Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 20:50
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
Size: 532KB
MD5: 43911114fe45fe2349eea1c3c5657bfd
SHA1: 3ce01eaf787a67fd84d31bee4eddbeaab0b239c9
SHA256: 371e7fce1fa40071ff8b99fa72a84f8697e26e8d43bc0932c9acc9ce4ba64a0d
SHA512: e333fa0db5a206dcbe32e385905aa71b09d3f09fbff449a65a6e5ea607ed9ab424595666d8603a173987f257735620d92942a7b420fdee049b281c4261018d35
SSDEEP: 12288:D6onxOp8FySpE5zvIdtU+YmefStLpm1tT0:5wp8DozAdO9StLpwR0
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | eujspiznoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | zigsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | zigsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | eujspiznoet.exe
UAC bypass 3 TTPs 13 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eujspiznoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | eujspiznoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | eujspiznoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | eujspiznoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eujspiznoet.exe
Adds policy Run key to start application 2 TTPs 26 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zigsr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zigsr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eujspiznoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eujspiznoet.exe
Executes dropped EXE 4 IoCs
pid | Process
2164 | eujspiznoet.exe
2408 | zigsr.exe
1372 | zigsr.exe
2932 | eujspiznoet.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | zigsr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | zigsr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | zigsr.exe
Loads dropped DLL 8 IoCs
pid | Process
2280 | JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
2280 | JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
2164 | eujspiznoet.exe
2164 | eujspiznoet.exe
2164 | eujspiznoet.exe
2164 | eujspiznoet.exe
2280 | JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
2280 | JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 1 TTPs 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eujspiznoet.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eujspiznoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zigsr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zigsr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eujspiznoet.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eujspiznoet.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | eujspiznoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | zigsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | zigsr.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | whatismyip.everdot.org
3 | www.whatismyip.ca
4 | www.showmyipaddress.com
6 | whatismyipaddress.com
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | zigsr.exe
File created | C:\autorun.inf | zigsr.exe
File opened for modification | F:\autorun.inf | zigsr.exe
File created | F:\autorun.inf | zigsr.exe
Drops file in System32 directory 32 IoCs
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\bewcvztytqeilitafhjme.dhb | zigsr.exe
File opened for modification | C:\Program Files (x86)\wkneixcsygfuiqmeuhuilcgvaqwedsgo.csf | zigsr.exe
File created | C:\Program Files (x86)\wkneixcsygfuiqmeuhuilcgvaqwedsgo.csf | zigsr.exe
File opened for modification | C:\Program Files (x86)\bewcvztytqeilitafhjme.dhb | zigsr.exe
Drops file in Windows directory 32 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eujspiznoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zigsr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2408 | zigsr.exe
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target
PID 2280 wrote to memory of 2164 2280 JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe 31
PID 2280 wrote to memory of 2164 2280 JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe 31
PID 2280 wrote to memory of 2164 2280 JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe 31
PID 2280 wrote to memory of 2164 2280 JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe 31
PID 2164 wrote to memory of 2408 2164 eujspiznoet.exe 32
PID 2164 wrote to memory of 2408 2164 eujspiznoet.exe 32
PID 2164 wrote to memory of 2408 2164 eujspiznoet.exe 32
PID 2164 wrote to memory of 2408 2164 eujspiznoet.exe 32
PID 2164 wrote to memory of 1372 2164 eujspiznoet.exe 33
PID 2164 wrote to memory of 1372 2164 eujspiznoet.exe 33
PID 2164 wrote to memory of 1372 2164 eujspiznoet.exe 33
PID 2164 wrote to memory of 1372 2164 eujspiznoet.exe 33
PID 2280 wrote to memory of 2932 2280 JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe 35
PID 2280 wrote to memory of 2932 2280 JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe 35
PID 2280 wrote to memory of 2932 2280 JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe 35
PID 2280 wrote to memory of 2932 2280 JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe 35
-
System policy modification 1 TTPs 38 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" eujspiznoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" zigsr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" zigsr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" eujspiznoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" zigsr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" zigsr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer zigsr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" zigsr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" eujspiznoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" eujspiznoet.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe"
  PID: 2280
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_43911114fe45fe2349eea1c3c5657bfd.exe*"
    PID: 2164
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification

    Level 3: C:\Users\Admin\AppData\Local\Temp\zigsr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zigsr.exe" "-C:\Users\Admin\AppData\Local\Temp\wqzwgbmiuinicqsq.exe"
      PID: 2408
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification

    Level 3: C:\Users\Admin\AppData\Local\Temp\zigsr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zigsr.exe" "-C:\Users\Admin\AppData\Local\Temp\wqzwgbmiuinicqsq.exe"
      PID: 1372
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

  Level 2: C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eujspiznoet.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_43911114fe45fe2349eea1c3c5657bfd.exe"
    PID: 2932
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
-
Network
MITRE ATT&CK Enterprise v15
-
Persistence
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
- Impair Defenses 2
  - Disable or Modify Tools 1
  - Safe Mode Boot 1
- Modify Registry 5
Downloads