.exe
File opened for modification | C:\Windows\qftqhzplbptvivswha.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\dvmmgbutmdkpfvvcqmrja.exe | avbhxuykkfl.exe
File opened for modification | C:\Windows\anzujznhvhjjufac.exe | dfgqu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avbhxuykkfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dfgqu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
64 entries in total (58 from PID 1104, 6 from PID 1520); consecutive identical entries are collapsed below, in the order recorded.
pid | Process
1104 | 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe (14 entries)
1520 | dfgqu.exe (2 entries)
1104 | 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe (22 entries)
1520 | dfgqu.exe (2 entries)
1104 | 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe (22 entries)
1520 | dfgqu.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1520 dfgqu.exe
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 1104 wrote to memory of 732 1104 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe 86
PID 1104 wrote to memory of 732 1104 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe 86
PID 1104 wrote to memory of 732 1104 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe 86
PID 732 wrote to memory of 1520 732 avbhxuykkfl.exe 87
PID 732 wrote to memory of 1520 732 avbhxuykkfl.exe 87
PID 732 wrote to memory of 1520 732 avbhxuykkfl.exe 87
PID 732 wrote to memory of 2328 732 avbhxuykkfl.exe 88
PID 732 wrote to memory of 2328 732 avbhxuykkfl.exe 88
PID 732 wrote to memory of 2328 732 avbhxuykkfl.exe 88
PID 1104 wrote to memory of 3392 1104 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe 92
PID 1104 wrote to memory of 3392 1104 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe 92
PID 1104 wrote to memory of 3392 1104 2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe 92
System policy modification 1 TTPs 38 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" avbhxuykkfl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System dfgqu.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" dfgqu.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" avbhxuykkfl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" dfgqu.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" dfgqu.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dfgqu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" avbhxuykkfl.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2afc84a5a79d5f773f6333d11fe6c72d_JaffaCakes118.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1104
Depth 2: C:\Users\Admin\AppData\Local\Temp\avbhxuykkfl.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\avbhxuykkfl.exe" "c:\users\admin\appdata\local\temp\2afc84a5a79d5f773f6333d11fe6c72d_jaffacakes118.exe*"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 732
Depth 3: C:\Users\Admin\AppData\Local\Temp\dfgqu.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dfgqu.exe" "-C:\Users\Admin\AppData\Local\Temp\anzujznhvhjjufac.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1520

Depth 3: C:\Users\Admin\AppData\Local\Temp\dfgqu.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dfgqu.exe" "-C:\Users\Admin\AppData\Local\Temp\anzujznhvhjjufac.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID: 2328

Depth 2: C:\Users\Admin\AppData\Local\Temp\avbhxuykkfl.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\avbhxuykkfl.exe" "c:\users\admin\appdata\local\temp\2afc84a5a79d5f773f6333d11fe6c72d_jaffacakes118.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID: 3392
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
- Impair Defenses 2
  - Disable or Modify Tools 1
  - Safe Mode Boot 1
- Modify Registry 5
Downloads