Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/11/2024, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe
- Size: 644KB
- MD5: 8e8d8dd457411eaf96c3e5f1cf646ec5
- SHA1: b03b741382822e3f012bc8d1c87331aaefeff1a4
- SHA256: b6b2b9e959b52d90742beac4f6b23a72e4c2cb5e802bbb9e7da138098d30cd24
- SHA512: e6cf6ea96fbc9befaf59e1b0a876e7afadc5439918ee294dbe584d474310cc79db4ff7091645e29e0f367561a7a3a71cd80ec4200ebbd7809fd5e738bc58878c
- SSDEEP: 12288:/6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgmb4qtz4g:AvdezCByqTtlMQsFuqzRbzI7IXb46N
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rdyvhyibbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rdyvhyibbni.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | rdyvhyibbni.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | rdyvhyibbni.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | rdyvhyibbni.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rdyvhyibbni.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rdyvhyibbni.exe
Adds policy Run key to start application 2 TTPs 29 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "zmmyuqmzsmgjoihzakx.exe" | mmzyhq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rdyvhyibbni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rdyvhyibbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "yifohatdtkbbduqf.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "maboliftnidhniibdocd.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "bqsgecapkgchoklfiujlz.exe" | rdyvhyibbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqoysmgriastwolba.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "bqsgecapkgchoklfiujlz.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "oazkfavhzslnrkizzi.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqoysmgriastwolba.exe" | mmzyhq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "yifohatdtkbbduqf.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "zmmyuqmzsmgjoihzakx.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "fqoysmgriastwolba.exe" | rdyvhyibbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "oazkfavhzslnrkizzi.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "fqoysmgriastwolba.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqoysmgriastwolba.exe" | rdyvhyibbni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "maboliftnidhniibdocd.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "bqsgecapkgchoklfiujlz.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe" | rdyvhyibbni.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mmzyhq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mmzyhq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rdyvhyibbni.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rdyvhyibbni.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | rdyvhyibbni.exe
Executes dropped EXE 4 IoCs
pid | Process
1452 | rdyvhyibbni.exe
4256 | mmzyhq.exe
2088 | mmzyhq.exe
1968 | rdyvhyibbni.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | mmzyhq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | mmzyhq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | mmzyhq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | mmzyhq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | mmzyhq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | mmzyhq.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "bqsgecapkgchoklfiujlz.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "zmmyuqmzsmgjoihzakx.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "yifohatdtkbbduqf.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "oazkfavhzslnrkizzi.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe ." | rdyvhyibbni.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "maboliftnidhniibdocd.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqoysmgriastwolba.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe" | rdyvhyibbni.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "zmmyuqmzsmgjoihzakx.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "yifohatdtkbbduqf.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "fqoysmgriastwolba.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "fqoysmgriastwolba.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "zmmyuqmzsmgjoihzakx.exe" | rdyvhyibbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe" | rdyvhyibbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "bqsgecapkgchoklfiujlz.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "maboliftnidhniibdocd.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "maboliftnidhniibdocd.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "bqsgecapkgchoklfiujlz.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "fqoysmgriastwolba.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "zmmyuqmzsmgjoihzakx.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "bqsgecapkgchoklfiujlz.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "fqoysmgriastwolba.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "zmmyuqmzsmgjoihzakx.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "maboliftnidhniibdocd.exe" | rdyvhyibbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "yifohatdtkbbduqf.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqoysmgriastwolba.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe ." | rdyvhyibbni.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "fqoysmgriastwolba.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "oazkfavhzslnrkizzi.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "bqsgecapkgchoklfiujlz.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "maboliftnidhniibdocd.exe" | rdyvhyibbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "maboliftnidhniibdocd.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "bqsgecapkgchoklfiujlz.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "bqsgecapkgchoklfiujlz.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "oazkfavhzslnrkizzi.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "zmmyuqmzsmgjoihzakx.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "fqoysmgriastwolba.exe ." | rdyvhyibbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "yifohatdtkbbduqf.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "fqoysmgriastwolba.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe" | rdyvhyibbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe ." | mmzyhq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe" | mmzyhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "fqoysmgriastwolba.exe ." | mmzyhq.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rdyvhyibbni.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rdyvhyibbni.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rdyvhyibbni.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rdyvhyibbni.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mmzyhq.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mmzyhq.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mmzyhq.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | rdyvhyibbni.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mmzyhq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mmzyhq.exe
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
59 | whatismyip.everdot.org
28 | whatismyip.everdot.org
33 | www.whatismyip.ca
34 | whatismyip.everdot.org
44 | www.whatismyip.ca
25 | www.whatismyip.ca
29 | www.showmyipaddress.com
35 | whatismyipaddress.com
40 | www.whatismyip.ca
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | mmzyhq.exe
File created | C:\autorun.inf | mmzyhq.exe
File opened for modification | F:\autorun.inf | mmzyhq.exe
File created | F:\autorun.inf | mmzyhq.exe
Drops file in System32 directory 32 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\bqsgecapkgchoklfiujlz.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\yifohatdtkbbduqf.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\yifohatdtkbbduqf.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\yifohatdtkbbduqf.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\oazkfavhzslnrkizzi.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\zmmyuqmzsmgjoihzakx.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\bqsgecapkgchoklfiujlz.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\yifohatdtkbbduqf.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\zmmyuqmzsmgjoihzakx.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\oazkfavhzslnrkizzi.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\maboliftnidhniibdocd.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\zmmyuqmzsmgjoihzakx.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\fqoysmgriastwolba.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\silazyxnjgdjroqlpcsvkj.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\oazkfavhzslnrkizzi.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\maboliftnidhniibdocd.exe | mmzyhq.exe
File created | C:\Windows\SysWOW64\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\fqoysmgriastwolba.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\bqsgecapkgchoklfiujlz.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\fqoysmgriastwolba.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\silazyxnjgdjroqlpcsvkj.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\dygaeimhikmxkmttcupxrvz.yzb | mmzyhq.exe
File created | C:\Windows\SysWOW64\dygaeimhikmxkmttcupxrvz.yzb | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\oazkfavhzslnrkizzi.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\maboliftnidhniibdocd.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\silazyxnjgdjroqlpcsvkj.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\zmmyuqmzsmgjoihzakx.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\SysWOW64\silazyxnjgdjroqlpcsvkj.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\fqoysmgriastwolba.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\bqsgecapkgchoklfiujlz.exe | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm | mmzyhq.exe
File opened for modification | C:\Windows\SysWOW64\maboliftnidhniibdocd.exe | rdyvhyibbni.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb | mmzyhq.exe
File created | C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb | mmzyhq.exe
File opened for modification | C:\Program Files (x86)\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm | mmzyhq.exe
File created | C:\Program Files (x86)\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm | mmzyhq.exe
Drops file in Windows directory 32 IoCs
description | ioc | Process
File opened for modification | C:\Windows\maboliftnidhniibdocd.exe | mmzyhq.exe
File opened for modification | C:\Windows\yifohatdtkbbduqf.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\bqsgecapkgchoklfiujlz.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\silazyxnjgdjroqlpcsvkj.exe | mmzyhq.exe
File opened for modification | C:\Windows\bqsgecapkgchoklfiujlz.exe | mmzyhq.exe
File opened for modification | C:\Windows\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm | mmzyhq.exe
File opened for modification | C:\Windows\fqoysmgriastwolba.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\zmmyuqmzsmgjoihzakx.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\bqsgecapkgchoklfiujlz.exe | mmzyhq.exe
File created | C:\Windows\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm | mmzyhq.exe
File opened for modification | C:\Windows\maboliftnidhniibdocd.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\fqoysmgriastwolba.exe | mmzyhq.exe
File opened for modification | C:\Windows\oazkfavhzslnrkizzi.exe | mmzyhq.exe
File opened for modification | C:\Windows\fqoysmgriastwolba.exe | mmzyhq.exe
File opened for modification | C:\Windows\zmmyuqmzsmgjoihzakx.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\silazyxnjgdjroqlpcsvkj.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\oazkfavhzslnrkizzi.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\oazkfavhzslnrkizzi.exe | mmzyhq.exe
File opened for modification | C:\Windows\zmmyuqmzsmgjoihzakx.exe | mmzyhq.exe
File opened for modification | C:\Windows\maboliftnidhniibdocd.exe | mmzyhq.exe
File opened for modification | C:\Windows\silazyxnjgdjroqlpcsvkj.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\yifohatdtkbbduqf.exe | mmzyhq.exe
File opened for modification | C:\Windows\zmmyuqmzsmgjoihzakx.exe | mmzyhq.exe
File opened for modification | C:\Windows\yifohatdtkbbduqf.exe | mmzyhq.exe
File opened for modification | C:\Windows\yifohatdtkbbduqf.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\oazkfavhzslnrkizzi.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\fqoysmgriastwolba.exe | rdyvhyibbni.exe
File created | C:\Windows\dygaeimhikmxkmttcupxrvz.yzb | mmzyhq.exe
File opened for modification | C:\Windows\silazyxnjgdjroqlpcsvkj.exe | mmzyhq.exe
File opened for modification | C:\Windows\maboliftnidhniibdocd.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\bqsgecapkgchoklfiujlz.exe | rdyvhyibbni.exe
File opened for modification | C:\Windows\dygaeimhikmxkmttcupxrvz.yzb | mmzyhq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rdyvhyibbni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mmzyhq.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1920 | 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe
4256 | mmzyhq.exe
(the 64 listed entries are repeats of these two pid/process pairs)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4256 mmzyhq.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 1920 wrote to memory of 1452 1920 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe 89 (3 entries)
PID 1452 wrote to memory of 4256 1452 rdyvhyibbni.exe 92 (3 entries)
PID 1452 wrote to memory of 2088 1452 rdyvhyibbni.exe 93 (3 entries)
PID 1920 wrote to memory of 1968 1920 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe 110 (3 entries)
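Every target in these entries also appears as a child of its writer in the Processes section, so the writes are the parent populating a newly created child's address space during process creation, not injection into an unrelated process; the signature alone does not distinguish the two cases. The Python below is an added example written for this report (not sandbox output or the sample's code): it collapses the repeated entries into parent/child edges, rebuilds the tree, and flags any target that has more than one writer or is absent from the spawned-process list. The twelve entries and the pid-to-image map are copied from this report.

```python
"""Added example (not sandbox output or sample code): rebuild the process tree
from 'wrote to memory of' entries and flag targets that do not look like
freshly created children."""
import re
from collections import Counter, defaultdict

# "PID <writer> wrote to memory of <target> <writer> <image> <sandbox procid>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")

# The four distinct entries from the report; each appears three times there.
SAMPLE_WPM = [
    "PID 1920 wrote to memory of 1452 1920 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe 89",
    "PID 1452 wrote to memory of 4256 1452 rdyvhyibbni.exe 92",
    "PID 1452 wrote to memory of 2088 1452 rdyvhyibbni.exe 93",
    "PID 1920 wrote to memory of 1968 1920 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe 110",
] * 3

# pid -> image name, taken from the Processes section of this report.
SAMPLE_PROCESSES = {
    1920: "8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe",
    1452: "rdyvhyibbni.exe",
    4256: "mmzyhq.exe",
    2088: "mmzyhq.exe",
    1968: "rdyvhyibbni.exe",
}


def parse_writes(lines):
    """Collapse repeated entries into {(writer, target): count} and writer -> image."""
    edges, images = Counter(), {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        writer, target, image = int(m.group(1)), int(m.group(2)), m.group(3)
        edges[(writer, target)] += 1
        images[writer] = image
    return edges, images


def build_tree(edges, processes):
    """Derive parent links. A target written by more than one pid, or one that is
    not in the sandbox's spawned-process list, cannot be a plain child and is
    reported as an injection candidate."""
    writers = defaultdict(set)
    for writer, target in edges:
        writers[target].add(writer)
    parent, suspicious = {}, []
    for target, srcs in writers.items():
        if len(srcs) > 1 or target not in processes:
            suspicious.append(target)
        parent[target] = min(srcs)  # deterministic pick if several writers
    roots = [pid for pid in processes if pid not in parent]
    return parent, roots, sorted(suspicious)


def render(parent, roots, processes, images):
    """Indented tree lines, children in pid order."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    out = []

    def walk(pid, depth):
        name = processes.get(pid, images.get(pid, "<not in process list>"))
        out.append("  " * depth + f"{name} (PID {pid})")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for r in sorted(roots):
        walk(r, 0)
    return out


if __name__ == "__main__":
    edges, images = parse_writes(SAMPLE_WPM)
    parent, roots, suspicious = build_tree(edges, SAMPLE_PROCESSES)
    print("\n".join(render(parent, roots, SAMPLE_PROCESSES, images)))
    print("injection candidates:", suspicious or "none")
```

Run as a script it prints the same tree as the Processes section (1920 at the root, 1452 and 1968 beneath it, 4256 and 2088 beneath 1452) and reports no injection candidates; feeding it a target pid that is not in the process list produces a flag.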
System policy modification 1 TTPs 36 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" rdyvhyibbni.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" mmzyhq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rdyvhyibbni.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" rdyvhyibbni.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" mmzyhq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rdyvhyibbni.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" rdyvhyibbni.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rdyvhyibbni.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" rdyvhyibbni.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" rdyvhyibbni.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" rdyvhyibbni.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" mmzyhq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" mmzyhq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rdyvhyibbni.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" rdyvhyibbni.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" rdyvhyibbni.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" mmzyhq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" mmzyhq.exe
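Reading 36 interleaved writes by eye is error-prone, so the Python below, an added example written for this report (not sandbox output or the sample's code), parses the entries into structured records and compares each value against a stock Windows 10 baseline. The baseline table is this example's own assumption and should be checked against the build you defend; the sample lines are a subset copied from the entries above. Two of the writes (FilterAdministratorToken and ValidateAdminCodeSignatures set to 0) only reassert defaults, while the rest switch UAC off, silence its prompts, move them off the secure desktop, block regedit and loosen the autorun policy.

```python
"""Added example (not sandbox output or sample code): turn 'System policy
modification' IoC lines into a comparison against a Windows 10 baseline.

POLICY_BASELINE is this example's own table of stock defaults for the values
the sample touches (an assumption to review against your own build)."""
import re
from collections import defaultdict

HIVE_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"

# relative path -> (Windows 10 default, what the value controls)   [assumption]
POLICY_BASELINE = {
    "Policies\\System\\EnableLUA": (1, "UAC master switch"),
    "Policies\\System\\ConsentPromptBehaviorAdmin": (5, "prompt for admins in Admin Approval Mode (0 = elevate silently)"),
    "Policies\\System\\ConsentPromptBehaviorUser": (3, "prompt for standard users (0 = deny silently)"),
    "Policies\\System\\PromptOnSecureDesktop": (1, "show UAC prompts on the secure desktop"),
    "Policies\\System\\EnableSecureUIAPaths": (1, "UIAccess apps only from secure locations"),
    "Policies\\System\\EnableVirtualization": (1, "file and registry virtualization for legacy apps"),
    "Policies\\System\\FilterAdministratorToken": (0, "Admin Approval Mode for the built-in Administrator"),
    "Policies\\System\\ValidateAdminCodeSignatures": (0, "require signed executables for elevation"),
    "Policies\\System\\DisableRegistryTools": (0, "block regedit (1 = blocked)"),
    "Policies\\Explorer\\NoDriveTypeAutoRun": (0x91, "drive types with autorun disabled (bitmask)"),
}

SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (\S+)$')
KEY_RE = re.compile(r"^Key created (\S+) (\S+)$")


def parse_ioc(line):
    """One sandbox IoC line -> dict, or None for lines that are not registry ops."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        kind, path, data, proc = m.groups()
        return {"op": "set", "type": kind, "path": path, "data": data, "process": proc}
    m = KEY_RE.match(line)
    if m:
        path, proc = m.groups()
        return {"op": "key", "path": path, "process": proc}
    return None


def assess(lines):
    """Split writes into deviations from / matches with the baseline, per value."""
    deviations, unchanged, keys = {}, {}, defaultdict(set)
    for line in lines:
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        if ioc["op"] == "key":
            keys[ioc["path"]].add(ioc["process"])
            continue
        path = ioc["path"]
        rel = path[len(HIVE_PREFIX):] if path.startswith(HIVE_PREFIX) else path
        default, controls = POLICY_BASELINE.get(rel, (None, "not in baseline"))
        try:
            data = int(ioc["data"], 0)   # the sandbox quotes ints as decimal strings
        except ValueError:
            data = ioc["data"]            # string values (e.g. Winlogon\Shell) stay as-is
        bucket = unchanged if data == default else deviations
        entry = bucket.setdefault(rel, {"data": data, "default": default,
                                        "controls": controls, "processes": set()})
        entry["processes"].add(ioc["process"])
    return {"deviations": deviations, "unchanged": unchanged, "keys_created": dict(keys)}


def summarize(result):
    """Human-readable lines: every deviation first, then writes equal to the default."""
    out = []
    for rel, e in sorted(result["deviations"].items()):
        procs = ", ".join(sorted(e["processes"]))
        out.append(f"CHANGED {rel} = {e['data']} (default {e['default']}): {e['controls']} [{procs}]")
    for rel, e in sorted(result["unchanged"].items()):
        out.append(f"same    {rel} = {e['data']} (already the default)")
    return out


# Sample input copied from the signature section of the report (a subset of the 36 entries).
P = HIVE_PREFIX + "Policies\\"
SAMPLE = [
    f'Set value (int) {P}System\\EnableSecureUIAPaths = "0" rdyvhyibbni.exe',
    f'Set value (int) {P}System\\ConsentPromptBehaviorAdmin = "0" mmzyhq.exe',
    f'Set value (int) {P}System\\PromptOnSecureDesktop = "0" mmzyhq.exe',
    f'Key created {P}Explorer mmzyhq.exe',
    f'Set value (int) {P}Explorer\\NoDriveTypeAutoRun = "1" mmzyhq.exe',
    f'Set value (int) {P}System\\EnableLUA = "0" rdyvhyibbni.exe',
    f'Set value (int) {P}System\\ConsentPromptBehaviorUser = "0" mmzyhq.exe',
    f'Set value (int) {P}System\\EnableVirtualization = "0" rdyvhyibbni.exe',
    f'Set value (int) {P}System\\ValidateAdminCodeSignatures = "0" mmzyhq.exe',
    f'Set value (int) {P}System\\DisableRegistryTools = "1" mmzyhq.exe',
    f'Set value (int) {P}System\\FilterAdministratorToken = "0" rdyvhyibbni.exe',
    f'Set value (int) {P}System\\EnableLUA = "0" mmzyhq.exe',
]

if __name__ == "__main__":
    for row in summarize(assess(SAMPLE)):
        print(row)
```

On the sample lines this yields eight deviations (attributed to both droppers for EnableLUA) and two baseline-equal writes; the same parser accepts the Winlogon and Run-key entries from the other signatures, which simply land outside the baseline table.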
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1920
  C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe" "c:\users\admin\appdata\local\temp\8e8d8dd457411eaf96c3e5f1cf646ec5_jaffacakes118.exe*"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1452
    C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe" "-C:\Users\Admin\AppData\Local\Temp\yifohatdtkbbduqf.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
      PID:4256
    C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe" "-C:\Users\Admin\AppData\Local\Temp\yifohatdtkbbduqf.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID:2088
  C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe" "c:\users\admin\appdata\local\temp\8e8d8dd457411eaf96c3e5f1cf646ec5_jaffacakes118.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1968
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
-
Filesize 272B
MD5 061b0dcb3060d6ca66f10ccce7ab61be
SHA1 1153d1abe74369829ad1e7bd47af925db4e359ae
SHA256 309ee03438e0163a9e74641168c2f52aad0212d59fd113da0d866d12f99b2e88
SHA512 abcdfc97c5b271ef096aa5db38141edf267263ae6eba3d0d6fe1968362edc8963a6383135d55208510347e54febb505b922ad471a87a8640bf8b0a71885c174f
-
Filesize 272B
MD5 090933cb1b985003f97868500747aef0
SHA1 7f9477a2d53eff62f6a372521bbbcca6c4a4dd4d
SHA256 11ca72a0d2aa6f1d5bf3c48929d560643bf0daf538737920267b258a2d1604f8
SHA512 6b5feed19871a7ee66cb821f9d57fb4b3dba4360358f154c87714994f9fea61e637c08fd9d9e586bf25c8d64a6d37c21f15cd7172af54b7a2acbe4ab9d6ce39b
-
Filesize 272B
MD5 c360240777510807942609591f7898df
SHA1 371be61eb3c76ad30bf089a8cf5de0907fc0ff8b
SHA256 3631ffe7906d9cf7bfa7dacf3dee1d1ca889266d1da3b6437a8de3793f533332
SHA512 da8beaa0703ca360d7e943e449c38bd4a8169a296b7236906942c796b5b360b697e6c5b0dd8c8ec216d68d0913faed41964b8b7c8c78f11d6ef04352a5e80e96
-
Filesize 272B
MD5 6e0e2d3217412caec52ea2c72bbe6c89
SHA1 0a507501387046e565ae2f5958cd02d37d1d9e1e
SHA256 7fa81602da215a8836f11b3dd1b57a0d1a0dff7e9adc641eea420a55692e0644
SHA512 661666bac8d46d08759216dcbb355039008d6e75b6b8118ea94e41fd59f708af1a3907930112fd73141973d24a17cc4f5999bf243e6ca07ae77feca824ce2fe4
-
Filesize 272B
MD5 5ab2d671d5424fe84386eaa59176c574
SHA1 78698bbf4c8abc06830ee09ee5001232c2293b5c
SHA256 c988d04e54a3510aedc4a357a5354ffb12e2a1632d7c6fb0cb32d8114120b9f3
SHA512 33e8029479b29729f6acaa8a089808042b8e8c5f28c8babe68447adfa78373dcf9891c7b8743f769f006c5de2ec9583ab508d21ef2eb0c485e06b8bb8fdcfbeb
-
Filesize 704KB
MD5 9427724fbec4c66729e704d4b0a10e7e
SHA1 b08d9b608e9d36a0d7f9e895e2b191a9b879cf8b
SHA256 ca1861c8eccbcbc9fe74d2b0ce8eab88f6119cd2ce18d89eec5204961a996c25
SHA512 5616761f8d2398148d7970d2071137692d8feb7271d15d79cacdc32ac0f7abd0e219a4255d5ce4b7c00c179e568d9c069c3f60669a4ea5bcc37249873a53284b
-
Filesize 320KB
MD5 89ec3461ef4a893428c32f89de78b396
SHA1 8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9
SHA256 1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b
SHA512 7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8
-
Filesize 272B
MD5 05190f09ee38a61772bb23e86c5be4a0
SHA1 240c1b4963ab189b6b5f4782958cc61b99fef669
SHA256 e572ee95628466ef878889dc10af8f16d221eede47bc31fa890da94d13836947
SHA512 75b25cf204118a8bb3935b826424aa1b8b4f243b380e66f2ae3edb6528534d89e3cb3da53467949454aa5fcd09dc9a2d14d8c9ae0949ddcdb34110d24be2e486
-
Filesize 272B
MD5 fc5d0ecde43e2d21db42ab95d4329073
SHA1 e1f3856c0ddf8738626f40f9dce852410bab7aaa
SHA256 2ab7ed12d4b9748ffb1b56be1d5c56183299138b86903ece2f07cab5ebfa3b46
SHA512 7cb612f9c80619df2c80d9d138d6e5e6bf8d008d38c62c465cc98e708d1f409855a2aef9cf12f35c2cf3b6e652d9472d1f9dace1494bf09eefa23fe182a0beae
-
Filesize 3KB
MD5 a3cebc39acf1b5b58d65c58da405dd75
SHA1 2d491a1e3cfe8901f9f935a7dcd743f010512003
SHA256 fc4635cd23f148139340f9f18d2b376fc1114f88fb14cd6907799d62a097a450
SHA512 fb82f12c4b83b556629808035c60a50d8b7f0f4f35906d630e0463c3ddcf1973af30cf8018c9382ec0bcda7c5e08792e09ae5d3bbaf0a77b6d5d46aacfd66354
-
Filesize 644KB
MD5 8e8d8dd457411eaf96c3e5f1cf646ec5
SHA1 b03b741382822e3f012bc8d1c87331aaefeff1a4
SHA256 b6b2b9e959b52d90742beac4f6b23a72e4c2cb5e802bbb9e7da138098d30cd24
SHA512 e6cf6ea96fbc9befaf59e1b0a876e7afadc5439918ee294dbe584d474310cc79db4ff7091645e29e0f367561a7a3a71cd80ec4200ebbd7809fd5e738bc58878c