Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 20:50

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
Size: 532KB
MD5: 43911114fe45fe2349eea1c3c5657bfd
SHA1: 3ce01eaf787a67fd84d31bee4eddbeaab0b239c9
SHA256: 371e7fce1fa40071ff8b99fa72a84f8697e26e8d43bc0932c9acc9ce4ba64a0d
SHA512: e333fa0db5a206dcbe32e385905aa71b09d3f09fbff449a65a6e5ea607ed9ab424595666d8603a173987f257735620d92942a7b420fdee049b281c4261018d35
SSDEEP: 12288:D6onxOp8FySpE5zvIdtU+YmefStLpm1tT0:5wp8DozAdO9StLpwR0

Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wfsgytrrgpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | dcktv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | dcktv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wfsgytrrgpc.exe

UAC bypass (3 TTPs, 13 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfsgytrrgpc.exe

Adds policy Run key to start application (2 TTPs, 28 IoCs)

Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dcktv.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dcktv.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | wfsgytrrgpc.exe

Executes dropped EXE (4 IoCs)
pid | Process
3048 | wfsgytrrgpc.exe
1052 | dcktv.exe
212 | dcktv.exe
116 | wfsgytrrgpc.exe

Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | dcktv.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | dcktv.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | dcktv.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | dcktv.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | dcktv.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | dcktv.exe

Adds Run key to start application (2 TTPs, 64 IoCs)

Checks whether UAC is enabled (1 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfsgytrrgpc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dcktv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dcktv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfsgytrrgpc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wfsgytrrgpc.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | dcktv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | dcktv.exe

Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
25 | www.whatismyip.ca
28 | whatismyip.everdot.org
29 | www.showmyipaddress.com
32 | www.whatismyip.ca
35 | whatismyip.everdot.org
43 | www.whatismyip.ca
21 | whatismyipaddress.com

Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | dcktv.exe
File created | C:\autorun.inf | dcktv.exe
File opened for modification | F:\autorun.inf | dcktv.exe
File created | F:\autorun.inf | dcktv.exe

Drops file in System32 directory (32 IoCs)

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\eybfcfbwcxfdfipzmbeybf.fbw | dcktv.exe
File created | C:\Program Files (x86)\eybfcfbwcxfdfipzmbeybf.fbw | dcktv.exe
File opened for modification | C:\Program Files (x86)\vaodlzgmdjclymezxxlqetbpwctzsbocu.nnb | dcktv.exe
File created | C:\Program Files (x86)\vaodlzgmdjclymezxxlqetbpwctzsbocu.nnb | dcktv.exe

