Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2024, 20:11

Static task: static1
Behavioral task: behavioral1
  Sample: 41d9078262c1e7897521578078204cbf_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 41d9078262c1e7897521578078204cbf_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General
Target: 41d9078262c1e7897521578078204cbf_JaffaCakes118.exe
Size: 832KB
MD5: 41d9078262c1e7897521578078204cbf
SHA1: 42dc667acaa80cc721c2799b1e080981bdaf63aa
SHA256: 4c97a2d092fea544ff1670059a079066b3c46e9af34fb00c0436f52c98f9f44c
SHA512: d04751bc47c59d5fc33bdcfb5534911bb6af288ee3987d948b87ad535b5b8ceedcd3a408ed8e3314869a7df4747c06c7fed7793337e254bd160d9d22b4f67a14
SSDEEP: 12288:QgkDxdkL+6JNgKVcRa+fpHyWs3OBH4pUrp:2xsKXa+hHyWseBg
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | uvtgxqufefd.exe
The data written is the default "Explorer.exe", so the indicator here is that two dropped executables wrote the Winlogon Shell value at all, not the value itself; a rule that only alerts on non-default Shell data would miss this.

Sets UAC policy values to 0 (13 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | uvtgxqufefd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | uvtgxqufefd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | uvtgxqufefd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | uvtgxqufefd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | uvtgxqufefd.exe
EnableLUA = 0 turns UAC off entirely at the next logon; ConsentPromptBehaviorAdmin = 0 removes the elevation prompt for administrators; PromptOnSecureDesktop = 0 lets any prompt that does appear be drawn on the normal, spoofable desktop.
Adds policy Run key to start application (2 TTPs, 26 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | uvtgxqufefd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dothmyfmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshfuqhyrmirxsrsexb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "zwnnecvojgepxuvymhnkb.exe" | ksufhq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | uvtgxqufefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dothmyfmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgurfaqgysnvaussdv.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dothmyfmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woavhaocskdjmeay.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dothmyfmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woavhaocskdjmeay.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "kgwvliasmifpwssuhbgc.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dothmyfmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjfsmbqhaubfyvue.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "xshfuqhyrmirxsrsexb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dothmyfmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshfuqhyrmirxsrsexb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dothmyfmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjfsmbqhaubfyvue.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "xshfuqhyrmirxsrsexb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "woavhaocskdjmeay.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "dwjfsmbqhaubfyvue.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dothmyfmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnnecvojgepxuvymhnkb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "mgurfaqgysnvaussdv.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "dwjfsmbqhaubfyvue.exe" | ksufhq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "mgurfaqgysnvaussdv.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "kgwvliasmifpwssuhbgc.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dothmyfmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgurfaqgysnvaussdv.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "kgwvliasmifpwssuhbgc.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dothmyfmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjfsmbqhaubfyvue.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockbjyiseshj = "zwnnecvojgepxuvymhnkb.exe" | ksufhq.exe
The two value names are rewritten repeatedly with rotating file names: dothmyfmv always carries a full path under the user's Temp directory, while ockbjyiseshj carries a bare file name that Windows resolves at logon through the normal executable search order, which includes the C:\Windows and C:\Windows\SysWOW64 directories the sample also drops copies into.
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ksufhq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | uvtgxqufefd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | uvtgxqufefd.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ksufhq.exe
Executes dropped EXE (4 IoCs)
pid | Process
2140 | uvtgxqufefd.exe
1048 | ksufhq.exe
2892 | ksufhq.exe
2220 | uvtgxqufefd.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | ksufhq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | ksufhq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | ksufhq.exe
Loads dropped DLL (8 IoCs)
pid | Process | entries
2816 | 41d9078262c1e7897521578078204cbf_JaffaCakes118.exe | 4
2140 | uvtgxqufefd.exe | 4
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "woavhaocskdjmeay.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ncldmcnylaqtt = "dwjfsmbqhaubfyvue.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "zwnnecvojgepxuvymhnkb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "dwjfsmbqhaubfyvue.exe" | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ncldmcnylaqtt = "woavhaocskdjmeay.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "dwjfsmbqhaubfyvue.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgurfaqgysnvaussdv.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "kgwvliasmifpwssuhbgc.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "woavhaocskdjmeay.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ncldmcnylaqtt = "kgwvliasmifpwssuhbgc.exe" | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeohriugukbfgw = "dwjfsmbqhaubfyvue.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgurfaqgysnvaussdv.exe" | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ncldmcnylaqtt = "mgurfaqgysnvaussdv.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "zwnnecvojgepxuvymhnkb.exe ." | uvtgxqufefd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnnecvojgepxuvymhnkb.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ritnyqdqfwotvmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshfuqhyrmirxsrsexb.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "mgurfaqgysnvaussdv.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ritnyqdqfwotvmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnnecvojgepxuvymhnkb.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshfuqhyrmirxsrsexb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "kgwvliasmifpwssuhbgc.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ritnyqdqfwotvmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgurfaqgysnvaussdv.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeohriugukbfgw = "kgwvliasmifpwssuhbgc.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ritnyqdqfwotvmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjfsmbqhaubfyvue.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ritnyqdqfwotvmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwvliasmifpwssuhbgc.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnnecvojgepxuvymhnkb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ncldmcnylaqtt = "mgurfaqgysnvaussdv.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeohriugukbfgw = "kgwvliasmifpwssuhbgc.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ritnyqdqfwotvmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woavhaocskdjmeay.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwvliasmifpwssuhbgc.exe" | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeohriugukbfgw = "dwjfsmbqhaubfyvue.exe ." | uvtgxqufefd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woavhaocskdjmeay.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshfuqhyrmirxsrsexb.exe ." | uvtgxqufefd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshfuqhyrmirxsrsexb.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnnecvojgepxuvymhnkb.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshfuqhyrmirxsrsexb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "mgurfaqgysnvaussdv.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woavhaocskdjmeay.exe" | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woavhaocskdjmeay.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnnecvojgepxuvymhnkb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ritnyqdqfwotvmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woavhaocskdjmeay.exe ." | uvtgxqufefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "zwnnecvojgepxuvymhnkb.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshfuqhyrmirxsrsexb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnnecvojgepxuvymhnkb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshfuqhyrmirxsrsexb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ritnyqdqfwotvmh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjfsmbqhaubfyvue.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjfsmbqhaubfyvue.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "xshfuqhyrmirxsrsexb.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeohriugukbfgw = "mgurfaqgysnvaussdv.exe ." | uvtgxqufefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnnecvojgepxuvymhnkb.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ncldmcnylaqtt = "zwnnecvojgepxuvymhnkb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeohriugukbfgw = "mgurfaqgysnvaussdv.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "xshfuqhyrmirxsrsexb.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woavhaocskdjmeay.exe" | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeohriugukbfgw = "xshfuqhyrmirxsrsexb.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwvliasmifpwssuhbgc.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgurfaqgysnvaussdv.exe" | uvtgxqufefd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgurfaqgysnvaussdv.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "dwjfsmbqhaubfyvue.exe" | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woavhaocskdjmeay.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeohriugukbfgw = "woavhaocskdjmeay.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woavhaocskdjmeay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjfsmbqhaubfyvue.exe" | ksufhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma = "zwnnecvojgepxuvymhnkb.exe ." | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiodjwemwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwvliasmifpwssuhbgc.exe" | ksufhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ncldmcnylaqtt = "dwjfsmbqhaubfyvue.exe" | ksufhq.exe
Sets and re-reads EnableLUA (8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | uvtgxqufefd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | uvtgxqufefd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ksufhq.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ksufhq.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | uvtgxqufefd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | uvtgxqufefd.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ksufhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | uvtgxqufefd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ksufhq.exe
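The registry signatures above (Winlogon Shell, the UAC policy values, the policy Run key, DisableRegistryTools, the SafeBoot deletions, the Run/RunOnce entries) are the kind of thing a detection engineer turns into a rule. What follows is an added example, not code from the sandbox or from the sample: a small Python detector over registry-change events. The event shape (operation, key path, data, writing process) is constructed to mirror the columns of the tables on this page; mapping Sysmon Event ID 12/13 fields onto it is left to the reader. The rule names and severities are this example's own choices, and "setup.exe" with a Program Files path is a hypothetical benign control.

```python
"""Flag the registry tampering this report records, from structured events.
Added example, not part of the sandbox report: the event shape is constructed
to mirror the (description, ioc, process) columns of the tables above; mapping
Sysmon Event ID 12/13 fields onto it is left to the reader."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RegEvent:
    op: str              # "set", "key_created", "key_deleted" or "queried"
    path: str            # full key path; for "set" the last component is the value name
    data: Optional[str]  # value data for "set", otherwise None
    process: str         # image name of the writing process


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    process: str
    path: str


# (value name, data) under ...\Policies\System that weaken UAC or lock the
# user out of regedit, as written by the sample.
WEAK_POLICY = {
    ("enablelua", "0"): ("uac_disabled", "high"),
    ("consentpromptbehavioradmin", "0"): ("uac_admin_no_prompt", "high"),
    ("promptonsecuredesktop", "0"): ("uac_no_secure_desktop", "medium"),
    ("enableinstallerdetection", "0"): ("uac_installer_detection_off", "medium"),
    ("enablesecureuiapaths", "0"): ("uac_secure_uia_paths_off", "medium"),
    ("disableregistrytools", "1"): ("regedit_disabled", "high"),
}
# Default data of the Winlogon values that decide what starts at logon. The
# sample writes the default "Explorer.exe", so the write itself is the signal.
DEFAULT_WINLOGON = {"shell": {"explorer.exe"},
                    "userinit": {r"c:\windows\system32\userinit.exe,"}}


def check_event(ev: RegEvent) -> List[Finding]:
    """Return zero or more findings for one registry event."""
    path = ev.path.lower()
    data = (ev.data or "").strip().strip('"').lower()
    if ev.op == "key_deleted":
        # Deleting SafeBoot\Minimal\<svc> (or \Network\) keeps that service out of Safe Mode.
        if "\\control\\safeboot\\minimal\\" in path or "\\control\\safeboot\\network\\" in path:
            return [Finding("safeboot_entry_removed", "high", ev.process, ev.path)]
        return []
    if ev.op != "set" or "\\" not in path:
        return []  # key creations and queries are context here, not findings
    key, name = path.rsplit("\\", 1)
    if key.endswith("\\policies\\system"):
        hit = WEAK_POLICY.get((name, data))
        return [Finding(hit[0], hit[1], ev.process, ev.path)] if hit else []
    if key.endswith("\\currentversion\\winlogon") and name in DEFAULT_WINLOGON:
        sev = "medium" if data in DEFAULT_WINLOGON[name] else "high"
        return [Finding("winlogon_%s_write" % name, sev, ev.process, ev.path)]
    if key.endswith("\\policies\\explorer\\run"):
        # Policy Run entries apply to every user and are rarely set by installers.
        return [Finding("policy_run_key", "high", ev.process, ev.path)]
    if key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        if "\\appdata\\local\\temp\\" in data:
            return [Finding("run_key_temp_path", "high", ev.process, ev.path)]
        if "\\" not in data:
            # Bare name: resolved through the executable search order at logon,
            # which is why the sample also drops copies into C:\Windows and SysWOW64.
            return [Finding("run_key_bare_name", "medium", ev.process, ev.path)]
    return []


def analyze(events: List[RegEvent]) -> List[Finding]:
    return [f for ev in events for f in check_event(ev)]


def findings_by_process(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.process] = counts.get(f.process, 0) + 1
    return counts


# Constructed sample: seven rows taken from the tables above, one query, and a
# benign Run entry (hypothetical "setup.exe", Program Files path) as a control.
HKLM_CV = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
HKU_CV = r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    RegEvent("set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe", "uvtgxqufefd.exe"),
    RegEvent("set", HKLM_CV + r"\Policies\System\EnableLUA", "0", "uvtgxqufefd.exe"),
    RegEvent("set", HKLM_CV + r"\Policies\System\ConsentPromptBehaviorAdmin", "0", "ksufhq.exe"),
    RegEvent("set", HKLM_CV + r"\Policies\System\DisableRegistryTools", "1", "ksufhq.exe"),
    RegEvent("set", HKLM_CV + r"\Policies\Explorer\Run\dothmyfmv", r"C:\Users\Admin\AppData\Local\Temp\xshfuqhyrmirxsrsexb.exe", "ksufhq.exe"),
    RegEvent("set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relbiwfozma", "woavhaocskdjmeay.exe .", "ksufhq.exe"),
    RegEvent("key_deleted", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend", None, "ksufhq.exe"),
    RegEvent("queried", HKLM_CV + r"\Policies\System\EnableLUA", None, "ksufhq.exe"),
    RegEvent("set", HKU_CV + r"\Run\ExampleUpdater", r"C:\Program Files\Example\updater.exe", "setup.exe"),
]
```

Running `analyze(SAMPLE_EVENTS)` yields seven findings: the Winlogon write scores only medium because the data is the default, which is exactly the case a content-only rule misses; the two bare-name Run values, the Temp-path policy Run value and the SafeBoot deletion score high; the query and the benign Program Files entry produce nothing. `findings_by_process` gives the per-image tally (five for ksufhq.exe, two for uvtgxqufefd.exe) that the sandbox's own per-signature counts spread across a dozen tables.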
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | whatismyip.everdot.org
3 | whatismyipaddress.com
5 | www.showmyipaddress.com
8 | www.whatismyip.ca
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | ksufhq.exe
File opened for modification | F:\autorun.inf | ksufhq.exe
File created | F:\autorun.inf | ksufhq.exe
File opened for modification | C:\autorun.inf | ksufhq.exe
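Whether an autorun.inf dropped on F: does anything depends on the NoDriveTypeAutoRun policy, which this same process writes later on the page (System policy modification, value "1"). The following is an added example, not code from the report or the sample: it parses an autorun.inf and decodes the NoDriveTypeAutoRun bitmask so the two can be read together. The autorun.inf contents are constructed (the report records only that the files were created) and "dropped.exe" is a placeholder name. One caveat: Windows 7 with KB971029 and every later Windows ignore autorun.inf on removable drives regardless of this policy, so the F: drop is only effective on hosts without that update; the policy decode is still worth having because the value also governs optical media.

```python
"""Decode what an autorun.inf would launch and whether the host's
NoDriveTypeAutoRun policy still lets AutoRun fire for a given drive type.
Added example, not part of the report: the autorun.inf text below is
constructed (the report records only that C:\\autorun.inf and F:\\autorun.inf
were created, not their contents) and "dropped.exe" is a placeholder name.
The policy value 1 is the one the report shows ksufhq.exe writing."""
from typing import Dict, List, Optional

# NoDriveTypeAutoRun is a bitmask, one bit per GetDriveType() result; a set
# bit disables AutoRun for that drive type. 0xFF disables it everywhere.
DRIVE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
HARDENED = 0xFF
POLICY_WRITTEN_BY_SAMPLE = 0x01   # NoDriveTypeAutoRun = "1" from the report


def autorun_allowed(policy: int, drive_type: str) -> bool:
    """True if AutoRun is still permitted on `drive_type` under `policy`."""
    return not policy & DRIVE_BITS[drive_type]


def autorun_drive_types(policy: int) -> List[str]:
    """Drive types on which AutoRun remains enabled under `policy`."""
    return [t for t, bit in DRIVE_BITS.items() if not policy & bit]


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value.
    Hand-rolled rather than configparser: keys are case-insensitive, values
    are unquoted and may contain '=', and a UTF-8 BOM is common."""
    section: Optional[str] = None
    entries: Dict[str, str] = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_target(inf: Dict[str, str]) -> Optional[str]:
    """Program run on insert. `open` is checked before `shellexecute` here;
    that ordering is this example's choice, not documented precedence."""
    return inf.get("open") or inf.get("shellexecute")


def assess(inf_text: str, policy: int, drive_type: str) -> Dict[str, object]:
    """Combine the file's intent with the policy that decides whether it runs."""
    inf = parse_autorun_inf(inf_text)
    target = launch_target(inf)
    action = inf.get("action", "").lower()
    icon = inf.get("icon", "").lower()
    # shell\<verb>\command entries become Explorer context-menu verbs, so a
    # double-click on the drive can also run the payload.
    verbs = {k.split("\\")[1]: v for k, v in inf.items()
             if k.startswith("shell\\") and k.endswith("\\command")}
    return {
        "target": target,
        "would_autorun": target is not None and autorun_allowed(policy, drive_type),
        # Worm-style dressing: a folder icon and the stock AutoPlay wording
        # make the malicious entry look like "Open folder to view files".
        "spoofs_folder_prompt": "open folder" in action or "shell32.dll" in icon,
        "verbs": verbs,
    }


# Constructed sample (not recovered from the report's autorun.inf).
SAMPLE_INF = "\ufeff" + """\
[autorun]
; comment line
open=dropped.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=dropped.exe
shell\\explore\\command=dropped.exe /e
"""
```

`assess(SAMPLE_INF, POLICY_WRITTEN_BY_SAMPLE, "removable")` reports that the file would launch dropped.exe, that it dresses itself up as the folder prompt, and that the policy value 1 leaves AutoRun enabled for removable, fixed and optical drives; with `HARDENED` (0xFF) the same file would not autorun anywhere. `autorun_drive_types(0x91)`, the stock Windows 7 value, shows that even the default never disabled removable or fixed drives, which is why the hardening guidance is 0xFF rather than "leave the default".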
Drops file in System32 directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\xshfuqhyrmirxsrsexb.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\dwjfsmbqhaubfyvue.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\woavhaocskdjmeay.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\zwnnecvojgepxuvymhnkb.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\qwwffmoquahbsyiurvkqqzzgik.ubv | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\mgurfaqgysnvaussdv.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\mgurfaqgysnvaussdv.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\xshfuqhyrmirxsrsexb.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\qoghzysmigfrayaetpwumn.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\mgurfaqgysnvaussdv.exe | ksufhq.exe
File created | C:\Windows\SysWOW64\ritnyqdqfwotvmhembbsdxianapgydfwrowll.nhs | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\qoghzysmigfrayaetpwumn.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\woavhaocskdjmeay.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\kgwvliasmifpwssuhbgc.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\dwjfsmbqhaubfyvue.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\dwjfsmbqhaubfyvue.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\xshfuqhyrmirxsrsexb.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\qoghzysmigfrayaetpwumn.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\zwnnecvojgepxuvymhnkb.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\kgwvliasmifpwssuhbgc.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\qoghzysmigfrayaetpwumn.exe | uvtgxqufefd.exe
File created | C:\Windows\SysWOW64\qwwffmoquahbsyiurvkqqzzgik.ubv | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\ritnyqdqfwotvmhembbsdxianapgydfwrowll.nhs | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\mgurfaqgysnvaussdv.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\zwnnecvojgepxuvymhnkb.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\woavhaocskdjmeay.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\dwjfsmbqhaubfyvue.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\kgwvliasmifpwssuhbgc.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\kgwvliasmifpwssuhbgc.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\zwnnecvojgepxuvymhnkb.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\SysWOW64\woavhaocskdjmeay.exe | ksufhq.exe
File opened for modification | C:\Windows\SysWOW64\xshfuqhyrmirxsrsexb.exe | uvtgxqufefd.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\qwwffmoquahbsyiurvkqqzzgik.ubv | ksufhq.exe
File created | C:\Program Files (x86)\qwwffmoquahbsyiurvkqqzzgik.ubv | ksufhq.exe
File opened for modification | C:\Program Files (x86)\ritnyqdqfwotvmhembbsdxianapgydfwrowll.nhs | ksufhq.exe
File created | C:\Program Files (x86)\ritnyqdqfwotvmhembbsdxianapgydfwrowll.nhs | ksufhq.exe
Drops file in Windows directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\dwjfsmbqhaubfyvue.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\mgurfaqgysnvaussdv.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\kgwvliasmifpwssuhbgc.exe | ksufhq.exe
File opened for modification | C:\Windows\qoghzysmigfrayaetpwumn.exe | ksufhq.exe
File opened for modification | C:\Windows\woavhaocskdjmeay.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\kgwvliasmifpwssuhbgc.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\mgurfaqgysnvaussdv.exe | ksufhq.exe
File opened for modification | C:\Windows\kgwvliasmifpwssuhbgc.exe | ksufhq.exe
File opened for modification | C:\Windows\zwnnecvojgepxuvymhnkb.exe | ksufhq.exe
File opened for modification | C:\Windows\mgurfaqgysnvaussdv.exe | ksufhq.exe
File opened for modification | C:\Windows\qoghzysmigfrayaetpwumn.exe | ksufhq.exe
File created | C:\Windows\qwwffmoquahbsyiurvkqqzzgik.ubv | ksufhq.exe
File opened for modification | C:\Windows\dwjfsmbqhaubfyvue.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\xshfuqhyrmirxsrsexb.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\xshfuqhyrmirxsrsexb.exe | ksufhq.exe
File opened for modification | C:\Windows\xshfuqhyrmirxsrsexb.exe | ksufhq.exe
File opened for modification | C:\Windows\qoghzysmigfrayaetpwumn.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\woavhaocskdjmeay.exe | ksufhq.exe
File opened for modification | C:\Windows\woavhaocskdjmeay.exe | ksufhq.exe
File opened for modification | C:\Windows\kgwvliasmifpwssuhbgc.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\qoghzysmigfrayaetpwumn.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\dwjfsmbqhaubfyvue.exe | ksufhq.exe
File opened for modification | C:\Windows\zwnnecvojgepxuvymhnkb.exe | ksufhq.exe
File opened for modification | C:\Windows\qwwffmoquahbsyiurvkqqzzgik.ubv | ksufhq.exe
File created | C:\Windows\ritnyqdqfwotvmhembbsdxianapgydfwrowll.nhs | ksufhq.exe
File opened for modification | C:\Windows\woavhaocskdjmeay.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\zwnnecvojgepxuvymhnkb.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\dwjfsmbqhaubfyvue.exe | ksufhq.exe
File opened for modification | C:\Windows\ritnyqdqfwotvmhembbsdxianapgydfwrowll.nhs | ksufhq.exe
File opened for modification | C:\Windows\mgurfaqgysnvaussdv.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\xshfuqhyrmirxsrsexb.exe | uvtgxqufefd.exe
File opened for modification | C:\Windows\zwnnecvojgepxuvymhnkb.exe | uvtgxqufefd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 41d9078262c1e7897521578078204cbf_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uvtgxqufefd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ksufhq.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
2816 | 41d9078262c1e7897521578078204cbf_JaffaCakes118.exe | 40
1048 | ksufhq.exe | 24
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1048  ksufhq.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
description                       pid   Process                                              procid_target  rows
PID 2816 wrote to memory of 2140  2816  41d9078262c1e7897521578078204cbf_JaffaCakes118.exe  30             4
PID 2140 wrote to memory of 1048  2140  uvtgxqufefd.exe                                      31             4
PID 2140 wrote to memory of 2892  2140  uvtgxqufefd.exe                                      32             4
PID 2816 wrote to memory of 2220  2816  41d9078262c1e7897521578078204cbf_JaffaCakes118.exe  34             4
(each row appears four times in the sandbox output; "rows" gives that count, 16 in total)
-
System policy modification 1 TTPs 38 IoCs
description      ioc                                                                                                        Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"           ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                       uvtgxqufefd.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                     uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"            ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"            ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"            ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                       uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"        uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"            uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"     uvtgxqufefd.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                     ksufhq.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                     ksufhq.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                       uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"            uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"            uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"       ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"        ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"            ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"           ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"      uvtgxqufefd.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                       ksufhq.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                       ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"           ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"     ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"      ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"     ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"           ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"       uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"           uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"            ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"            ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"       ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"        ksufhq.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                       uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                       ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                       ksufhq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"           uvtgxqufefd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"      ksufhq.exe
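The rows above are raw events; what a responder needs from them is which writes actually change the host's posture. The classifier below is an added example written for this page, not part of the sandbox report and not code from the sample: it parses rows in the sandbox's own wording (a representative subset copied from this table and from the Winlogon table is embedded as input), maps each value name to the tampering it represents, and separates writes that change a stock Windows 7 default (EnableLUA=0, ConsentPromptBehaviorAdmin=0, DisableRegistryTools=1, NoDriveTypeAutoRun=1) from writes that only re-assert one (ValidateAdminCodeSignatures=0, FilterAdministratorToken=0 and Winlogon\Shell=Explorer.exe are already the defaults, so they are indicators but not a change of posture). The table of Windows 7 default values and the rule names are the editor's assumptions, not something the report states.

```python
import re

# Sandbox registry events copied from this report's "System policy modification"
# and "Modifies WinLogon for persistence" tables (one event per line). This is a
# representative subset of the 38 rows, not the full table.
EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ksufhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" uvtgxqufefd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer uvtgxqufefd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ksufhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" uvtgxqufefd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ksufhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" uvtgxqufefd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ksufhq.exe
"""

# Row shape: Set value (<type>) <key path> = "<data>" <process>. The key path
# may contain spaces ("Windows NT"), so it is matched lazily up to ' = "'.
SET_RE = re.compile(r'^Set value \((?:int|str)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')

# value name -> (data this sample writes, effect, stock Windows 7 default).
# The defaults are the editor's assumption for a stock Windows 7 image.
POLICY_SYSTEM = {
    "enablelua":                   ("0", "UAC disabled (effective at next logon/reboot)", "1"),
    "consentpromptbehavioradmin":  ("0", "administrators elevate silently, no consent prompt", "5"),
    "consentpromptbehavioruser":   ("0", "standard users' elevation requests auto-denied", "3"),
    "promptonsecuredesktop":       ("0", "UAC prompts leave the secure desktop", "1"),
    "enablesecureuiapaths":        ("0", "UIAccess apps may run from non-secure paths", "1"),
    "enablevirtualization":        ("0", "file/registry virtualization for legacy apps off", "1"),
    "validateadmincodesignatures": ("0", "no signature check on elevating executables", "0"),
    "filteradministratortoken":    ("0", "built-in Administrator keeps an unfiltered token", "0"),
    "disableregistrytools":        ("1", "regedit blocked for interactive users", "0"),
}
POLICY_EXPLORER = {
    "nodrivetypeautorun": ("1", "AutoRun mask lowered from 0x91 to 0x1 (only unknown drive types excluded)", "145"),
}
# Winlogon autostart values: any write is a finding; severity depends on whether
# the data differs from the stock value.
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}


def classify(text):
    """Map raw sandbox registry rows to findings.

    Each finding is a dict: process, value_name, data, severity, meaning.
    'high' = the write changes the stock posture; 'info' = the write merely
    re-asserts the default (still an indicator, not a change in posture).
    """
    findings = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if not m:
            continue  # 'Key created' rows carry no data; nothing to grade
        path, data, proc = m.groups()
        low = path.lower()
        name = low.rsplit("\\", 1)[1]
        if "\\policies\\system\\" in low and name in POLICY_SYSTEM:
            tampered, meaning, default = POLICY_SYSTEM[name]
        elif "\\policies\\explorer\\" in low and name in POLICY_EXPLORER:
            tampered, meaning, default = POLICY_EXPLORER[name]
        elif "\\winlogon\\" in low and name in WINLOGON_DEFAULTS:
            tampered, meaning, default = None, "Winlogon autostart value rewritten", WINLOGON_DEFAULTS[name]
        else:
            continue  # not a value this rule set knows
        if tampered is not None and data != tampered:
            continue  # written data is not the tampering pattern
        severity = "info" if data.lower() == default else "high"
        findings.append({
            "process": proc,
            "value_name": path.rsplit("\\", 1)[1],
            "data": data,
            "severity": severity,
            "meaning": meaning,
        })
    return findings


def uac_disabled_by(findings):
    """Processes that wrote EnableLUA=0, the single write that switches UAC off."""
    return sorted({f["process"] for f in findings
                   if f["value_name"].lower() == "enablelua" and f["data"] == "0"})


def summarize(findings):
    """Per-process: sorted list of distinct severities, for a quick triage view."""
    by_proc = {}
    for f in findings:
        by_proc.setdefault(f["process"], set()).add(f["severity"])
    return {p: sorted(s) for p, s in by_proc.items()}


if __name__ == "__main__":
    found = classify(EVENTS)
    for f in found:
        print(f"{f['severity']:<4} {f['process']:<16} {f['value_name']} = {f['data']!r}: {f['meaning']}")
    print("UAC disabled by:", uac_disabled_by(found))
```

Run over the full 38-row table the per-process view shows that both dropped binaries, uvtgxqufefd.exe and ksufhq.exe, write EnableLUA=0, so cleaning one of them is not enough. Note also that EnableLUA only takes effect at the next logon, so on a host caught mid-infection UAC prompts may still appear while the policy value already reads 0.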
Processes
-
C:\Users\Admin\AppData\Local\Temp\41d9078262c1e7897521578078204cbf_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\41d9078262c1e7897521578078204cbf_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2816
    C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe (depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe" "c:\users\admin\appdata\local\temp\41d9078262c1e7897521578078204cbf_jaffacakes118.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 2140
        C:\Users\Admin\AppData\Local\Temp\ksufhq.exe (depth 3)
          command line: "C:\Users\Admin\AppData\Local\Temp\ksufhq.exe" "-C:\Users\Admin\AppData\Local\Temp\woavhaocskdjmeay.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          PID: 1048
        C:\Users\Admin\AppData\Local\Temp\ksufhq.exe (depth 3)
          command line: "C:\Users\Admin\AppData\Local\Temp\ksufhq.exe" "-C:\Users\Admin\AppData\Local\Temp\woavhaocskdjmeay.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID: 2892
    C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe (depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe" "c:\users\admin\appdata\local\temp\41d9078262c1e7897521578078204cbf_jaffacakes118.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 2220
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547) 3
    Registry Run Keys / Startup Folder (T1547.001) 2
    Winlogon Helper DLL (T1547.004) 1
  Hijack Execution Flow (T1574) 1
    Executable Installer File Permissions Weakness (T1574.005) 1
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548) 1
    Bypass User Account Control (T1548.002) 1
  Boot or Logon Autostart Execution (T1547) 3
    Registry Run Keys / Startup Folder (T1547.001) 2
    Winlogon Helper DLL (T1547.004) 1
  Hijack Execution Flow (T1574) 1
    Executable Installer File Permissions Weakness (T1574.005) 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548) 1
    Bypass User Account Control (T1548.002) 1
  Hijack Execution Flow (T1574) 1
    Executable Installer File Permissions Weakness (T1574.005) 1
  Impair Defenses (T1562) 2
    Disable or Modify Tools (T1562.001) 1
    Safe Mode Boot (T1562.009) 1
  Modify Registry (T1112) 5
Downloads
-
Filesize  272B
MD5       12cd2db6474ba6ec04dfcc1f9e7b3086
SHA1      b79882f327512aed9b011ce7d795c833cb995417
SHA256    4dc6a87a7fcbf05a95ddead9e32df9d567f43d80a99158af5765c4b0c58f1e0b
SHA512    d37d93f86ccd075259b09640dc71916d3902700ed69d769bd4f0f60c578f77a9c645b95d246817f08ec304ec83d6700fddf048091372ae29e2c504d69dfafa01
-
Filesize  272B
MD5       94e7a7699666da98c5c04f0d84551605
SHA1      a96210818f10333eb20d78fba3e2063739120dc7
SHA256    caad9af8af385f6acd39eca82b3a9e3af2e6095832ae521b99b2655c1a4435c9
SHA512    4293a85aa5134cc86e05b706e72f67eb7b963a38b50b487651bd5bf2ffe5728dc08184bf4711269e4933681db93117dec566c8a1d4c54312a5a64b92fe7351ba
-
Filesize  272B
MD5       976ac4b0e62e64d994d907c6c2d68317
SHA1      5b921f4af9c403a4fb4d2de0db299e523085f7b1
SHA256    056573954a4f5b9cf829c6eabea9ecd463a3e5cc3e93b1d04c2b2fe974631069
SHA512    2826ac0528b31952587712d6f5e83f201fae59b204358b46ebb7f44385a6464dd33c7e9d4240bbca0cd998ec2cd69b2ad288235422c51843137a4f567d81b4d7
-
Filesize  272B
MD5       1a3e9bf63ab4ae90156fd19ec3001076
SHA1      0d514a6ef3af4d43bb7cd940c5bc758d47f54337
SHA256    27df774c1891286c420e9b1991bc5f9bbf968d7f2aab3ca071fed71c2dfabff2
SHA512    37bee6e442ad0464c95113a5258653279567ea31a39a8fe4d8b52b2aea278098df3ced250a04e6e7ccaec81c18b9bb0941f1c0698a484c7b84b795ba9236c9d6
-
Filesize  272B
MD5       f72e7b5c54c36bf33455a0dcdba2404e
SHA1      88949cdcdc0ec229275a970d760a64978ba5c3fa
SHA256    099479a4d9e3735315c3c405b4262d4e30ed05bb361e214cbfdfd1a883ac6c10
SHA512    243e2df91ccebf983daabbb5be50eb10c969d5e0b8263d1713b8043d2311d68bfb88cc272e914494028ecd50984111a642e79d70a0d6e5ec219fd682bbffc134
-
Filesize  272B
MD5       80a8b4a7c6f526df4bc6e07dd6e115a2
SHA1      6629b7f489a377fbbdee52ac6d1f434011adcdba
SHA256    2d67d2e59e2292dfaf26bf7f386672ae422f4ab201d80ec10a717a518d2e767d
SHA512    3f14b296fc2f3ff2ee2fc9bc2eb2e37ac2b9108c389c9560f96e824015c3f8f0b6c529afa9ffed2b3ff77069278c646a0aa0189b4a21582fe85924d3d47512c0
-
Filesize  272B
MD5       72cdb9de9c74caa5afe9b89c097b5e1a
SHA1      492d10c0ebc390f7cc1d8c9d35e32b6a54a9819f
SHA256    b60bbe483c59c4622dfb7e3a7c6113b9461ea356a7a1a8f680a869f64083e899
SHA512    8b57018f43585d73c9666b64db970f4753df78661937d531f23221b8bfd40083a85b486ea57acab7f64c051a64b0053923db0e0ecb6fdf2029b2d4bcd11ca6df
-
Filesize  272B
MD5       9939f97b976a1227eecd55406ffccfd5
SHA1      cf3af6b690811ec522b4686b1c24bc9fcc3ac007
SHA256    ca3f53112f419dbbc3d756ea77d01c820d2ae65bc89693444f5f3e9556c06e40
SHA512    9af23097edeaf9c78e721d902c9151ae763b0134b416b3c9e52e3205ca05c53609cdb038781bac16047bf41e66227d0a5d6c3db98d3290139c8849c8b907d4f5
-
Filesize  3KB
MD5       09fc8e46e1527eb2623ce4175826f466
SHA1      f7ebaa647a172e235d44155b9bb5ae0f82828a23
SHA256    70db2fc801a47153e506ae0593f82ae120d5f09a0a8fea269815ceec5d3293be
SHA512    f652153c14f52b0caa7dd3fd3b26aab4b15f08bf6f3a7706e64320999cd56492c96dc6fa57affb88584a5a67380e433c00957430b83a666baa32eb6ed2ef3b8a
-
Filesize  832KB (identical hashes to the submitted sample)
MD5       41d9078262c1e7897521578078204cbf
SHA1      42dc667acaa80cc721c2799b1e080981bdaf63aa
SHA256    4c97a2d092fea544ff1670059a079066b3c46e9af34fb00c0436f52c98f9f44c
SHA512    d04751bc47c59d5fc33bdcfb5534911bb6af288ee3987d948b87ad535b5b8ceedcd3a408ed8e3314869a7df4747c06c7fed7793337e254bd160d9d22b4f67a14
-
Filesize  700KB
MD5       f5b283b98a30728c15f1043fba0a9640
SHA1      4818cb833391aecf672112fcdab44410de531dc9
SHA256    83e8cdfbdcb6d65ada23596d475f8a7b800f7bf8a64baad9799ddbcd9141137b
SHA512    0e379df66ffee7b413ba9bacc0bf336e1d5b8f855f1ef1ab3759e917db204955ba989ea00038deda91076497b98a965fcf315c77d98cb6e7b01d319436f1e9ac
-
Filesize  320KB
MD5       1dd5dd5561723f37ccc81e15ecdbf830
SHA1      eeb9131c8d276ceb710d163e89fdc62b3e111971
SHA256    c8c542ac3f6526d1501c2b9d6262bfa029a1ac0d9dd6b3c1965977abdd8bd126
SHA512    b4881d7cd0c2ceeba067e13d23763e739389108d1269acd6c343dd308aa1fedde89da696a8482944342f44ea1094ea6b50021a15d4c6d03762ba032a9598bba5