Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 00:25

Static task: static1
Behavioral task: behavioral1
  Sample: 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe
Size: 548KB
MD5: 80cdc7c264ea951dedde8d7cda97fe25
SHA1: 9961e22ff166d873068b85f829c0b17f8680c889
SHA256: a7b6fb08d17320632c5a3f97d3f265a5e594035fc2b92585b81d0aba16a46df1
SHA512: 1efb232e4569fbb233dd9e60f2d38225cc6e091008a2375f6834e5f0785dddd71970c005b78540123ffb9735df1949933937748d554450e51cd9c302f0d44e53
SSDEEP: 12288:N6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgWgho+5:GvdezCByqTtlMQsFuqzRbzI7IVQ5
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Note that the value written is "Explorer.exe", which is the default; the rows record that the Shell value was rewritten, not that it was pointed at another binary.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | tgmoojbsdqw.exe
Disables UAC via registry policy values (signature title not captured on this page) 13 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | tgmoojbsdqw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | tgmoojbsdqw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tgmoojbsdqw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tgmoojbsdqw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | tgmoojbsdqw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gssyhm.exe
Adds policy Run key to start application 2 TTPs 29 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhysiexoytmygmnl.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "zwhysiexoytmygmnl.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "soyohwrjzicufmrr.exe" | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "vwlgeyyvqedaqcmrtujkz.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "gguoledztgeapajnoocc.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguoledztgeapajnoocc.exe" | gssyhm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyohwrjzicufmrr.exe" | tgmoojbsdqw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "igskfwtnfqmgtcjlki.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "igskfwtnfqmgtcjlki.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "gguoledztgeapajnoocc.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "zwhysiexoytmygmnl.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "soyohwrjzicufmrr.exe" | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "vwlgeyyvqedaqcmrtujkz.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "tsfyumkfykhcqaillkx.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyohwrjzicufmrr.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "tsfyumkfykhcqaillkx.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyohwrjzicufmrr.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguoledztgeapajnoocc.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlgeyyvqedaqcmrtujkz.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "soyohwrjzicufmrr.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igskfwtnfqmgtcjlki.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kciujulzlqgu = "soyohwrjzicufmrr.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igskfwtnfqmgtcjlki.exe" | tgmoojbsdqw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igskfwtnfqmgtcjlki.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhysiexoytmygmnl.exe" | gssyhm.exe
Disables RegEdit via registry modification 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tgmoojbsdqw.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gssyhm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gssyhm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tgmoojbsdqw.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tgmoojbsdqw.exe
Executes dropped EXE 4 IoCs
pid | Process
2632 | tgmoojbsdqw.exe
2744 | gssyhm.exe
1552 | gssyhm.exe
1964 | tgmoojbsdqw.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
Subkeys under SafeBoot\Minimal list the services and drivers Windows loads in Safe Mode; deleting Power, WinDefend and ProfSvc keeps Windows Defender and the User Profile Service from starting there, which hinders clean-up from Safe Mode.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | gssyhm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | gssyhm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | gssyhm.exe
Loads dropped DLL 8 IoCs
pid | Process
2712 | 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe
2712 | 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe
2632 | tgmoojbsdqw.exe
2632 | tgmoojbsdqw.exe
2632 | tgmoojbsdqw.exe
2632 | tgmoojbsdqw.exe
2712 | 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe
2712 | 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "igskfwtnfqmgtcjlki.exe" | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "soyohwrjzicufmrr.exe ." | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "gguoledztgeapajnoocc.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "vwlgeyyvqedaqcmrtujkz.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemarexnbiaqze = "soyohwrjzicufmrr.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "zwhysiexoytmygmnl.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjwmyqfsypem = "igskfwtnfqmgtcjlki.exe" | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nirgymgxmuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyohwrjzicufmrr.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "tsfyumkfykhcqaillkx.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "igskfwtnfqmgtcjlki.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfyumkfykhcqaillkx.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "vwlgeyyvqedaqcmrtujkz.exe" | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjwmyqfsypem = "zwhysiexoytmygmnl.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfyumkfykhcqaillkx.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igskfwtnfqmgtcjlki.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "zwhysiexoytmygmnl.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "zwhysiexoytmygmnl.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\soyohwrjzicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguoledztgeapajnoocc.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhysiexoytmygmnl.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "igskfwtnfqmgtcjlki.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\soyohwrjzicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlgeyyvqedaqcmrtujkz.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguoledztgeapajnoocc.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igskfwtnfqmgtcjlki.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlgeyyvqedaqcmrtujkz.exe ." | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjwmyqfsypem = "igskfwtnfqmgtcjlki.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhysiexoytmygmnl.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemarexnbiaqze = "gguoledztgeapajnoocc.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjwmyqfsypem = "soyohwrjzicufmrr.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlgeyyvqedaqcmrtujkz.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nirgymgxmuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguoledztgeapajnoocc.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyohwrjzicufmrr.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\soyohwrjzicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhysiexoytmygmnl.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "vwlgeyyvqedaqcmrtujkz.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "soyohwrjzicufmrr.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nirgymgxmuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlgeyyvqedaqcmrtujkz.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "soyohwrjzicufmrr.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguoledztgeapajnoocc.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjwmyqfsypem = "soyohwrjzicufmrr.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\soyohwrjzicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfyumkfykhcqaillkx.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "vwlgeyyvqedaqcmrtujkz.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nirgymgxmuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyohwrjzicufmrr.exe ." | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nirgymgxmuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyohwrjzicufmrr.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguoledztgeapajnoocc.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nirgymgxmuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlgeyyvqedaqcmrtujkz.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nirgymgxmuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igskfwtnfqmgtcjlki.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyohwrjzicufmrr.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nirgymgxmuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhysiexoytmygmnl.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nirgymgxmuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gguoledztgeapajnoocc.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\soyohwrjzicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhysiexoytmygmnl.exe" | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyohwrjzicufmrr.exe ." | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlgeyyvqedaqcmrtujkz.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjwmyqfsypem = "gguoledztgeapajnoocc.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "tsfyumkfykhcqaillkx.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemarexnbiaqze = "soyohwrjzicufmrr.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemarexnbiaqze = "soyohwrjzicufmrr.exe ." | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhysiexoytmygmnl.exe" | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjwmyqfsypem = "zwhysiexoytmygmnl.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemarexnbiaqze = "vwlgeyyvqedaqcmrtujkz.exe ." | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "soyohwrjzicufmrr.exe" | gssyhm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlgeyyvqedaqcmrtujkz.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\simwjshtdg = "gguoledztgeapajnoocc.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\soyohwrjzicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tsfyumkfykhcqaillkx.exe" | tgmoojbsdqw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjwmyqfsypem = "tsfyumkfykhcqaillkx.exe" | gssyhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "tsfyumkfykhcqaillkx.exe ." | gssyhm.exe
Sets and re-reads the EnableLUA policy value (signature title not captured on this page) 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gssyhm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tgmoojbsdqw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tgmoojbsdqw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tgmoojbsdqw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tgmoojbsdqw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gssyhm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gssyhm.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users: EnableInstallerDetection = 0 disables the UAC heuristic that recognises installers and prompts for elevation.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | tgmoojbsdqw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | gssyhm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | gssyhm.exe
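The registry signatures above (the Winlogon Shell write, the UAC policy values, the policy and standard Run keys, DisableRegistryTools and the SafeBoot deletions) can be recognised mechanically from the sandbox's own "description ioc Process" rows. The Python below is an added example written for this page, not output of the sandbox or code from the sample. The sample rows are copied from the tables above; the rule names and the ATT&CK technique IDs attached to them are this example's own mapping (the sandbox files EnableInstallerDetection under its "Hijack Execution Flow" signature, here it is counted with the other UAC policy values).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows copied from this report's IoC tables, in the
# sandbox's "description ioc Process" rendering (values as the sandbox prints them).
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" tgmoojbsdqw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tgmoojbsdqw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gssyhm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" gssyhm.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gssyhm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gssyhm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zoramuitc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwhysiexoytmygmnl.exe" gssyhm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejuisivgkz = "soyohwrjzicufmrr.exe ." tgmoojbsdqw.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend gssyhm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gssyhm.exe
"""

# One sandbox row: operation, key path (may contain spaces), optional = "value", process name.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key (?:created|deleted|opened|value queried))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<value>.*?)")?'
    r'\s+(?P<process>\S+\.exe)$')

# Hive, per-user SID and WOW6432Node are stripped so one rule covers every view of a key.
HIVE_RE = re.compile(
    r'^\\REGISTRY\\(?:MACHINE\\SOFTWARE|USER\\S-1-5-[\d-]+\\SOFTWARE)\\(?:WOW6432NODE\\)?',
    re.IGNORECASE)

POLICY_SYSTEM = "MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM\\"
UAC_VALUES = {"ENABLELUA", "CONSENTPROMPTBEHAVIORADMIN", "CONSENTPROMPTBEHAVIORUSER",
              "PROMPTONSECUREDESKTOP", "ENABLEINSTALLERDETECTION"}
AUTORUN_KEYS = ("MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN\\",
                "MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\",
                "MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE\\")
WINLOGON_SHELL = "MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\SHELL"


@dataclass
class Event:
    op: str
    path: str
    value: Optional[str]
    process: str


def parse_events(text: str) -> list:
    """One sandbox row per line; lines that do not match the row shape are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["op"], m["path"], m["value"], m["process"]))
    return events


def normalize(path: str) -> str:
    return HIVE_RE.sub("", path).upper()


def classify(ev: Event) -> list:
    """(finding, ATT&CK technique) pairs for one event; the rule set is this example's own."""
    hits, p = [], normalize(ev.path)
    is_set = ev.op.startswith("Set value")
    value = (ev.value or "").strip()
    if is_set and p == WINLOGON_SHELL:
        # The sandbox flags any write to Shell. "Explorer.exe" is the default, so a
        # rewritten default is worth a note; anything else is an active shell hijack.
        how = "default value rewritten" if value.lower() == "explorer.exe" else "non-default value"
        hits.append((f"Modifies WinLogon Shell ({how})", "T1547.004"))
    if is_set and p.startswith(POLICY_SYSTEM):
        name = p[len(POLICY_SYSTEM):]
        if name in UAC_VALUES and value == "0":
            hits.append((f"Weakens UAC: {name}=0", "T1548.002"))
        elif name == "DISABLEREGISTRYTOOLS" and value == "1":
            hits.append(("Disables Registry Editor", "T1562.001"))
    if is_set and p.startswith(AUTORUN_KEYS):
        hits.append((f"Adds autostart entry: {value}", "T1547.001"))
    if ev.op == "Key deleted" and "\\CONTROL\\SAFEBOOT\\" in p:
        service = p.rsplit("\\", 1)[-1]
        hits.append((f"Removes Safe Mode entry: {service}", "T1562.009"))
    return hits


def scan(text: str) -> list:
    """All findings as (process, finding, technique) tuples, in row order."""
    return [(ev.process, finding, technique)
            for ev in parse_events(text) for finding, technique in classify(ev)]


def techniques_by_process(text: str) -> dict:
    summary = {}
    for process, _, technique in scan(text):
        summary.setdefault(process, set()).add(technique)
    return summary


if __name__ == "__main__":
    for process, finding, technique in scan(SAMPLE_EVENTS):
        print(f"{process:18} {technique:10} {finding}")
```

Two details in the output are worth a second look. The Winlogon row comes back as a rewrite of the default value, because the sandbox flags the write itself rather than the value. The autostart values come in two forms, full paths under the user's Temp directory and bare file names such as igskfwtnfqmgtcjlki.exe; the bare names resolve only because the same executables are also dropped into C:\Windows (see the file-drop signatures below), which is on the default search path.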
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | whatismyipaddress.com
5 | www.showmyipaddress.com
15 | whatismyip.everdot.org
2 | www.whatismyip.ca
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | gssyhm.exe
File created | C:\autorun.inf | gssyhm.exe
File opened for modification | F:\autorun.inf | gssyhm.exe
File created | F:\autorun.inf | gssyhm.exe
Drops file in System32 directory 32 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\zwhysiexoytmygmnl.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\igskfwtnfqmgtcjlki.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\gguoledztgeapajnoocc.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\zwhysiexoytmygmnl.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\gguoledztgeapajnoocc.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\moeazuvtpeectgrxacsukg.exe | gssyhm.exe
File created | C:\Windows\SysWOW64\soyohwrjzicufmrrokuqaqjytlbkewhottqmws.sla | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\zwhysiexoytmygmnl.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\gguoledztgeapajnoocc.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\tsfyumkfykhcqaillkx.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\vgfkswgnsqzggcwlxihsrweisze.lss | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\tsfyumkfykhcqaillkx.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\vwlgeyyvqedaqcmrtujkz.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\soyohwrjzicufmrr.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\igskfwtnfqmgtcjlki.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\vwlgeyyvqedaqcmrtujkz.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\igskfwtnfqmgtcjlki.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\soyohwrjzicufmrrokuqaqjytlbkewhottqmws.sla | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\tsfyumkfykhcqaillkx.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\moeazuvtpeectgrxacsukg.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\soyohwrjzicufmrr.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\moeazuvtpeectgrxacsukg.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\moeazuvtpeectgrxacsukg.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\vwlgeyyvqedaqcmrtujkz.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\zwhysiexoytmygmnl.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\igskfwtnfqmgtcjlki.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\tsfyumkfykhcqaillkx.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\soyohwrjzicufmrr.exe | gssyhm.exe
File created | C:\Windows\SysWOW64\vgfkswgnsqzggcwlxihsrweisze.lss | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\vwlgeyyvqedaqcmrtujkz.exe | gssyhm.exe
File opened for modification | C:\Windows\SysWOW64\soyohwrjzicufmrr.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\SysWOW64\gguoledztgeapajnoocc.exe | tgmoojbsdqw.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\vgfkswgnsqzggcwlxihsrweisze.lss | gssyhm.exe
File created | C:\Program Files (x86)\vgfkswgnsqzggcwlxihsrweisze.lss | gssyhm.exe
File opened for modification | C:\Program Files (x86)\soyohwrjzicufmrrokuqaqjytlbkewhottqmws.sla | gssyhm.exe
File created | C:\Program Files (x86)\soyohwrjzicufmrrokuqaqjytlbkewhottqmws.sla | gssyhm.exe
Drops file in Windows directory 32 IoCs
description | ioc | Process
File opened for modification | C:\Windows\igskfwtnfqmgtcjlki.exe | gssyhm.exe
File created | C:\Windows\vgfkswgnsqzggcwlxihsrweisze.lss | gssyhm.exe
File opened for modification | C:\Windows\soyohwrjzicufmrr.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\zwhysiexoytmygmnl.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\soyohwrjzicufmrr.exe | gssyhm.exe
File opened for modification | C:\Windows\tsfyumkfykhcqaillkx.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\gguoledztgeapajnoocc.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\vwlgeyyvqedaqcmrtujkz.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\zwhysiexoytmygmnl.exe | gssyhm.exe
File opened for modification | C:\Windows\vwlgeyyvqedaqcmrtujkz.exe | gssyhm.exe
File opened for modification | C:\Windows\tsfyumkfykhcqaillkx.exe | gssyhm.exe
File opened for modification | C:\Windows\vwlgeyyvqedaqcmrtujkz.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\vwlgeyyvqedaqcmrtujkz.exe | gssyhm.exe
File opened for modification | C:\Windows\moeazuvtpeectgrxacsukg.exe | gssyhm.exe
File opened for modification | C:\Windows\vgfkswgnsqzggcwlxihsrweisze.lss | gssyhm.exe
File opened for modification | C:\Windows\zwhysiexoytmygmnl.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\igskfwtnfqmgtcjlki.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\moeazuvtpeectgrxacsukg.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\soyohwrjzicufmrrokuqaqjytlbkewhottqmws.sla | gssyhm.exe
File created | C:\Windows\soyohwrjzicufmrrokuqaqjytlbkewhottqmws.sla | gssyhm.exe
File opened for modification | C:\Windows\soyohwrjzicufmrr.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\igskfwtnfqmgtcjlki.exe | gssyhm.exe
File opened for modification | C:\Windows\gguoledztgeapajnoocc.exe | gssyhm.exe
File opened for modification | C:\Windows\moeazuvtpeectgrxacsukg.exe | gssyhm.exe
File opened for modification | C:\Windows\zwhysiexoytmygmnl.exe | gssyhm.exe
File opened for modification | C:\Windows\igskfwtnfqmgtcjlki.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\tsfyumkfykhcqaillkx.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\gguoledztgeapajnoocc.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\soyohwrjzicufmrr.exe | gssyhm.exe
File opened for modification | C:\Windows\tsfyumkfykhcqaillkx.exe | gssyhm.exe
File opened for modification | C:\Windows\moeazuvtpeectgrxacsukg.exe | tgmoojbsdqw.exe
File opened for modification | C:\Windows\gguoledztgeapajnoocc.exe | gssyhm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tgmoojbsdqw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gssyhm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | rows
2712 | 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe | 40
2744 | gssyhm.exe | 24
(the 64 repeated pid/Process rows are condensed by pid)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2744 gssyhm.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target (hits)
PID 2712 wrote to memory of 2632 2712 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe 28 (4)
PID 2632 wrote to memory of 1552 2632 tgmoojbsdqw.exe 29 (4)
PID 2632 wrote to memory of 2744 2632 tgmoojbsdqw.exe 30 (4)
PID 2712 wrote to memory of 1964 2712 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe 33 (4)
-
System policy modification 1 TTPs 38 IoCs
description ioc Process (hits)
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\.
Key created Policies\System tgmoojbsdqw.exe (2), gssyhm.exe (2)
Key created Policies\Explorer tgmoojbsdqw.exe (1), gssyhm.exe (2)
Set value (int) Policies\System\EnableLUA = "0" tgmoojbsdqw.exe (2), gssyhm.exe (2)
Set value (int) Policies\System\ConsentPromptBehaviorAdmin = "0" tgmoojbsdqw.exe (1), gssyhm.exe (2)
Set value (int) Policies\System\ConsentPromptBehaviorUser = "0" tgmoojbsdqw.exe (1), gssyhm.exe (2)
Set value (int) Policies\System\PromptOnSecureDesktop = "0" tgmoojbsdqw.exe (1), gssyhm.exe (2)
Set value (int) Policies\System\ValidateAdminCodeSignatures = "0" tgmoojbsdqw.exe (1), gssyhm.exe (2)
Set value (int) Policies\System\FilterAdministratorToken = "0" tgmoojbsdqw.exe (1), gssyhm.exe (2)
Set value (int) Policies\System\EnableSecureUIAPaths = "0" tgmoojbsdqw.exe (1), gssyhm.exe (2)
Set value (int) Policies\System\EnableVirtualization = "0" tgmoojbsdqw.exe (1), gssyhm.exe (2)
Set value (int) Policies\System\DisableRegistryTools = "1" tgmoojbsdqw.exe (1), gssyhm.exe (2)
Set value (int) Policies\Explorer\NoDriveTypeAutoRun = "1" tgmoojbsdqw.exe (1), gssyhm.exe (2)
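The registry writes above are easier to reason about as a handful of policy changes than as 38 raw records. The script below is an added example, not part of the report or of the sample: it parses records in the report's own `Set value` / `Key created` format (a subset copied from the table above and embedded inline as constructed input), collapses repeats into one finding per value with per-process hit counts, and attaches the documented meaning of each Policies\System value. The `UAC_WEAKENING` rule table, the NoDriveTypeAutoRun bitmask decode and the 0x91 baseline are the script's own additions, not something the sandbox emits.

```python
"""Turn a sandbox report's registry IoC records into policy-weakening findings.

Added example, not part of the report or of the sample. The input is a subset
of the report's "System policy modification" records in the report's own
format; the meaning attached to each value is the documented semantics of that
Policies value, which the report itself does not state.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: records copied from the report, one line per observed write
# (the report repeats a record each time the same write was seen).
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" gssyhm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tgmoojbsdqw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gssyhm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gssyhm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" gssyhm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tgmoojbsdqw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tgmoojbsdqw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gssyhm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" tgmoojbsdqw.exe
"""

SET_RE = re.compile(r'^Set value \((?:int|str)\) (?P<path>\\REGISTRY\\.+)\\(?P<name>[^\\]+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\\S+) (?P<proc>\S+)$')


@dataclass(frozen=True)
class RegEvent:
    action: str  # "set" or "key"
    path: str    # registry key path as logged
    name: str    # value name; "" for a key creation
    value: str   # value as logged (ints are quoted strings); "" for a key creation
    proc: str    # image name of the writing process


def parse_iocs(text):
    """Parse the report's registry records; an unrecognised line is an error, not silently dropped."""
    events = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if m := SET_RE.match(line):
            events.append(RegEvent("set", m["path"], m["name"], m["value"], m["proc"]))
        elif m := KEY_RE.match(line):
            events.append(RegEvent("key", m["path"], "", "", m["proc"]))
        else:
            raise ValueError("unrecognised IoC record: %r" % line)
    return events


# Documented effect of each value the sample writes under Policies\System. The
# last two are already the Windows default; listed because the sample writes them.
UAC_WEAKENING = {
    ("EnableLUA", "0"): "UAC disabled outright (takes effect at the next reboot)",
    ("ConsentPromptBehaviorAdmin", "0"): "administrators elevate without any prompt",
    ("ConsentPromptBehaviorUser", "0"): "standard users' elevation requests are auto-denied, no credential prompt",
    ("PromptOnSecureDesktop", "0"): "UAC prompts drawn on the interactive desktop, where other code can spoof them",
    ("EnableSecureUIAPaths", "0"): "UIAccess applications allowed from any path",
    ("EnableVirtualization", "0"): "file and registry write virtualization off",
    ("DisableRegistryTools", "1"): "regedit.exe blocked (the report's 'Disables RegEdit' signature)",
    ("FilterAdministratorToken", "0"): "built-in Administrator keeps a full token (default)",
    ("ValidateAdminCodeSignatures", "0"): "no signature check on executables that elevate (default)",
}

# NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is *suppressed*.
AUTORUN_BITS = [(0x01, "unknown"), (0x02, "no root dir"), (0x04, "removable"), (0x08, "fixed"),
                (0x10, "network"), (0x20, "CD-ROM"), (0x40, "RAM disk"), (0x80, "reserved")]
DEFAULT_NODRIVETYPEAUTORUN = 0x91  # Windows default: unknown | network | reserved


def autorun_reenabled(new_mask, baseline=DEFAULT_NODRIVETYPEAUTORUN):
    """Drive types whose suppression bit the new mask clears relative to the baseline."""
    cleared = baseline & ~new_mask
    return [label for bit, label in AUTORUN_BITS if cleared & bit]


def analyze(events):
    """One finding per (action, key, name, value) with per-process hit counts and a meaning."""
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        hits[(ev.action, ev.path, ev.name, ev.value)][ev.proc] += 1
    findings = []
    for (action, path, name, value), procs in hits.items():
        if action == "key":
            meaning = "key created or opened for write before the value writes"
        elif path.endswith(r"\Policies\System") and (name, value) in UAC_WEAKENING:
            meaning = UAC_WEAKENING[(name, value)]
        elif path.endswith(r"\Policies\Explorer") and name == "NoDriveTypeAutoRun":
            mask = int(value)
            meaning = "AutoRun mask %#04x clears suppression for: %s" % (
                mask, ", ".join(autorun_reenabled(mask)) or "nothing")
        else:
            meaning = "not covered by the rule table"
        findings.append({"path": path, "name": name, "value": value,
                         "meaning": meaning, "writers": dict(procs)})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_iocs(SAMPLE_IOCS)):
        who = ", ".join("%s x%d" % (p, n) for p, n in sorted(f["writers"].items()))
        print("%s\\%s = %r: %s  [%s]" % (f["path"].split("\\")[-1], f["name"], f["value"], f["meaning"], who))
```

Two things the raw list hides. EnableLUA = 0 is the only write that actually switches UAC off, and it only takes effect at the next reboot; the ConsentPromptBehaviorAdmin and PromptOnSecureDesktop writes apply immediately and cover the gap. And NoDriveTypeAutoRun = "1" is a weakening, not a hardening: the value is a mask of drive types on which AutoRun is suppressed, so 0x01 suppresses it only for unknown drive types and clears the network-drive and reserved bits that the 0x91 default sets, which sits alongside the "Drops autorun.inf file" signature on PID 2744 below.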
Processes
-
C:\Users\Admin\AppData\Local\Temp\80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe (PID 2712, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe (PID 2632, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe*"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Users\Admin\AppData\Local\Temp\gssyhm.exe (PID 1552, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gssyhm.exe" "-c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\gssyhm.exe (PID 2744, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gssyhm.exe" "-c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
  C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe (PID 1964, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\80cdc7c264ea951dedde8d7cda97fe25_jaffacakes118.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
-
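Every `wrote to memory of` edge in this report targets a process that the tree shows as a direct child of the writer, which is what a dropper looks like when it writes into children it has just spawned; a write into a PID that is not the writer's child is the pattern worth pulling apart as injection. The script below is an added example, not part of the report or of the sample: the 16 WriteProcessMemory records and the parent/child relations are copied from this report and embedded inline as constructed input, the three-way classification is the script's own heuristic, and `DEBUG_PRIVILEGE_HOLDERS` is taken from the AdjustPrivilegeToken signature.

```python
"""Cross-check a sandbox report's WriteProcessMemory records against its process tree.

Added example, not part of the report or of the sample. The records and the
parent/child relations are copied from the report; labelling a write as "into a
direct child" versus "into an unrelated process" is this script's own triage
heuristic, not a verdict the sandbox gives.
"""
import re
from collections import Counter

# Constructed input: the 16 records of the report's "Suspicious use of
# WriteProcessMemory" section, one per line, in the report's own column order
# (source PID, target PID, source PID again, source image, the report's procid_target).
WPM_RECORDS = """\
PID 2712 wrote to memory of 2632 2712 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe 28
PID 2712 wrote to memory of 2632 2712 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe 28
PID 2712 wrote to memory of 2632 2712 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe 28
PID 2712 wrote to memory of 2632 2712 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe 28
PID 2632 wrote to memory of 1552 2632 tgmoojbsdqw.exe 29
PID 2632 wrote to memory of 1552 2632 tgmoojbsdqw.exe 29
PID 2632 wrote to memory of 1552 2632 tgmoojbsdqw.exe 29
PID 2632 wrote to memory of 1552 2632 tgmoojbsdqw.exe 29
PID 2632 wrote to memory of 2744 2632 tgmoojbsdqw.exe 30
PID 2632 wrote to memory of 2744 2632 tgmoojbsdqw.exe 30
PID 2632 wrote to memory of 2744 2632 tgmoojbsdqw.exe 30
PID 2632 wrote to memory of 2744 2632 tgmoojbsdqw.exe 30
PID 2712 wrote to memory of 1964 2712 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe 33
PID 2712 wrote to memory of 1964 2712 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe 33
PID 2712 wrote to memory of 1964 2712 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe 33
PID 2712 wrote to memory of 1964 2712 80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe 33
"""

# Process tree as the report's "Processes" section lists it: pid -> (parent pid, image).
PROCESSES = {
    2712: (None, "80cdc7c264ea951dedde8d7cda97fe25_JaffaCakes118.exe"),
    2632: (2712, "tgmoojbsdqw.exe"),
    1552: (2632, "gssyhm.exe"),
    2744: (2632, "gssyhm.exe"),
    1964: (2712, "tgmoojbsdqw.exe"),
}
DEBUG_PRIVILEGE_HOLDERS = {2744}  # the report's "Suspicious use of AdjustPrivilegeToken" hit

WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$")


def parse_writes(text):
    """Count writes per (source pid, target pid, source image); procid_target is parsed but not interpreted."""
    counts = Counter()
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = WPM_RE.match(line)
        if not m:
            raise ValueError("unrecognised record: %r" % line)
        counts[(int(m["src"]), int(m["dst"]), m["image"])] += 1
    return counts


def classify_writes(writes, processes):
    """Label each write edge by the target's place in the tree.

    child          target was spawned by the writer (what a dropper does to a fresh child)
    cross-process  target exists but is not the writer's child: the classic injection pattern
    unknown        target never appears in the tree
    """
    rows = []
    for (src, dst, image), n in sorted(writes.items()):
        if dst not in processes:
            kind = "unknown"
        elif processes[dst][0] == src:
            kind = "child"
        else:
            kind = "cross-process"
        rows.append({"src": src, "dst": dst, "image": image, "count": n, "kind": kind})
    return rows


def debug_holders_without_writes(writes, holders):
    """Processes that took SeDebugPrivilege but are not recorded writing into any other process."""
    writers = {src for (src, _, _) in writes}
    return sorted(holders - writers)


def render_tree(processes, root=None, depth=0):
    """Indented lineage, children in the order the report lists them."""
    lines = []
    for pid, (parent, image) in processes.items():
        if parent == root:
            lines.append("  " * depth + "%s (PID %d)" % (image, pid))
            lines.extend(render_tree(processes, pid, depth + 1))
    return lines


if __name__ == "__main__":
    writes = parse_writes(WPM_RECORDS)
    print("\n".join(render_tree(PROCESSES)))
    for r in classify_writes(writes, PROCESSES):
        print("%d -> %d x%d %s (%s)" % (r["src"], r["dst"], r["count"], r["kind"], r["image"]))
    print("SeDebugPrivilege without outbound writes:", debug_holders_without_writes(writes, DEBUG_PRIVILEGE_HOLDERS))
```

Run against this report it shows four edges, each `child x4`, and lists PID 2744 as the one process that took SeDebugPrivilege without being recorded writing into anyone: the privilege was acquired but, as far as the report's records go, not used to write into another process. A `cross-process` row is the case to chase; `unknown` means the sandbox saw a target it never attributed to a parent.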
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize: 272B
MD5: 49835b131243614a275975638559081b
SHA1: 870150d801905e6ee2b1a5a5f02dfec6128823d4
SHA256: 99ed0a78a37808c4e2b6734884098ce3d23441ade2d1eb18fd63faca76f4678c
SHA512: a6189ef25b179f73efbaaf6d0b271d9c7eb29e5bd14783b0a27d2db5fbe058431da9c122a79eab5f2a749ee4206ea841b5d588969872868cc37d236a1a79885f
-
Filesize: 272B
MD5: 400fe42db273bcc17fd36c5e93058d3c
SHA1: 15ebaa9378c071f2ddb3057a991ed901dd1ea649
SHA256: 3e0e4e3078a3317a098d3e981194c9e5a9cbcc3553bf07c322ef7112129fa355
SHA512: 69e3779d9fceb1e723aa09e5be38db49070de8a1242e2fc4cc40c92cd45c3148ce4ee5f301da6bd1bac74e903bd3bd6a060545490cb18daeb03c15a687fc5904
-
Filesize: 272B
MD5: b105162b5c37cd04f382fb40e316efe1
SHA1: 197d3d95597e6276ee575027c8492211fb8c5680
SHA256: f9779815b06d937a1cb0c4bcb040b0d7b56ccb65942c89ab39f45a764399e9ff
SHA512: 775cd780ed7a4fe1104e89563bfbaf7b9e02e94cb7f5a9dc11de938e88b4c26aa912f99f24fcb2d47472234c759335d3d5961450cb1f2b37fe2d625af618490a
-
Filesize: 272B
MD5: c7141bf3490cc3a6fedb8a61581b80ac
SHA1: 71e3cb6cb00e388b0556b11944dd90e56fb9494b
SHA256: 16851eb70e0d601cf2ae42aba18b39e058f02a965b3128193f2e8e7246446ffd
SHA512: b57647d20d10fe4cf15a262ba016a3b7d1d5a3e2c8a631a22b938810ab9e3012e0432984fc4ec930153943499a78d8cf118d4cef99f917810090bf64e2193e83
-
Filesize: 272B
MD5: fee4953d56b7dd84558e8f9c0799be13
SHA1: 332431b03b28c79b653eb7f4effcfbc659560b2e
SHA256: 8183288c5bf3e1bbfc2d4d861c06121607ee8a9b016bc59a3d4e34e03a7c1701
SHA512: 4e4843fd00880ba99ba189ae72ece5f0d841502b15f0d4410635a6ce0bf3b80db0f55b855b9215d4ae6b03883700e15f0eb638bfb23fe88a85ae04fb5687fc60
-
Filesize: 3KB
MD5: 7ccef092b835bfca8a84526098d4d2f5
SHA1: fa940c0ca5a9082a1007a578a0eec17cbf51d8c9
SHA256: b11ff6c22c1902c8277bce90e6abcca24487fd6a25b6f12f1a88db6b5650ef67
SHA512: 9464ec22c6c762816175371c8be58adace9ae8d4899e7df03e1c120dcee5d6308095648184e3d121372ec046915ffab2d208a927d3414ac599b2be1e33ce5db9
-
Filesize: 272B
MD5: 55aae867e6a6e7e29933077c41111307
SHA1: a1f0fd054c2b87a9d53e3a0f303805919a21cb77
SHA256: 081974e1c0e9f73e9d50b2658889a1c82e0656d9475cee67fe9108f094093821
SHA512: b80e3eb75f7de40580230a3c31fafb9cb694f9e0f37b8be47c11153aa2ac37e336be3d2376b7d28e0432b940d40b2abb034258ea8e71c447a7933f961a1ea2ee
-
Filesize: 272B
MD5: 0b268aae6a5b52e3f98bbe949ae280c3
SHA1: 42ce8e02252bc97f6eb003d284120b786af4c685
SHA256: b2797a3cbc304aededba0e0531ba3b1afda014c2903f3c8c81c52502f5b14c9d
SHA512: 95a1ff3ebc179347464665beb3d993989a908a9aebc7a2eeb3a358c591e075649a50edd7bd13550855fe15eea61addf3b73e96efe8d0452b5e874ba367f2dd8a
-
Filesize: 548KB
MD5: 80cdc7c264ea951dedde8d7cda97fe25
SHA1: 9961e22ff166d873068b85f829c0b17f8680c889
SHA256: a7b6fb08d17320632c5a3f97d3f265a5e594035fc2b92585b81d0aba16a46df1
SHA512: 1efb232e4569fbb233dd9e60f2d38225cc6e091008a2375f6834e5f0785dddd71970c005b78540123ffb9735df1949933937748d554450e51cd9c302f0d44e53
-
Filesize: 696KB
MD5: 4c43b695391adccdf409c2a1fffe0bce
SHA1: e145fe5b0ff77f2e5e18424bb91de2fa2e79dddf
SHA256: 7dbf0715bc46c45e08cd0d171924c45521d27f9f658102aae94484ffd884b6f5
SHA512: d526d0fbb495a0ef248f8cd6fecdddcf692527be0e805c331299cc673efa57f889efd879d67ac87780ac551666422c32b538a489f3d9a0021da5ba5c337e5892
-
Filesize: 320KB
MD5: 89ec3461ef4a893428c32f89de78b396
SHA1: 8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9
SHA256: 1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b
SHA512: 7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8