Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
submitted: 31/10/2024, 02:26

Static task: static1
Behavioral task: behavioral1
  Sample: 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General
Target: 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Size: 284KB
MD5: 8134e598125e14e6bd192b3bf1a5fa85
SHA1: e6d8f38208f789e5880085c43db65ddb0422df67
SHA256: e13b8ea286f1d029c16412c194919057eb73732b06b0236516fa3971f493974d
SHA512: 354dc28b7ebd1be9c1573937c19cce482872908237d90d53c0feac4db3b4d4b8f066bcd3a43088ccdb62b2da8c305ec0912bb8aaf373fdc6d07f3f18293c8ad8
SSDEEP: 6144:lIfYOMlH5bmfynhMTMYX5evvwo86JQPDHDdx/Qtq8:ToWhMwYX5e3hPJQPDHvd
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | edkts.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | edkts.exe
Pykspa family
UAC bypass (3 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Detect Pykspa worm (1 IoCs)
resource | yara_rule
behavioral2/files/0x000c000000023b00-9.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 27 IoCs)
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | edkts.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | edkts.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | Process
1284 | edkts.exe
4988 | edkts.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | edkts.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | edkts.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | edkts.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | edkts.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | edkts.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | edkts.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | edkts.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | edkts.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | edkts.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | edkts.exe
Looks up external IP address via web service (8 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
38 | whatismyip.everdot.org
40 | www.whatismyip.ca
44 | whatismyip.everdot.org
48 | www.whatismyip.ca
28 | www.whatismyip.ca
29 | whatismyip.everdot.org
30 | whatismyipaddress.com
33 | www.showmyipaddress.com
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\vtzhfmtuyzjgnvhsnzpntbzgno.tda | edkts.exe
File created | C:\Windows\SysWOW64\vtzhfmtuyzjgnvhsnzpntbzgno.tda | edkts.exe
File opened for modification | C:\Windows\SysWOW64\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | edkts.exe
File created | C:\Windows\SysWOW64\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | edkts.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | edkts.exe
File opened for modification | C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda | edkts.exe
File created | C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda | edkts.exe
File opened for modification | C:\Program Files (x86)\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | edkts.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\vtzhfmtuyzjgnvhsnzpntbzgno.tda | edkts.exe
File opened for modification | C:\Windows\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | edkts.exe
File created | C:\Windows\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | edkts.exe
File opened for modification | C:\Windows\vtzhfmtuyzjgnvhsnzpntbzgno.tda | edkts.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | edkts.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | edkts.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | edkts.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | edkts.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process
1284 | edkts.exe (the same entry is reported 22 times)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4988 | edkts.exe
1284 | edkts.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1284 | edkts.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2800 wrote to memory of 1284 | 2800 | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | 90
PID 2800 wrote to memory of 1284 | 2800 | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | 90
PID 2800 wrote to memory of 1284 | 2800 | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | 90
PID 2800 wrote to memory of 4988 | 2800 | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | 91
PID 2800 wrote to memory of 4988 | 2800 | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | 91
PID 2800 wrote to memory of 4988 | 2800 | 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | 91
System policy modification (1 TTPs, 36 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe"
  PID:2800
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification

  Child process: C:\Users\Admin\AppData\Local\Temp\edkts.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\edkts.exe" "-"
    PID:1284
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification

  Child process: C:\Users\Admin\AppData\Local\Temp\edkts.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\edkts.exe" "-"
    PID:4988
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - System policy modification

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:1720
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
Filesize 272B
MD5 28ae0d37ef6f445447a2f0b593086a7b
SHA1 2e8e747ec765b6032e0f0c77402d898f2ebe3dc4
SHA256 42aedf2680a724681de7d605a8480f1e2b32f1002625ccd2f54a2efb69638249
SHA512 2dff23be05f6aaa8f18984ae9b47ba587f8506ef368c89802205e3c45ec2c6fd1019e86686c13d283392e7530b97c2dbb0aa3295a4b88b6cbcc8602f10fea44d

Filesize 272B
MD5 b3a7136ba28b4549925db353b2dc875f
SHA1 961ce8cc0adfdfc93125383b90f026d9a3c2fee0
SHA256 97a338dedc4f622a5f0cb3733320cc8f478a805a5964448727864678b9543ec7
SHA512 2ee8b37b4b51d71154c55102c2daedd87253cc62e5bc1cbd89b741b140cbc0bf8003d8ab6057ee58d6fef3750ecb6b93a565297e61051d4fd87988dbde6f9e62