Drops file in Windows directory (32 IoCs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wfsgytrrgpc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dcktv.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1052  dcktv.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   Process                                              procid_target
PID 5052 wrote to memory of 3048  5052  JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe  83
PID 5052 wrote to memory of 3048  5052  JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe  83
PID 5052 wrote to memory of 3048  5052  JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe  83
PID 3048 wrote to memory of 1052  3048  wfsgytrrgpc.exe                                      84
PID 3048 wrote to memory of 1052  3048  wfsgytrrgpc.exe                                      84
PID 3048 wrote to memory of 1052  3048  wfsgytrrgpc.exe                                      84
PID 3048 wrote to memory of 212   3048  wfsgytrrgpc.exe                                      85
PID 3048 wrote to memory of 212   3048  wfsgytrrgpc.exe                                      85
PID 3048 wrote to memory of 212   3048  wfsgytrrgpc.exe                                      85
PID 5052 wrote to memory of 116   5052  JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe  95
PID 5052 wrote to memory of 116   5052  JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe  95
PID 5052 wrote to memory of 116   5052  JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe  95
-
System policy modification 1 TTPs 38 IoCs
description      ioc                                                                                                               Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"           dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"     dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"           dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"    dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"       dcktv.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                    dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"           wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                      dcktv.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                    dcktv.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                      wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"           dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"    dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"           wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"           dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"      dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"      dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"       dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"           wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"           wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"           dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"           dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                      wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                      dcktv.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                      dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"    wfsgytrrgpc.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                    wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"     dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"           dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"          dcktv.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                      wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"          wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"           dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                      wfsgytrrgpc.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                      dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"          dcktv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"       wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"     wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"      wfsgytrrgpc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43911114fe45fe2349eea1c3c5657bfd.exe"
Level: 1
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_43911114fe45fe2349eea1c3c5657bfd.exe*"
Level: 2
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\dcktv.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dcktv.exe" "-C:\Users\Admin\AppData\Local\Temp\akdxkdpawhftlebb.exe"
Level: 3
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1052
C:\Users\Admin\AppData\Local\Temp\dcktv.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dcktv.exe" "-C:\Users\Admin\AppData\Local\Temp\akdxkdpawhftlebb.exe"
Level: 3
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:212
C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_43911114fe45fe2349eea1c3c5657bfd.exe"
Level: 2
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:116
Network
MITRE ATT&CK Enterprise v15
-
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize
272B
MD5
9d971bb939383ead01574086c58ce0ff
SHA1
27395ad96b95e852c967153c81a269152e73d465
SHA256
0626436ccf6ca859ade4cc38becd95034974bb8cc82baa6e7f8e4324814420a5
SHA512
70d63ed496a0a2b2d1a918480251f1e21961f8d414657de4d1245fb00309c2b96e8f446ca1c07fb60c9e9818130da67979a8bac8a1d0a56e858924cf59d17872
-
Filesize
272B
MD5
27b709391b05c5cf4e6da762baabc203
SHA1
9d505cbbb0873d16d4434cbf025ebfd4ed7150f5
SHA256
147a8fd8bfbd0f97b2d55de2dd645ec8764bfca9d36fb574a313435b992fb70c
SHA512
3d19fd0b48cf4e1d387983a0cb717cdc4ad0f4abafdc19cdde3403cc049e3a5b42898e224421d2d894f3588dff5ff3dd3f829298d028fb29517f8b3002f1fba1
-
Filesize
272B
MD5
b66c695bb2bb585453d473dceaaad72d
SHA1
5cb54ee5022d8c8ee417c9929f41dac4ba2c91a8
SHA256
2f73bd73da235039c90a41510754276a90d1d04ed11e2b7f1a6b6b6354b2bc09
SHA512
8b47f35d83aab3e339a927d7fc6c1f62516e4fb46c2a321f06fd85742ab52fe59a1472797cf970f2ca5ec774c7e40610fbe4391bc4799ebbcab145744bebb5f4
-
Filesize
272B
MD5
925d5e78dfa6620e403d77b90773af6b
SHA1
2e4ba0659d14f44a3fc25bb4554462fc121ff815
SHA256
514b83d0d720f34d5ca5b3e13eafb6c2ef8c7cf58d20ef4307c661325d8aa042
SHA512
8c48c26af0561c71f803498c2d8090e3b2af087d97f6c38a5f14a192e8b75355ede05014f67d42ea7c0fa932a5cf76c85330e470342eb56b2c78401e604384a4
-
Filesize
272B
MD5
f9f2b68ce86061c2980f2cad14ccca00
SHA1
ae3452cb6bbf0376ab5ac9759c9e349ab79ae078
SHA256
8b402cc186592d185d8f709b8fd744b8a94d5380954d70ddaa3cbe65baeb4551
SHA512
82c5d7f8875a15a13d74ddd90ba9eb71486028ff4d8c32257a768bf6a6fa82baca28c2b686f5fde9ae898a0cb6a53049e3f6f25b79d3c670006f129330bdbc99
-
Filesize
708KB
MD5
5b636d806943e2a0101554abbfe5becf
SHA1
69cba4316e8372a503597e5b5038262d3fa9e754
SHA256
f4bfd9762b293bb249923922549449a3f7de0098182bd4541420f3f681491be5
SHA512
fb11f42cb98ef9102c991525f198fa2794cfb7ada5c7264bdb7a9c31c8f51cb58532511a21c39b31b770c16154fe5e40c9ddc79d1a1b1515d9a2d9677ee8d378
-
Filesize
320KB
MD5
5203b6ea0901877fbf2d8d6f6d8d338e
SHA1
c803e92561921b38abe13239c1fd85605b570936
SHA256
0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
SHA512
d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471
-
Filesize
272B
MD5
806d5645e36e7f3af966ea55a45418a2
SHA1
ca67edc927759345fd3e3dfb1aead5ccb9d0b282
SHA256
ec3233b21e98d4c1ced09ba15218c6b8d5eae460eec66e0faefb2f230e51d0a6
SHA512
9f35bd114bc2b99b26d44fe3d0d70c805582f57f7bdd1c7fba860eae5c21e485b19667253cc1a523c6bc371d36c8716793f04905cd3c6f5b0f6ff57556f0e8ba
-
Filesize
272B
MD5
a07907e60b5e38cdb25cb9e80bb8bfb9
SHA1
9658e6a1f5f5233482f540326a9c4b2e64e72d30
SHA256
150486e0062c1187df54d5c040964e0297ade2d19ca61a190799c0051372079f
SHA512
ba721d075471ea07aab1935b2b58ccbc75b762743d9458ef5e57a5290659530fb9b9b8b1df0dc191c045f1aa9aab368e06418e921a1abce51f22488f093c5049
-
Filesize
3KB
MD5
b0561fa601778d6e41b4f0820cd5039f
SHA1
2e9911dee7d4cb2d6443eb6a710ad2b1d3974a1f
SHA256
6b53702d7c7478c104028f07731d6d359654e5df11d64650cde14380584f70d2
SHA512
a3c87384ae2737e0ec378e8438e5b9fcd78b2d3f24f5dd18b1b2c50d29e38583c897357b2029d3d650a04ae5e1bb69942b22603809876b3d54adc3c1fba98dac
-
Filesize
532KB
MD5
43911114fe45fe2349eea1c3c5657bfd
SHA1
3ce01eaf787a67fd84d31bee4eddbeaab0b239c9
SHA256
371e7fce1fa40071ff8b99fa72a84f8697e26e8d43bc0932c9acc9ce4ba64a0d
SHA512
e333fa0db5a206dcbe32e385905aa71b09d3f09fbff449a65a6e5ea607ed9ab424595666d8603a173987f257735620d92942a7b420fdee049b281c4261018d35
-
Filesize
656KB
MD5
84465679e7c3bce67dc2f0661fc0603d
SHA1
998d70d34c516273a7aa75094fe6d70b2977a4aa
SHA256
b484afebbad6e16ca5b6c811a56df01f1702487c5383bade79fa59cfdd7e5484
SHA512
858a33f20565b10dcd997a0f9c102963497912b3d3d2a9c87396e6d003030b311fff19d965ca8fd4f6c39ef1dff6bb9642cf74cffd332ed2030c91e86459ba0b