Filesize 272B
MD5 9cbab60847526b36b3a5434056207392
SHA1 7ed9cc5e65e867f317369817887377a0f183dd25
SHA256 06343f6e79c92fa841387c172b5857e596476d302ac2bed7556a2fa3bd02552b
SHA512 0e8814a2ef435bb5700d3132eccf837843fba25a11bab6366c0930857dce4f937656c580b56e774f125c5113fcddcd2cd966b182f2c27a3c1b1e62d00fe27546

Filesize 272B
MD5 417b61f8ec53265751c09f28d4831da6
SHA1 710d83c09b490eb54d4a8af8521d0feb898f13ea
SHA256 fb562cad74df0b40fd96eb7a574b98f70e7f8bb826e1200c86dd406d63ffa084
SHA512 2c655b8c69bdfac1681e8d44c51cfb7739a242be6c0d4a9b1484202f9df3cafedcbb70cc3b649c62ea8b9eb511cdf2528125e1ac3f31972d655ff1abfb355c07

Filesize 272B
MD5 ede15df8e32ac3d9d648c215c0551dc2
SHA1 82f3b51dbd202ddc515d62742ff24bd6585ad360
SHA256 79bff2fc93df0100c0ff8ff5ed5a17ddb72d58ecbac8d9d41b9ffd428b7c6fba
SHA512 fbeb60ec43bd76c374e64183cf3e050f0965d7592b85bc5697ad72abb4fa20e4c9554f94b8233479293684b3b63b849f8cba1b401c9ea1ff654e82e52248e491

Filesize 604KB
MD5 f196c33bc700545ced4f24c4dd321fc9
SHA1 c8e46a70920d93e6fd24aec624610828fd4a1ef3
SHA256 c095994da53e13dcffb50fd33a6a6de4a6dc7c3b5c5213c77344da8446c69f01
SHA512 2952019338d8ba004101e3822bba235835cdab1d3d5db78c5c47d86087a500a21178a22d488042e463dd4fd0201f238c3db545268bdfa1daa107d9b77c83d274

Filesize 272B
MD5 b926bbc95b52747d2768e466b8eaa9f2
SHA1 2e10a49dd17ff285a6d88eb29671535449ac2826
SHA256 38eeeb834fe4d4470440d7c4871c5af91d68a9f6c391f83a3d90119d0821c48e
SHA512 24484ed7c60cf80f57c0a1ebb01702210ac2262e0466d01e178070df7c6cb6928f5299f2608f333ecd594e1bdfdec6cba8de340699bf1ece79a26745da089998

Filesize 272B
MD5 79cfa24a7b1f0b182deed9c7ade2fb76
SHA1 5cc271e703d245116b6814db44244e6730dd98ab
SHA256 e4f999a8fe21085ec68762812cbbb94107adbd84d887ad1f2e9ca32b69b2bf86
SHA512 8bf63a9b84016acaea800ffa789bc23624eb9a2332a71b67b08f204c81693a11a6c0e4cde27b59ced03ade19aa6e2d0f5ae770c0e75319fb96a353934cdb7dc6

Filesize 272B
MD5 6f3f2406a2f139059ea9e840f0348804
SHA1 a5eba04f60365f00c1e21585c80900f5dbc567ca
SHA256 260e320b38132150343efb19b6c93a910190b4bdaeaeec4129857b840f44f5f4
SHA512 4ac5826d45bd403c71a45032f8de19351e1a3af4fe34e1c8fb6fef32dbe464c75219919194d2712ab11118ebf8eabb9a07a635087f2770bb1f53fff482eb82c7

Filesize 3KB
MD5 9f289e2923206c04b8cfe855492c5986
SHA1 75d22b34af6a17983563291514565aa8f4068359
SHA256 1b8a16abf586d253f66d51e65c891859fe8d6ae796df7f1b5658d5b330d31a98
SHA512 dc6cefb509eab43f5bcffddb45991692db3f99acd96aedc99bb772b9a4d012d0a9b8b0f77e5d78ac82c67f01f81a7bdcf3168a074c4804b2d558f4af0079ac45